Labor targets small business privacy hit
Australia’s biggest privacy law shake-up in decades will consider removing exemptions for up to 2.5m small businesses and giving individuals powers to demand the deletion of personal records.
The biggest privacy law shake-up in decades will consider removing exemptions for up to 2.5 million small businesses and giving individuals powers to demand the deletion of personal records and internet search results.
Federal Attorney-General Mark Dreyfus on Thursday will announce the most significant reshaping of the nation’s privacy regime since the 1980s, committing to 38 out of 116 proposals in the 313-page Privacy Act Review Report and agreeing in-principle to 68 measures.
Removing privacy exemptions for small businesses with turnovers under $3m, which are not now obligated to keep personal information secure or notify customers of data breaches, would have economy-wide implications and require significant investment.
Mr Dreyfus said the government would “work with the small business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses”.
The Australian understands the exemption would be removed only following an impact analysis, consideration of a support package and a transition period giving small businesses time to prepare.
Employer groups including the Council of Small Business Organisations Australia, Australian Industry Group and Australian Chamber of Commerce and Industry have raised concerns with the Attorney-General’s Department about removing the small business exemption.
The privacy review, which commenced in 2020 under former attorney-general Christian Porter and was released in February, said the majority of stakeholders had “recommended the exemption should be removed”.
The government has agreed in-principle to a statutory tort for serious invasions of privacy, allowing individuals to seek compensation for privacy invasions, including physical privacy such as being filmed in an environment where privacy would be reasonably expected.
The proposed tort, first investigated by the Australian Law Reform Commission following a referral by Mr Dreyfus before the 2013 election, would require a person to prove an invasion of privacy was serious, not trivial.
In April, a group of leading media outlets wrote to the government “strenuously” opposing any proposed changes to the Privacy Act over fears it could have a “devastating impact on press freedom … without any clearly defined need or benefit”.
The Right to Know coalition said the introduction of a tort of invasion of privacy would have “a detrimental impact on freedom of expression and would undermine news reporting” and trigger a “flood” of legal proceedings.
Mr Dreyfus has committed to maintaining exemptions for media organisations, introducing a new Children’s Online Privacy Code prohibiting entities from targeting and direct marketing to children and trading in their personal information, and providing greater transparency over automated decision-making and AI.
The Attorney-General said the government was putting in place stronger privacy protections for people who “increasingly rely on digital technologies for work, education, healthcare and daily commercial transactions and to connect with loved ones”.
“When they are asked to hand over their personal data, they rightly expect it will be protected,” Mr Dreyfus said.
“These next steps build on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.”
Mr Dreyfus said his department would conduct an impact analysis and continue working with community and business groups, media organisations and government agencies to “inform the development of legislation … in this term of parliament”.
“The government will also consider appropriate transition periods as part of the development of any legislation,” he said.
The privacy overhaul led by Mr Dreyfus mirrors the EU’s General Data Protection Regulation, which is considered a world-leading model in response to the rapid rise of tech platforms and digital economies.
Privacy reform legislation, to be introduced into parliament next year, includes provisions shielding Australians from future hacking events like last year’s Optus and Medibank breaches.
Increasing the rights of individuals and imposing greater transparency across all entities would require a dramatic ramping up of resources for the regulator, the Office of the Australian Information Commissioner.
The government has not agreed to a privacy review proposal that registered political parties and organisations should have their exemption narrowed.
“The political exemption was introduced to encourage freedom of political communication and enhance the operation of the electoral and political process in Australia. Advances in technology, which have increased the volume of information about voters that can be collected and harnessed for political influence, have raised concerns about privacy risks and concerns that the exemption is not achieving its objective,” the review said.
The government is considering a “direct right-of-action” enabling individuals to bring actions or class actions against entities if their privacy is breached.
Under a “right to be forgotten”, agreed to in-principle by the government, Australians would have limited rights to request a search engine remove certain results from an internet search of an individual’s name. The new right, which does not allow an individual to scrub public reporting on their past, would not remove content but addresses the ease of finding the information on a search engine.
A “right of erasure” would require entities to destroy personal information they have no legal right to keep. While not overriding laws requiring companies to retain identification documents, individuals can request the deletion of records when they are no longer legally required.
Law enforcement agencies would be exempt from several reforms, ensuring criminals would not have a right to erase their records. Exceptions for the destruction of information will also be in place in relation to taxation and social security payments.
COSBOA chief executive Luke Achterstraat said “small businesses must be informed in practical terms and not be set up to fail” if the Privacy Act exemption is removed.
“Significant changes require significant time to get right — in many European countries there has been a three to five year period for changes to privacy obligations,” Mr Achterstraat told The Australian.
“The timing of this release imminently after the news storm of the Victorian Premier’s resignation seems careless at best and cynical at worst.
“Small business has been waiting for a formal response from government on the privacy review (it) certainty could have been provided earlier. But once again small business faces policy fatigue on industrial relations, workforce, productivity, cost of doing business and now privacy fronts.”
He said the timing “just adds to the small business pile on at a time where uncertainty is widening and trust in government processes is waning”.