Privacy Act Review complete after three years


Brandon How
Reporter

After three years, the Privacy Act Review commissioned under the Coalition government has been completed and the final report handed to Attorney General Mark Dreyfus.

The Attorney General will now consider the review over the summer and is expected to release it publicly alongside the government’s response in the first half of 2023.

The completion of the review comes a full year after the Attorney General’s Department originally expected to finish.

In July, Mr Dreyfus promised the final report would be presented to the government by the end of the year.

InnovationAus.com understands the review was completed at the end of last week and handed to Mr Dreyfus on Tuesday.

During a press conference on Friday, Mr Dreyfus told InnovationAus.com that he was about to be handed the final report.

“I’ve made sure that it’s going to be completed by the end of this year, which is fast approaching. I’ll have more to say about the review and reform, large scale reform of the Privacy Act that we expect to occur next year,” Mr Dreyfus said last Friday.

Attorney General Mark Dreyfus

Confirming the review had been handed to him on Tuesday, Mr Dreyfus said on Twitter that “the former government left Australia’s privacy laws out of date and not fit-for-purpose in our digital age”.

The former Coalition government kicked off the Privacy Act Review in December 2019 in response to the Australian Competition and Consumer Commission’s report on digital platforms as an alternative to accepting its recommendations.

The review considered whether current laws effectively protect personal information, whether individuals should have direct rights of action to enforce their privacy protections, whether a statutory tort for serious invasions of privacy is needed, and the effectiveness of enforcement powers and feasibility of an independent certification scheme to monitor compliance with privacy laws.

An issues paper was released in October 2020, although a promised follow up issues paper was never released. In October 2021, a discussion paper was released.

In response to the massive Optus data breach, the government fast-tracked some of the review’s recommendations, passing legislation in November to create one of the toughest data breach penalty regimes in the world.

This raised the maximum penalty for serious or repeated privacy breaches to the greater of $50 million, three-times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.

Labor’s amendments also expanded the remit of the Privacy Act to cover breaches of Australian data that may be stored or processed outside of the country.

Next year’s reforms will arrive as Australia’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC), continues to struggle under an increased workload. Last year, it met less than two thirds of its key performance indicators.

The OAIC received $5.5 million in the budget over two years to “investigate and respond to the Optus data breach,” according to Information Commissioner Angelene Falk.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories