Australian citizens would be able to take legal action directly against organisations breaching privacy laws, under a potential change being looked at as part of a long-awaited review of privacy legislation.
The Attorney General has published the terms of reference for a review of Australia’s Privacy Act, following concerns raised by the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry last year. The aim of the review is to “ensure privacy settings empower consumers, protect their data and best serve the Australian economy.”
The wide-ranging review will consider options for reform in areas including the definition of personal information, rules around collection, use and disclosure of personal information, notification and consent requirements, and the effectiveness of enforcement action (see full terms of reference below).
It will look at whether individuals should be able to take direct legal action against organisations, rather than relying on regulatory action, and whether a statutory tort for serious invasions of privacy should be introduced. It will also examine the feasibility of an independent certification scheme.
The Attorney General’s terms of reference document said: “As Australians spend more of their time online, and new technologies emerge, such as artificial intelligence, more personal information about individuals is being captured and processed raising questions as to whether Australian privacy law is fit for purpose.”
The review was promised by the Australian Government after the ACCC inquiry found that existing regulatory frameworks for the collection and use of data “have not held up well to the challenges of digitalisation”.
A public consultation on the review is open until 29 November. Members of the public and organisations can make a submission here.
Australian Privacy Review: terms of reference
The review will examine and, if needed, consider options for reform on matters including:
- The scope and application of the Privacy Act including in relation to: the definition of ‘personal information’; current exemptions and general permitted situations for the collection, use and disclosure of personal information.
- Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices including in relation to: notification requirements; consent requirements including default privacy settings; overseas data flows, and erasure of personal information.
- Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act.
- Whether a statutory tort for serious invasions of privacy should be introduced into Australian law.
- The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives.
- The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks.
- The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The review builds on reforms announced in March 2019 to increase the maximum civil penalties under the Privacy Act and develop a binding privacy code to app