Privacy law in Australia is currently being reviewed, as part of the government’s response to the Australian Competition and Consumer Commission (ACCC) Digital Platforms Inquiry. The review will consider the scope of privacy regulations as well as the use of notifications, enforcement, and regulatory frameworks, and whether Australia should introduce a statutory tort that would provide for damages in serious invasions of privacy.

However, with a looming federal election, there’s more uncertainty than usual about the outcome of the review and the form any new privacy regulations might take. Additionally, with many privacy regulations around the world influenced by the European Union’s GDPR regime, there are questions about whether new local regulations should align with the EU’s approach.

One of the most fundamental aspects of privacy — and one that may or may not be enacted in any new laws — is the general right to privacy. As things stand, Australia doesn’t have a general right to privacy, which makes it very challenging for people to go to court if something is causing them serious harm.

Many legal experts say Australia should have a right to privacy. For one, the Australian Law Reform Commission’s review recommended a tort of ‘serious invasion of privacy’.
“Every law reform report for over a decade has concluded that we do,” says Graham Greenleaf, a professor of law and information systems at UNSW Sydney and founding co-director of the Australasian Legal Information Institute (AustLII).

Where Australian privacy regulation needs to be strengthened

One of the most pressing tasks for this kind of review should be identifying and strengthening the weak spots in privacy regulation. Yet there is rarely a single point of focus: because technologies, and the way people use them, constantly change, privacy and data protection are constantly on the move.

Many experts believe that major reforms need to be undertaken roughly every 10 to 15 years just to keep abreast of what’s happening with technology and with regulation in other parts of the world. We’re at that point in time again, says Normann Witzleb, associate law professor at the Chinese University of Hong Kong and adjunct associate professor in law at Australia’s Monash University. “There have been some quite persistent weaknesses in the Australian regime that have been recognised as such for quite a long time, so hopefully they can be addressed,” he tells CSO Australia.

Specifically, he points to some of the terminology and even key concepts that need updating. “The foundational term of ‘personal information’ has become a bit doubtful, because it’s become perhaps a bit narrow as it was defined in Australia,” Witzleb says.

As one example, the increasing use of AI to generate information and draw inferences means the law needs to make clear that information created or inferred by AI can itself be personal information.
“There’s other data that perhaps in the past we didn’t really have to take quite so seriously, like metadata, which is quite telling about what people do, that needs to be considered,” he says.

“Looking at notice and consent as a basis for data processing, there’s probably too much faith put in that as the basis for protecting people’s ability to decide what information they disclose and what happens with it,” Witzleb says. “The way it’s been used in practice means that consent has become quite meaningless because we simply consent, without knowing what we’re consenting to. We don’t understand it and we don’t have time to read privacy notices.”

There’s a need to establish certain baseline protections that apply even where consent has been given. The law needs to address situations where “the use of personal information isn’t unreasonable and doesn’t go against people’s expectations”, Witzleb says. Plus, “Australia has always been quite weak on enforcement too and this also needs to be strengthened in any new privacy regime.”

As things stand, until there’s draft legislation, there’s no firm idea about the direction and detail of any new privacy laws. “The discussion paper has some good suggestions that would make Australia much more convergent with the EU,” says UNSW Sydney’s Greenleaf.

If the relevant EU-inspired suggestions are adopted, “it would give Australia a modern data privacy law — and a much better one than we currently have. But there are also many alternatives in the discussion paper, so it’s not clear,” Greenleaf tells CSO Australia.

How Australia’s approach compares to GDPR

GDPR is seen globally as the standard for privacy protection. That’s clear in Australia, where there’s so much reference to GDPR in the reform process.
“The updated laws may not mimic GDPR but it’s certainly a reference point,” Witzleb says.

In the EU, there’s an emphasis on protecting the fundamental rights of citizens, with a focus on personal data. In Australia, there’s protection for personal information about identified people, although there is no constitutional foundation for data protection.

Witzleb also notes that GDPR is complex and bureaucratic. “It’s also quite intimately bound up with the overall legal framework of the EU, so, when it comes to standards and principles, they’re based on fundamental rights protections. … Being a rights-focused way of approaching things, it doesn’t always work in countries like Australia that don’t have the same sensitivity towards rights dialogue and rights balancing. That balancing of conflicting interests and positions works within the EU, because that’s how the whole legal system is structured.”

Yet there are commonalities between GDPR and Australian privacy law as it currently stands. The Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), notes that they share requirements to implement a privacy-by-design approach to compliance, to demonstrate compliance with privacy principles and obligations, and, more generally, to have transparent information-handling practices.

Data breach notification and privacy impact assessments are other commonalities. Still, there are notable differences when it comes to the rights of individuals: GDPR’s “right to be forgotten”, for example, has no equivalent under Australia’s Privacy Act.

Witzleb says that a principles-based approach to regulation, which is closer to the Australian approach than to GDPR’s stronger rights-based approach, works quite well when supplemented by guidance from the regulator, which also happens under GDPR.
“Being too strict, laws can become rigid and out of date, so there needs to be a degree of flexibility and openness to adapt privacy requirements as technology and social practices develop.” With that in mind, both regimes are technology-neutral so that they remain relevant and applicable as technology and practices change.

When looking at aligning Australia’s updated privacy rules with the EU’s GDPR, it’s important to distinguish between two technical terms, convergence and adequacy, in relation to EU GDPR privacy requirements. Convergence means changing a non-EU country’s privacy regulations so they’re similar to the EU’s. Adequacy is about what’s required to obtain EU certification (an adequacy decision) that a specific country’s rules achieve the aims of GDPR when dealing with EU citizens’ data held abroad.

The discussion paper asks for input on the potential benefits or disadvantages of Australia seeking adequacy under the GDPR. However, Greenleaf notes, there’s one glaring omission that would be crucial to a positive EU adequacy decision: the exemptions for small businesses, which cover the vast majority of businesses in Australia. “Without that being changed, they won’t measure up to EU requirements.” And that is not all, he says: “Then there’s employment information, political parties, all exempted. These exemptions need to go before there’s any real prospect of adequacy with EU requirements.”

In the EU, the first privacy regulations were adopted in the 1980s. They have evolved over two further generations, culminating in GDPR, to include more and more principles for protecting privacy, Greenleaf says — now totalling 40 principles that have been implemented to varying degrees across the world. The top 75 countries outside the EU, based on gross domestic product, have a third to half of these principles in place.
But “there are not many that get a score of 40 out of 40,” he says.

Even with the privacy review now under way, it’s not likely Australia would match the EU’s number of privacy principles, Greenleaf says. But “if Australia implemented the strong aspects of the discussion paper, that’s the league we’d be in. We wouldn’t be at the top of the class by any means, but we’d have a respectable third-generation privacy framework,” he says.