The regulatory privacy journey from 2020 to 2024: What is the current status of the Privacy Act reforms?


The Privacy Act 1988 (Cth) (Privacy Act) is the principal piece of legislation governing the handling of personal information by the Australian government and private organisations.

The Privacy Act has undergone various tranches of amendments since its inception in 1988, with significant changes on the horizon during 2024.

2020 – 20221

The current tranche of amendments covering the period of 2020 – 2024 commenced after the Australian Competition and Consumer Commission made a number of recommendations for change in its 2019 ‘Digital Platforms Inquiry’ (2019 Inquiry). The 2019 Inquiry made both specific recommendations to strengthen protections in the Privacy Act as well as recommendations for broader reform of Australian privacy law to accommodate the increasing volume and scope of data collection in the digital economy.

In late 2022 the Government passed the Privacy Legislation Amendment (Enforcement and Other Measures Act) 2022 which granted the Office of the Australian Information Commissioner (OAIC) additional powers to regulate and enforce the Privacy Act in line with community expectations in regards to the digital space. This included greater powers of the OAIC to gather information about data breaches, share information with other authorities and impose harsher penalties on organisations for contravening the Act’s civil penalty provisions.

This followed the September 2022 Optus data breach.

2023 developments2

The 2019 Inquiry prompted a further review by the government. In early 2023 the Attorney-General’s Department published the highly anticipated Privacy Act Review Report (2023 Report). In their response to the 2023 Report, the Government has committed to a handful of reforms and committed to implementing them as early as 2024. A number of recommendations were agreed to “in principle” but the government has said they require further consultation and consideration to properly balance privacy safeguards and regulatory burden.

2024 and beyond3

On the cards for 2024 is what was described by former Australian Information and Privacy Commissioner Angelene Falk as being “the most significant change to the Privacy Act in decades”4. But what will this look like?

From the commitments of Government in response to the 2023 Report, organisations can expect:

  • Development of a Children’s Online Privacy Code.
  • Consultation on introduction of a criminal offence for malicious re-identification of de-identified information.
  • Changes to the journalism exemption where a media organisation must be subject to privacy standards.
  • Clarification on identifying an individual who may be experiencing vulnerability and at higher risk of harm from interference with their personal information.
  • Ability to facilitate overseas data flows between countries with similar privacy laws to Australia’s.
  • Introduction of mid and low-tier civil penalty provisions for interferences with privacy that are respectively non-serious and administrative.
  • Strengthened restrictions on automated decision-making and introduction of an individual right to request meaningful information about how substantially automated decisions with legal effect are made.
  • Clarity on the “reasonable” steps organisations are required to take to secure their data holdings.
  • Possibly a revised definition of personal information which captures information that is “related to” and not just “about” an individual and clarification on when an individual might be “reasonably identifiable.”
  • Power for the Courts to make any order it sees fit in a matter involving an interference of privacy.

Agencies and organisations should have privacy high on their 2024 agendas to ensure they are ready for the next phase of privacy amendments, expected to come before parliament late 2024 and start preparing now. For advice on the upcoming amendments and assistance future-proofing your organisation, contact Griffin Legal’s privacy team.

  1. History of the Privacy Act | OAIC
    Digital platforms inquiry – final report | ACCC ↩︎
  2. Privacy Act Review Report | Attorney-General’s Department ( ↩︎
  3. Government response to the Privacy Act Review Report | Attorney-General’s Department ( ↩︎
  4. OAIC welcomes reforms critical to Australia’s privacy future | OAIC ↩︎

Parental Leave for Casual Employees

For casual employees the unpredictability of their employment can be a major source of stress as often casual employees miss out on many of the entitlements that full-time and part-time employees enjoy. For many, this concern is further exacerbated when they learn that they are about to become a parent. It should therefore be of …
Read more

Purchasing an Off-the-Plan Property

The interest in “off-the-plan” properties is ever increasing and is becoming more popular for buyers. An off-the-plan purchase is one where the Buyer enters into a contract to purchase a property that has not yet been constructed. Due to the prolonged settlement period for an off-the-plan purchase it is imperative for buyers and sellers to …
Read more