ARTICLE
20 October 2024

Upcoming Privacy Act Reforms: What Businesses Need to Know About Major Changes

LegalVision

Contributor

LegalVision, a commercial law firm founded in 2012, combines legal expertise, technology, and operational skills to revolutionize legal services in Australia, New Zealand, and the UK. Beginning as an online legal documents business, LegalVision transitioned to an incorporated legal practice in 2014, and in 2019 introduced a membership model offering unlimited access to lawyers. Expanding internationally in 2021 and 2022, LegalVision aims to provide cost-effective, quality legal services to businesses globally.
Businesses should review and update their privacy policies to align with the upcoming reforms.
Australia Privacy

In Short

  • Upcoming reforms to Australia's Privacy Act will impact how businesses handle personal data.
  • Companies must update privacy policies and practices to comply with new regulations.
  • Increased penalties for non-compliance highlight the importance of staying informed and proactive.

Tips for Businesses

Review and update your privacy policies to align with the upcoming reforms. Ensure all staff are trained on new data handling procedures. Regularly audit your data practices to identify areas for improvement, and consider seeking legal advice to avoid potential penalties. Staying informed is crucial for compliance.

Australian privacy law will undergo major changes to bring it into the digital age, improve clarity for businesses, enhance transparency and individual rights, and strengthen enforcement mechanisms. These reforms will occur through significant upcoming amendments to the Privacy Act, reflecting recommendations from the Attorney-General's Department's Privacy Act Review Report 2022.

These privacy reforms are likely to affect every business operating in Australia. While the changes have not yet commenced, you can take steps to prepare now. This article explains what changes the proposal includes, how these changes will affect your business, and what actions you should take.

What are the Proposed Privacy Changes?

The following summarises six key reforms:

1. Changes to Civil Penalties

The Privacy Bill introduces new and stronger financial penalties for privacy breaches. It clarifies what counts as a "serious" privacy breach and introduces new penalties for less serious breaches. For example, not having a proper privacy policy could result in fines of up to $66,000 for individuals or $330,000 for companies. The Information Commissioner will be able to issue on-the-spot fines for some breaches, so it is important to ensure your privacy documents are compliant and current.

2. Children's Online Privacy Code (COP Code)

A Children's Online Privacy Code will respond to government calls for greater protections for children online. This code will apply to online services that anyone under 18 is likely to access, including social media platforms, apps, and websites that children often use. The code will explain how these services should handle children's personal information to comply with privacy laws. For example, it might require child-friendly privacy notices or stricter rules about collecting children's data.

3. Automated Decision Making

One significant change to the Privacy Act is the proposal to increase transparency around automated decision-making. For many businesses embracing AI in day-to-day operations, this is an important change to be aware of. If an organisation uses automated systems to make decisions that could significantly impact someone's rights or interests, they must explain this in their privacy policy. This explanation needs to include what kinds of personal information these systems use, what types of decisions they make, and how they're involved in the decision-making process. The goal is to help people understand when and how automated systems use their personal information to make decisions about them.

4. Legal Action For Serious Invasions of Privacy

Under the changes, individuals can sue for serious invasions of privacy. This applies to two main types of privacy breaches: intrusion upon seclusion (for example, by spying on someone) and misuse of private information. To make a claim, a person must show that:

  1. their privacy was invaded;
  2. they had a reasonable expectation of privacy;
  3. the invasion was intentional or reckless;
  4. the invasion was serious; and
  5. protecting their privacy outweighs any public interest in the invasion.

If successful, an individual could seek compensation or an injunction to stop the invasive behaviour. Businesses will have some defences available, such as if the action was legally required or done with consent.

This new right aims to give people more control over their privacy and a way to seek justice if their privacy is seriously violated, especially in situations not covered by existing privacy laws.

5. Overseas Disclosure

International data sharing will become simpler with an official list of countries and privacy schemes that are considered to have privacy protections similar to Australia's. This "whitelist" will make it easier for Australian organisations to share personal information with overseas recipients in these approved countries or schemes. Organisations will not have to do as much work to check if the overseas recipient has sufficient privacy protections. The goal is to make international data sharing simpler and safer while still protecting people's privacy.

6. Criminal Offence for Doxxing

The intentional malicious exposure of an individual's personal data online, known as 'doxxing', will become a criminal offence. It will become illegal to use the internet or phone services to publish or distribute someone's personal data (like their address, phone number, or photo) in a way that a reasonable person would consider threatening or harassing. There is an even stronger penalty if this is done to target someone because of their race, religion, gender, sexuality, or other protected characteristics. These new laws aim to protect people from the serious harms that can come from having their private information exposed online, such as harassment, stalking, or threats to their safety.

What Does This Mean for My Business?

The range of reforms addressed in the Privacy Bill means that every business should assess its current obligations and those it is likely to have in the future.

To prepare for these changes, we recommend you:

  • Audit your data and privacy processes and start planning:
    • undertake an audit of your information collection processes. Check how your business collects, stores, uses, discloses, and monitors personal information;
    • identify any obvious gaps in your processes and implement policies and procedures to fill them;
    • check how compliant you are with your existing privacy obligations; and
    • ensure your employees understand the correct procedures and implement training if required.
  • Check your Privacy Toolbox for currency and compliance. Ensure you have:

When Will These Changes Start?

The reforms are likely to commence by mid-2025. After the federal election, the government is likely to introduce further reforms, depending on the potential impacts.

Our 2024 Key Data and Privacy Developments factsheet provides details about these upcoming changes and the likely future steps for legislative reform.

2024 Key Data and Privacy Developments

The Australian Government is changing the law to protect consumer privacy after a series of high-profile data breaches and to bring the law into line with the safer and more protective laws in other regions. This fact sheet outlines what is expected in 2024.


Key Takeaways

The upcoming Privacy Act reforms will impose stronger penalties for breaches, with fines up to $330,000 for companies. A new Children's Online Privacy Code will enhance protections for minors, and businesses must disclose the impact of automated decision-making on individual rights. Individuals will have the right to sue for serious invasions of privacy, and doxxing will become a criminal offence. To prepare, businesses should audit their data processes, update privacy documentation, and train staff before the reforms take effect by mid-2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
