Will the second tranche of Privacy law reform measures be introduced into Federal Parliament this term? It would be a reasonable assumption that it will. The Government is beginning to make soundings about reform.

August 29, 2025

In late July 2025 the Attorney General, Michelle Rowland, told the Australian Financial Review that the Privacy Act was “not fit for the digital age”. She later said, during an appearance on Sky News’ Sunday Agenda, regarding the Privacy Act: “...Well, this is the second tranche of privacy reforms. I think it’s fair to say, Andrew, that Australians are sick and tired of their personal information not only being exploited for benefit by third parties, but also the way in which that information is not being protected. We’ve seen that in recent times with data breaches, both by Australian companies as well as multinational tech giants.”

Modern reform often begins with Ministers making noises about the need to address this or that reform, putting the issue onto the agenda. In the privacy context that was done in 2022 – 2023. The 2022 Privacy Act Review Report proposed 116 recommendations to reform the Privacy Act 1988.

The government accepted 38 of the proposed reforms and agreed to 68 in principle. It said it would implement the changes in phases. The first tranche, as it became known, was found in the Privacy and Other Legislation Amendment Act 2024, which passed in November 2024 and became law on 10 December 2024. It implemented 23 of the reforms, including the introduction of a statutory tort of privacy, anti-doxxing offences and a new tiered civil penalty regime, as well as the development of a new Children’s Privacy Code, which is currently the subject of consultation undertaken by the Office of the Australian Information Commissioner (OAIC). The obligation to disclose the use of personal information for automated decision making will commence in December 2026.

The Attorney General has now dropped two not very subtle hints that more privacy reform is required. Nothing detailed about the what and the when, but that is not required. Starting the conversation is the key. Given the Government has already responded to a report’s recommendations, going from discussion to action is a short step.

When the second tranche will be introduced into Parliament as a Bill is the subject of some speculation. It is a more comprehensive set of reforms, and some are more contentious than the first tranche. The government has agreed to:

  • an expanded definition of personal information;
  • the introduction of a fair and reasonable test for data processing;
  • more privacy protections for children; and
  • requiring organisations to establish minimum and maximum retention periods.

The first three points are consistent with legislative provisions in other overseas jurisdictions.

One of the proposals which the government agreed to in principle, but has not yet addressed, is to remove the small business exemption under the Privacy Act 1988 for those small to medium businesses with an annual turnover of less than A$3 million. A consultation process is being undertaken. That process could be completed in a reasonably short time, given that the first recommendation to remove the small business exemption was made in 2008. The issues have been well ventilated, the parties’ respective positions have been set for many years and the mood is for more, not less, privacy protection.

While the exact timing of tranche 2, and which elements will be included in it, is unclear, the majority of the outstanding recommendations the government has agreed to could be introduced, debated and enacted without significant delay. It is understood that the parliamentary draftsman provided a preview of some amendments as part of the process to finalise tranche 1 of the reforms last year.

What needs to be borne in mind by organisations is that the Australian Privacy Commissioner, Carly Kind, has publicly set out as a priority for the next 12 months a more enforcement-focused approach by the OAIC to regulating compliance. The Privacy Commissioner now has new and increased civil penalty powers and will take a more expansive interpretation of the principles-based privacy laws. She also has enhanced and easier to deploy powers to commence civil penalty proceedings. Companies that collect and hold large amounts of data, do not properly protect it, and retain data which they no longer use can expect close regulatory attention. The cost of dealing with an investigation by the Privacy Commissioner, followed by possible enforcement action and civil litigation, makes it economical to be properly compliant to start with.

Organisations need to take a proactive approach to ensure both compliance with the current requirements of the Australian Privacy Principles and a process to comply with the anticipated reforms. It is not hard to plan for. For example, companies using AI, those using higher risk technologies, those whose business model involves engaging with children online, the many companies who use online tracking or targeted marketing, and those which handle sensitive data should review their processes and be ready to respond to the amendments.

There has been a noticeable increase of activity in response to the Attorney General’s comments. Part of any activity needs to include ensuring companies have budgeted for further increased compliance with privacy and cyber security requirements. That includes considering whether there are sufficient personnel, security infrastructure and project teams in place to properly ensure compliance with the current obligations and with the greater responsibilities when reform occurs.

Small businesses may be exempt from the Privacy Act, but that does not mean they are immune from action. The statutory tort of serious invasion of privacy applies to small business, and the misuse of information is a basis for a claim if the actions are intentional or reckless. Organisations covered by the Privacy Act may require compliance with the Privacy Act from small business operators they engage to undertake work for them. If those operators have access to systems and process data as part of a third party access or supply chain arrangement, then regulated organisations will likely require compliance with the APPs, with a particular focus on adequate security, in particular cyber security.

All organisations covered by the Privacy Act 1988 should:

  • undertake a review of the data collected and determine what personal information is collected and held;
  • review the security of the personal information held;
  • prepare, maintain and test a data breach response plan;
  • review privacy policies to make sure they are compliant;
  • establish or review practices to ensure they are transparent and have systems to notify individuals when required;
  • delete sensitive information once the purpose for its collection has finished; and
  • ensure there is appropriate budgeting and resources allocated to undertake the necessary privacy compliance when the Privacy Act is further reformed.
