The Law Handbook 2024

1096 Section 12: Government and the individual privacy (report no. 57: Remedies for Serious Invasions of Privacy ). The NSW Government responded on 5 September 2016. In relation to the key recommendation, the government stated that as the federal government has publicly confirmed that it does not support a tort of privacy, and no other Australian jurisdiction has indicated a willingness to take steps in this direction, NSW cannot act alone in the absence of an agreed national approach. In the same year, an inquiry by the South Australian Law Reform Institute also recommended the establishment of a South Australian civil law action for serious invasion of personal privacy (report no. 4: Too Much Information: A Statutory Cause of Action for Invasion of Privacy ). Since 2019, the adequacy of Australia’s privacy protection has gained significantly more traction as an issue for law reform. The Australian Competition and Consumer Commission’s ( ACCC ) 2019 Digital Platforms Inquiry examined the adequacy of the existing regulation of digital platforms considering their impact on the news media and advertising sector. Privacy laws were one aspect of this broad- ranging inquiry that led the ACCC to the view that a statutory cause of action would increase business accountability for data management and give consumers greater control over their personal information ( Digital Platforms Inquiry: Final Report , July 2019, www.accc.gov.au/about-us/publications/ digital-platforms-inquiry-final-report) . The federal government responded to the ACCC’s reform proposals in December 2019 and reiterated an earlier commitment to amending the Privacy Act 1988 (Cth) (‘ PA 1988 ’) to increase penalties, strengthen enforcement, and require social media platforms to subscribe to a binding privacy code. The recommendation to introduce a statutory cause of action was ‘noted’ and the recommendation for a direct right of action under the PA 1988 was supported in principle, subject to consultation and design of specific measures. The federal government announced that the recommendations for a statutory cause of action would be further examined as part of a review of the PA 1988 and related laws (‘review’). This two-year extensive and wholesale review has considered whether broader reform is necessary in the medium to long term to empower consumers, to protect their data, and to best serve the Australian economy (Australian Government, Regulating in the Digital Age: Government Response and Implementation Roadmap for the Digital Platforms Inquiry , 2019). This review ran alongside a now lapsed exposure draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) (‘ Online Privacy Bill ’). In September 2023, the Australian Government published its formal response to the review of the PA 1988 and committed to changes that would strengthen online privacy protection (particularly for children), in addition to several other areas of privacy protection. This includes further consideration of a direct right of action for serious invasions of privacy. For the 2022 report, see www.ag.gov.au/sites/default/files/2023- 02/privacy-act-review-report_0.pdf, and for the Australian Government’s response to the review, see www.ag.gov.au/rights-and-protections/publications/ government-response-privacy-act-review-report. Further impetus for the creation of a statutory tort of invasion of privacy has been evidenced through the Australian Human Rights Commission’s ( AHRC ) separate examination during its ongoing inquiry into human rights and technology; the AHRC has proposed that the ALRC’s recommendations be implemented (‘Human rights and technology: Discussion paper’, December 2019). Commonwealth privacy legislation: Privacy Act 1988 Overview The Privacy Act 1988 (Cth) (‘ PA 1988 ’) sets minimum standards for how personal information (see the definition in ‘Personal information’, below) can be collected, used, held and disclosed. It gives individuals certain rights in respect of their personal information, including the right to access the information an entity holds about them, and the right to seek the correction of that information. Two key features of the PA 1988 are: • the 13 Australian Privacy Principles ( APPs ): these legally binding principles apply to the handling of personal information by the Australian Government (generally only federal agencies) and most Australian businesses and not-for-profit organisations (although most small businesses are exempt; see ‘Exemptions from the Privacy Act’, below); and