After consultation, and several years of inquiries, reviews and reports, the Privacy and Other Legislation Amendment Bill 2024 (Cth) was introduced to Parliament on 12 September 2024. You can find the Bill and Explanatory Memorandum here.

If enacted in its current form, the Bill will implement 23 of the 25* legislative proposals that the Government noted as 'agreed' in the Government's Response to the Attorney-General's Privacy Act Review Report. You can find the Government's Response in full here

The Government's Response 'agreed' or 'agreed in principle' with 106 of the 116 proposals in the Privacy Act Review Report. So, you may be asking yourself, what about the remaining proposals?

Well, the Attorney-General in his second reading speech, stated "[t]his Bill is an important first step in the Government’s privacy reform agenda, but it will not be the last …. the Attorney-General’s Department will develop the next tranche of privacy reform for targeted consultation, including draft provisions" in the coming months, and concluding with "this Labor Government is committed to genuine privacy reform". It is therefore clear that further reform is on the horizon. 

Nonetheless, the Bill still proposes significant reforms, particularly in relation to enforcement and penalties, new privacy policy content requirements for relevant automated decision making process, development of a new children's online privacy code, introduction of a new statutory tort giving individuals the right to take action for privacy breaches independently of the privacy regulator, and the criminalisation of doxxing. 

Below we highlight some of the elements of most interest to clients.

Key items in the Bill

  • Automated decision making (ADM) processes: The Bill introduces new transparency obligations for ADM processes, which means including specific details about your use of ADM processes in your privacy policy. 
  • The ADM processes relevant to this requirement will be those that use a computer program to make, or do a thing that is substantially and directly related to making a decision, that uses personal information about an individual, which could reasonably be expected to significantly affect the rights or interests of that individual. For example, this may include decisions that affect an individual's right to access a significant service or support, or affect their rights under a contract, agreement or arrangement.
  • This means you will need to understand your use of relevant ADM processes, any personal information used in those processes, and whether the resulting decisions would reasonably be expected to significantly affect the rights or interests of the individual, and update your privacy policy accordingly.
  • Offshore disclosures: The Bill aims to facilitate offshore disclosures under APP 8 to certain countries. The Bill will allow regulations to be made to 'white list' countries that are considered to have substantially similar privacy protections to the APPs under the Privacy Act, and mechanisms to enable the individual to take action to enforce those protections. This will be a welcome change, providing certainty for disclosures to those countries (and reducing cost of making assessments on the application of the exception under APP 8.2(a). That said, you will still need to understand the offshore disclosures of personal information you are making, in order to identify those that are to white listed jurisdictions, and ensure the remainder still meet the requirements of APP 8.1 (or another exception in APP 8).
  • While this change is similar to the concept of an adequacy decision under the GDPR, it will only assist for offshore disclosures made by entities subject to the Privacy Act to recipients in the white listed countries (but will not assist with inbound disclosures made to them by offshore third parties).
  • Security of personal information: You are already required to take 'reasonable steps' to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify personal information when it is no longer needed for a purpose for which it can be lawfully used or disclosed under the APPs, particularly APP 6. This requirement remains unchanged, but the Bill clarifies that 'reasonable steps' includes both technical measures (such as, encryption) and organisational measures (such as, staff training programs). Whilst this reflects existing OAIC guidance, it reflects the strong focus of the OAIC in recent years on the need for entities to have robust data governance, data security and data minimisation, retention and destruction practices. 
  • Code making powers:  The Australian Information Commissioner (OAIC) will have enhanced code making powers to provide greater clarity on the application of the APPs to certain sectors. Further, and in theme with Government calls to regulate access to social media by children, the OAIC will be required to develop and register a Children's Online Privacy Code for social media platforms, and certain other categories of electronic and internet services that are likely to be accessed by children (and which are not health services). The Attorney-General noted in his second reading speech that $3 million in funding over three years has been allocated to the OAIC to develop this Code.
  • New penalties: The Bill amends the penalty provisions to:
  • clarify that the existing civil penalty provisions apply to 'serious interferences with privacy' (removing the words 'or repeated'), and also to set out the factors that may be taken into account in determining whether an interference is 'serious' (such as, the kind and sensitivity of the information, the number of individuals affected, whether those individuals include any children or others experiencing vulnerability, the consequences or potential consequences of the interference). Under the Bill the civil penalty provisions for serious interferences with privacy remain the same, namely:
  • $50,000,000;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention -3 times the value of that benefit; or
  • if the court cannot determine the value of that benefit, 30 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
  • expand the powers of the Court in civil penalty proceedings to allow the Court to use its initiative during such proceedings to make other orders (such as, orders for compensation and orders requiring the entity to publish a statement about their non-compliance), or to make such orders subsequently upon application by an affected individual or the OAIC;
  • introduce a new civil penalty provision of up to 2,000 penalty units for individuals and 10,000 penalty units for corporates (i.e. currently $660,000 for corporates) for other interferences with privacy (i.e. those that do not meet the threshold of 'serious'); and
  • prescribe new circumstances for the issuing of infringement notices of up to 200 penalty units for individuals and 1,000 penalty units for corporates (i.e. currently $330,000 for corporates) for a range of compliance failures, including:
  • a failure to have an up-to-date privacy policy;
  • a failure to include all required information in your privacy policy;
  • a failure to allow an individual to deal with you anonymously or using a pseudonym in circumstances required by APP 2;
  • a failure to include an opt-out means in certain marketing material as required by APP 7; and
  • a failure to provide a timely response to a correction request as required by APP 13.5.

     These new penalties are expected to be a more accessible enforcement 'stick' for the OAIC. 

  • New investigation powers: The Bill expands the OAIC's investigation powers to include search and seizure powers, and the power to conduct public inquiries into matters that are directed or approved by the Minister.
  • Information sharing in the event of eligible data breaches: The Bill provides the OAIC with the power to make declarations to permit the sharing of personal information about affected individuals between entities involved and agencies in the event of an eligible data breach (i.e. a notifiable breach). These declarations can be made where necessary or appropriate to prevent or reduce the risk of harm to affected individuals, and will specify the types of personal information that can be collected, used and disclosed, the relevant entities and agencies and the purposes of the information sharing. This will be a welcome reform which assists to streamline incident response processes, and may also assist to reduce the steps required to be taken by affected individuals themselves in response to a relevant data breach.
  • Statutory tort for serious invasions of privacy: One of the most significant proposed reforms is the introduction of a cause of action for individuals if their privacy is seriously invaded by someone intruding into their private space (e.g. physically or by watching or recording their activities) or misusing their information in circumstances where there is a reasonable expectation of privacy. This new tort will enable individuals to take action where their privacy is intentionally or recklessly encroached, seeking damages. The Court can also grant a range of other remedies in addition to, or instead of damages, including an injunction to prevent further such invasions of privacy. The Bill provides for a number of defences, including where the defendant has acted with lawful authority or with consent, in circumstances of necessity or defence of persons or property, or where information has been published which would be protected by certain defences under an action for defamation. Exemptions are provided for journalists (and their employers and assistants), enforcement bodies, intelligence agencies and persons under 18.
  • Criminalisation of doxxing: The Bill will introduce new criminal offences prohibiting the release of personal data using a carriage service in a manner that is menacing or harassing, commonly known as 'doxxing'. The Explanatory Memorandum describes doxxing as the "intentional malicious exposure of an individual's personal data online". However, as drafted, the offences do not require that the conduct be intentional or malicious. Further, no defences or exemptions have been included. The offences will carry a maximum penalty of 6 years' imprisonment, increased to 7 years where a person is targeted on the basis of race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or ethnic origin.

Other Relevant Reforms

The changes proposed by the Bill are further complemented by:

  • The Australian Government's Voluntary AI Safety Standard released on 5 September 2024, and current consultation on Mandatory Guardrails for High Risk Settings. That Voluntary Standard (and the proposal paper for high risk settings with one differing guardrail) gives practical guidance for the safe and responsible use and development of AI through 10 "guardrails". Those guardrails have various intersects with the Privacy Act and APPs, but relevant to the Bill, includes a guardrail of informing end-users about AI-enabled decisions and interactions. You can read more about the Australian Government's Voluntary AI Safety Standard in our recent Insight article here.
  • The introduction into Parliament of the Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024, which would insert new obligations into the Broadcasting Services Act 1992 (Cth) to regulate "digital communication platforms" in relation to misinformation and disinformation. An Insight on this reform will be published soon.

Timing

Debate on the Bill has been adjourned. Once passed, the majority of the changes will come into effect immediately, other than the changes in relation to ADM processes, and the statutory tort for serious invasions of privacy. 

What happens next

Once passed, the Bill will build on the 2022 Privacy Act reforms, and further heighten the risk profile for non-compliance with the Privacy Act. 

So, while many of the changes in the Government's Response, particularly those that will require a substantial uplift in the operational aspects of privacy compliance programs, have been deferred to the tranche 2 reform, this is not a time for complacency. 

Once passed, the new investigative and enforcement powers of the OAIC, new statutory tort, and other changes made by the Bill mean that it is more important than ever to ensure your house (aka, your privacy compliance framework and practices) is in order. 

For assistance on dealing with the new privacy laws, please contact our Technology and Telecommunications and Intellectual Property teams.

*For those of you who recall that the Government's Response 'agreed' with 38 proposals in total, the Explanatory Memorandum states that only 25 of those were directed at legislative change.