The much-anticipated reforms of Australia’s Privacy Act of 1988 are on to the legislative phase with the introduction of an initial amendments package to the Parliament of Australia 12 Sept. The first of what is expected to be two tranches of legislative updates mark country's latest step toward modernized privacy protections and business requirements as well as a heightened penalty scheme.
The updates, proposed by Attorney-General Mark Dreyfus, include new enforcement powers for the Office of the Australian Information Commissioner's privacy unit, authorization for an OAIC-drafted Children's Online Privacy Code and transparency requirements around automated decisions. Additionally, within the enforcement amendments is a proposed statutory tort for individuals to use with emerging risks of "serious invasions of privacy," including doxxing.
The Privacy Act has undergone prior adjustments since its initial passage, adding online protections, consumer rights benefits, and enabling the Office of the Australian Information Commissioner and its enforcement powers. However, Dreyfus noted that a recent lag in legislation with an increase in potential harms made the latest update necessary.
"Strong privacy laws are essential to Australians' trust and confidence in the digital economy and digital services provided by governments and industry," Dreyfus said in a statement. "The Privacy Act 1988 has not kept pace with changes in the digital world. Recent large-scale data breaches were distressing for millions of Australians, with their most sensitive personal information exposed by criminals."
The kickoff to reform comes as the IAPP ANZ Summit 2024 in Melbourne is slated for November.
Increased enforcement actions
The bill introduced a slew of enforcement measures that could criminalize the harmful misuse of personal data.
The OAIC explained the bill proposes a new tiered enforcement approach. Low-level civil penalties will apply to "specific administrative breaches" while the mid-tier penalty will be for "interferences with privacy."
"The enhanced civil penalty regime will add significantly to our enforcement toolkit, providing the OAIC with greater discretion and flexibility to apply a risk-based approach to enforcement that is proportionate and also supportive of a growing digital economy," Australian Privacy Commissioner Carly Kind said in a statement.
Along with additional advancements to enforcement efforts, the attorney-general could allow for the creation of the OAIC’s Australian Privacy Principle Code, which provides organizations with the ability to adjust their personal data collection practices.
The changes aim to reduce malicious use of personal data and prevent organizations from risky security practices that could harm consumers and businesses.
"The Attorney General’s department have clearly thought strategically on how to significantly reform unethical and risky privacy practices in the digital economy, while not rushing through wholesale reform just before an election," Civic Data Managing Partner Chris Brinkworth said in a statement.
Protections for children
The proposed Children's Online Privacy Code represents a key step forward in a broader Australian effort around children's online safety.
The OAIC would receive AUD3 million funding over three years to fully develop the code. Details around what the code might contain have yet to surface, but the OAIC would likely use prior stakeholder comments during reform consultations in its drafting.
UNICEF Australia Head of Policy and Advocacy Katie Maskiell said in a statement that the code "will set the foundation for years to come – and together with industry stakeholders, our supporting communities and each and every family - we can all take that one step closer to making Australia the safest place in the world for children to go online."
The proposed code may soon have companion legislation as the Australian government considers provisions for children's use of social media. Reuters reports Prime Minister Anthony Albanese indicated legislation for social media age limits will be proposed before potential elections in 2025, but the government has not yet decided on an exact age limit while grappling with how such a ban is easily circumvented with issues around age verification.
There's been a broad consensus for more attention to children's online protections in recent years.
The 2023 Australian Community Attitudes to Privacy Survey found that 79% of Australians had concerns over the protection of children's private information and only 50% of parents surveyed said they felt like they could protect their children's privacy. The measures to address the online safety of underaged users would provide added protections to address citizens’ concerns.
Next steps
The initial reform package is just the tip of the iceberg for Privacy Act modernization.
Commissioner Kind indicated the next proposed updates will include "a new positive obligation that personal information handling is fair and reasonable" and measures to "ensure all Australian organisations build the highest levels of security into their operations."
The Australian government and the OAIC did not indicate a timeline for the second phase of the proposed reform.
InnovationAus.com reports the next amendments are not likely to appear before the elections, meaning Kind's callouts, along with amendments to end the Privacy Act's small business exemption, add a right to erasure, and improve consent models, won't materialize until the middle of 2025 at the earliest.
Though the reform package has received praise from UNICEF and Human Rights Watch, some argue the reforms are not enough.
In a column for The Conversation, UNSW Sydney Assistant Professor Katherine Kemp opined, "Almost four years since the Privacy Act review commenced, the Australian government has introduced a reform bill that fails to make most of the fundamental changes needed to modernise our privacy laws."
She argues the bill "doesn't touch most of the substantive principles ... originally passed in 1988," but added that it "does finally introduce a statutory tort for serious invasion of privacy," as well as a process for the children's code and tiered penalty scheme.
Attorney-General Dreyfus said stakeholder consultations will continue on the proposed reforms, while the second phase of proposals will aim to strike "the right balance between protecting people's personal information and allowing it to be used and shared in ways that benefit individuals, society and the economy."
Lexie White is a staff writer for the IAPP.
