Last week, Atlassian co-founder Scott Farquhar sparked backlash when he suggested on ABC’s 7.30 that all copyrighted material should be open for artificial intelligence companies to mine under a sweeping “fair use” provision . To many, the call — made while his own company was shedding 150 jobs in roles displaced by AI — felt tone deaf. Days later, at Treasurer Jim Chalmers’ productivity roundtable, Farquhar and ACTU secretary Sally McManus managed a short but surprising breakthrough: a commitment to explore a model for compensating creators when their work is used to train AI .
That is an important debate. Copyright and proprietary rights matter. But in the rush to argue over who gets paid when machines learn, we risk overlooking something even more fundamental: the privacy rights of every Australian citizen. If copyright is about ownership of words and ideas, privacy is about ownership of ourselves. And right now, our laws are not up to the task.
A fragmented framework
Australia doesn’t just have one privacy law. In addition to the federal Privacy Act 1988 (Cth), there are at least nine separate state and territory regimes: Victoria alone has both the Privacy and Data Protection Act 2014 and the Health Records Act 2001. NSW has two as well. The ACT, Northern Territory, Queensland, Tasmania and now Western Australia all have their own frameworks, with WA’s Privacy and Responsible Information Sharing Act 2024 commencing in 2026. South Australia governs through cabinet circulars.
Each of these laws has its own definitions, exemptions, regulators and remedies. A healthcare startup in Melbourne may be subject to both Commonwealth and Victorian rules on the same patient record. A charity might be exempt federally but bound by state law. Even ordinary employee records sit in a grey zone — excluded federally but partly covered in some states.
For citizens, this creates uncertainty: if your data is mishandled, do you complain to Canberra or Spring Street? For organisations, the problem is worse: reconciling these overlapping rules is costly, confusing, and often paralysing.
Complexity that harms
This duplication has real consequences. In health, inconsistent rules have delayed or derailed national research projects and clinical trials — initiatives that could save lives. In business, startups spend scarce capital navigating multiple regulators instead of building privacy-by-design products.
Meanwhile, fragmentation is deepening. WA’s new Act adds another model. NSW and Victoria are actively considering statutory torts of privacy. If that proceeds, Australians could soon face a patchwork resembling the United States, where businesses juggle dozens of state regimes.
Ironically, complexity undermines privacy. Organisations overwhelmed by uncertainty may mishandle data or avoid handling it altogether. Large firms with deep legal budgets can cope; smaller ones cannot — which entrenches incumbents and stifles competition. The result: weaker compliance, reduced trust, and lost opportunities.
A proven solution
There is a clear precedent for fixing this. Two decades ago, company law was equally fragmented. Each state had its own rules, creating uncertainty and inefficiency. The solution was bold but effective: states referred their powers to the Commonwealth, enabling the Corporations Act 2001 (Cth). The result was a unified national rulebook, hailed by business and legal groups as a breakthrough for clarity and consistency.
Privacy deserves the same treatment. Data flows seamlessly across borders. Australians deserve the same rights everywhere, and organisations deserve one set of obligations, not ten.
Building a better framework
A single Privacy Act would not mean lowering standards. On the contrary, it would mean taking the strongest protections from each jurisdiction and making them universal. States could still play a role through specialist commissioners or local offices, but under a harmonised national law.
This would bolster consumer trust — Australians would know exactly where to turn if their rights are breached. It would slash compliance costs for business, particularly startups and not-for-profits. And it would give regulators the clarity to act decisively.
Importantly, it would let us learn from overseas. The EU’s GDPR set a global benchmark but imposed such heavy burdens that innovation slowed, venture capital dried up, and incumbents gained market share. Australia can do better: strong principles, clear rules, and flexibility to adapt — without strangling growth.
Time to act
The Privacy Act 1988 was pioneering when it began. But in 2025, overlapping silos are no longer fit for purpose. With data breaches making headlines and states legislating in different directions, the risks are only growing.
The copyright debate is grabbing attention, and rightly so. But if we care about how AI shapes our future, privacy must be at the centre of the conversation. Who owns our data — and how it can be used — is just as important as who gets paid when machines read our words.=
Just as with corporate law two decades ago, the national interest now demands a unified approach. The federal government should lead, and the states and territories should refer their powers over privacy to Canberra — just as they did for company law in 2001. That would enable the passage of a single, modern Privacy Act covering all Australians, with one regulator overseeing compliance and state offices supporting local implementation.
The Attorney-General should bring this reform to National Cabinet, and premiers should seize the opportunity to end the duplication and confusion. Anything less is complexity for its own sake — and Australians deserve better.
