Privacy Act reforms: further consultation on the A-G's Privacy Act review

Published on 11 November 2021

The next stage of the Attorney-General's much-anticipated privacy reforms is here

In late October, the Attorney-General's Department released:

  • a Discussion Paper setting out feedback from its earlier Issues Paper, and proposals for reform; and
  • an Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill (Online Privacy Bill) to amend the Privacy Act 1988 (Privacy Act) to introduce an Online Privacy Code and update the OAIC’s enforcement powers (including penalties for breach).

In this Insight we explore the Discussion Paper and the imminent changes to the OAIC's enforcement powers proposed to be introduced in the Online Privacy Bill. For more information about the proposed new Online Privacy Code, see here.

The Discussion Paper contemplates an expansive set of potential changes to the existing Privacy Act, which would have a very significant impact on all parts of the Australian economy.  

The magnitude of this review makes it difficult to provide a concise summary. Instead, we have broken the Discussion Paper down into a number of bite-sized chunks, focusing on the key issues raised in each. We hope this assists you in your own review, and welcome the opportunity to discuss it further with you. 

Key takeaways

  • Consultation on the Discussion Paper will close on 10 January 2022.
  • The Discussion Paper proposes changes to the Privacy Act that would provide:
    • consumers with greater transparency and protections in relation to their personal information; and
    • the OAIC with a raft of expanded enforcement mechanisms and powers.
  • The changes canvassed in the Discussion Paper would require a very significant change to the current privacy processes of organisations. They would elevate privacy compliance to one of the most critical and time-consuming parts of an organisation's regulatory compliance activities. The Allens team thinks that these changes, and the enhanced enforcement powers, would constitute a larger shift than the implementation of the new Privacy Act in 2014. 
  • It is currently too early to predict which of the contemplated proposals will find their way into the final legislative package. That is particularly the case given that some discussion topics are presented as preferred options, and some remain open for further submission and consideration. 
  • All the same, it's prudent for organisations to continue to enhance the maturity and rigour of their privacy and data governance programs, including taking into account a number of the components of the discussion paper which would codify existing OAIC guidance. This will place organisations in a strong position to uplift their processes when the legislative package is implemented. 
  • The Allens team will keep you updated as the discussion paper progresses to the next stage. 


The review of the Privacy Act is a key part of the Government's response to the ACCC's Digital Platforms Inquiry Report of June 2019 (DPI Report), which made extensive recommendations to strengthen privacy protections for individuals and improve transparency and accountability in data handling practices.

In October 2020, the Government commenced its long-awaited review of the Privacy Act with the release of its terms of reference and an issues paper for public consultation (Issues Paper). We considered the key implications arising from the Issues Paper (as well as some of the topics also raised by this latest reform proposal) in our Insight.

The Government has now released for consultation a Discussion Paper on proposed reforms to the Privacy Act, which summarises the feedback it received from 200 submissions to the Issues Paper, asks a series of further detailed questions and puts forward possible reform proposals to address issues identified with the current operation of the Privacy Act.

In the following pages, we analyse each of the key issues canvassed and proposals set out in the Discussion Paper.

As identified in the Attorney-General's terms of reference, the credit reporting provisions under Part IIIA and the CovidSafe App under Part VIIA are out of scope of the Attorney-General's review.