Proposed Changes To Australian Privacy Laws: Key Implications For Media Content Businesses

Extensive reforms of significance to media and internet businesses have been proposed in the Privacy Act Review Report released in December 2022 (the report). Submissions on the proposals in the report were due by 31 March 2023. The reform process is likely to continue through to late 2023 or beyond.

Media organisations and internet businesses, particularly those which produce news content, will also have a keen eye on whether and to what extent the content (in the case of the privacy tort below) and funding (in the case of adtech and other changes) of journalism will be affected. This article briefly considers some of the key changes.

Key principles and background

Media organisations and producers of news and other non-fiction content in particular (including for example documentaries) have a special role in our society. They hire and train professionals who use their time and significant resources to uncover facts of importance to the public.

That role has important public benefits which extend well beyond each reader of media content. Its importance, and the benefits that it produces, have been recognised by the Courts and are reflected in Australian law. The cases recognise that media reporting is essential for our democratic and Court systems to work, and for the public to have confidence in them. Media reporting of court cases provides the public with transparency in relation to the working of the courts, and protects against corruption. The following quote from R v Davis summarises this succinctly:

Whatever [the media’s] motives in reporting, their opportunity to do so arises out of a principle that is fundamental to our society and method of government: except in extraordinary circumstances, the courts of the land are open to the public. This principle arises out of the belief that exposure to public scrutiny is the surest safeguard against any risk of the courts abusing their considerable powers. As few members of the public have the time, or even the inclination, to attend courts in person, in a practical sense this principle demands that the media be free to report what goes on in them: R v Davis (1995) 57 FCR 512 at 514.

Similarly, media reporting of government and political matters exposes wrongdoing, and provides voters with the information they need to cast their votes. This is of such fundamental importance to our system that it is recognised in an implied constitutional freedom of expression in relation to government and political matters, which renders any law which is inconsistent with it invalid: see eg. McCloy v New South Wales (2015) 257 CLR 178; [2015] HCA 34. The constitutional test applies to any law which burdens freedom of speech in relation to government and political matters. Any such law is only valid if it is reasonably appropriate and adapted, in the sense of being proportionate, to a legitimate purpose. The purpose and the means to achieve it must be compatible with the maintenance of the constitutionally prescribed system of government: McCloy v New South Wales (2015) 257 CLR 178; [2015] HCA 34.

It has long been recognised that these very important public benefits need to be recognised and protected in law reform processes. Indeed, failure to do so could affect the constitutional validity of resulting legislation.

In the Privacy Act, the journalism exemption is the mechanism which is currently used to ensure that the Act does not impede investigation and reporting by media organisations. It exempts acts in the course of journalism by media organisations from the operation of the Act. “Journalism” is not defined. The exemption plays an important role, because if the Australian Privacy Principles applied to acts in the course of journalism by media organisations then media organisations would require consent to collect sensitive information unless an exception applied: APP 3.1. Sensitive information includes matters such as criminal records and political beliefs. One can imagine that many people may refuse consent in relation to investigations of matters of public importance. As further explained below, the report proposes to retain the journalism exemption albeit with significant changes.

Media Exemption

The report proposes to retain the exemption, but to amend it to “require media organisations to be subject to:

  • privacy standards overseen by a recognised oversight body (the ACMA, APC or IMC); or
  • standards that deal adequately with privacy.”

It is proposed that in consultation with industry, and the ACMA, the OAIC should develop and publish criteria for adequate media privacy standards and a template privacy standard that a media organisation may choose to adopt.

The content of, and approach to, those standards, if developed, will be critical.

Privacy Tort

The report proposes to introduce a statutory privacy tort. The possibility of introducing a statutory tort of privacy has been considered in multiple privacy reform processes in Australia over a period of decades. To date, none of those processes has resulted in the enactment of a tort. Since the decision of the High Court in ABC v Lenah Game Meats [2001] HCA 1, there have been court decisions both for and against the proposition that there is a tort (or alternatively or additionally an equitable confidence-based cause of action) available in respect of publications of private information which would be highly offensive to a reasonable person of ordinary sensibilities.

The report proposes to enact a statutory tort proposed in Australian Law Reform Commission Report 123: Serious Invasions of Privacy.

The essential features of the proposed tort are summarised as follows:

  • The invasion of privacy must be either by:
    • intrusion into seclusion, or
    • misuse of private information
  • It must be proved that a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances;
  • The invasion must have been committed intentionally or recklessly – mere negligence is not sufficient;
  • The invasion must be ‘serious’;
  • The invasion need not cause actual damage, and damages for emotional distress may be awarded, and
  • It is subject to a ‘balancing exercise’ – the court must be satisfied that the public interest in privacy outweighs any countervailing public interests.

The report lists the following proposed defences:

  • A defence of lawful authority
  • A defence where the conduct was incidental to defence of persons or property
  • A defence of consent
  • A defence of necessity
  • A defence of absolute privilege
  • A defence for the publication of public documents, and
  • A defence for fair reporting of public proceedings.

Media organisations opposed the tort in previous submissions, on the basis that it would have a detrimental or chilling effect on freedom of expression and journalism in Australia.

The proposed form of the tort also raises significant questions. For example, the defences which are given appear to be ones which would only be available where the public interest in publication outweighs the public interest in privacy. Clarification may be required to prevent them from causing the public interest test to be read down.

The intrusion upon seclusion aspect of the proposed tort could also have ramifications well beyond the media and internet context, including for example in relation to residential property. It will also overlap with trespass and other laws.

The report proposes that the remedies to be made available include:

  • damages, including for emotional distress and, in exceptional circumstances, exemplary damages;
  • An account of profits;
  • Injunctions;
  • Delivery up, destruction and removal of material;
  • Correction and apology orders; and
  • Declarations.

Overarching Fair and Reasonable Test

The report proposes an overarching “fair and reasonable” test. If enacted, this would give the Privacy Commissioner (and Courts) a broad remit in relation to practices which comply with other aspects of the Privacy Act, but which are considered excessive. The report states (at 12.3.1) that there was broad support for the proposal from many submissions, whilst others raised concerns including as to uncertainty, and placing excessive discretionary power in the hands of the regulator. The report proposes legislated factors to provide clarity as to how the requirement will be interpreted, and states that “OAIC guidance, and enforcement through determinations and judicial consideration, will map the contours of the fair and reasonable test over time.”

The impact of this overarching rule, if introduced, on media and internet organisations is uncertain. It could be substantial in the adtech and business context. The rule would presumably be subject to the journalism exemption. If it was not, then it would be potentially vulnerable to challenge on a constitutional basis, as it would give the Privacy Commissioner, who is part of the Commonwealth Government, discretionary power over media content. It could be argued that this would not be “reasonably appropriate and adapted in the sense of being proportionate” in circumstances in which a key function of the media is to provide independent investigation and insight into the Commonwealth Government, including statutory offices such as the Office of the Privacy Commissioner.

Adtech: Personal information, choices and opt outs

The report recommends a suite of changes which are likely to significantly affect the media and online advertising environment if enacted. They would very substantially increase consumer visibility and control over adtech practices.

These changes include:

  • Changes to the definition of “personal information” which may result in more adtech data falling within the definition, and thus also the core operation of the Act.
  • Extension of certain obligations to de-identified information.
  • An unqualified right to opt out of personal information being used or disclosed for direct marketing purposes.
  • An unqualified right to opt out of receiving targeted advertising.
  • A requirement that an individual’s consent must be obtained to trade their personal information.
  • Prohibition of direct marketing to children unless the personal information used for direct marketing was collected directly from the child and the direct marketing is in the child’s best interests.
  • Prohibition of targeting to a child, with an exception for targeting that is in the child’s best interests.
  • Prohibiting trading in the personal information of children.
  • A requirement that targeting individuals should be fair and reasonable in the circumstances.
  • A prohibition on use of sensitive information to target individuals (except for political opinions, membership of a political association or membership of a trade union).
  • Requiring entities to provide information about targeting including clear information about the use of algorithms and profiling.
  • Regulation of use of geolocation tracking data within the auspices of the Act.
  • Changes to the provisions of the Act dealing with consent (including in relation to children).
  • An overarching “fair and reasonable” requirement (see discussion above).
  • A children’s online privacy code.

These changes, if enacted, would likely have a substantial impact on the practices and business models of media and internet organisations. This will no doubt be the subject of detailed consideration as part of the next round of consultation.

The report states that “opting out of targeted advertising should not be a barrier to service for individuals to elect to make this choice” and notes submissions that “the media should be permitted to continue to provide media content in exchange for receipt of advertising and that without this value exchange, the public would not have free access to multiple Australian media organisations’ content”. It also noted submissions by IAB and Meta to the effect that “if a consumer objects to their personal information being collected, used or disclosed for targeted advertising it should be possible for entities to no longer offer the service”. Points in support of this were that “an organisation should not have to fundamentally change its business model…in order to respond to a consumer objection”, and users should be able to make an “informed decision as to whether the value they derive from the service outweighs any actual or perceived cost to their privacy from accepting personalised ads”.

Rights to Erasure, Correction and Deindexing: General

The report proposes significant new rights in relation to erasure, correction and de-indexing of personal information (proposals 18.3, 18.4 and 18.5). It also proposes a right to object, requiring a written response (proposal 18.2).

Exceptions

The report proposes that the relevant rights of the individual should be subject to exceptions for the following:

  • Competing public interests.
  • Required or authorised by law and legal relationships.
  • Technically infeasible or abuse of process.

The report notes that freedom of expression is an important relevant public interest. It proposes to model a public interest test based on the Freedom of Information Act 1982 (Cth). The factors it proposes might guide decisions about the public interest are as follows:

  • Promotion of the objects of the Act.
  • Informing the public, or enabling debate on a matter of public importance.
  • Constituting an unreasonable limitation on the expression of a legitimate view or opinion; or
  • Inhibiting the handling of personal information for archival, research or statistical purposes, journalistic purposes; or for academic, artistic or literary expression in the public interest.

The report does not discuss in detail the application of the journalism exemption vis-à-vis this right. Presumably the exemption will exempt acts in the course of journalism by media organisations. If not, then the factors above will be critical. The rights could adversely affect media organisations’ archives, and their ability to maintain a public record. There is a question as to whether, in the case of accurate information in particular, it is appropriate to apply a public importance or public interest test when determining whether an archive can be maintained.

The operation of the exemption or the proposed public interest test (or both) will be essential when considering the consistency of the changes with the implied constitutional freedom of speech.

Erasure

The proposed right of erasure would have the following features:

  1. An individual may seek to exercise the right to erasure for any of their personal information.
  2. An APP entity who has collected the information from a third party or disclosed the information to a third party must inform the individual about the third party and notify the third party of the erasure request unless it is impossible or involves disproportionate effort.
  3. In addition to the general exceptions, certain limited information should be quarantined rather than erased on request, to ensure that the information remains available for the purposes of law enforcement.

Correction

The report notes that APP entities do not relevantly “hold” personal information so as to be subject to relevant rules where the information is in a generally available publication.

The report proposes to amend the Act to extend the right to correction to generally available publications online over which an APP entity maintains control. It says that entities which maintain webpages can exercise control over what is on those webpages.

This is proposed to be subject to the public interest exceptions above.

The report does not discuss the application of the journalism exemption in this context, though presumably the exemption will apply.

This right, if enacted, would be likely to have a very substantial impact on publishers of internet content which do not have the benefit of the journalism exemption.

De-indexing

Subject to the public interest exceptions discussed above, the report proposes to introduce a right to de-index online search results containing personal information which is:

  • Sensitive information (eg. medical history);
  • Information about a child;
  • Excessively detailed (eg. home address and phone number); or
  • Inaccurate, out-of-date, incomplete, irrelevant or misleading.

The report notes that Google is the principal search engine in Australia. As such it is likely to be most affected by the compliance burden in relation to this right. Google submitted that it would be better for a judicial or regulatory authority to make relevant determinations. The report recommends that there be a provision for referral by Google to the OAIC of suitable requests for determination on a fee-for-service basis.

It is important to note that this right could also affect media organisations to the extent that content is the subject of de-indexation requests. A question arises as to whether a clear exception for journalism should be made in this context (to match the journalism exemption at the search engine level). Again, the proposed public interest test would be critical here, particularly if the journalism exemption does not apply.

The right is proposed to be jurisdictionally limited to Australia.

Direct Right of Action

The report proposes a direct right of action in relation to an interference with privacy with the following “design elements”:

“(A) the action would be available to any individual or group of individuals who have suffered loss or damage as a result of privacy interference by an APP entity. This would include claims by representative groups on behalf of members affected by breaches of the Act.

(B) Loss or damage would need to be established within the existing meaning of the Act, including injury of the person’s feelings or humiliation.

(C) The action would be heard by the Federal Court or the Federal Circuit and Family Court of Australia (FCFCOA).

(D) The claimant would first need to make a complaint to the OAIC and have their complaint assessed for conciliation either by the OAIC or a recognised EDR scheme.

(E) Where the IC or an EDR is satisfied there is no reasonable likelihood that the complaint will be resolved by conciliation or the IC decides a complaint is unsuitable for conciliation, the complainant would have the option to pursue the matter further in a court.

(F) In cases where the IC has decided that a complaint is unsuitable for conciliation on the basis that the complaint does not involve an interference with privacy or is frivolous or vexatious, the complainant should be required to seek leave of the court to bring an application in the court.

(G) the OAIC would have the ability to appear as amicus curiae or to intervene in proceedings instituted under the Privacy Act, with leave of the court.

(H) Remedies available under this right would be any order the court sees fit, including any amount of damages.”

Interestingly, the report did not agree with submissions which suggested that a serious harm threshold should be included as part of any direct right of action to discourage unmeritorious claims. The report considered that the potential for an adverse costs order would “operate as disincentive for claimants to commence unmeritorious claims.” In contrast, a serious harm element has been included in recent defamation reforms to address a concern that the courts were burdened with excessive numbers of claims.

Controllers/processors

The report proposes to introduce into the Australian legislation the “controller/processor” distinction which is in place under the GDPR and in other key jurisdictions.

This will simplify the application of the Act in relation to suppliers of data storage and processing services and conform with key overseas jurisdictions. This reform had not been considered in any depth in Australia’s previous privacy law reform reports, seemingly because it was not raised squarely in those rounds.

Other proposals in the report

The report also makes other significant proposals in relation to a variety of matters which will be of relevance to media and internet organisations. They include:

  • changes to the employee records exemption (which will affect media and internet organisations in their capacity as employers);
  • changes relating to notices and consents, including in relation to templates and guidance;
  • requirements in relation to privacy default settings;
  • requirements for privacy impact assessments;
  • consent for research, with consultation on other changes to facilitate research;
  • a requirement to record the purposes of collection of personal information;
  • a requirement to have a privacy officer;
  • clarification of consent rules in relation to children;
  • guidance on capacity and consent more generally;
  • requirements for entities to provide more information to individuals in response to access requests;
  • requirements to notify individuals about their rights and how to exercise them, and an obligation to respond to and provide reasonable assistance in relation to exercise of rights;
  • additional obligations and guidance in relation to the security, retention and destruction obligations in APP 11;
  • enhanced powers for the OAIC and Courts in relation to enforcement of the Act; and
  • changes to the notifiable data breaches provisions in the Act.

A complete list of proposals can be found in the report which is at www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report.
