Almost to the one-year anniversary of providing its response to the Privacy Act Review Report (which we reported on here), the Federal Government has introduced the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) into Parliament, which it has made clear is only the "first-tranche" of reforms.
If the Bill is enacted in its current form, the following key changes will be introduced:
- Transparency will be required when using personal information to make automated decisions (e.g. through the use of AI);
- A new statutory tort will be available to individuals for serious invasions of privacy (including for physical intrusions and misuse of information);
- Obligations relating to data security will be clarified, requiring organisations to take "technical and organisational measures" in respect of data protection;
- A clearer framework for overseas disclosure of information will be introduced, allowing the Government to prescribe countries with similar privacy regimes to Australia for the purposes of easier data sharing;
- A framework for information sharing in the case of eligible data breaches will be introduced in order to prevent or reduce the risk of harm to individuals;
- A tiered penalty system and the ability for the OAIC to issue infringement notices for breaches which do not meet the "serious breach" threshold will be introduced, as well as stronger enforcement powers for the OAIC; and
- A code to protect the online privacy of children with respect to social media and other internet services which are likely to be accessed by children and new criminal offences for "doxxing" (being the release of personal information using a carriage service in a way that would be menacing or harassing).
While the amendments are not as substantial as had been anticipated from the perspective of individual rights, these initial proposed reforms are substantial enough that entities that hold personal information should be taking the opportunity to proactively audit their privacy practices and make improvements where shortfalls are identified, in anticipation of greater privacy protection and enforcement.
This is particularly important for those in the healthcare industry, where technological advancements are changing the delivery of health services and the way in which patient data is managed in a landscape which has already seen increased breaches, regulatory scrutiny and enforcement. This is highlighted in the Notifiable Data Breaches Report recently released by the OAIC reporting on the first half of 2024, which showed that the health service provider sector was by far the largest sector to notify of data breaches, and emphasised the enforcement activity taken against healthcare industry operators.
If you would like to discuss any of the matters raised in the reforms and how they may specifically impact your business or your privacy obligations generally, please feel free to reach out to a member of our team.
We have provided further commentary in relation to the reforms below.
- AI and automated decisions
APP entities will need to include additional information in their privacy policies if they use automated decision-making programs in certain circumstances. Where an entity has arranged for a computer program which uses personal information to make a decision (or to do something substantially or directly related to making that decision) that could reasonably be expected to significantly affect the rights or interests of the individual, the following additional information will need to be included in its privacy policy:
- the types of personal information used;
- the kinds of decisions made solely by the computer program; and
- the kinds of decisions for which a thing is done by the operation of the computer program that is substantially and directly related to making the decision.
The Explanatory Memorandum to the Bill confirms that the wording "to do something substantially or directly related to making that decision" reflects that a computer program may be used to recommend a decision to a human decision-maker, or guide a human decision-maker, and where this occurs, the thing must be substantially and directly related to making a decision to be captured by the obligation.
As to what kinds of decisions may be taken to affect the rights or interests of an individual, the amendments provide a non-exhaustive list of examples, which include decisions that affect the individual's rights under a contract or arrangement or that affect the individual's access to a significant service or support (e.g. access to healthcare).
In the healthcare industry, this could potentially capture the use of programs which provide options for diagnosis or healthcare/support services which can be offered to patients. Accordingly, entities that are using or considering using these types of computer programs or others which fall within the categories described above, should be prepared to make changes to their privacy policies if the Bill becomes law as drafted.
APP entities will have a 2-year grace period following the making of the Bill into law before these changes come into effect.
- New statutory tort for serious invasions of privacy
The amendments will establish a new cause of action which would be available to individuals for serious invasions of privacy, where a person has invaded the individual's privacy by either:
- Intruding upon their seclusion (i.e. physical intrusions such as watching/spying or recording their private activities); or
- Misusing information relating to them,
where the person would have had a reasonable expectation of privacy and the invasion was serious and intentional or reckless.
The person is not required to prove that they experienced damage in order to make a claim, however, any harm or damage caused would be a relevant consideration with respect to the seriousness of the invasion.
The Explanatory Memorandum to the Bill states that each type of invasion of privacy is intended to be construed broadly, which may expose entities to a broad range of possible claims that have not previously been available to individuals. This could include claims (including potentially class actions) relating to cyber-attacks, data breaches, physical theft of data and collection of information without consent.
The amendments specifically provide that the place where the invasion occurred may be relevant in determining whether a person had a reasonable expectation of privacy. Entities which operate in an industry (such as the healthcare industry) where a person would have a higher expectation of privacy than they would have in a public place should consider whether their processes and physical barriers are sufficient to ensure a person's privacy is preserved. Measures should also be taken to ensure that risks relating to misuse of information within the entity's operations are audited and appropriately managed.
- Data Security
APP entities are already required to take "reasonable steps" to protect personal information they hold from misuse, interference, loss, unauthorised access or disclosure under APP 11.1. The amendments introduced by the Bill provide further guidance in relation to this obligation by stating that the "reasonable steps" which are required to be taken include (without limitation) "technical and organisational measures". The guidance provided in the Explanatory Memorandum to the Bill as to what these measures could entail includes:
- Technical Measures – physical measures, and software and hardware (e.g. securing access to premises, encrypting data, anti-virus software and strong passwords).
- Organisational Measures – steps, processes and actions an entity should put in place (e.g. training employees on data protection, and developing standard operating procedures and policies for securing personal information).
These changes are largely aimed at avoiding doubt as to the expectations in relation to this obligation and should already be standard practice for APP entities. However, this amendment serves as a reminder to ensure that these measures are in place and operating effectively to protect personal information held.
- Overseas disclosure
Any entities currently seeking to share information outside of Australia are faced with a complex analysis of international privacy regimes, by virtue of obligations which exist under APP 8 and the Privacy Act. These obligations require entities to take reasonable steps to ensure that the overseas entity with which the data is being shared does not breach the APPs and to take accountability in the event that breaches are made. An exception currently exists to the obligation to take such "reasonable steps" where the entity reasonably believes the recipient of the information is subject to a law or binding scheme that, overall, is at least substantially similar to the APPs, and where there are mechanisms that an individual can access to take action to enforce those protections. The amendment proposed by the Bill would provide a mechanism for countries to be prescribed by the Government as those which are subject to the relevant type of law for the purposes of relying on the exception, i.e. if the data is being disclosed to one of those countries, the entity will be able to rely on that exception. It remains to be seen which countries will make it onto the list, however this is likely to provide greater opportunities for international data sharing while reducing the costly burden of entities themselves assessing the adequacy of international privacy regimes.
- Data breaches
The amendments set up a new framework whereby a declaration can be made by the Minister for the disclosure of personal information to particular entities (that would otherwise not be permissible) in order to prevent or reduce the risk of harm to individuals whose data has been compromised. The Explanatory Memorandum to the Bill provides an example of the application of this framework in the context of an eligible data breach, which would allow the making of a declaration to permit the entity who has been subject to the breach (e.g. a healthcare provider) to disclose personal information to other entities (e.g. a bank) so that those other entities can implement additional monitoring and safeguards against the use of the breached data (e.g. for identity theft or financial crime). While this amendment will not require any changes to privacy protection practices, entities should consider building this component into their eligible data breach processes which would apply in the event that the declaration is made.
- Penalties & Enforcement
The current penalty regime under the Privacy Act applies to "serious and repeated interferences" with privacy, under which entities can be liable for fines of up to $50 million or more depending on their turnover and any benefit obtained from the breach. The reforms propose to remove the "repeated" requirement from the current penalty regime and would also see the creation of two new categories of penalties:
- a mid-tier category for privacy interferences that do not meet the "serious" threshold, which would attract a penalty of up to 2,000 penalty units; and
- a low-tier category for which infringement notices of up to 200 penalty units can be issued for particular contraventions (including for failures to comply with privacy policy requirements or failing to draw attention to the ability to opt out of direct marketing or provide a simple means for people to do so).
The reforms also include heightened enforcement powers for the OAIC (including investigations, search and seizure) and together with the new penalty regime would create a significant shift in the risk matrix of most organisations in light of the increase in likelihood of regulatory and reputational impact of a breach.
If the Bill is enacted as drafted, the Information Commissioner will also have the power to hold public inquiries in relation to certain privacy matters. As we have seen from public inquiries conducted by other regulators, it is rare for a party to emerge from that process completely unscathed, and entities that hold personal data are urged to take a proactive approach to privacy compliance, continually audit their practices, make improvements where shortfalls are identified and prepare for the need to make further changes to practices as these reforms progress.
Please note, the above does not exhaustively cover the proposed reforms, which also include the introduction of privacy codes (including one specifically relating to the protection of children's online privacy) and the creation of a criminal offence for doxxing (being the release of personal information using a carriage service in a way that would be menacing or harassing).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.