In Australia, legal obligations and requirements for online businesses are contained in both legislation and common law principles. Legislation that may be of particular relevance includes the:

The laws above are also supplemented by regulations that contain details to assist the implementation of the legislation.

Australia has three levels of government: federal, state or territory, and local. Online businesses must comply with laws made by all three levels of government (to the extent applicable).

Legislation in Australia, including any legislation dealing with online business, must be passed by the relevant Parliament (whether Federal or State Parliament). The Federal Parliament derives its powers from the Australian Constitution and is responsible for legislating in respect of specific subject areas such as corporations, taxation, and interstate and international trade.

To introduce any new or amended legislation relating to an online business, if the subject matter of the legislation falls within the power of the Federal Government, the new or amended legislation is proposed by way of a bill that is introduced to Federal Parliament. During its consideration, the bill will pass through successive stages at which proposals are made and the bill is debated. A bill must be passed in identical form by a majority vote in both the House of Representatives and in the Senate, and given Royal Assent by the Governor-General, in order to become an Act of Parliament and part of the law of the land.

The role of regulatory bodies is to investigate possible breaches of the law and to enforce the relevant legislation (and, where applicable, any industry codes) falling within the scope of its powers. These include the:

If a regulator has an interest in a particular area, it can propose or advocate for legislative amendments or new legislation to deal with any concerns. Regulators are also given certain powers to develop, register and/or enforce industry standards and codes.

Starting an online business often requires the following steps:

Depending on the nature of the business conducted, in its early stages an online business can expect to contract with:

If the online business intends to use a standard form consumer contract for its dealings with customers, the business must obtain advice to ensure the contract does not contain unfair terms.

Previously, under the ACL, an unfair term in a standard form consumer contract could only be voided. However, the Federal Government has now passed legislation which introduces penalties in respect of unfair contract terms. The reforms to the unfair contract terms regime will come into force in November 2023, and will prohibit making a contract with, and applying, relying on, or purporting to apply or rely on, an unfair contract term.

Under the amended law, a contract can still be classed as a "standard form contract" even where there is an opportunity for a party to:

In determining whether a contract is a standard form contract, a court will also be required to consider whether one of the parties has made another contract with substantially similar terms, and how many contracts that party has made.

The reforms will also expand the scope of the unfair contract terms regime under the ACL to more small business contracts, and will apply where at least one party to the contract employs fewer than 100 persons or has an annual turnover of less than AUD10 million.

Australian law does not mandate any specific procedure for developing and distributing an app. Generally, to develop and distribute an app, an online business should:

The key issues to consider when entering into an app developer agreement include:

Under the Commonwealth Electronic Transactions Act and the corresponding legislation in the states and territories, a transaction is not invalid simply because it took place wholly or partly by means of electronic communications. In the light of this, it is possible to form a contract electronically.

Where a company forms a contract electronically, the recent amendments to the Corporations Act 2001 (Cth) via the Corporations Amendment (Meetings and Documents) Act 2022 allow companies to electronically execute company related documents such as contracts and deeds and to also sign meeting-related documents and provide those to their members. In jurisdictions where the common law paper rule has been abolished by statute (NSW, Victoria and Queensland), all deeds may be created and signed in a broad range of circumstances.

Where the formation of the contract requires signatures to be witnessed, some jurisdictions (WA, NSW, Victoria, Queensland, ACT and Tasmania) allow for the witnessing documents by audio-visual link and the witness can sign a copy of the document. Outside these jurisdictions, the witness must be physically present and the same document, not a copy, must be signed.

There is no required format for an electronic contract. The requirements for electronic contract formation are the same as the requirements for hard copy contract formation. To form a contract, there must be evidence of:

If the formation of any click-wrap, browse-wrap or shrink-wrap contracts complies with the above requirements relating to hard copy contract formation, the click-wrap, browse-wrap or shrink-wrap contract will be valid and enforceable.

Cooling-off periods only apply to a limited number of transactions including some contracts for the purchase of land or property, certain contracts for motor vehicles and contracts with an agency to sell property. Where a cooling-off period applies to a particular type of contract, this period will be imposed regardless of how the contract is formed.

Certain contracts must be in writing to be binding and, in the absence of any interim legislation, cannot be formed electronically, for instance unsolicited consumer agreements. Rules may vary between states.

Contracting on the internet is not expressly regulated in Australia. The Commonwealth Electronic Transactions Act and the corresponding legislation in the States and Territories govern electronic transactions and provide for certain contracts transacted electronically to be legally enforceable as written contracts.

Any personal data collected and processed via electronic contracting must be retained and handled in accordance with the Privacy Act. For example, Australian Privacy Principle (APP) 11 requires certain entities to take measures to ensure the security of personal information and to actively consider whether they are permitted to retain such personal information.

Under the Commonwealth Electronic Transactions Act (and the corresponding legislation in the States and Territories), if a written document (such as an electronic contract) is required to be retained for a particular period, the requirement is taken to have been met if all of the following apply:

There are no official government trusted site accreditations or certification marks for websites in Australia.

Certification is available to Australian businesses in accordance with ISO 27001, an international Information Security Management System Standard. This specifies the requirements and processes for measuring, planning, implementing, maintaining, reviewing and improving an organisation's information security performance and management system. A number of consultancy services are available to assist businesses with meeting the requirements of ISO 27001.

Certain private organisations also provide trusted site accreditations based on verification procedures and the payment of a fee. The verification procedures are determined by the organisation and can include matters such as an assessment of business registration and location, communication channels and payment processes.

The remedies available for breach of a contract apply generally, and do not differ for contracts whether formed online or offline. The appropriate remedies are determined by:

The remedies sought by a party to the contract can include termination of the contract or damages in connection with the breach. These remedies are available regardless of whether the relevant contract was formed electronically or not.

In Australia e-signatures are regarded as a subset of electronic signatures. Prompted by the need to digitally sign documents during the pandemic, state jurisdictions responded differently in permanently codifying the right to signing agreements and deeds electronically.

Under federal law, the Electronic Transactions Act (ETA) recognises e-signatures on documents in most instances, provided the document or transaction is subject to the laws of an Australian jurisdiction.

However, there are still some instances in which it is unclear whether an e-signature would be recognised or valid such as in the contract for sale of land or any interest in or concerning land.

The term "e-signature" is not defined in the ETA. The legislation instead specifies the circumstances in which the requirement to obtain the signature of a person will be taken to have been fulfilled in relation to an electronic communication.

Rather than prescribing the format of an e-signature, the person receiving the e-signature can consent to any method or format that identifies the signee and is reliable in the circumstances. The ETA provides that where, under a law of the relevant jurisdiction, the signature of a person is required, the requirement is met in relation to an electronic communication if all of the following apply:

Certain contracts must be in writing to be binding and, in the absence of any interim legislation, cannot be formed electronically, including unsolicited consumer agreements (see Question 7).

The Privacy Act is the key Australian legislation that regulates the collection, storage, use, disclosure, security and disposal of personal information, and the access to and correction of that information. The Privacy Act applies to the handling of personal information by most Australian Government agencies, private sector organisations with an annual turnover more than AUD3 million and certain small business operators (that is, organisations with a turnover of AUD3 million or less), such as health service providers, credit reporting bodies and businesses that have opted-in to the Privacy Act.

Privacy and data protection laws are also contained in other Commonwealth, State and Territory legislation and may apply depending on the type of:

Other legislation, regulations and rules that confer rights or obligations relating to privacy include the My Health Records Act 2012 (Cth), the Health Care Identifiers Act 2010 (Cth) and the My Health Record Rule.

For further information on data protection laws in Australia, see Data Protection in Australia: overview.

The Privacy Act regulates the handling of "personal information". This is defined as any information or opinion about an identified, living individual, or an individual who is reasonably identifiable, whether the information is:

The Privacy Act separately defines "sensitive personal information", which is a subset of personal information. Sensitive personal information includes health and genetic information as well as information or an opinion about certain matters including an individual’s racial or ethnic origin, religious beliefs, sexual orientation or practices, political opinions or associations, or criminal record.

The Privacy Act does not regulate business data or any other information that does not identify an individual or from which an individual is not reasonably identifiable.

The Privacy Act contains 13 Australian Privacy Principles (APPs) that regulate the handling of personal information generally, including the collection and the use or disclosure of such information. Under the Privacy Act, when collecting personal data, an APP entity (as defined in the legislation) must:

Additional rules apply in relation to "sensitive information", which is information that is considered to be ''personal information'' and that also contains, without limitation:

An APP entity must not collect sensitive information about an individual unless one of the following applies:

The legislation does not contain specific limitations on the storage of personal data in the cloud. General security obligations apply, (regardless of where the information is stored), requiring the APP entity to take reasonable steps in the circumstances to protect the information from misuse, interference and loss, unauthorised access, modification or disclosure.

A vast number of government bodies and regulators have the power to access or compel the disclosure of information related to its monitoring, regulation and/or enforcement activities. The rights of these government bodies and regulators are typically contained in legislation, setting out their roles, functions and powers. For example, under section 49(3) of the Australian Securities and Investments Commission Act 2001 (Cth), if the Australian Securities and Investments Commission (ASIC) reasonably suspects or believes that a person or business can give information relevant to a prosecution for an offence, the ASIC can order the individual or business to give all reasonable assistance (including the provision of personal information) in connection with the prosecution. Failure to comply with this notice is an offence.

In addition, the APPs contained in the Privacy Act provide that an APP entity (as defined in the Privacy Act) can use or disclose personal information where it reasonably believes that the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

Under the Privacy Act, enforcement related activities include the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence gathering activities. A list of enforcement bodies is specified in the Act and includes government bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions, such as the Australian Federal Police, Customs, the Immigration Department, and the Australian Securities and Investments Commission.

The use of cookies is permitted in Australia. Australia does not currently have laws requiring specific consent to the use of cookies or imposing express restrictions on the use of cookies.

While cookies do not typically contain personal information, if a cookie contains personal information or can be combined with other information so that it could reasonably be used to identify an individual, the use of the cookie may be subject to the Privacy Act.

Profiling and targeted advertising may attract further regulation in Australia if the Privacy Act is amended. In its Privacy Act Review Report, the Federal Attorney-General’s Department recommended increased obligations on handling personal information for direct marketing, targeting and trading purposes. If introduced, entities may need to allow individuals to opt out of their personal information being used or disclosed for direct marketing purposes, and from receiving targeted advertising.

If an internet transaction involves the collection, disclosure or transfer of personal information by an APP entity (as defined in the Privacy Act), APP 11 (see Question 16) will apply. This requires the APP entity to take reasonable steps in the circumstances to protect the information from:

If the internet transaction involves accepting, processing, transmitting or storing cardholder data in connection with a debit or credit card transaction, the online business must comply with the Payment Card Industry Data Security Standards (PCI-DSS). PCI-DSS compliance is expected of all Australian businesses, regardless of their size.

Encryption may be required within a particular industry or as a pre-requisite to providing services to certain customers (such as Government bodies). Generally, the use of encryption is not mandatory for all online businesses.

The Telecommunications Act requires carriage services providers (CSPs) (such as ISPs), to be able to encrypt, format and decrypt communication passing over the CSP's network or facility, in accordance with an interception warrant under the Telecommunications (Interception) Act 1979. CSPs are not responsible for decrypting communications that have been encrypted by a user or by an over-the-top communications provider.

Under the ACL, when imposing a surcharge on customers for making a payment using a credit, debit or prepaid card, the level of the surcharge must not be excessive. A payment surcharge is excessive if the surcharge exceeds the amount of the business' costs of acceptance for each designated payment type. For most merchants, these costs will be based on what they are charged for payments by their acquirer or payment facilitator and include:

Certain additional types of costs paid to other providers can be included if they are directly related to accepting that particular card type. These are:

The ePayments Code (Code) regulates consumer electronic payments in Australia such as:

The Code provides a consumer protection regime for payment facilities by requiring effective disclosure of information to enable consumers to make informed decisions about:

The Code is a voluntary code of practice monitored by the Australian Securities and Investments Commission but most banks, credit unions and building societies subscribe to the Code.

The Online Safety Act 2021 provides that social media services, relevant electronic services or designated internet services can be issued with a removal notice by the eSafety Commissioner in relation to any cyber-bullying material of an Australian child. For a notice to be issued, the material must first have been the subject of a complaint to the provider of the service and the provider must have failed to remove it within 48 hours of the complaint.

Australia has in place certain regulatory and self-regulatory codes governing the promotion of products to children. The codes have been developed to ensure that advertisers and marketers develop and maintain a high sense of social responsibility in such advertising and marketing.

The codes, which will apply when advertising online (including via a website) or when advertising an online business in any other media, include:

Australian law does not provide any specific protection to companies that resell or market online digital content, services or software licences provided by a foreign supplier. However, certain legislation such as the Competition and Consumer Act 2010 (and the ACL) are expressed to have extra-territorial effect, which may bring foreign suppliers within scope.

Linking is generally acceptable and will not infringe copyright associated with the linked website or material. However, it is prudent to exercise care when deep-linking or framing to ensure that:

The Copyright Act does permit the copying or reproduction of copyright material for the purposes of caching or indexing, in limited circumstances, such as:

Under the current .au Domain Administration Rules: Licensing (Domain Name Rules), the registration of an Australian domain (.com.au, .net.au, .org.au, .id.au, .edu.au) depends on whether the entity is an Australian registered entity or a foreign entity.

For an Australian registered entity (such as an Australian registered company or the holder of an Australian Business Number), the domain name must be either:

For a foreign entity, the domain name must:

The .au Domain Administration Ltd (auDA) is the authority responsible for developing, administering and enforcing policies dealing with the registration of .au domain names, including the Domain Name Rules.

Under the current Domain Name Rules:

The registration of a domain name does not confer proprietary rights in the domain name. Registration gives the licence holder the right to use that domain name for the licence period, subject to the applicable terms and conditions.

Registering a domain name also does not give any ownership rights (including trade mark rights) over the name or words used in the domain name.

A domain name may be registrable as a trade mark in Australia, however, such an application will often require additional verification requirements.

In Australia, business names, company names and trade marks are used for different purposes and require different types of registration.

When registering a company, the entity is required to select a name. Provided the name is not identical to an existing company name and does not contain any restricted words (where the approval of a specified minister or government agency has not already been obtained), the name can be registered with the ASIC. It is also possible to reserve a company name prior to registering the company.

A trader (whether an individual, company or other business) should register a business name in Australia if it wishes to trade under a name that is not its own name. For example, a sole trader with the name Amy Sutton can trade using the name, "Amy Sutton", but must register a business name if she wishes to trade as, "Amy Sutton Consulting." Similarly, a company with the name Sutton & Co Consulting Pty Ltd can trade as, "Sutton & Co Consulting" but must register a business name if it wishes to trade using an abbreviation of the company name, "Sutton & Co".

When determining the jurisdiction for internet transactions or disputes, the courts can have regard to a range of factors including, without limitation:

An online business can nominate the jurisdiction for an internet transaction or dispute. However, Australian case law suggests that this will not always be enforceable as the courts will have regard to the location of the parties and where the publication of information pertaining to the dispute occurred.

In addition, under the ACL, a term of a consumer contract is prohibited if the term is unfair, and the contract is a standard form contract. An online agreement, including a click wrap agreement, will be considered a standard form consumer contract if it is for supply of goods or services to an individual for personal, domestic or household use or consumption, and the contract is not negotiated between the parties (beyond changes of a minor or insubstantial effect).

If the governing laws and jurisdiction specified in such a contract would prevent or hinder a consumer from enforcing their rights by requiring that the consumer commence proceedings in a foreign jurisdiction, such terms may be deemed unfair.

Except in relation to domain name registration disputes (which, where the dispute relates to .au registrant eligibility are handled by the Australian Domain Name Administrator), Australia does not have in place a regime or ADR body that specifically deals with online traders and their customers.

The ADR options and remedies that are available to online traders and their customers in Australia are the same as those available for offline transactions and disputes. A specialist dispute tribunal, or a small claims tribunal, is available in most states and territories to resolve a wide range of everyday disputes. The following tribunals can be used by consumers to resolve disputes about the supply of goods and services ordered online:

When submitting an application to a tribunal, the applicant must nominate the type of orders sought from the tribunal. These orders can include payment of a monetary amount, the delivery of goods or other orders which may be specified by the applicant.

In July 2020, the Australian Influencer Marketing Council (AIMCO) released the industry’s first Influencer Marketing Code of Practice. The code sets out the best practices on a range of matters, including:

Generally, the rules applicable to advertising goods, services online and via social media, and conducting trade promotion lotteries online, are the same as those that apply offline. All advertising and promotions must comply with the ACL, which states that businesses (including online businesses) must not:

The above list is not exhaustive and additional restrictions and prohibitions may apply.

In January 2023, the ACCC announced that it had launched a social media "sweep" to discover misleading testimonials and endorsements by social media influencers (across a range of social media platforms), following tip-offs from consumers. The regulator plans to publish its findings following its analysis, and it is possible that the sweep will lead to enforcement action from the regulator.

If conducting a trade promotion lottery, whether on a business website or via social media, the business is responsible for obtaining any necessary permits and for otherwise ensuring that the promotion complies with the laws of the jurisdictions in which the promotion is being conducted.

When advertising online or via social media, it is of particular importance to ensure that any disclaimers, limitations or special terms and conditions are clearly communicated to consumers. Limitations on the size of an advertisement (such as a banner ad) or the number of available characters (such as in a tweet) will not remove or reduce the obligations that exist at law and may increase risk to the online trader.

Regulations and guidelines apply to the advertising and sale of certain goods and services generally including, without limitation:

Certain licensing and regulatory authorities also impose conditions on the advertising of certain goods and services, whether advertised online or offline. For example, in relation to the advertising of therapeutic goods (medicines and medical devices), advertisements must comply with the Therapeutic Goods Act 1989 (Cth), the Therapeutic Goods Regulations 1990 (Cth) and the Therapeutic Goods Advertising Code. These legislative instruments ensure, among other things, that prescription medicines are only advertised to health professionals. Only non-prescription medicines (such as over the counter and non-prescription complementary medicines) can be advertised to consumers.

Licensees, or online businesses that operate within a regulated industry, must check with the relevant licensing or regulatory authority prior to engaging in any advertising or marketing, or otherwise seeking to sell a regulated product.

Unsolicited commercial electronic messages (such as text messages and e-mails) are prohibited. Commercial electronic messages must (Spam Act 2003 (Cth)):

There is also an increased focus on the regulation of scam SMS messages. In 2022, the ACMA registered the Reducing Scam Calls and Scam SMS Industry Code (Scams Code), which requires telecommunications providers to identify, trace and block SMS scams. It also requires telcos to publish information about scam messages for consumers, share information with other telcos and to report scams to the regulator.

The Federal Government also recently requested the ACMA to investigate the creation of a SMS sender ID register, which can act as a blocking list to prevent scammers from impersonating brands.

There are no specific language requirements in Australia for a website that targets Australian residents or whose target market includes Australia.

A broad-based consumption tax called the Goods and Services Tax (GST) is imposed on certain goods and services supplied in Australia.

Sales of goods and services concluded online often constitute a taxable supply and will be subject to taxation under the GST legislation, unless they are GST-free or input-taxed.

An online business makes a taxable supply if all of the following applies:

GST amounts collected by an online business must be remitted by the business to the Australian Taxation Office, subject to any input tax credit entitlements of the business.

Any business that holds an Australian Business Number (ABN) can register for GST.

It is mandatory for an online business to register for GST if both of the following apply:

A person may not need to register for GST if the only sales it makes are made through an online marketplace or electronic distribution platform.

In 2016, changes were introduced in respect of GST and cross-border transactions. The intended effect of the changes is to reduce compliance obligations of non-resident businesses. In particular, the test for carrying on a business in Australia has changed such that, in most instances, a non-resident business will only be required to register for GST if it is based in Australia for more than 183 days in a 12-month period and it has a GST turnover of AUD75,000 or more. The changes also limit the cases where a non-resident entity must pay GST on supplies of things done in Australia and extended the GST-free (zero rate) rules for certain supplies made to non-residents.

In 2017, changes were introduced (with effect from 1 July 2018) which extended GST to include low value imported goods.

The GST turnover of a business is determined by calculating its gross business income excluding GST for either the 12 months leading up to the current month (current GST turnover) or the 12 months starting with the current month (projected GST turnover).

The online business must register for GST within 21 days of reaching the turnover threshold and must hold an ABN in order to register. Applications for an ABN and for GST registration are made to the Australian Taxation Office.

In 2022, the Federal Government passed legislation to introduce a "Sharing Economy Reporting Regime", which requires electronic platform operators to report certain transactions to the Australian Taxation Office. The regime is designed to ensure that sellers in the "sharing economy" comply with their tax obligations and do not have an unfair advantage. The regime will commence for transactions made from 1 July 2023 for the supply of taxi services and short-term accommodation and from 1 July 2024 for other reportable transactions.

Various laws govern liability for website contents, including (but not limited to) the:

There are also a range of criminal offences under the Criminal Code Act 1995 that can apply to providers of online services, such as for failing to refer details of abhorrent violent material to the Australian Federal Police, or for failing to remove or cease hosting abhorrent violent material.

Laws and regulations that apply in an offline environment apply equally to a website and associated content.

Various laws govern liability for website contents, including the:

Laws and regulations that apply in an offline environment apply equally to a website and associated content.

Under the Corporations Act, the name and the Australian Company Number (ACN) of a website operator must be included in all public documents (such as emails, websites and any legal documents published on a website, include any terms of use and privacy policy) and eligible negotiable instruments. This requirement applies regardless of whether the website operator provides a consumer-facing or business-facing website.

The ACN is a unique nine-digit identifier that is issued by the ASIC when a company is incorporated. The ACN does not change throughout the company's life and remains the same even if the company name changes.

A company can use the ABN (see Question 36) with the company name in place of the ACN, provided that the following applies:

There are no express requirements regarding the placement of such identifiers.

Where a company or business is subject to the Privacy Act , it must also provide a privacy policy (which must comply with the requirements of the Privacy Act).

Generally, the operator of a website is liable for the content displayed on that website, even where the content has been provided by a third party, such as through a blog or other facility. In the light of this and as a measure to limit its liability, it is prudent for a website operator to:

In addition, in a judgement of the Court of Appeal of the Supreme Court of New South Wales in June 2020, it was upheld that media companies were publishers of comments posted to their public Facebook pages by third party users. Since then, the High Court has dismissed appeals from the judgement of the Court of Appeal. Accordingly, media companies can be liable for allegedly defamatory comments made by third parties on such public pages.

An ISP is not under any obligation to shut down a website, remove content, or disable linking due to the website's content without permission. However, these obligations can be provided for in the ISP's terms of service.

In early 2015, the Copyright Amendment (Online Infringement) Bill 2015 (Cth) was introduced to amend the Copyright Act 1968 (Cth). It enables a copyright owner to apply to the Federal Court for an injunction requiring a carriage service provider to take reasonable steps to block access to overseas websites that have the primary purpose of providing users with access to material which infringes copyright.

In a 2017 decision of the Federal Court of Australia, it was observed that:

Australian government agencies also have the power to compel ISPs to block certain websites where the Commonwealth government agency or the State or Territory government agency considers it reasonably necessary for the purpose of (section 313, Telecommunications Act 1997 (Cth)):

While detailed legislation relating to products or services supplied online does not exist in Australia, all products that are supplied in Australia (whether online or not) must be safe and must meet the consumer guarantees under the ACL. The consumer guarantees are automatic guarantees for the benefit of a consumer whenever they purchases products or services.

Businesses must guarantee the products and services they sell, hire or lease where the value of those products or services is:

If a business fails to deliver any of the guarantees, a consumer has the right to either:

Certain products may also be subject to specific regulations that prescribe product safety requirements, labelling requires or impose restrictions on the sale of certain types of goods.

Insurance requirements are determined by the type of business operated by the online business, which must obtain advice as to the kind and level of protection it requires based on its own business type and needs. Generally, insurance options available to businesses consist of:

Certain forms of insurance are also mandatory. For example, if the online business employs any person in Australia, workers compensation obligations must be satisfied in accordance with the regulations in place in the State or Territory in which each person is employed.

In July 2019, the Australian Government released the Australian Competition & Consumer Commission's (ACCC) Digital Platforms Inquiry Final Report (Final Report). The Inquiry was conducted to consider the impact of online search engines, social media and digital content aggregators (digital platforms) on competition in the media and advertising services markets. The Final Report contains 23 recommendations relating to matters such as:

As part of the Federal Government's response to the findings of the Inquiry, in February 2020 the ACCC was directed to undertake two further inquiries, as follows:

In February 2023, the Federal Attorney-General’s Department released the Privacy Act Review Report (Privacy Act Report). The Privacy Act Report contains 116 specific proposed changes to be made to the Privacy Act. If implemented, these proposals will drastically change the privacy landscape in Australia and have implications for all organisations that collect, handle, use and disclose personal information.