ARTICLE
20 September 2024

Privacy and Other Legislation Amendment Bill marks the beginning of major privacy reform

Holding Redlich (Contributor)

Holding Redlich, a national commercial law firm with offices in Melbourne, Canberra, Sydney, Brisbane, and Cairns, delivers tailored solutions with expert legal thinking and industry knowledge, prioritizing client partnerships.
Bill introduces a radical new criminal sanction for doxxing and an online Children's Privacy Code.

On 12 September 2024, the long-awaited Privacy and Other Legislation Amendment Bill (Bill), proposing a number of amendments to the Privacy Act 1988 (Privacy Act), was introduced into the House of Representatives.

While the Bill introduces a radical new criminal sanction for doxxing and an online Children's Privacy Code, there is much for businesses to be concerned about.

This Bill marks the beginning of a shift in privacy legislation. It introduces provisions that signal the start of serious privacy reform, which will require businesses to uplift their privacy practices. While the Bill does not include the "fair and reasonable test" that was agreed to be implemented as part of the Privacy Act Review, it sets the groundwork for that change to follow.

Keeping information secure – additional requirements

The Bill proposes a change to Australian Privacy Principle (APP) 11 which makes clear that the reasonable steps required to protect information include both technical and organisational measures. This means that if an organisation faces a challenge, such as a data breach, the extent of the organisational and technical steps it took will be tested to determine whether they were reasonable in the circumstances.

Readers might remember that many of the recent breaches have resulted from failures to:

  • enable multi-factor authentication
  • deactivate user accounts when employees, contractors or consultants leave the organisation
  • store sensitive data in encrypted or otherwise protected form.

Organisations will now need to take a serious look at the adequacy of their information security budgets and the robustness of their information security processes to see whether they would pass the "reasonable steps" test.

New power to issue fines for the OAIC

The Office of the Australian Information Commissioner (OAIC) has been granted a range of additional powers to issue infringement notices quickly for breaches of privacy. This allows it to act swiftly without the need to take claims through the court system, and brings it into line with other regulators, such as the ACMA, which regularly issues such notices for Spam Act infringements.

Interestingly, the new Bill also grants the Commissioner the power to conduct public inquiries. This provides an opportunity for the OAIC to call out corporate behaviour that might not be a clear breach of existing law but would benefit from public scrutiny. Consider, for example, the Commissioner's recent public comments about TikTok, where no investigation was pursued because existing laws were unlikely to have been breached. A public inquiry could have brought the issue into the open and potentially led to a deterrent outcome.

New statutory tort

In addition, the statutory tort for invasion of privacy would give individuals the right to seek compensation in the event of a breach which caused them harm.

The new tort covers both physical invasions of privacy (intrusion upon seclusion) and misuse of personal information. It is also relevant that the objects of the Privacy Act are being extended to recognise the public interest in protecting privacy, and that there is no need to prove damage.

A claimant must prove the invasion of their privacy was serious.

The Bill limits damages for non-economic loss to $478,550 or the current limit applicable in defamation proceedings.

In the case of a major data breach, this sort of straightforward claim on behalf of multiple victims may be attractive to class action lawyers. There is good reason for businesses to revisit their personal information collection practices and data protection settings.

Automated decision making – transparency of information

There is also a provision in the Bill which requires organisations to include information in their privacy policies about automated decisions that significantly affect the rights or interests of an individual. Organisations adopting AI and automated processes that may have a negative impact on individuals will be required to explain what has been done. Given that the Privacy Act also applies to Commonwealth government agencies, this requirement could impose a significant burden and add another layer of complexity to the use of AI for automating processes.

Where to start

This is the first tranche of the Privacy Act reforms that were agreed by the government in 2023. At that time, the government responded to 89 proposals requiring legislative change: 25 were agreed and 56 were agreed in principle. The current Bill implements 23 of the first 25 proposals, meaning there are 58 yet to come.

As consumer sentiment and the public appetite for greater privacy protection continue to grow, it is likely that the remaining proposals will be introduced in 2025, although the current government may run out of time before the next election. Regardless of the election outcome, the public demand for the foreshadowed changes will not diminish, and we could reasonably expect them to appear on the legislative calendar next year.

Now is clearly the time for businesses to begin uplifting their privacy posture and supporting policies and procedures.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.
