A new approach to privacy governance

17 September 2025

Hamish Fraser
Partner
Sparke Helmore Lawyers

Hamish Fraser
Partner
Sparke Helmore Lawyers
t: +61 2 9373 3616

Hamish is an accomplished senior technology lawyer with more than 30 years’ experience advising clients on commercial issues and regulatory matters across the information technology and communication industries. Hamish enjoys demystifying the complex interaction of technology and the law.

All.Corporate & Commercial.Technology Cyber and Privacy

The average productivity growth in Australia over the decade to 2020 was the slowest in 60 years.[1] To address this slowdown and reverse the trend the Australian Government has tasked the Productivity Commissioner (PC) to produce five inquiries into key policy areas the Government should focus on.

On 5 August 2025, the PC released an interim report on one of these five inquiries, specifically addressing actionable recommendations related to Harnessing Data and Digital Technology (Interim Report).

Technology is a key driver for innovation, efficiency, and growth in the economy. However, alongside the opportunities and benefits it provides, there are also potential risks that must be considered. It is therefore not surprising that one of the five PC inquiries focuses on technology and the balancing exercise Government needs to perform regarding privacy regulation. The balance is necessary to ensure consumer trust with appropriate guardrails in place while not stifling the innovation or adoption of emerging technologies.

The Interim Report delivered seven draft recommendations for consultation, focusing on four key areas in technology. This article specifically examines the third key area: ’supporting safe data access and use through an alternative compliance pathway for privacy.’

The PC have provided two recommendations in relation to the Privacy Act 1988 (Cth) (Privacy Act), being:

amend the Privacy Act to create for an alternative compliance pathway for entities to comply with their obligations by meeting criteria that is outcome based as opposed to controls-based rules (recommendation 3.1), and
do not amend the Privacy Act to introduce a right to erasure (recommendation 3.2).

Recommendation 3.1: Alternative Compliance Pathway

The first recommendation the PC has proposed is an alternative compliance pathway. This would allow flexibility for businesses to choose the most appropriate and effective ways to protect the privacy of its customers in a way that is targeted and fit for purpose.

The PC has commented that certain requirements under the Privacy Act are focused on specific controls - such as certain mandated procedures like consent, notification, and disclosure requirements - that result in a ‘tick-box’ exercise, failing to adequately meet the protections the Privacy Act intends to achieve.

For example, APP 1 requires entities to have an up-to-date privacy policy and specifies what information needs to be included. However, the PC suggests that the overload of information does not achieve its intended result of informing consumers. the ACCC found that ‘If Australian consumers were to read all of the privacy policies they encounter in full, it would take nearly 46 hours every month.’[2]

The PC is therefore advocating flexibility for businesses to have the discretion to meet regulatory requirements that effectively caters to their specific customers and business needs. Privacy protections can vary significantly among different business models; what a small and medium business enterprise considers for privacy protections differs from a well-known corporation. The PC argues that there is no ‘one size fits all’ solution, so the privacy laws should be flexible to reflect these differences.

The PC is consulting on what an alternative compliance pathway might look like and has provided two potential frameworks:

outcomes-based obligations could be framed as a defence so if entities are not compliant with certain requirements, they are still able to rely on the defence to show they have achieved the intended privacy protections, or
establishing an alternative compliance pathway that is focused on outcome-based requirements.

This approach differs from the recommendations put forward for tranche 2 reforms of the Privacy Act, which introduced a ’fair and reasonable test’. The fair and reasonable test adds to businesses’ current obligations and the PC argues that its recommendation does the opposite, offering a reduction in business obligations.

However, measuring what a successful outcome-based model is and enforcing it may present challenges. Some suggestions the PC has provided include:

an obligation on businesses to have the best interest of its the customers in relation to privacy
having regard to a consumer’s best interest when making privacy decisions, or
or imposing a duty of care to take reasonable steps to mitigate future harms.

The PC’s recommendation encourages the Government to explore alternative pathways that achieve effective privacy outcomes for consumers while simultaneously reducing unnecessary burdens on businesses.

Recommendation 3.2: Right to Erasure

The PC has recommended against a proposed tranche 2 reform, where consumers would have the ‘right to erasure.’ This has been adopted from the European Union’s privacy laws, General Data Protection Regulation (GDPR), where the ’right to be forgotten’ gives power to the consumer to request a business to erase their information.

During the consultation for the Privacy Act review, businesses expressed concern regarding the impracticalities of implementing this right, against what quantifiable benefits this could provide to consumers. The PC noted that most businesses were concerned with the technical difficulties and changes required to ensure all of a customer’s data has been deleted from their systems.

The introduction of the right to erasure could place further unnecessary regulatory burden on industry, where there are already existing requirements under the Privacy Act like APP 11 that require entities to take reasonable steps to destroy or deidentify personal information that is no longer needed.

The PC referenced and agreed with industry comments from the Privacy review, emphasising that there should be great caution when deciding to implement the right to erasure. They noted that the practice implications and costs for businesses should be weighed against the potential benefits for consumers.

Conclusion

The PC is currently consulting on these recommendations, with a final report expected to be submitted to the Australian Government is aimed to be provided in December of this year. The recommendations and concerns raised by the PC are likely be contentious point during consultation on the tranche 2 reforms.

[1] Treasury, Intergenerational Report 2023, Australia’s future to 2063, pg. 81 Intergenerational Report 2023 (https://www.pc.gov.au/inquiries/current/data-digital/interim)

[2] Productivity Commissioner, 2025, Interim Report: Harnessing data and digital technology, pg. 57 Interim Report - Harnessing data and digital technology - Productivity Commission

We would like to acknowledge the contribution of Jasmine Thai.

16-02-2026 | Safety by design

06-02-2026 | Bunnings use of facial recognition - Appeal Panel decision decided collection is authorised

16-12-2025 | Ex tempore decision in Services Australia v Anatoly Kern

11-12-2025 | 12 Days of (Christmas) FOI

08-12-2025 | FOI Secondees – letters 'home' for Christmas

04-12-2025 | Information as to existence of certain documents – s 25 of the FOI Act

Media room