Nearly four years after the Privacy Act review began, the Australian government has introduced a reform bill that falls short of delivering the fundamental changes needed to modernise the country’s privacy laws.
Attorney-General Mark Dreyfus acknowledged in May that the existing privacy framework is “woefully outdated and unfit for the digital age,” and promised reforms to address these shortcomings. However, many critical updates remain absent from the proposed legislation.
To borrow from Elvis: “A little less conversation, a little more action, please.”
While the latest amendments, introduced to Parliament on September 12, include stricter penalties for the malicious release of personal data, stronger protections for children online, a direct right of action, and regulations on automated decision-making, key changes that affect marketing – such as the “fair and reasonable” test for consent – were left out.
These crucial reforms are now highly unlikely to be tabled before the next Federal election, extending uncertainty for businesses that rely on data-driven marketing practices.
Ongoing uncertainty and delays
One of the most anticipated aspects of the Privacy Act reforms is the requirement that businesses prove their data practices are “fair and reasonable.”
Unlike other data protection laws, such as Europe’s GDPR, this test would apply even if a company has obtained consent from consumers.
Sarla Fernando, ADMA’s director of regulatory and advocacy, emphasises how this differs from other global privacy laws: “Consent doesn’t matter… The Australian Privacy Act reform is different to GDPR and even the US ones… [This is] something that hasn’t been seen around the world.”
However, with this part of the legislation delayed, businesses face a complex challenge.
Not only must they navigate current data privacy laws, but they also need to prepare for a more ambiguous future where the notion of “reasonable” data usage could become a legal battleground.
The ongoing uncertainty may delay budgeting and investment in new technologies or compliance initiatives that would have been essential under clearer regulatory guidelines.
How businesses can prepare
Though the most critical marketing-related provisions have been postponed, brands shouldn’t wait for the law to pass. Instead, this delay presents an opportunity to get ahead of the curve.
What organisations need to do to get ready hasn’t changed; only the timeline has.
Brands should focus on reviewing their current data handling processes, especially in areas such as consent management and transparency. The delay offers a window to align practices with emerging global standards and ensure compliance with stricter privacy-by-design frameworks.
Companies that wait until the last minute risk being caught off-guard when the law does pass, leading to significant compliance challenges.
Previously, I have outlined specific actions businesses can take to prepare for these reforms, even before they are enforced. These include auditing data collection practices, ensuring compliance with cookie deprecation strategies, and dealing with dark data, which is an essential step in building more transparent and consumer-centric data practices.
The fair and reasonable test: What it means for your business
The “fair and reasonable” test represents a fundamental shift in how businesses will need to justify their data usage.
Under this provision, organisations of all sizes must demonstrate that individuals would reasonably expect their personal information to be collected, used, or disclosed; that collecting and using the information was necessary; and that the impact on privacy was proportionate to the benefits gained from using that data.
This introduces a more complex dynamic for businesses that have historically relied on broad consumer consent. Now, even with explicit consent, businesses must ensure their data practices are justifiable in a broader sense. This could potentially limit the scope of personalised marketing and the use of third-party data, leading to more conservative data handling practices.
I’ve also discussed the potential impact of the “fair and reasonable” test and why businesses need to move to a transparent and justifiable method of using personal data. This shift is critical as organisations must now consider not only whether they have obtained consent but also whether their data practices align with consumer expectations.
Lessons from international markets
Australia is not alone in grappling with the complexities of modern data privacy. Other countries have faced similar delays and challenges when implementing new privacy laws.
For example, in the United States, the California Privacy Rights Act (CPRA) has undergone numerous updates, and litigation has delayed key provisions. The situation in Europe is comparable, as the GDPR took six years from its initial proposal in 2012 to full enforcement.
These international examples show that privacy reform is often a long and drawn-out process, but businesses that act early will be better prepared.
The consistent delays in passing legislation mean that businesses should continue to use this time to prepare for the inevitable shifts that will bring Australia’s privacy regulations closer to global standards.
What this means for you
While the delay in passing the full suite of Privacy Act reforms may offer some breathing room, you should not interpret this as a reason to slow down.
The focus should remain on building privacy-first data practices, reviewing data flows, and ensuring that consent management processes are robust. Businesses that stay ahead of the evolving regulations will not only be more compliant but also foster greater consumer trust.
By proactively aligning with the proposed privacy standards now, brands will not only mitigate future risks but also strengthen their relationships with increasingly privacy-conscious consumers.