Australia's Privacy Act has senior status among national privacy laws. Enacted in 1988, the law has seen many amendments through the years. While there were talks of fundamentally updating the law in past years, 2023 saw these talks turn into action.

The Privacy Act Review Report of 2023

In February 2023, the Privacy Act Review Report was released by the Attorney-General's department. This report proposed 116 recommendations that emerged from input collected from stakeholders since 2020. Key among these was an acknowledgment that Australia's digital economy led to innovation and increased productivity but also to new risks from data breaches and privacy harms.

In September 2023, the government either agreed or agreed in principle with many of the reforms proposed in the report. However, it required further consultation and impact analysis before legislating some proposals.

Privacy and Other Legislation Amendment Bill 2024

On 12 Sept. 2024, the government introduced the first tranche of reforms to the Australian Federal Parliament in the form of the Privacy and Other Legislation Amendment Bill 2024. If passed, the bill would implement 23 of the report's 25 legislative proposals that were agreed to by the government, noting other agreed-upon proposals would be actioned by the development of guidance.

Top operational impacts of the first tranche of reforms

The proposed changes included in the first tranche of reform reflect the government's current priorities, such as ensuring Australia has a powerful privacy regulator in the wake of major data breaches from 2022 and 2023, children's online safety, doxxing and the impact of artificial intelligence on the lives of Australians.

This first tranche of reforms includes numerous enhancements to the current law that businesses and individuals should note.

Multitiered civil penalty system and infringement notice powers

The bill introduces lesser tiers of civil penalty provisions for interferences with privacy that are not serious, and for administrative breaches such as noncompliant privacy policies, including the power for the Office of the Australian Information Commissioner to issue infringement notices for breaches of certain provisions. Based on the use of similar powers by the Australian Communications and Media Authority for spam and telemarketing breaches, this may become an effective tool in the OAIC's enforcement approach. The new tiers are a mid-tier penalty of 2,000 penalty units (AUD3.3 million for bodies corporate, based on the new penalty unit value) and a low-tier penalty of 200 penalty units (AUD330,000 for bodies corporate). Lastly, if the OAIC issues an infringement notice, the maximum penalty for each alleged contravention is AUD66,000 for listed corporations and AUD19,000 for nonlisted corporations.

New powers to minimize the impact of data breaches

The bill allows the minister — the relevant Attorney-General — to make eligible data breach declarations permitting information sharing between entities that suffer data breaches and third parties, such as telecommunications providers, banks and government departments, to prevent or reduce the harm to individuals from misuse of personal information that may arise from data breaches. For example, a declaration could permit the disclosure of personal information to banks to enable them to undertake enhanced monitoring and implement safeguards for customers affected by the breach. Parameters and other conditions would apply to the permitted information sharing.

Expansion of the OAIC's investigation powers

Under the proposed reforms, the OAIC's remit would include powers of entry, search and seizure. The bill also empowers the OAIC to conduct public inquiries, as approved or directed by the minister, into any specified matters relating to privacy.

New powers for federal courts

Under the bill, courts may make any order they see fit if a breach of a civil penalty provision related to an interference with privacy has been established. Such orders could include the payment of compensation, publication of statements about the infringement, or orders to perform acts or refrain from engaging in acts.

Introduction of new criminal offenses

The bill proposes the addition of crimes to the Criminal Code Act 1995 for engaging in various acts of doxxing, which is defined as the release of an individual's personal information using a carriage service in a way that reasonable people would regard as menacing or harassing toward the individual in all circumstances. The proposed new offenses carry a jail sentence of six or seven years. The larger sentence applies when a person carries out doxxing, in whole or in part, to target someone due to their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin.

Creation of a statutory tort for serious invasions of privacy

The proposed tort is subject to a public interest balancing test. If the defendant gives evidence of a public interest in the invasion of privacy, the plaintiff must satisfy the court that the public interest in protecting their privacy outweighs any public interest in the invasion of privacy. However, the bill proposes that an invasion of privacy is actionable without proof of damages.

To succeed in a cause of action under the bill, the plaintiff must establish that the defendant invaded their privacy by intruding upon their seclusion, misusing information related to them or both. The plaintiff also must prove there is a reasonable expectation of privacy in all circumstances and that the invasion was intentional or reckless and serious.

The bill provides several exemptions to the statutory tort, including for enforcement bodies, intelligence agencies and journalists in respect of the collection, the preparation for publication or the publication of journalistic material.

New Children's Online Privacy Code

The bill requires the OAIC to develop and register a new Children's Online Privacy Code, which would apply to online services, excluding health services, that are "likely to be accessed by children" within 24 months from the date the bill receives royal assent. Before the OAIC registers the code, it is required to make a draft of the code publicly available, invite the public to make submissions about the draft within a consultation period of at least 40 days, consider submissions made within the specified period, and consult with the eSafety Commissioner and the National Children's Commissioner.

During development, the OAIC may consult with specified parties such as children, organizations or bodies concerned with children's welfare, and any other person it considers appropriate. The OAIC may also make and publish written guidelines to assist organizations in determining if a service is likely to be accessed by children.

Certification for international data transfers

The bill includes mechanisms for the government to prescribe countries and certification schemes that provide substantially similar protections to Australia's. Australian businesses that share information with third parties located in those countries, or that participate in those binding schemes, will not need to negotiate contractual clauses to meet the "reasonable steps" requirement in Chapter 8.1 of the Australian Privacy Principles. This reform might be a preview of the government's intentions regarding the Global Cross-Border Privacy Rules certification scheme. Australia is a founding member of the Global CBPR Forum.

Expectations for the second tranche of reforms

The most controversial changes appear to have been shelved for the second tranche of reforms. Key proposed reforms that were not addressed in the September 2024 bill include:

  • Changing the word "about" in the definition of personal information to "relates to."
  • Making changes to the small-business exemption, which currently applies to businesses with an annual turnover of AUD3 million or less, subject to certain exceptions. These are estimated to be over 95% of businesses in Australia.
  • Restricting the employee records exemption to enhance protections for private sector employees.
  • Requiring APP entities to ensure the collection, use and disclosure of personal information is fair and reasonable in the circumstances.
  • Introducing the concepts of controllers and processors, as exist in other jurisdictions such as the EU.
  • Clarifying in the legislation that consent must be voluntary, informed, current, specific and unambiguous.
  • Requiring APP entities to determine and record the purposes for which they will collect, use and disclose personal information.
  • Requiring APP entities to establish their own maximum and minimum retention periods in relation to the personal information they hold.
  • Expanding individuals' rights in relation to their personal information, including the rights to explanation of the personal information held about them, to object, to erasure, to correction and to deindex online search results.
  • Providing individuals with an unqualified right to opt out of the use or disclosure of their personal information for direct marketing purposes and of receiving targeted advertising.
  • Requiring APP entities to notify the OAIC and affected individuals of data breaches no later than 72 hours after becoming aware of them.
  • Introducing a direct right of action by individuals against organizations for privacy breaches.

Looking ahead to 2025

The approach taken in this first tranche of reform likely means these changes will be more quickly considered and passed than if more controversial changes had been included. Another bill with a second tranche of reforms will likely address the report's remaining legislative proposals that the government agreed to or agreed in principle to, following further consultation. Although the timing of any such bill and the second tranche of reforms is currently unknown, it is unlikely to be delivered before 2025.

This likely means organizations will have more time to engage in consultation and have a say in how the remaining proposals may impact them. Moreover, organizations should stay attuned to the progress of reforms to gain more clarity on what they will entail, and the resources required to comply with the new requirements under an amended Australian Privacy Act.

Aly Apacible-Bernardo, CIPM, is a legal research associate at the IAPP.

The author would like to thank IAPP ANZ Advisory Board Member Megan Knight for her assistance with this article.