The Privacy and Other Legislation Amendment Bill 2024 (Cth) which we reported on here received Royal Assent on 10 December 2024 and has been in force as of 11 December 2024.
The majority of the new laws commenced on the day after the Bill received Royal Assent, with the exception of the following:
- the new statutory tort for serious invasions of privacy will commence on a date to be proclaimed, and in any event within six months of Royal Assent; and
- the new requirements relating to disclosure of the use of automated decision-making programs will commence 24 months after Royal Assent.
The key changes from the Bill as originally introduced include the following:
1. Compliance Notices
New powers have been introduced for the Office of the Australian Information Commissioner ("OAIC") to issue compliance notices where it reasonably believes that an entity has contravened a civil penalty provision in respect of which infringement notices can be issued. The compliance notice must contain:
- the details of the contravention and specify the steps the entity must take to address the contravention and to ensure that the conduct is not repeated or continued; and
- a reasonable time period within which such steps must be taken.
Where an entity complies with such a notice, it is not taken to have admitted to the contravention or to have been found to have contravened the relevant section. However, a failure to comply with a compliance notice may itself attract a civil penalty or an infringement notice.
These expanded enforcement powers are likely to see further increased enforcement activity by the OAIC.
2. Statutory Tort for Serious Invasions of Privacy
The statutory tort applies where a defendant intentionally, or recklessly, intrudes upon the plaintiff's seclusion or misuses the plaintiff's information. The invasion must be 'serious', and the plaintiff must have had a 'reasonable expectation' of privacy in all the circumstances. The Australian Law Reform Commission has previously indicated that 'intentionally', for the purposes of this tort, encompasses a subjective and deliberate desire to intrude, or to misuse or disclose private information, and that a motivation arising from malicious intent would be a relevant factor in determining liability.
The original Bill allowed a defendant to adduce evidence that there was a public interest in the invasion of privacy. The plaintiff was then required to satisfy the Court that that public interest was outweighed by the public interest in protecting their privacy.
This process has been removed from the Bill as passed and replaced with a 'public interest' element in the new statutory tort, whereby the cause of action is only available if the public interest in the plaintiff's privacy outweighs any countervailing public interest. This shifts the onus onto the plaintiff in this regard.
In addition to the changes to the Bill, an Addendum to the Explanatory Memorandum to the Bill has also been published which includes clarification on the application of the statutory cause of action for serious invasions of privacy in the healthcare industry.
The Addendum states that the clarifications were made in response to concerns raised in submissions to the Senate Legal and Constitutional Affairs Legislation Committee about the broad definition of 'misusing information'. Specifically, the Addendum to the Explanatory Memorandum clarifies that:
- The tort is unlikely to affect the 'proper activities of healthcare providers' in light of all of the elements which must be satisfied, the high thresholds involved and the available defences (for example, in connection with 'intimate, health or family information').
- The elements of the tort should ensure that 'legitimate practices', such as medical care and research, do not attract liability.
Healthcare providers routinely ask patients about family medical histories and collect reports from other specialists in the course of treating patients. Consistent with the clarifications in the Addendum, we would expect that the use and disclosure of health information arising in these circumstances for the treatment of patients would be considered a 'proper activity' or 'legitimate practice' (rather than, say, conduct arising from malicious intent), and would not attract liability under the statutory tort.
While these clarifications and our comments above relate to the legitimate and proper activities of healthcare providers, we repeat our previous observation that entities operating in the healthcare industry (or in other industries where a person would have a higher expectation of privacy) should ensure that their processes and physical barriers are sufficient to preserve a person's privacy. This applies particularly to situations that may arise within healthcare settings but are unrelated to the proper delivery of health services to a patient by a health practitioner, such as peripheral or incidental interactions.
Now that the Bill has passed, entities should ensure that they are actively and continually auditing their data and privacy practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.