What Do the Updates to the Australian Privacy Act Mean for Your Business?

When the Australian Privacy Act (APA) was passed in 1988, floppy discs were the norm for digital storage and a data breach might have meant a handful of people passing one around. Over the last 35 years, the rapid pace of technological advancement has seriously raised the stakes for data leaks. Sensitive data can now be shared with the whole world in a matter of minutes. 

The APA is getting a long-overdue update to catch up with the realities of data security today. In February 2023, the Attorney-General released the Privacy Act Review Report, outlining 116 specific recommendations that would fundamentally change how we deal with data in Australia. The Australian Government’s response to this report makes it clear that it plans to overhaul privacy laws to catch up with rising global standards.  

These changes follow the foundation set by other international privacy legislation, namely Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Consumers around the world are demanding that companies take online privacy more seriously in exchange for their trust, and Australia is set to follow this trend.

According to the Australian Community Attitudes to Privacy Survey 2023, 91% of Australians say they would like businesses and governments to do more to protect their data. It’s time for businesses to raise their awareness and take steps to minimise risk if they want to win customer trust.

The Australian Privacy Act updates — why they’re important

Put simply, these updates are changing the way businesses manage their customer’s data and requiring them to have a process to deal with new privacy concepts. The extensive recommendations can be broadly summarised into three key areas. 

First is a broadening of the APA. This would expand the definition of what is considered personal and sensitive information. With more types of data subject to regulation, there will be greater potential for ramifications if privacy is compromised. 

Next are increased obligations for anyone collecting personal data. This includes a fair and reasonable objective test, which means that an ordinary person, and not an organisation, should think it’s reasonable for information to be collected. Companies will also be required to have a person responsible for privacy compliance. 

Finally, there’s the expansion of individual rights, including the right to be forgotten. Individuals will have the right to claim damages from organisations if their data is compromised. This means you could theoretically have 10 million people taking legal action against you.

While we don’t yet know exactly when and how these recommendations will be enacted into legislation, it is clear that privacy law will be a key priority before the 2025 election, and businesses need to start taking data security seriously. 

The cost of inaction

Businesses, no matter how big or small, need to be ready to comply. Recent high-profile data breaches have hurt reputations and bottom lines. Customers are no longer willing to accept lax privacy measures, and when these reforms pass, businesses won’t be able to afford them.

The Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 where the maximum penalties for non-compliance have been significantly increased. The penalty for a serious privacy breach up until late 2022 was just $2.22 million. Now, businesses can be charged with the greater of: 

• $50 million
• three times the value of any benefit obtained through the misuse of information
• 30 percent of the company’s adjusted turnover in the relevant period

These penalties are a compelling reason alone for businesses to improve the way they protect their customers’ data. This is just the beginning — businesses need to understand their data and roll out new, compliant processes.

How to build customer trust

In the post-privacy-update world, customer trust will be more important than ever. There are simple things businesses can do to protect their customers and earn this trust. This starts with bringing awareness to how they’re protecting data and letting customers know there is something they can do to protect them.

The complexity of privacy law and the sheer number of new regulations may leave businesses exposed. Salesforce Privacy Centre has already helped organisations outside of Australia comply with GDPR, CCPA and other regulatory requirements. Now, Australian businesses are adopting this leading-edge technology to minimise their risk.

One of those businesses is Morgans Financial Limited. Matt Neubauer, Chief Information Officer, explained why Morgans decided to invest in Salesforce Privacy Centre: 

“In light of recent high-profile data breaches and upcoming changes to Australian Privacy Laws, we were looking for a solution to assist us in capturing, classifying, storing and when appropriate, destroying our confidential client information. 

“Morgans needs to manage our client communications and preference management on a single pane of glass. Privacy Centre makes this possible.

“Morgans sees the Salesforce Privacy Centre as a smart investment in ensuring we can protect our client data and stay ahead of our obligations to remain compliant in an ever-changing regulatory landscape.”

Taking control of data privacy is no longer optional—it’s an essential part of doing business. With just a few clicks, Privacy Centre simplifies data privacy compliance and builds trust with customers. It’s a simpler, more secure future for businesses and their customers. 

Privacy Act changes are coming, consumers want greater security and you don’t want to be the next company getting exposed. Minimise risk and build in these protections for your business and your customers now.