Access Now welcomes the introduction of the first set of amendments in reforming Australia’s Privacy Act, 1988 on September 12. The Attorney-General’s statements acknowledging privacy as a “fundamental human right,” and framing the reforms as an effort to bring Australia’s privacy laws into the digital age signal a rights-respecting approach that Access Now hopes holds strong through this process. Authorities must present a clear path for the remaining reforms to ensure this move is not tokenistic.
The Privacy and Other Legislation Amendment Bill 2024 (the Bill) includes some provisions necessary to strengthen “greater protections, transparency, and control” over personal data for people in Australia. The proposed increased funding for the Office of the Australian Information Commissioner (OAIC) to develop a children’s privacy code, and new monitoring and investigative powers, will enable the OAIC to protect the rights of people in Australia to their personal data beyond its borders, and allow it to become a global leader in privacy protection. Access Now also welcomes greater transparency around the use of personal data in automated decision-making and improved measures on data breaches, given recent exposures of sensitive personal data of millions of people.
These amendments are a good first step. But the government must make public the timeline and precise scope of the next steps to ensure that people in Australia can enforce their right to privacy in the digital age.Namrata Maheshwari, Senior Policy Counsel and Encryption Policy Lead at Access Now
The Bill currently fails to include key amendments accepted in principle by the government. A direct right of action for breaches of the Act remains lacking, undermining enforcement. A positive obligation requiring fair and reasonable handling of personal data is a crucial provision of the previously agreed-upon recommendations that has been left out. Access Now urges the Australian government to provide a clear, concrete plan for the next set of reforms and their proposed timeline, and not let the reform process stagnate.
The Bill also does not deal with the spurt of legislation enabling the collection and the use of vast amounts of personal data, such as the Digital ID Act set to commence in December 2024 and the Australian Cyber Security Strategy. While the statutory tort for privacy breaches outside the Act, and the inclusion of the “reasonable, necessary, and proportionate” standard are welcomed, the broad exemptions for enforcement and intelligence bodies leave people without remedy against privacy violations by the state. Questions around government surveillance are pending response, as the government excluded electronic surveillance legislative powers from the present process.
Australia’s Privacy Act will only be fit for purpose in the digital age if there is comprehensive reform of laws affecting people’s privacy, including surveillance and digital identity laws. Without accompanying changes to limit access to data by the private sector and government, the Privacy Act amendments will be dead on arrival.Raman Jit Singh Chima, Asia Pacific Policy Director and Global Cybersecurity Lead at Access Now