Everything You Need to Know About the Privacy Act Reforms in 2024

The government has responded to the Privacy Act Review Report – and big changes are coming that will impact almost all businesses. Are you ready for privacy act reform?

By John Christian – March 4, 2024

Our world is changing fast. The digital age is here, and our participation in it means that our data can be accessed in many more, and different, ways.

In Australia, the Privacy Act 1988 (the Privacy Act) is the key piece of legislation that helps to keep our personal information safe. This law regulates the handling of our data, including its collection, use, storage and disclosure, in the federal public sector and the private sector. The states and territories also have various applicable regulations and requirements. So far, existing legislation has struggled to keep up with the changing digital world, but that’s set to change in 2024.

Major Privacy Act reforms are on their way. These changes aim to keep up with privacy in the digital age and cover topics such as cyber-security, children’s privacy, digital identities and AI.

Before you think, ‘this doesn’t apply to me’, these reforms will impact almost all businesses in Australia. So if you own a business, you need to stay informed.

Let’s look closer at why we need Privacy Act reforms, what brought us to this point, where to next and what you can do to stay on top of the changes.

In This Article – Everything You Need to Know About the Privacy Act Reforms

  1. Why do we need Privacy Act reforms?
  2. What led to the changes?
  3. What are the major reforms?
  4. How can you protect your business?

Why do we need Privacy Act reforms?

The Privacy Act reforms are a simple case of legislation keeping up to date with our ever-evolving world. Life as we know it has changed with technology. That extends to protection of our personal information.

Now that so much of our data is collected, used and stored online, we of course need laws to regulate it. It is also important that Australian legislation stays on par with international regulations.

What led to the changes?

Digital Platforms Inquiry

In 2017, the Australian Competition and Consumer Commission (ACCC) commenced the Digital Platforms Inquiry. The ACCC says the inquiry investigated ‘the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in media and advertising services markets’.

The final report was handed down in 2019, which saw the ACCC make a series of recommendations. You can read these in the Digital Platforms Inquiry – Final Report (Final Report).

The Privacy Act Review report

The Privacy Act Review (the Review) began in 2020, following on from the privacy recommendations in the Final Report. The Attorney General’s Privacy Act Review Report was published in 2022, noting that the Review revealed just how vulnerable people’s information was in the digital world. It then listed 116 proposals to help increase the safety of data in today’s modern world.

The government’s response to the Privacy Act Review Report

In September 2023, the Australian government released its response to the Privacy Act Review Report. Of the 116 proposals recommended in the original report, the government has ‘agreed’ with 38, ‘agreed in-principle’ to 68 proposals and noted 10.

To put it simply, the ‘agreed’ proposals will be developed into legislation amendments, likely implemented in tranches beginning in 2024. The ‘agreed in-principle’ proposals will be discussed further before the government makes its final decision and implements these.

What are the major reforms?

All of this means that we’ll be seeing some Privacy Act reforms as of this year (2024). Those that have been agreed to are:

  • Children’s Online Privacy Code – stronger protections to apply to online services that children are likely to access or use
  • Automated decisions – requiring privacy policies to outline the types of personal information used to automate decisions
  • Data destruction – strengthening existing security and destruction obligations

You should be prepared to manage your compliance processes around these reforms as soon as possible.

Other reforms that are agreed to in-principle, and that we could see sooner rather than later, include:

  • Fair and reasonable – personal information collected, used and disclosed must be ‘fair and reasonable’ in the circumstances and all organisations must appoint a senior employee who is responsible for privacy and keep accurate records
  • Collection notices and consent requirements – these requirements have been strengthened to require clear collection notices and voluntary and unambiguous consent
  • Marketing, targeting & data trading – there will be changes to marketing requirements, including strengthening privacy protections for information that is being used to ‘target’ or tailor content. Individuals will also have the right to opt out of direct marketing and targeted advertising, and trading in any personal information will require consent.
  • Information availability – individuals’ right to object to how their personal information is being handled will be strengthened and they’ll be entitled to an explanation about how their information is being handled
  • Removal of exemptions – the current Privacy Act exemptions for small businesses will be removed, which would require businesses with an annual turnover of less than $3 million to introduce or strengthen their privacy processes, including how they handle employee records
  • Enforcement – introducing tiers of civil penalty provisions, expanding court powers and granting the Commission the ability to redress loss by individuals
  • Remedies – individuals will be given a direct right of action in relation to their privacy rights and, after consultation with states and territories, a statutory tort for serious invasion of privacy will be introduced

How can you protect your business?

The Government has indicated it intends to introduce legislation in 2024. That means the time to be prepared is now. The better your systems are now, the lower the cost of uplifting your privacy compliance will be when it really matters.

Here are the steps you can take to ensure you’re ready when the Privacy Act reforms begin.

  • Undertake a privacy law compliance review. The first step is to understand how your privacy compliance currently operates. What information are you collecting, how are you collecting it and how are you storing it? This also needs to include how you collect and use data in your marketing. If you don’t have a privacy compliance program in place, now is the time to start developing one.
  • Understand the gaps between your privacy compliance and the requirements set out in the agreed reforms. Once you have finished an audit of your privacy law compliance processes, you need to understand where they fall short. You can do this internally, or work with one of our team to help you understand where you may need to elevate your processes to meet the new reforms.
  • Design a tiered implementation process. If you’re starting the process of uplifting your privacy compliance with enough time, then you can use a tiered implementation process. This will save you money and stress in the long run.

Need Help Getting Ready for the Privacy Act Reforms?

If you want to ensure your company stays ahead of the upcoming Privacy Act reforms but have too many other tasks on your plate, let us take care of the legal minutiae for you. The Victor Legal team offer a no-nonsense, personalised approach to get your business to where it needs to be when it comes to privacy reforms and all other business-related legal issues. Get in touch today.


Article by John Christian, Principal Lawyer, Founder and Director of Victor Legal

John has extensive experience in complex civil and commercial dispute resolution and litigation matters, specialising in:

Building and construction disputes
Complex litigation
Contract drafting and review
Dispute Resolution
Commercial Law
Corporate insolvency
Securities and caveats
Debt collection
Contract disputes
Commercial and risk mitigation advice

