Australia’s Privacy Laws Overhaul: Changes in Data Protection & Governance

27 May 2024

Board directors, executives and organisational leaders are about to hear the words ‘Data Governance Risk’ an awful lot.

Australia will soon witness a seismic shift in its privacy laws, marking the most significant overhaul in decades. Sweeping changes to be introduced before Parliament in August 20241 aim to enhance the protection of personal information, increase transparency, and hold organisations more accountable for the data they collect, store and further up the ante on data protection and data breaches.

In talking to Directors and Executives over the past 12 months it’s become clear to our team in McGrathNicol’s Cyber and Technology Practice that few truly understand the scale of the challenge they are about to face in managing their data privacy risks in the face of new legislation. Organisations will need to review and overhaul their data protection policies, practices, and systems to ensure compliance. This includes updating privacy policies, implementing robust consent mechanisms, enhancing security measures, running detailed discovery processes to locate their risky data, and train staff on the new requirements.

The likely introduction of a mandatory consumer ‘right to erasure’ means being able to point with laser precision to every piece of data about an individual that an organisation holds and having the capability to erase it on demand, if an individual so requests, within a defined timeframe. In other words, data management at a granular level is about to become a key competency. Knowing what data you have, where it is held, why you are keeping it, how long for, when it needs to be deleted and how different data needs to be handled in accordance with law will become data handling basics.

With data volumes growing for most businesses at a rate of 22% per annum2 this is likely to be a sizable problem for the majority which will need to implement technology and process solutions to ensure they stay compliant. The amendments come in response to the rapidly evolving digital landscape, increased data breaches, rapid AI implementation and growing concerns about how personal data is collected, used, and shared. These changes have been a long time coming ‒ Australia has been far behind jurisdictions such as the European Union with its General Data Protection Regulation (GDPR) introduced in 2016. They align Australia’s privacy framework more closely with international standards, ensuring better protection for individuals and creating a more robust regulatory environment.

The Australian Privacy Commissioner’s 2023 report on community attitudes to privacy found that only 2 in 5 people feel most organisations they deal with are transparent about how they handle their information, and 58% say they do not understand how it is used at all. Moreover, 89% of Australians want stronger legislation to protect their personal information.3

Of the 116 recommendations for reform which followed soon after from the Attorney-General’s Department last December, 38 were accepted in full by the Federal Government, and a further 68 accepted in-principle. Whilst it’s not yet totally clear how many of the in-principal reforms will pass when introduced to parliament in August this year or whether small businesses will be exempt, the proposed reforms flagged by the Attorney-General seek the following:

  • Introduction of a statutory tort for serious privacy invasions.

  • Specific rights for consumers in respect of personal information including, access rights, objections rights, correction rights, erasure rights (the right to be forgotten) and de-index rights (for online search engines).

  • Requirement for entities to specify data retention periods in their privacy policies.

  • Allowing individuals to directly seek legal remedy for privacy breaches.

  • Making privacy notices clearer, concise, and easily understandable.

  • Introduction of a test to ensure that the handling of personal information by entities is justifiable.

  • Requirement that more entities conduct assessments for high-risk privacy activities, such as using facial recognition or biometric identification technologies.

  • The disclosure of personal information in significant automated decisions and provide rights to individuals to understand these processes.

Particularly significant is the introduction of a new statutory tort ‒ a wrongful act or an infringement of a right leading to legal liability that is specifically defined and governed by a statute, rather than by common law or case law. This underscores the importance of compliance with the act’s amendments, as failing to meet the new standards is likely to result in severe financial and potentially other consequences. Organisations must therefore be prepared to respond swiftly to data breaches and handle data erasure requests promptly.

For individuals, the new privacy laws provide stronger protection and greater control over personal data. The enhanced consent requirements and right to erasure empower individuals to make informed decisions about their data. Enhanced data breach notification requirements ensure that individuals are promptly informed of any potential risks to their privacy, allowing them to take necessary precautions.

While businesses will face challenges in adapting to these new requirements, the overall impact sought by Government is a more robust and trustworthy framework for managing personal information, benefiting both organisations and individuals alike.

One thing is for certain: we are all about to become far more familiar with our data rights and for companies storing, collecting, processing, and monetising it, that means taking data governance seriously.

1 Privacy by Design Awards 2024

2 Edge Delta

3 Australian Community Attitudes to Privacy Survey 2023