The Commonwealth Attorney-General’s Department looks set to have a busy summer ahead as it moves forward with its Privacy Act review and reforms on a number of fronts. Last week, the Department published:

  1. an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Draft Bill) and associated explanatory memorandum; and
  2. a discussion paper for the on-going Privacy Act review (Discussion Paper).

The Draft Bill proposes two distinct reforms:

  1. the introduction of an Online Privacy Code that will apply to social media platforms, data brokers and large online platforms; and
  2. an increased penalty regime which brings penalties under the Privacy Act 1988 (Cth) (Privacy Act) into line with those under the Australian Consumer Law.

We consider each of these reforms and the Discussion Paper below.

Online Privacy Code

The Privacy Act currently empowers the Information Commissioner to implement and enforce Australian Privacy Principle (APP) Codes and Credit Reporting Codes. APP Codes, which may be developed by industry and/or the Information Commissioner, set out how entities in a particular industry will comply with one or more of the APPs. Credit Reporting Codes, as the name suggests, may be implemented in respect of entities bound by Part IIIA of the Privacy Act and set out how those entities comply with the credit reporting obligations.

The Draft Bill proposes a third category of Code for online privacy. It will apply to “OP organisations”, that is, organisations providing any of the following:

  1. social media platforms (which includes social networks, online dating, online content, online blog or forum sites, gaming platforms and online messaging platforms);
  2. data brokerage services which are services involving the collection of personal information for the purpose of on-supply; or
  3. “large online platforms”, meaning any business that collects personal information in the course of providing access to information, goods or services online (that is, by the use of an “electronic service”) and has at least 2.5 million Australian end users (such as Apple, Google, Amazon or Spotify).

This third category is likely to be especially broad as it will feasibly capture large banks with online banking platforms (however, note our comment below regarding conflicts between the OP Code and the consumer data right) and large retailers/ecommerce stores. Interestingly, however, the Draft Bill specifically excludes organisations that collect personal information in the course of providing a customer loyalty scheme.

The OP Code itself is yet to be developed but will be required to set out the ways in which OP organisations will comply with the following APPs (in sum):

  1. APP 1.4(c) which is the purposes disclosure requirement in a privacy policy;
  2. APP 5 which sets out obligations around collection notices; and
  3. APP 3 and APP 6, which deal with the seeking of consent for the collection, use and disclosure of personal information.

The OP Code will also require organisations to take reasonable steps (if any exist) to cease using an individual’s personal information if they request it to do so. This appears to be similar to the “right to be forgotten” which is included in the European Union’s GDPR but stops short by limiting the steps required to be taken by reasonableness.

The OP Code will also need to address how organisations interact with children, including, in respect of social media platforms specifically, an express fairness obligation and the requirement to obtain parental/guardian consent for the collection, use or disclosure of personal information for anyone under the age of 16 years.

The Information Commissioner must adopt an OP Code within 12 months of the legislation taking effect and development of the code will follow a similar process to the existing codes for APPs and credit reporting.

As mentioned, because a high number of organisations are likely to be caught by the OP Code, the Draft Bill sets out an order of precedence for resolving conflicts between obligations under the OP Code and other requirements. Where there is a conflict between the OP Code and either an APP Code or a credit reporting code, the provisions of the OP Code will prevail. However, where there is a conflict between the OP Code and the privacy requirements relating to the consumer data right (CDR), the CDR obligations will prevail.

Consultation on the exposure draft is open until 6 December 2021.

Penalties under the Privacy Act

The Draft Bill also provides for an increase in penalties under the Privacy Act. These changes were announced in 2019 but are only now being legislated (see our previous article here).

The proposal will see the maximum penalty for privacy breaches increase from $2.2 million to the greater of:

  • $10 million;
  • three times the value of any benefit obtained (directly or indirectly) from the contravention; or
  • if the value of the benefit cannot be ascertained, 10 per cent of the annual turnover of the organisation.

These changes bring the penalties into line with those under the Australian Consumer Law.

Privacy Reform Discussion Paper

At the same time as releasing the Draft Bill for the online privacy code and increase in penalties, the Attorney-General’s Department also released its Privacy Act Review Discussion Paper. This is part of the wholesale review of the Privacy Act undertaken as recommended by the Digital Platforms Inquiry which was published in July 2019.

We will consider the full scope of the points raised in the Discussion Paper in a separate article to be published shortly. However, the table below sets out the proposed changes at a glance:

| Proposed amendment | Details on Proposed Amendments |
|---|---|
| Definition of personal information | Definition of personal information broadened to include "technical information" |
| Notice of collection | Express requirement that privacy notices be clear, current and understandable |
| Consent to collection, use and disclosure | Update the definition of consent to be a voluntary, informed, current, specific and unambiguous indication given through clear action |
| Standardised notice and consent | Suggestion that standardised privacy notices or consents, with standardised layouts, wording and icons, could be introduced in a Privacy Code |
| Additional requirements for collection, use and disclosure | Requirement that the collection, use and disclosure of personal information be "fair and reasonable" |
| Replace "de-identified" with "anonymous" for information not caught by the Privacy Act | Increase the standard from "de-identified" to "anonymous" for information to no longer be considered "personal information" caught by the Privacy Act |
| Right to object / withdraw consent | A right for individuals to object to, or withdraw consent for, the collection, use or disclosure of their personal information at any time |
| Right to erasure of personal information | A right for individuals to request erasure of their personal information in specific circumstances |
| Restricted practices | Requirements for entities to take reasonable steps to identify and mitigate privacy risks in relation to certain restricted practices |
| Pro-privacy defaults | Two options proposed: (1) (strict) pro-privacy settings selected by default, meaning entities must pre-select the most restrictive privacy settings; or (2) (less strict) easily accessible privacy settings, meaning entities must make it easy to set privacy settings to the most restrictive without jumping through any hoops |
| Additional protections for children | Amend the Privacy Act to require consent to be provided by a parent or guardian where a child is under the age of 16 (interestingly, this may have the effect of generalising the similar provisions in the proposed OP Code discussed above) |
| Direct right of action | Creation of a direct right of action for individuals, or groups of individuals, who have been subject to an interference with their privacy |
| Statutory tort | Four options proposed, ranging from introducing a statutory tort for invasion of privacy to not introducing a tort and allowing the common law to develop instead |
| Overseas data flows – certification | Introduce a mechanism to prescribe and certify countries with privacy laws substantially similar to Australia's, with the result that certain privacy obligations do not apply when disclosing information to those countries |

Given that this list of items has been produced from the submissions made in response to the Issues Paper published in October 2020, we think it is likely that most, if not all, of these changes will be captured in the review’s final report, unless considerable opposition is received through submissions to the Discussion Paper.

Consultation on the Discussion Paper is open until 10 January 2022.


Authors: Melissa Fai, Mark Ferguson, Sophie Bogard and Rishabh Khanna