Australia’s privacy protection reform laws came into force in mid-March, making significant changes to the regulation of data. Further reform is now on the horizon, with the Australian Law Reform Commission (the Commission) publishing a discussion paper titled, ‘Serious Invasions of Privacy in the Digital Era’ (Discussion Paper).

The Commission is carrying out an inquiry at the request of the Australian government to find “innovative ways the law might prevent or redress serious invasions of privacy.”  Two of the Commission’s proposals are likely to be of particular concern to businesses.

First, the Discussion Paper proposes the introduction of a principle for the deletion of personal data. The principle would differ significantly from the ‘Right to Erasure’, one of the headline provisions contained in the proposed EU General Data Protection Regulation.

The current draft of the EU provision would allow citizens to request the deletion of any personal data held about them, where the data controller has no reason for retaining it. Data controllers would also be required to take reasonable steps to inform any third parties to whom they have passed the data of this request. In contrast, the Australian recommendation on data erasure would apply only to data that the citizen had personally provided to a data controller. The Discussion Paper calls for comments as to whether the data controller should be under a duty to inform third parties of this request.

Second, the Discussion Paper contains a proposal to introduce a new Commonwealth Statute which would apply to all territories in Australia. This statute would provide citizens with the ability to bring a cause of action against any individual or entity that seriously invades their privacy. The action would enable individuals to obtain damages independent of breach of the Australian Privacy Act.

The Commission is scheduled to deliver its final report to the Attorney-General in June 2014.