What Didn’t Happen (Yet): The Privacy Reforms Still Waiting in the Wings
You could be forgiven for thinking Australia’s privacy law just had its big moment — and it did. But don’t get too comfortable. What we’ve seen so far from the December 2024 amendments to the Privacy Act 1988 (Cth) is just Round 1.
Welcome to the final instalment of our 9-part Privacy 2.0 series.
There’s a long queue of proposed changes that didn’t make it into the latest legislation, many of them quietly simmering in government inboxes, consultation drafts and “agreed in principle” footnotes.
Some of these postponed reforms could reshape the privacy landscape even more profoundly than the current crop. If you’re trying to future-proof your compliance or understand where the law is going next, here’s what to watch.
1. The Small Business Exemption — Still Alive (for Now)
Right now, businesses with an annual turnover under $3 million are generally exempt from the Privacy Act. That’s tens of thousands of data-handling entities with zero formal privacy obligations. The reform process flagged this as outdated — and it’s clear the exemption will eventually go. When it does, thousands of SMEs will be pulled into the privacy net for the first time. It’s not a question of if. It’s when.
2. Controllers vs Processors — Coming Soon to a Framework Near You
Unlike the GDPR(s), Australia’s privacy law still doesn’t distinguish between data “controllers” (who decide the purpose and means of processing) and “processors” (who process data on someone else’s behalf). That distinction brings clarity and proportionality in many overseas regimes. Expect pressure to harmonise with global norms — especially from businesses operating across borders who are tired of legal whiplash.
3. The Right to Object, Delete, Port — Not Yet, But On Deck
Australia still lacks a formal, standalone right to object to certain uses of data, to demand deletion (the famed “right to be forgotten”), or to port your data from one provider to another. These rights — core pillars of the GDPR(s) — have been agreed to in principle, are popular with the public, and would bring us closer to GDPR standards (and make life very interesting for adtech, fintech, and platform businesses).
4. De-Identified Data? Still A Grey Zone
The reform process acknowledged that re-identification of supposedly anonymous data is a real risk — and that de-identified information still needs regulation. But the law hasn’t caught up yet. Watch for future reforms to APPs 8 and 11 that would bring de-identified data into scope and make re-identification attempts a regulatory red flag.
5. Privacy by Design & Mandatory PIAs — Still Optional (for Now)
There was also discussion of codifying “privacy by design” and making Privacy Impact Assessments mandatory for high-risk activities. The idea? Embed privacy into planning, not just cleanup. It didn’t land this time, but expect it to return — particularly as AI, biometric tech and behavioural profiling go mainstream.
Bottom line? This is just the intermission. The Privacy Act is evolving — slowly, but deliberately — toward a framework that looks more like the GDPR(s) and less like its 1980s self. Businesses that treat the current reforms as the finish line are missing the point. The smart ones are already adapting to what’s next.
That’s a wrap on our Privacy 2.0 reform series. If you’ve made it this far, congratulations — you now know more about privacy law than most of Parliament.
Now, go fix your privacy policy — and maybe tell your AI to behave while you’re at it.