Privacy Act Review Report: What it could mean for your business

On 16 February 2023 the Australian Government Attorney-General’s Department released the long-awaited Privacy Act Review Report (‘the Report’). The Report forms a part of the Privacy Act Review (‘the Review’) which was first announced in 2019.

The Report contains 116 proposals to amend Australia’s privacy laws. Whilst the Report does not affect the law as it currently stands, it does give us an indication of what is likely on the horizon for legislative change.

The Government is currently accepting feedback on the Report. The deadline for feedback is 31 March 2023. Following the closure of the feedback period it can be expected that the Government will release a draft amendment bill which will give us a clearer picture of what to expect.

Here are a few key takeaways that are most notable for businesses:

  1. Remove the small business exemption from compliance with the Privacy Act (Proposal 6).

Potential impact on your business: businesses with a turnover of less than $3 million will have a significant compliance burden placed on them, requiring new privacy policies and staff training.

  2. A requirement for Australian Privacy Principle (‘APP’) entities to act ‘fairly and reasonably’ when collecting, using and disclosing personal information. Most importantly, the Report indicates that the requirement will be judged on an objective standard and will not be affected by tick boxes and privacy policies (Proposal 12).

Potential impact on your business: closer consideration of when you collect data and a potential rewrite of the privacy policies that apply to your customers.

  3. The requirement for APP entities to conduct a Privacy Impact Assessment prior to the commencement of any high-risk activity and provide the report to the Office of the Australian Information Commissioner upon request (Proposal 13.1).

Potential impact on your business: greater time spent on compliance and reporting in the event that your business engages in high-risk activity.

  4. Introduction of the right of erasure, which would allow individuals whose personal information is collected by an APP entity to request the deletion of personal information (Proposal 18.3).

Potential impact on your business: an increase in current compliance activities and administration.

  5. Targeted advertising regulation. There are a number of proposed regulations, most notably giving individuals an unqualified right to opt out of receiving targeted advertising. In addition, any targeting must be fair and reasonable in the circumstances (Proposal 20).

Potential impact on your business: rethinking your business’s data collection and usage in relation to your direct marketing activities across a range of media.

  6. Direct right of action for individuals whose privacy has been interfered with by an APP entity. This would allow individuals to bring an action in the Federal Court for compensatory, aggravated and exemplary damages for both financial and non-financial harm caused by the breach (Proposal 26).

Potential impact on your business: a new risk of being subject to legal action as a result of interference with the customer’s privacy.

  7. A statutory tort of privacy to be introduced for serious invasions of privacy where such invasions are intentional or reckless (Proposal 27).

Potential impact on your business: a new risk of being subject to legal action where your business recklessly or intentionally engages in a serious invasion of privacy.

This is just a snapshot of some of the potential changes that could be coming our way and how those changes could affect your business. To read the full report, see Privacy Act Review Report | Attorney-General’s Department.

Reach out to one of our Commercial lawyers to prepare or review your privacy policy or terms and conditions of sale to include a consent to use of personal information.