ARTICLE
15 September 2024

Privacy Act reforms: work to be done, but more to come

Corrs Chambers Westgarth


The first tranche of the highly anticipated changes to the Privacy Act 1988 (Cth) (Privacy Act) were tabled in Federal Parliament on 12 September in the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill).

What you need to know

  • The changes contained in the Bill represent only a small number of the 116 reforms proposed as part of the four-year review and consultation process into modernising Australia's privacy legislation.
  • The Federal Government has deferred a number of substantive reforms that stakeholders anticipated would be included in the Bill to later tranches of amending legislation.
  • Key changes include the introduction of a Children's Online Privacy Code (COP Code) and a statutory tort for serious invasions of privacy, as well as the creation of new penalties for less serious infringements of the Privacy Act.
  • The tranche one changes will impact all Australian businesses but will have an outsize impact on providers of social media and other platforms likely to be accessed by children.
  • Most changes contained in the Bill will commence the day after Royal Assent (with the exception of the statutory tort, which will commence no later than six months after Royal Assent, and the requirement to include information about automated decisions in privacy policies, which will commence two years from Royal Assent). The Commissioner is required to develop and register the COP Code within two years of Royal Assent.
  • Further reforms to the Privacy Act are not expected to occur prior to the next Federal election (currently anticipated around the middle of 2025).

What's included?

New statutory tort

The statutory tort for serious invasions of privacy introduces a cause of action against a person who invades another person's privacy by intruding upon their seclusion (such as physically intruding into a person's private space, watching, listening to, or recording the person's private activities or private affairs), or misusing information that relates to a person.

Importantly, this new tort means that a broader range of privacy harms will be regulated. It also provides a cause of action against individuals and entities who are not otherwise required to comply with the Privacy Act.

Framework for a Children's Online Privacy Code

To strengthen and protect the privacy of children online, the Bill requires the Australian Information Commissioner to develop and register a COP Code within two years of Royal Assent. The Information Commissioner will be required to seek and consider public submissions on the draft Code as well as consult with the eSafety Commissioner and National Children's Commissioner.

The COP Code will be an enforceable APP code under the Privacy Act that sets out how the Australian Privacy Principles (APPs) are to be applied or complied with in relation to the privacy of children (with a new definition of "child" being introduced by the Bill, being an individual who has not reached 18 years). The COP Code will apply to APP entities (i.e. entities that are governed by the Privacy Act, which are agencies (such as Federal Government departments) and organisations (such as sole traders and companies)) not providing a health service that:

  • provide social media services, relevant electronic services or designated internet services (as defined in the Online Safety Act 2021 (Cth));
  • which are likely to be accessed by children (even if not specifically targeting them); and
  • any other entity specified in the COP Code.

The Explanatory Memorandum gives the example of the COP Code, setting out how regulated entities must meet requirements in relation to privacy policies and consent notices "by ensuring that information addressed to a child is clearly expressed and understandable – such as through the use of graphics, video and audio content rather than relying solely on written communication".

New penalty provisions

The Bill introduces an extensive, tiered penalty regime intended to capture a broader range of contraventions. This is a significant departure from the current focus on only penalising the narrow set of practices which constitute "serious" or "repeated" interferences with the privacy of individuals.

If the Bill is passed as currently drafted, the civil penalty provisions and relevant penalties under the Privacy Act would be as follows:

  • for serious interferences with the privacy of an individual, the greater of A$50 million, three times the benefit, or 30% of adjusted turnover;
  • for interferences with the privacy of an individual, a maximum penalty of 10,000 penalty units for bodies corporate (currently A$3.3 million); and
  • for a breach of any of the provisions of the APPs prescribed in the Bill, a maximum penalty of 1,000 penalty units for bodies corporate (currently A$330,000).

Notably, "repeated interferences with the privacy of an individual" has been removed as a standalone civil penalty provision, indicating that entities may instead face cumulative penalties for multiple "interferences with the privacy of an individual".

Further enhancement of OAIC regulatory powers

The OAIC has been granted a range of new powers to assist in its investigative and enforcement functions, including:

  • a power to conduct public inquiries; and
  • the standard monitoring and investigations powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth), including entry, search and seizure powers in relation to documents relevant to investigations.

Increased transparency for automated decisions

The Bill contains measures intended to increase transparency about a business' use of artificial intelligence used for automated decision making (ADM).

If an APP entity uses an individual's personal information in an ADM system to make a decision and the decision could reasonably be expected to significantly affect the rights or interests of the individual, then the entity would be required in its privacy policy to describe the kinds of:

  • personal information used in ADM; and
  • decisions made by ADM.

Overseas data flows

The Bill provides for a 'whitelist' of overseas jurisdictions (to be developed and included in the regulations). Entities will be able to transfer personal information to recipients subject to the laws of these prescribed jurisdictions (subject to compliance with any other conditions in the regulations) without back-to-back contractual protections. Notably, however, the Bill does not include standard contractual clauses for use with counterparties outside of whitelisted jurisdictions (a concept provided for in the EU GDPR).

Securing personal information

The requirement that APP entities take reasonable steps to protect personal information now specifies that such steps include "technical and organisational measures". This makes it clear that entities are expected to implement formal organisational measures to protect personal information, such as data breach response planning and senior executive and board oversight of cybersecurity measures. Guidance on what these measures are expected to include is anticipated to be developed by the OAIC.

Enhanced information sharing during data breaches and emergencies

The Bill introduces provisions to allow declarations to be made that permit entities to handle personal information in ways that would otherwise breach the APPs in order to facilitate information sharing in emergencies and significant data breaches to reduce the risk of harm to individuals. For example, entities may be permitted to share personal information with banks to enable the banks to provide enhanced monitoring to customers who may have had their financial details stolen.

Doxxing offences

The Bill also proposes amendments to the Criminal Code Act 1995 (Cth) to introduce new criminal offences prohibiting the malicious release of personal data online (known as 'doxxing').

What's excluded?

The following anticipated reforms were not addressed in the Bill:

  • the introduction of the 'fair and reasonable' test, which would require businesses to ensure that the collection or processing of personal information is 'fair and reasonable' notwithstanding that the individual had provided consent to the business to do so. This will be included in the second tranche of privacy reforms, according to Australian Privacy Commissioner Carly Kind;
  • the proposed removal of the employee and small business exemptions, which would require a significant investment in privacy compliance by entities that currently rely on the exemptions;
  • the inclusion of provisions to address harms associated with direct marketing, targeted advertising and online content and trading in personal information, including allowing individuals to opt-out of targeted advertising;
  • the introduction of a number of additional individual rights modelled on the GDPR; and
  • a direct right of action, which would allow individuals to apply to seek remedies in relation to an interference with privacy.

Next steps

We recommend APP entities consider the following:

  • Consider their business practices in relation to the use of ADM systems. Privacy policies will need to be updated to include information on the personal information used and the decisions made. Emerging regulation of artificial intelligence should also be taken into account in relation to ADM;
  • Consider whether they provide an electronic service likely to be accessed by individuals under 18 years or whether they might be likely to be otherwise identified as being subject to the new COP Code. Such entities are likely to be required by the COP Code to implement significantly enhanced information handling practices in relation to children. Such entities may wish to consider engaging in the consultation process for the development of the COP Code;
  • Update their risk management frameworks to reflect potential exposure to new penalties and enforcement action in relation to privacy, as well as the risk of a cause of action under the new statutory tort; and
  • Consider their approach to overseas data flows once the regulations are updated to identify 'whitelisted' countries.

We've previously identified the measures APP entities should consider taking to uplift their data handling practices. We recommend entities continue to pursue these activities while the full suite of amendments to the Privacy Act crystallises over the next 12-24 months.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
