The report found vulnerable Australians need better data protection and suggested enhanced guidelines on data destruction, boosted reporting obligations for breaches, new penalties and new powers for the information commissioner among 116 proposals.
Attorney-General Mark Dreyfus commissioned the Privacy Act review shortly after taking office last year, and the government had already increased penalties for serious breaches following the Optus attack in 2022, which exposed the personal details of customers.
But a proposal that small businesses be covered by privacy laws has been met with concern by the sector.
CPA Australia's Gavan Ord said small businesses were under pressure and needed more support, not further regulation and red tape.
"Improvements in privacy protections can be achieved by helping businesses with an educative approach rather than more rules," he said.
"We want to see small businesses incentivised in the May budget to improve their use of technology and enhance their cybersecurity and data privacy."
But Australia's peak tech body was pleased with the call, having previously made the recommendation.
"It is pleasing the review has accepted the AIIA (Australian Information Industry Association) recommendation to remove the SME carve-out under the act so the Australian privacy regime is cross-economy and consumers may have confidence in entrusting their personal information to businesses of all sizes," association CEO Simon Bush said.
"We accept that Privacy Act obligations upon SMEs will need to be implemented in a way that ensures these businesses receive adequate education and time to comply with new obligations."
Mr Dreyfus said the review showed the government was taking data protection seriously.
"Strong privacy laws are essential to Australians' trust and confidence in the digital economy and digital services provided by governments and industry," Mr Dreyfus said.
"The Privacy Act has not kept pace with the changes in the digital world. The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams."
The review, which says its proposals are intended to bring Australia's privacy laws in line with global standards, noted "considerable confusion" among stakeholders about what the legislation covers as personal information.
It proposes better guidelines on the steps entities should take to destroy and de-identify stored data, adding that entities should periodically review how long they are retaining data.
It also calls for a further review of related laws that require personal data to be retained, to check whether they correctly balance privacy risks against other objectives.
New reporting obligations would require the Information Commissioner to be told about a breach within 72 hours of the entity becoming aware of it, rather than within the 30 days currently allowed for an assessment.
The commissioner would also have stronger powers for public investigations and determinations, along with stiffer civil penalties.