Privacy Act Review report – KPMG Submission

As a leading professional services firm, KPMG Australia (KPMG) is committed to meeting the requirements of all our stakeholders – not only the organisations we audit and advise, but also employees, governments, regulators – and the wider community. We strive to contribute in a positive way to the debate that is shaping the Australian economy and we welcome the opportunity to provide a submission in response to the proposals in the Attorney-General’s Department Privacy Act Review Report (the report).

KPMG has been actively involved in the Review of the Privacy Act (the review), providing submissions in response to both the Issues Paper^[1] and Discussion Paper.^[2] As we have previously outlined, entities must currently manage and comply with a range of data-related regulatory frameworks. Reforms to the Privacy Act need to carefully consider the broader landscape of data-related regulatory requirements that exist in overlapping and, in some cases, fragmented frameworks at both a state and federal level and how changes will interact with evolving cyber security regulations as a result of the Cyber Security Strategy which is also currently undergoing a consultation process.

To assist with the above, KPMG welcomes the proposal to review all legal provisions that require the retention of personal information and the further clarification regarding the extraterritorial operation of the Privacy Act in light of the amendments made by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Privacy Enforcement Bill). KPMG notes that many of the proposals align the Australian Privacy Act 1988 (Act) with the General Data Protection Regulation (GDPR) and other harmonisation efforts globally, which will help with complexity in complying with regulations when businesses operate across borders. 

Given the scale of the changes proposed, it will be important to support businesses through the implementation of the proposals that are adopted. Two key approaches to consider could be first to adopt a tiered and prioritised approach to introducing the reforms and second, to set out staged compliance dates to enable entities to prepare for further changes that may be adopted.

KPMG considers that a critical aspect of reforming the Privacy Act should be provisioning for an appropriately resourced regulator so that it can achieve the right balance of enforcement, oversight, guidance and support. KPMG supports enforcement powers similar to like regulatory bodies – ones that can be exercised in the context of the right privacy settings and are designed to promote compliance and provide clarity.

KPMG has previously outlined the importance of code-making as a key regulatory tool in the regime, as Australian Privacy Principles (APP) code-making powers are a preferred method of addressing discrete issues in the Act. We consider that further clarity about the process required for code-making is required and recommend outlining a clear framework similar to those of ASIC’s Management Accountability Regime or the Online Privacy Code to ensure any codes are carefully developed.

We appreciate the opportunity to participate in the consultation process and we look forward to working with the government on implementing reform to the Privacy Act. If you would like to discuss the contents of this submission further, please do not hesitate to reach out.