How to Keep Up with Changes in Data Privacy
Keeping Up with Changes in Data Privacy
The pace of changes to privacy regulations in Australia has felt dizzying lately. While data-driven operations have become more and more accessible to small and medium enterprises over the past years, that same ease of access has left a substantial number of organisations with stored personal data, serious privacy obligations and limited resources to keep up with the changeable privacy landscape.
But ‘privacy’ has rarely been conceptually or legally static. Periods of rapid change have occurred previously, even within the scope of Australian privacy regulations — and they keep happening as lawmakers strive to respond to technological developments and community attitudes as they evolve.
The advent of privacy
The philosophical concept of privacy dates back at least as far as the 4th century BCE, when Aristotle made the distinction between public and private life in his work ‘Politics’. Ancient trivia notwithstanding, though, serious conversations about the legal concept appear to have emerged in the west at roughly the same time as camera technology advanced sufficiently that photographs could be taken in seconds, rather than minutes.
The Stanford Encyclopedia of Philosophy pins this to 1890, emerging from the Harvard Law Review in Warren and Brandeis's article “The Right to Privacy.” In it, the pair helpfully define privacy as “the right to be left alone.” Crude, but certainly evocative — and it resonates with us today, still, more than a hundred years later.
After the Second World War, privacy was also presented as a fundamental right of all human beings when it was listed as the 12th article of the 1948 Universal Declaration of Human Rights.
But our consciousness of privacy has developed and become yet more sophisticated over time. That growing sophistication is probably why, at under 40, Australia’s key national privacy law has been amended over a hundred times.
The Privacy Act
In Australia, concepts that fall under “information privacy” are governed by a web of intersecting legislation. We have little regulatory quirks, like the way our private health providers are beholden to national privacy legislation and our public health providers are regulated by state laws instead. Often these apparent discrepancies have sound historical or contextual bases, but they can be counter-intuitive and seem hopelessly idiosyncratic to a surface-level review.
However, the Privacy Act 1988 is the key Australia-wide law that dictates the privacy obligations of businesses and government agencies today. Most key changes in how we regulate businesses’ use of data in Australia can be seen in a history of recent changes to the Privacy Act, and this timeline serves as a fascinating reflection of technology research and development as well as the evolution of community attitudes towards privacy.
A timeline of privacy changes
Within the scope of common business use cases for personal data, there are a few major pieces of legislation and Privacy Act amendments with which we’ve all had to keep pace:
1988: The earliest version of the Privacy Act was passed to protect Australians’ personal information. Because information privacy is embedded in every aspect of our lives, amendments commenced almost immediately and came regularly over the next three decades, concerning every area of legislation, from industrial law to defence to education policy.
2000: The Privacy Act Amendment (Private Sector) was passed. Although the Information Privacy Principles had applied to public sector organisations for some time, this amendment established the National Privacy Principles to which private organisations were beholden.
2003: This was not an amendment to the Privacy Act, but growing frustrations with electronic direct marketing material prompted the passage of the Spam Act 2003, which still governs email and SMS marketing today.
2006: The Do Not Call Register Act 2006 passed, establishing both the register of phone numbers that opt out of telemarketing and the rules for the register’s use.
2012 – 2014: The Australian Privacy Principles were created and came into force. They consolidated and replaced the Information Privacy Principles and the National Privacy Principles.
2017: The Privacy Amendment (Notifiable Data Breaches) Act 2017 passed into law. Any organisation with personal information security obligations under the Privacy Act would now be beholden to the Notifiable Data Breaches Scheme.
2019: The Digital Platforms Inquiry ran from 2017 to 2019. In 2019 it published its final report, which triggered our most recent review of privacy law: the Privacy Act Review.
2022: Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 raised the maximum penalties permissible under the Privacy Act. This followed a series of serious and damaging data breaches which had a particularly severe impact upon public trust.
2023: The Privacy Act Review Report was published in February, featuring 116 proposals to be addressed. The government response emerged shortly after.
2024: The first tranche of reforms related to the recommendations emerging from the Privacy Act Review passed in November, including changes reflecting broader community anxieties about automated decision-making and offshore data processing security.
At the time of writing in 2025, we are braced for more changes.
Some platforms will need to balance changing data privacy rules with the ban on under-16s accessing social media, which will come into force at the end of 2025. Others are anticipating any recommendations that may yet proceed from the ACCC’s Digital Platform Services Inquiry, whose final report was due to be provided to the Government in March 2025. Then, too, the next tranche of reforms to the Privacy Act itself is likely to arrive in the near future.