Privacy Act reforms: work to be done, but more to come

The first tranche of the highly anticipated changes to the Privacy Act 1988 (Cth) (Privacy Act) was tabled in Federal Parliament on 12 September 2024 in the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill).

What’s included?

New statutory tort

The statutory tort for serious invasions of privacy introduces a cause of action against a person who invades another person’s privacy by intruding upon their seclusion (such as physically intruding into a person’s private space, watching, listening to, or recording the person’s private activities or private affairs), or misusing information that relates to a person.

Importantly, this new tort means that a broader range of privacy harms will be actionable. It also provides a cause of action against individuals and entities who are not otherwise required to comply with the Privacy Act. The tort is not unlimited: the plaintiff must have had a reasonable expectation of privacy in the circumstances, the invasion must have been intentional or reckless and serious, and the public interest in privacy must outweigh any countervailing public interest (such as freedom of expression).

Framework for a Children’s Online Privacy Code

To strengthen and protect the privacy of children online, the Bill requires the Australian Information Commissioner to develop and register a Children’s Online Privacy Code (COP Code) within two years of Royal Assent. The Information Commissioner will be required to seek and consider public submissions on the draft Code, and to consult with the eSafety Commissioner and the National Children’s Commissioner.

The COP Code will be an enforceable APP code under the Privacy Act that sets out how the Australian Privacy Principles (APPs) are to be applied or complied with in relation to the privacy of children (the Bill introduces a definition of "child" as an individual who has not reached 18 years). It will apply to the following APP entities (i.e. entities governed by the Privacy Act, being agencies (such as Federal Government departments) and organisations (such as sole traders and companies)):

  • entities that provide a social media service, relevant electronic service or designated internet service (each as defined in the Online Safety Act 2021 (Cth)) that is likely to be accessed by children (even if not specifically targeting them), other than entities providing a health service; and
  • any other entity specified in the COP Code.

The Explanatory Memorandum gives the example of the COP Code setting out how regulated entities must meet requirements in relation to privacy policies and consent notices “by ensuring that information addressed to a child is clearly expressed and understandable – such as through the use of graphics, video and audio content rather than relying solely on written communication”.

New penalty provisions

The Bill introduces an extensive, tiered penalty regime intended to capture a broader range of contraventions. This is a significant departure from the current focus on only penalising the narrow set of practices which constitute “serious” or “repeated” interferences with the privacy of individuals.

If the Bill is passed as currently drafted, the civil penalty provisions and relevant penalties under the Privacy Act would be as follows:

  • for serious interferences with the privacy of an individual, the greater of A$50 million, three times the benefit, or 30% of adjusted turnover;
  • for interferences with the privacy of an individual, a maximum penalty of 10,000 penalty units for bodies corporate (currently A$3.3 million); and
  • for a breach of any of the provisions of the APPs prescribed in the Bill, a maximum penalty of 1,000 penalty units for bodies corporate (currently A$330,000).

Notably, “repeated interferences with the privacy of an individual” has been removed as a standalone civil penalty provision, indicating that entities may instead face cumulative penalties for multiple “interferences with the privacy of an individual”.

Further enhancement of OAIC regulatory powers

The Office of the Australian Information Commissioner (OAIC) would be granted a range of new powers to assist in its investigative and enforcement functions, including:

  • a power to conduct public inquiries; and
  • the standard monitoring and investigations powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth), including entry, search and seizure powers in relation to documents relevant to investigations.

Increased transparency for automated decisions

The Bill contains measures intended to increase transparency about an APP entity’s use of computer programs, including artificial intelligence, for automated decision making (ADM).

If an APP entity uses an individual’s personal information in an ADM system to make a decision (or to do something substantially and directly related to making a decision), and the decision could reasonably be expected to significantly affect the rights or interests of the individual, then the entity would be required to describe in its privacy policy the kinds of:

  • personal information used in ADM; and
  • decisions made by ADM.

The Bill defers commencement of this requirement until 24 months after Royal Assent, giving entities time to inventory the decision systems in which personal information is used.

Overseas data flows

The Bill provides for a ‘whitelist’ of overseas jurisdictions (to be developed and included in the regulations). Entities will be able to transfer personal information to recipients subject to the laws of these prescribed jurisdictions (subject to compliance with any other conditions in the regulations) without back-to-back contractual protections. Notably, however, the Bill does not include standard contractual clauses for use with counterparties outside of whitelisted jurisdictions (a concept provided for in the EU GDPR).

Securing personal information

The requirement that APP entities take reasonable steps to protect personal information would be amended to specify that such steps include “technical and organisational measures”, echoing the wording of Article 32 of the EU GDPR. This makes clear that technical controls alone are not sufficient: entities are also expected to implement formal organisational measures to protect personal information, such as data breach response planning and senior executive and board oversight of cybersecurity measures. Guidance on what these measures are expected to include is anticipated to be developed by the OAIC.

Enhanced information sharing during data breaches and emergencies

The Bill introduces provisions to allow declarations to be made that permit entities to handle personal information in ways that would otherwise breach the APPs in order to facilitate information sharing in emergencies and significant data breaches to reduce the risk of harm to individuals. For example, entities may be permitted to share personal information with banks to enable the banks to provide enhanced monitoring to customers who may have had their financial details stolen.

Doxxing offences

The Bill also proposes amendments to the Criminal Code Act 1995 (Cth) to introduce new criminal offences for using a carriage service to make available the personal data of an individual in a way that reasonable persons would regard as menacing or harassing towards that individual (known as ‘doxxing’), with a more serious offence where the individual is targeted because of a protected attribute such as race or religion.

What’s excluded?

The following anticipated reforms were not addressed in the Bill:

  • the introduction of the ‘fair and reasonable’ test, which would require businesses to ensure that the collection or processing of personal information is ‘fair and reasonable’ notwithstanding that the individual had provided consent to the business to do so. This will be included in the second tranche of privacy reforms, according to Australian Privacy Commissioner Carly Kind;
  • the proposed removal of the employee and small business exemptions, which would require a significant investment in privacy compliance by entities that currently rely on the exemptions;
  • the inclusion of provisions to address harms associated with direct marketing, targeted advertising and online content and trading in personal information, including allowing individuals to opt-out of targeted advertising;
  • the introduction of a number of additional individual rights modelled on the GDPR; and
  • a direct right of action, which would allow individuals to apply to seek remedies in relation to an interference with privacy.

We've previously identified the measures APP entities should consider taking to uplift their data handling practices. We recommend entities continue to pursue these activities while the full suite of amendments to the Privacy Act crystallises over the next 12-24 months.


Authors

James North

Head of Technology, Media and Telecommunications

Clare Mould

Special Counsel

Angelina Yurlova

Senior Associate


Tags

Technology, Media and Telecommunications; Litigation and Dispute Resolution

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.