The Privacy Act 1988 was designed for a world before cloud computing and data brokers. The proposed reforms, following the Attorney-General's review, represent an acknowledgement that the legislative framework has not kept pace with modern commercial data handling.
Removal of the Small Business Exemption
The current Act exempts businesses with annual turnover below $3 million — covering a substantial proportion of Australian businesses. The reforms propose removing or significantly narrowing this exemption. Businesses that currently have no formal privacy obligations would need to comply with the Australian Privacy Principles, including developing a privacy policy and implementing breach response procedures.
Stronger Consent Requirements
Consent must be voluntary, informed, current, specific, and unambiguous. Pre-ticked boxes, bundled consent in terms and conditions, and implied consent from continued service use would no longer satisfy the standard.
Right to Erasure
Modelled on GDPR, individuals would have the right to request deletion of their personal information in certain circumstances. Businesses would need processes for receiving, assessing, and responding to erasure requests — including locating and deleting data across all systems where it is stored.
Significantly Increased Penalties
Maximum penalties increase substantially — up to $50 million or more for serious or repeated interference with privacy. Combined with proposed direct action rights allowing individuals to take complaints to courts, the enforcement landscape changes materially.
When do the reforms take effect?
The reforms were progressing through consultation and drafting at the time of writing. A transition period after enactment is expected. Businesses should treat this as an opportunity to assess current practices rather than waiting for a compliance deadline.
