LAWS70082 · Privacy Law
Privacy Law Reform
Australian privacy law is mid-reform, and this chapter is the research-paper heartland (and the discursive take-home question). The legal question: is the principles-based Privacy Act regime fit for the data economy, and what should the next tranche do? The reform through-line runs ALRC 108 (2008) → the unified APPs (2014) → the ACCC Digital Platforms Inquiry (2019) → the AGD Privacy Act Review (2022, released 2023; 116 proposals) → the Government Response (2023) → the POLA Act 2024 first tranche, which enacted the statutory tort, tiered penalties, automated-decision-making transparency and a Children’s Online Privacy Code. A second tranche — the fair-and-reasonable test, a direct right of action, an expanded “personal information” definition, and exemption removal — is proposed but not yet law. The chapter also supplies the comparative leverage examiners prize: the EU GDPR (lawful bases, subject rights, extraterritoriality, Schrems II) and the US patchwork (FTC s 5, CCPA/CPRA), and the emerging frontiers — AI/automated decision-making, biometrics and facial recognition, and data brokers. The cardinal rule: do not overstate the law — keep enacted and proposed sharply apart.
What this chapter covers
- 01 The reform through-line: ALRC 108 → APPs → ACCC DPI → Privacy Act Review
- 02 The AGD Privacy Act Review (2022): 116 proposals; Proposal 27.1 = the tort
- 03 Enacted — POLA Act 2024: statutory tort, tiered penalties, ADM transparency, children’s code
- 04 Proposed (not law) — fair-and-reasonable test, direct right of action, expanded definitions, exemption removal
- 05 Comparative: EU GDPR (lawful bases, rights, extraterritoriality, Schrems II)
- 06 Comparative: the US patchwork (FTC s 5, CCPA/CPRA)
- 07 Emerging: AI/ADM, biometrics & FRT, data brokers
- 08 Argue, don’t describe — and never overstate what is enacted
Worked example: framing a reform thesis
- +1 Map the law briefly: Australia uses principles-based APPs (flexible, outcome-focused) overseen by the OAIC; the GDPR uses enumerated lawful bases and individual data-subject rights (access, erasure, portability) with extraterritorial reach.
- +1 Frame a narrow thesis: e.g. ‘Australia should adopt a GDPR-style direct right of action and erasure right, but retain principles-based APPs rather than rigid lawful bases’ — contestable, not a description.
- +1 Argue for: enforceable individual rights and a direct right of action close the regime’s remedial gap (the second-tranche proposal) and align Australia with its largest trading partner.
- +1 Argue against / nuance: rigid lawful bases can be brittle in fast-moving tech; principles-based APPs adapt — so the thesis takes GDPR rights but keeps APP flexibility.
- +1 Anchor in currency: tie the argument to the enacted first tranche vs the pending second tranche, and use Schrems II on cross-border transfers — without overstating what is law.
Key terms
- Privacy Act Review (AGD, 2022)
- The Attorney-General’s Department review (report 2022, released 2023) making 116 proposals to modernise the Act — the blueprint for the staged reforms, including Proposal 27.1 (the statutory tort) now enacted.
- POLA Act 2024 (first tranche)
- The Privacy and Other Legislation Amendment Act 2024 (Cth) — the enacted first tranche: the statutory tort (Sch 2), tiered civil penalties, automated-decision-making transparency, and a Children’s Online Privacy Code.
- The fair-and-reasonable test (proposed)
- A pending second-tranche proposal that collection, use and disclosure of personal information be ‘fair and reasonable in the circumstances’ as an overarching standard — proposed, not yet law; a key reform-paper subject.
- The GDPR
- The EU General Data Protection Regulation — the leading comparator: enumerated lawful bases, strong data-subject rights (access, erasure, portability), extraterritorial reach, and the cross-border transfer constraints of Schrems II.
- Direct right of action (proposed)
- A pending proposal to let individuals sue directly in court for breaches of the Act, rather than only complain to the OAIC — closing a remedial gap; proposed, not yet law.
Privacy Law Reform FAQ
What is the single biggest risk in a reform answer?
Overstating the law. The first tranche (statutory tort, tiered penalties, ADM transparency, children’s code) is enacted; the fair-and-reasonable test, the direct right of action, the expanded ‘personal information’ definition and exemption removal are proposed, not law. Marking treats ‘the law now requires X’ as a serious error when X is only a proposal.
What makes a strong reform thesis?
Narrow and contestable, argued not described. Reliable seams: does the 2024 tort’s public-interest balance protect free speech? Is the Telstra ‘about an individual’ test fit for the data-broker era? GDPR-rights model vs principles-based APPs? Are the small-business / employee-records / journalism exemptions defensible? Map the law briefly, then argue with authority.
How much comparative law do I need?
Enough to leverage, not a survey. The GDPR (lawful bases, subject rights, extraterritoriality, Schrems II) and the US patchwork (FTC s 5, CCPA/CPRA) are the prized comparators because the subject’s outcomes reward comparative analysis — use them to sharpen an Australian thesis, not to describe foreign law for its own sake.
Do I cite in AGLC here?
For the research paper, yes — strict AGLC is required, with a table of contents and headings, and authority for every legal proposition. For the discursive take-home question the same accuracy applies even if the citation form is lighter. Either way, cite a real authority for every claim and keep enacted/proposed labelled.
Exam move
Build a single enacted-vs-proposed table and keep it spotless, because the cardinal error here is overstating the law — the POLA Act 2024 first tranche is in force; the fair-and-reasonable test, direct right of action, expanded definitions and exemption removal are not. Memorise the through-line (ALRC 108 → APPs → ACCC DPI → Privacy Act Review → POLA Act 2024) so you can map the law in two sentences and spend the rest arguing. Keep two or three contestable theses ready (the tort vs free speech; Telstra in the data-broker era; GDPR rights vs principles-based APPs) and one or two comparators (GDPR, Schrems II) to leverage. For the paper, draft in strict AGLC and cite a real authority for every proposition.