Australia's Attorney-General Christian Porter announced on Friday the terms of reference[1] and issues paper that his department will use as a basis for its review of the Privacy Act.
The wide-ranging review will consider the definition of personal information; whether existing exemptions for small businesses, political parties, and the storing of employee records to comply with the Act should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.
The review was agreed to as part of the Commonwealth's response[2] to the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry[3].
In posing 67 questions for submissions to respond to, the Attorney-General's Department (AGD) has asked whether the definition of personal information should be extended to inferred personal information as well as whether additional protections should be extended to de-identified, anonymised, and pseudonymised information.
Of particular interest in the paper was the failure of Australian privacy laws to be compatible with those in Europe, especially the General Data Protection Regulation[4] (GDPR), with exemptions created in the Australian law two decades ago being a roadblock.
"The [Australian Law Reform Commission (ALRC)] noted that no other comparable jurisdiction (the United Kingdom, New Zealand, Canada, and the European Union) exempts small businesses from the general privacy law," the paper said.
"The Senate Committee inquiry further recommended the removal of the exemption given the privacy regimes in overseas jurisdictions have operated effectively without a small business exemption and that the existence of the exemption was one of the key outstanding issues preventing Australia from seeking adequacy with the EU.
"[The ALRC] also noted that the United Kingdom does not exempt employee records and that removing