The landmark three-year review of Australia’s Privacy Act has recommended significant new rights be handed to individuals, including to sue over privacy breaches, have their data erased and to opt out of targeted marketing.

A widespread review of the Privacy Act was launched in 2020 by the former Coalition government on the back of a recommendation from the Australian Competition and Consumer Commission (ACCC) the previous year.

The final report was handed to the Labor government late last year and was released on Thursday morning by Attorney-General Mark Dreyfus.

Among the 116 proposals across 320 pages are for the introduction of a direct right of action and statutory tort for serious invasions of privacy, the inclusion of small businesses in the regulatory scheme and increased powers for individuals to control the use of their own personal information.

The goal of the review was to investigate whether the Act is fit for purpose in the online world, and to ensure the benefits of data-driven technology are realised while individual privacy is protected.

“The Privacy Act has not kept pace with the changes in the digital world,” Dreyfus said.

“The Australian people rightly expect greater protections, transparency and control over their personal information and the release of this report begins the process of delivering on those expectations.”

One of the most significant recommendations from the report is for the introduction of a direct right of action and statutory tort for serious invasions of privacy.

This will give Australians “more agency to seek redress for interference with privacy” through new avenues to seek remedies in the courts.

The direct right of action will allow individuals and groups of individuals to seek remedies in the courts for breaches of the Privacy Act which have caused harm.

“Such a right would be an important measure to enhance individuals’ control of their personal information, and reflect current community expectations,” the report said.

“A direct right of action would increase the avenues available to individuals who suffer loss as a result of an interference with privacy to seek compensation. Empowering individuals in this way may also serve to increase consumers’ bargaining power with businesses that collect and use their personal information.”

These claims would be heard in the Federal Court, with any remedies applicable, including damages.

To access this claim, an individual will first need to make a complaint to the Office of the Australian Information Commissioner and have it assessed for possible resolution.

The report said that the majority of submitters supported this, including academics, regulators, complaints bodies, civil society, unions and finance groups.

Those that opposed it included digital platforms, telecommunications firms, media organisations and tech industry groups.

A statutory tort for serious invasion of privacy should also be introduced, the report found.

“An examination of existing frameworks indicates clear gaps in current privacy protection, and the ability of an individual to take steps to protect themselves and seek compensation for invasion of privacy,” the report said.

“These gaps would be best addressed through a single privacy tort designed to cover the field.”

The report also recommended that a new “fair and reasonable test” be introduced to underpin the activities of entities covered by the Privacy Act when they are handling personal information.

Australia should follow Europe’s General Data Protection Regulation (GDPR) and introduce a right to object, right to request erasure and to have search results de-indexed, the report said.

The exemption for small businesses under the Act should also be removed, it found, after an impact analysis is conducted and these companies are in a position to comply with the new obligations.

Despite calls to end the political exemption, the report recommended this be maintained with new safeguards introduced.

In terms of the enforcement of the Act, new tiers of civil penalty provisions should be introduced to allow for better targeted responses, the review found.

This would include a mid-tier civil penalty provision to cover interferences with privacy with a serious element, and a low level civil penalty provision for specific administration breaches.

There should also be an unqualified right to opt out of targeted ads and personal information being disclosed for direct marketing purposes, the review concluded.

The federal government is now seeking feedback on the final report to inform its response, with submissions due by the end of March.