Overview — Plans for reform

Currently updated by Susan Walsh, Senior Associate, MinterEllison

Originally authored by Matthew Hall, Solicitor Director, Artifex advisors

Background information

In 2006, the Commonwealth Attorney-General gave a reference to the Australian Law Reform Commission (ALRC) to enquire into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. The Commission’s final report was made publicly available on 11 August 2008.

The report recommended 295 changes to the privacy regime in Australia, and the then Government indicated that it would respond to the report in a two-stage process.

On 12 December 2012 the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Privacy Amendment Act) received the Royal Assent and it came into full operation on 12 March 2014. The Privacy Amendment Act addresses 197 of the ALRC's 295 recommendations on changes to Australian privacy law and practice. The changes implemented by the Privacy Amendment Act include:

  • the introduction of a uniform set of privacy principles;

  • the concept of pseudonymity;

  • updated definitions of personal and sensitive information;

  • new obligations with regard to implementation of policies, practices and systems to ensure compliance with the principles including requirements for privacy policies and collection notices; and

  • new obligations relating to direct marketing, cross-border data transfers and dealing with unsolicited personal information.

The Privacy Amendment Act also increased the powers of the Privacy Commissioner including powers to:

  • conduct assessments of privacy compliance;

  • accept enforceable undertakings; and

  • seek civil penalties of up to $2.1 million in the case of serious or repeated breaches of privacy.

See Background information.

Introduction of a uniform set of principles

In its report, the ALRC reported that all the submissions it received from stakeholders emphasised the need for national consistency of privacy regulation. The ALRC agreed with these submissions and emphasised that one of the goals of privacy regulation should be national consistency.

Following that recommendation the Australian Privacy Principles (APPs) were introduced by the Privacy Amendment Act and apply to both Commonwealth and private sector organisations. The APPs replace the National Privacy Principles (NPPs) for the private sector and the Information Privacy Principles (IPPs) for the public sector.

See Australian Privacy Principles.

A statutory cause of action for serious interference with privacy

The High Court of Australia has not expressed a conclusive view on whether a tort of invasion of privacy exists in Australia. The ALRC recognised that waiting for guidance on this issue from the High Court is problematic, in that it would be difficult for organisations and individuals to assess the effect of the law on their operations and to minimise exposure to liability. Accordingly, the ALRC recommended the introduction of a statutory cause of action for serious invasion of privacy.

The Privacy Amendment Act did not address this recommendation and a further ALRC inquiry into the protection of privacy in the digital era was launched on 12 June 2013. As part of its terms of reference the ALRC examined a statutory cause of action for breach of privacy. The ALRC released an issues paper on 8 October 2013 and the report was expected in late 2014.

The final ALRC report, titled “Serious Invasions of Privacy in the Digital Era”, was tabled in parliament on 3 September 2014 and recommends the creation of a tort for the invasion of privacy. A guiding principle of the recommendation was that an individual's right to privacy is not absolute and does not necessarily trump other matters of public interest. Suggested defences to the tort included fair reporting of proceedings of public concern, publication of public documents, consent (whether express or implied), necessity, and conduct required or authorised by law. Under the proposal, a court would have the power to award damages, an account of profits or an injunction restraining a threatened invasion of privacy. A defendant could also be ordered to apologise. It is uncertain whether the creation of the new tort will be a priority for the current government, given the strong criticism the recommendation received from businesses.

See Creation of a statutory cause of action for serious interference with privacy.

Mandatory data breach notification

The ALRC also recommended that the Privacy Act 1988 (Cth) (the Act) should provide for notification by agencies and organisations to individuals affected by a data breach, on the basis that an obligation to notify is consistent with the Act's objective of protecting the personal information of individuals and can serve to protect that information from further exposure or misuse. This was not included in the reforms enacted by the Privacy Amendment Act; however, several bills have been introduced since the commencement of the Privacy Amendment Act to enact such a framework. The most recent bill, the Privacy Amendment (Notifiable Data Breaches) Bill 2016, was passed into law, and the Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into effect on 22 February 2018.

See Mandatory data breach notification.

Data retention amendments

In June 2013, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) published its report entitled Report of the Inquiry into Potential Reforms of Australia's National Security Legislation. That report included recommendations in relation to mandatory data retention, and on 30 October 2014 the Australian government introduced the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 in an attempt to enact a number of those recommendations and address Australia's need for a data retention scheme. The bill was given Royal Assent on 13 April 2015, with parts of the new Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Act) commencing on that date and the remainder commencing on 13 October 2015.

The Data Retention Act amends the Telecommunications (Interception and Access) Act 1979 by inserting new provisions that require telecommunications companies to keep certain specified data, including metadata, in relation to telecommunications (that is, information about the source and circumstances of a communication, rather than its content) for a 2 year period (either 2 years from the date of creation of the data or 2 years from the closure of the account to which the information relates, depending on the category of information). The set of data required to be retained is defined by reference to the following six types of information:

  • the identity of the subscriber to a communications service;

  • the source of the communications service;

  • the source of the communication;

  • the destination of the communication;

  • the date, time and duration of the communication;

  • the type of communication; and

  • the location of the equipment used in the communication.

The Data Retention Act also enacts a new s 187LA of the Telecommunications (Interception and Access) Act 1979 (Cth), which confirms that the Privacy Act 1988 continues to apply in respect of any personal information held by industry under its data retention obligations, and that any data retained under the Telecommunications (Interception and Access) Act 1979 is considered personal information within the meaning of the Privacy Act 1988.

Re-identification of de-identified personal information

On 12 October 2016 the Privacy Amendment (Re-identification Offence) Bill 2016 was introduced into Parliament. The bill would make it an offence to re-identify information published by a Commonwealth agency on a de-identified basis. This followed a “public interest alert” from a Melbourne academic that Department of Health information published on its open data portal could be decrypted to identify medical practitioners.

The Senate referred an inquiry into the bill to the Senate Legal and Constitutional Affairs Legislation Committee, and the committee's report was tabled on 7 February 2017. The bill remains before the Senate.

See Re-identifying de-identified personal information.