First tranche of Privacy Act reform has landed with parliament, further reforms are urgent


Yesterday the Privacy and Other Legislation Amendment Bill 2024 (the Bill) was introduced to the Parliament of Australia.

The Bill proposes to enact the first tranche of reforms arising from the agreed proposals in the Government’s response to the Privacy Act Review, which has been ongoing since 2020. The Bill must be passed by both Houses of Parliament and receive Royal Assent before the proposed amendments take effect.

The proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act) are extensive and aim to clarify the objectives of the Privacy Act, strengthen regulatory enforcement tools and improve overseas data flows. Other key changes include the introduction of a children’s online privacy code, improved information-sharing for emergencies and after eligible data breaches, and increased transparency when entities are automating significant decisions involving personal information, including the use of AI tools.

The Bill also seeks to introduce a new statutory tort for serious invasions of privacy, allowing individuals to seek remedies such as compensation, and new criminal offences that apply specifically to doxxing, the intentional and malicious exposure of a person’s personal information online.

In the second reading speech on the Bill, the Attorney-General, the Hon Mark Dreyfus, highlighted the paramount importance of the Bill in the digital age and stated that the Bill implements the “first tranche of agreed recommendations of the Privacy Act review, ahead of consultation on a second tranche of reforms.”

The Office of the Australian Information Commissioner (OAIC) has welcomed and expressed support for the Bill. However, Australian Privacy Commissioner Carly Kind has commented that “much more needed to be done” and highlighted the need for further reforms. On this point, Commissioner Kind said, “we are eagerly awaiting the second tranche of privacy reforms, dealing with much needed reforms including a new positive obligation that personal information handling is fair and reasonable”.

She also stated that “The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors. Further reform of the Privacy Act is urgent, to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.”

As we continue to review the Bill and its implications, we provide an overview of some of the key changes that have been proposed, as outlined in the Explanatory Memorandum.

Summary of proposed changes

  • Clarified objectives – The objectives of the Privacy Act are to be amended to clarify that the objects include “promoting the protection of individuals’ personal information, and to recognise the public interest in protecting privacy”.
  • Code-making powers – The Commissioner will be provided with enhanced code-making powers, for example to make APP codes that give greater clarity about how the Australian Privacy Principles (APPs) are to be complied with.
  • Emergency declarations – Emergency declaration powers are to be enhanced to allow improved sharing of personal information as might be needed to better assist individuals affected by emergencies or disasters.
  • Child protection – There will be the development of a children’s online privacy code.
  • Security measures – The amendments clarify that the “reasonable steps” an APP entity must take under APP 11 to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure include technical and organisational measures. In practice, this means that an entity’s security controls (for example access control, encryption, logging and monitoring) and its governance arrangements (policies, training, incident response) are both relevant to whether it has met its obligation.
  • Overseas data transfers – A mechanism is to be introduced to prescribe countries and binding schemes that provide substantially similar privacy protections to the APPs to enhance the flow of information outside of Australia and ensure privacy of individuals is still respected.
  • Eligible data breaches – The Minister is given powers to make a declaration to allow entities to handle personal information in a manner that would usually not be permitted by the APPs or certain secrecy provisions to better prevent or reduce the risk of harm to individuals in the event of a data breach.
  • New civil penalties – New civil penalties are proposed for breaches of the Privacy Act, scaled to the seriousness of the interference with privacy, to give the Commissioner more enforcement options to deter non-compliance and to tailor penalties to the seriousness of the contravention. The proposed penalty tiers are:
    • Serious or repeated interferences with privacy – The maximum civil penalty is an amount not exceeding the greater of $50 million, three times the value of the benefit obtained from the conduct constituting the serious or repeated interference with privacy or, if that value cannot be determined, 30% of adjusted turnover in the relevant period. The maximum penalty is $2.5 million for persons who are not bodies corporate. This maximum penalty has applied since the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. The amendments seek to clarify what constitutes a “serious” interference with privacy, and therefore which breaches should attract the maximum penalty.
    • Interferences that are not serious – The maximum penalty would be 2,000 penalty units ($660,000 at present) for individuals and 10,000 penalty units ($3.3 million at present) for bodies corporate. An example given of an interference subject to this penalty is an APP entity failing to notify individuals of an eligible data breach within the prescribed reporting period.
    • Administrative breaches – These are specific breaches of the APPs, such as failing to include the required information in a privacy policy, or lodging a non-compliant eligible data breach statement, and would be subject to infringement notices. The maximum penalty would be 200 penalty units ($66,000 at present) for individuals and 1,000 penalty units ($330,000 at present) for bodies corporate. The Commissioner could issue infringement notices for alleged contraventions of these civil penalty provisions to encourage compliance and avoid litigation. The amount stated in an infringement notice would be 12 penalty units ($3,960 at present) for individuals and 60 penalty units ($19,800 at present) for bodies corporate; listed corporations would face a higher amount of 200 penalty units ($66,000 at present).
  • Expanded court jurisdiction – The Federal Court of Australia and the Federal Circuit and Family Court of Australia will be able to make any order they see fit where there has been a contravention of a civil penalty provision.
  • Public inquiries – The Commissioner will be given the power to conduct public inquiries into matters approved by the Minister, for example practices that show systemic or industry-wide issues relevant to individuals’ privacy.
  • Directions – The Commissioner will be given the power to make a determination requiring a respondent to a privacy matter to perform “any reasonable act or course of conduct to prevent or reduce reasonably foreseeable future loss or damage”. The intention is to allow the Commissioner to require respondents to take proactive steps following a privacy breach, rather than only remedying harm already suffered.
  • Enhanced enforcement powers – OAIC will have the power to use general investigation and monitoring powers arising under the Regulatory Powers (Standard Provisions) Act 2014 (Cth) to improve the success of regulatory actions.
  • Automated decision making – There will be requirements for entities to include information in their privacy policies about the kinds of information used in, and types of decisions made by, computer programs (including AI technologies) that use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual. These requirements will be in addition to the separate obligations that apply to use of AI technologies governed by the Voluntary AI Safety Standard and mandatory guardrails to apply in high-risk settings, which we outlined in our previous article.
  • New statutory tort for serious invasions of privacy – A new statutory tort will be introduced to protect against a broader range of privacy interferences and to give individuals access to a range of remedies, including compensatory damages and injunctions. An individual will have a cause of action if they suffer an invasion of their privacy, either by an intrusion into their seclusion or by misuse of information relating to them, where a person in their position would have had a reasonable expectation of privacy in all the circumstances, the invasion of privacy was intentional or reckless, and the invasion of privacy was serious. A range of defences and exemptions for legitimate activities are proposed.
  • Criminal offence for doxxing – Amendments are proposed to the Criminal Code Act 1995 (Cth) to criminalise the release of personal data using a carriage service in a manner that would be regarded as menacing or harassing, conduct commonly referred to as doxxing. There will also be a further, aggravated offence where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

Next steps

While there is still some time before the proposed changes under the Bill are finalised and adopted, businesses can already start considering how these upcoming changes might affect them, so that they can begin improving their privacy compliance maturity, including the technical and organisational security measures they apply to personal information. Businesses should be mindful that this is only the first tranche of proposed changes and that further reform is on the horizon.

If you need help understanding or complying with the Privacy Act, or if you require advice on the proposed reforms from the Privacy Act review, please do not hesitate to contact us.

Note that this article is not intended to provide legal advice or offer comprehensive guidance.
