Out-Law Analysis
29 Jul 2025, 5:00 am
A further package of privacy reforms could still be released this year after attorney general Michelle Rowland confirmed that a second set of reforms to amend Australia’s Privacy Act is currently being prepared for cabinet approval.
While specific measures have not yet been disclosed, Rowland emphasised to the Australian Financial Review that the current legislation is “not fit for the digital age”, particularly considering the rise of generative artificial intelligence (AI). This has been a consistent message driving the reform process for the past four years. Whilst recognising the benefits of AI, Rowland expressed concern over the lack of appropriate security for data and personal information and the need for guardrails to ensure the responsible use of generative AI.
When asked about the progress of the reforms during an appearance on Sky News’ Sunday Agenda, Rowland said that the federal government’s policy would not be “dictated by multinational tech giants who are trying to assert that you can either have innovation or you can have privacy protection, but not both”. She said that the government’s aim is to ensure that the reforms are workable and are in the best interests of Australians to provide a basis for both innovation and the protection of personal information.
Rowland acknowledged the ongoing public concern about the commercial use of personal data for profit and the data breaches that have happened. As a result, the reforms are expected to respond more directly to these concerns, while advancing broader amendments on AI governance, data security and organisational accountability.
Following an extensive review process by the attorney general’s department under Rowland’s predecessor, Mark Dreyfus, the 2022 Privacy Act Review Report proposed 116 recommendations to modernise the national privacy framework.
The government accepted 38 of the proposed reforms and agreed to 68 in principle, committing to a phased implementation. The Privacy and Other Legislation Amendment Act 2024 was passed in December 2024 to implement 23 of the reforms, including the introduction of a statutory tort of privacy, anti-doxxing offences and a new tiered civil penalty regime, as well as the development of a new Children’s Privacy Code, which is currently the subject of a detailed consultation process led by the Office of the Australian Information Commissioner (OAIC).
The new obligation to disclose the use of personal information for automated decision making will commence in December 2026.
The introduction of a second, more comprehensive, set of reforms this year has been looking less likely, despite the government’s agreement to a number of other proposed reforms, such as an expanded definition of personal information, the introduction of a fair and reasonable test for data processing, more privacy protections for children and requiring organisations to establish minimum and maximum retention periods. One of the proposals which the government agreed to in principle, but has not yet addressed, is to remove the Privacy Act exemption covering about 2.5 million small to medium businesses with an annual turnover of less than A$3 million.
In the interim, Australian Privacy Commissioner Carly Kind has emphasised the OAIC’s more enforcement-focused approach to regulating compliance, through the use of its new civil penalty powers and an expansive interpretation of the principles-based privacy laws.
Organisations should be taking a proactive and ‘no regrets’ approach, both ensuring compliance with the current requirements of the Australian Privacy Principles and planning to uplift their compliance. If they are deploying AI, using higher risk technologies, engaging with children online, engaging in online tracking or targeted marketing, handling sensitive data, or generating, collecting and holding large amounts of data, they should be paying extra attention to ongoing regulatory developments both in Australia and overseas.
While small businesses may be exempt from the Privacy Act, they often have access to systems and process data as part of a supply chain, and regulated organisations will need to ensure they manage upstream and downstream privacy and security risks.