On 12 September 2024, following a four-year review process, the Australian Government tabled the first tranche of proposed amendments to the Australia's Privacy Act—the Privacy and Legislation Amendment Bill 2024 (the 2024 Bill).1
The 2024 Bill covers a lot of ground, but there are some items that caught our attention. Here's a quick rundown of our initial thoughts:
Children's Privacy Code: The Information Commissioner will be empowered to develop a Children's Privacy Code. A 'Child' will be defined as a 'person under 18'.2It will be interesting to see how this interacts with the Government's proposed social media restrictions for children. Further, this additional regulation poses a logistical challenge—how to verify age in online venues, which may require identity verification (traditionally extremely unpopular with users).
Clarity on 'reasonable' security steps: Australian Privacy Principle 11, which requires organisations to take reasonable steps to keep personal information secure and to destroy or de-identify personal information that is no longer required for a lawful business purpose,3 is proposed to be amended to explicitly include "technical and organisational measures"4 as reasonable steps.
- Security: This means organisations will not only be required to maintain technical security controls (such as firewalls, monitoring, access controls, and penetration testing) but also policy and governance controls such as Risk Frameworks and Data Breach Response Plans. It is likely the OAIC would provide detailed guidance on what technical measures may be reasonable. For many organisations, this new requirement will not pose a challenge, as it mirrors widely adopted industry standards such as NIST and ISO270001 that require both robust governance and layered cybersecurity controls. Less mature organisations may find this requirement more daunting as the cyber threat landscape and regulator expectations continue to evolve.
- Data retention: Over-retention has been a key factor in the mega-breaches of the last few years;5 the clear expectation here is that organisations will be required to implement both policy controls and technical controls to classify personal information, set clear retention timelines, proactively identify information which should no longer be held, and securely dispose of it. Information governance is commonly overlooked, and this is likely to be a significant challenge for many organisations.
Clarity for overseas data flows: The 2024 Bill would enable the whitelisting of countries that are deemed to have equivalent privacy protections to Australia and to which data can, therefore, be transferred without restriction – an approach similar to the EU's GDPR Article 45.6
Data breach declarations: The 2024 Bill would enable the Minister to declare that entities can handle personal information in ways not normally permitted by the APPs for limited periods to mitigate the impacts of a breach on individuals. This could provide flexibility for entities to act quickly to mitigate harm in the breach response process.
Greater clarity on the factors that make an interference with privacy 'serious' (s13G1A): this may support entities to better identify notifiable data breaches so these can be appropriately reported to the regulator and affected individuals.
New civil penalty provisions for non-serious interferences with privacy (s13H) and infringement notice powers: As long promises, these amendments would provide a broader range of enforcement options for the OAIC. Notably, penalty notices would be available for a range of non-compliances with the APPs involving privacy policies, anonymity, direct marketing opt-outs, and access requests.
Powers for the Federal Court to direct entities to take restorative actions, pay damages, cease certain actions, or publish a statement. This would typically be sought during civil penalty proceedings.
Public inquiries: The 2024 Bill would provide the ability for the Minister to direct the Information Commissioner to conduct a public inquiry into specified privacy matters. This is intended to enable the examination of acts or practices that may identify systemic or industry-wide issues.
Transparency of Automated Decision Making: The 2024 Bill would require privacy policies to provide transparency of automated decisions, similar to what is required by the EU's GDPR Article 22.7 However, we also note that the Government has recently released a voluntary AI Safety Standard,8 and there is continuing pressure to regulate AI. As the EU AI Act has set a new global standard,9 it is likely that the Australian Government will continue to evolve its approach to AI.
Statutory tort for invasions of privacy: Sixteen long years after the ALRC first recommended it in 2008,10 the 2024 Bill would create a statutory tort for serious invasions of privacy, actionable without proof of damage. This is likely to change the landscape with respect to privacy class actions. Non-compliant entities that suffer a data breach will likely face increased pressure from irate consumers.
Criminal offences for doxxing and harassment: With specific provisions for protected groups (race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin). It is likely that there will be some debate on the chilling effect that these provisions could have on journalism and freedom of speech.
The 2024 Bill is still in its early stages and may see further changes, but it clearly highlights the Government's main privacy priorities. Now is the perfect time for businesses to start getting ready. Focus on improving how you manage personal information, communicating your practices, and ensuring your policies match how your business operates day to day.
Footnotes
1: 'Privacy and Other Legislation Amendment Bill 2024,' Parliament of Australia (12 September, 2024).
2: Id
3: Id
4: Id
5: Bogle,A., "Past Optus customers have had their data exposed — why did the company still have it?", ABC News (2 October 2022).
6: 'General Data Protection Regulation', Intersoft Consulting (accessed 18 September 2024)
7: Ibid.
8: Department of Industry, Science and Resources, 'Voluntary AI Safety Standard', Australian Government (5 September 2024).
9: EU Artificial Intelligence Act,'The Act Texts', Future of Life Institute (accessed 18 September 2024)
10: Australian Law Reform Commission, "Options for reform in ALRC 108", Australian Government (28 July 2010).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.