Long-awaited privacy laws hit Commonwealth Parliament

18 September 2024

After a long gestation, the first major piece of legislation to arise from the Commonwealth Government’s Privacy Act (Act) review is finally here, with the Privacy and Other Legislation Amendment Bill 2024 (Bill) introduced into the Commonwealth House of Representatives on 12 September. While a number of the most substantial changes proposed have been left for a future second phase, if passed the Bill will represent the largest changes to the Act in at least 8 years and includes the first changes to the Australian Privacy Principles (APPs) since they commenced over a decade ago.

The Act and the APPs govern the handling of personal information about individuals by Commonwealth Government agencies and by most private organisations, including all businesses with an annual turnover of more than $3 million.

The Bill addresses a range of different areas associated with privacy law in Australia, which we will be discussing in a series of forthcoming articles.

At a very high level, major changes include:

  • A statutory tort for serious invasion of privacy:
    • An individual can now maintain an action for a serious breach of their privacy.
    • Remedies include damages (including punitive damages and an account of profits), injunctive relief, an apology and destruction of materials.
    • Media organisations, journalists and government agencies have certain exemptions.
    • The legislation attempts to strike a balance between the public interest and an individual’s right to privacy.

Click here for a detailed article on the proposed statutory tort for serious invasion of privacy.

  • Provision for a new children’s privacy code:
    • A definition of child will be included in the Act for the first time.
    • The Australian Information Commissioner must develop a Children’s Online Privacy Code (Code).
    • The Code will apply to social media services, relevant electronic services or designated internet services and other services likely to be accessed by children (unless providing a health service).
    • The Code must be registered within 2 years.
  • New rules with respect to automated decision making:
    • If an APP entity utilises computer programs to make a decision using personal information which could reasonably be expected to significantly impact the rights or interests of an individual, they will need to include details of such practices in their privacy policy.
    • Details that need to be disclosed in the privacy policy include the kinds of personal information used and the types of decisions made by such programs.
    • There is a 24 month grace period following Royal Assent before these new transparency requirements take effect.
  • Updates to existing data security requirements under the APPs:
    • APP 11 deals with data security and retention requirements for personal information.
    • The Bill clarifies that the reasonable steps an APP entity must take to protect information from misuse, interference, loss, unauthorised access or disclosure includes “technical and organisational measures”. This provides clarity that governance and organisational controls must be in place, not just technical IT data security controls.
  • Changes to APP 8 regarding overseas disclosures of personal information:
    • APP 8 sets out the circumstances in which cross-border disclosures of personal information are permitted.
    • One currently permitted circumstance is where an overseas recipient of personal information is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the way in which the APPs protect the information, and there are mechanisms the individual can access to take action to enforce that protection of the foreign law or binding scheme.
    • Under existing laws, the APP entity disclosing the information must make the assessment as to the adequacy of the foreign law or binding scheme to determine whether the permitted circumstance applies.
    • The Bill would introduce a separate mechanism for the Commonwealth government to recognise foreign laws and binding schemes (effectively a ‘white list’) that would be adequate and therefore allow a cross-border disclosure.
  • Updates to the notifiable data breaches scheme by introducing eligible data breach declarations:
    • Where there is an eligible data breach of an entity, the Minister will be empowered to make eligible data breach declarations to allow entities to handle and disclose personal information in ways that are not otherwise permitted under the APPs in order to reduce the risk of harm individuals face when their personal information has been exposed by a data breach. This can include disclosing personal information to other entities for specified purposes.
    • These permitted purposes to prevent or reduce a risk of harm in relation to an eligible data breach can include responding to a cyber security incident, fraud, scam activity or identity theft or responding to the consequences of such incidents and addressing malicious cyber activity.
  • A range of new civil penalty options will be introduced, along with other related powers of the court to make orders:
    • Amendments to the civil penalty provision for serious interferences with privacy:
      • The current civil penalty provision for serious or repeated interferences with privacy will be replaced with a new provision simply for serious interferences with privacy.
      • The introduction of a list of factors the court may have regard to in determining if an interference with privacy is serious (including whether the relevant act or practice was engaged in repeatedly or continuously).
    • Two new categories of penalties will be introduced:
      • A mid-tier penalty for an interference with privacy where the court is not satisfied the interference is serious, attracting a maximum penalty of 2,000 penalty units (currently equating to $3,130,000 for bodies corporate, or $626,000 for other entities).
      • Civil penalties imposed by way of infringement notices issued by the Commissioner up to a maximum penalty of 200 penalty units (currently equating to $313,000 for bodies corporate or $62,600 for other entities) for a variety of prescribed contraventions (such as non-compliant privacy policies, or failures with respect to written notice of certain uses or disclosures or certain direct marketing requirements).
    • The Bill will also confer power on the court to make a broad range of ancillary orders for civil penalty provision contraventions including orders that an entity pay compensation to an individual for loss or damage, perform specific acts to redress loss or damage to an individual, refrain from engaging in specific activities or publish or otherwise communicate a statement about the contravention.
  • A criminal offence for doxxing:
    • Doxxing involves the intentional online exposure of an individual’s identity, private information or personal details without their consent.
    • The Bill would amend the Criminal Code Act 1995 (Cth) to introduce new criminal offences associated with doxxing, with jail terms of up to 7 years.
    • The offences would specifically relate to the online distribution of certain personal data that can allow an individual to be identified, contacted or located, such as their name, photograph, telephone number, email address, home or work address, or place of education or worship.
    • The highest imprisonment term could be imposed in instances that involve conduct towards groups of persons distinguished by characteristics such as race, religion, sexual orientation, nationality or ethnicity.

We will update this list with links to our relevant articles on each of these reforms as they are published.

How we arrived here

The current review of the Act originally arose as part of the Government’s response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. Although that Inquiry was focussed primarily on the dominance of Google and Facebook in digital advertising markets, the recommendations made by the ACCC were wide reaching, including suggesting specific changes to the Act as well as a recommendation for ‘Broader reform of Australian privacy regime to ensure it continues to effectively protect consumers’ personal information in light of the increasing volume and scope of data collection in the digital economy’.

In response, the Government released an Issues Paper in October 2020, followed by a Discussion Paper in October 2021, seeking feedback on a broad range of possible changes to the Act.

A small number of key changes were accelerated by the Attorney-General in November 2022, with legislation quickly passed to significantly introduce maximum penalties, expand the activities of foreign entities caught by the Act, and provide additional enforcement powers for the Office of the Australian Information Commissioner.

This was followed by the Attorney-General’s Department Privacy Act Review Report (Report), released in February 2023, which set out 116 proposed reforms.

The Government released its response to the Report (Response) in September 2023, indicating that it agreed with 38 of the 116 proposed reforms, and agreed ‘in-principle’ with 68 more. Since that Response, we have been awaiting legislation implementing the reforms agreeable to the Government.

In the interim, the Attorney-General’s Department undertook a brief consultation in March 2024, seeking views on statutory reform to address doxxing.

In May, the Attorney-General announced that legislation would be brought forward later in the year, which has now arrived in the form of the Bill.

What’s still to come?

There were a range of measures mooted in the Report which were agreed (or agreed in-principle) by the Government in its Response but remain to be legislated at a later stage. These include some of the most major (and potentially more controversial) changes.

The Attorney-General has described the Bill as ‘just the first stage of the Government’s commitment to provide individuals with greater control over their personal information‘, although given timing of the legislative cycle any further reforms will likely be a matter for the next Parliament.

Amongst the most significant reforms which have at least ‘in principle’ agreement but were not addressed by the Bill are:

  • removal of the small business exemption and employee record exception from the Act;
  • redefining ‘personal information’;
  • creating a distinction in the APPs between ‘data controllers’ and ‘data processors’, reflecting similar structures in other privacy laws abroad, such as the European Union’s General Data Protection Regulation;
  • tighter rules around what constitutes valid consent for the purpose of the APPs;
  • providing individuals with a direct right to bring a claim against an entity which has failed to comply with the APPs (an ability currently only held by the OAIC);
  • a right for individuals to seek deletion of personal information;
  • reforming rules around direct marketing and the associated tracking of individuals;
  • requiring privacy impact assessments for high risk activities; and
  • an overarching requirement that any collection, use and disclosure of personal information needs to be ‘fair and reasonable’.

The Privacy Commissioner had earlier in the year highlighted removal of the small business exemption and the addition of the ‘fair and reasonable’ test as key changes she was anticipating in the Bill to ‘really change the coverage of privacy protection for the Australian community‘, but they have been left for a later piece of legislation at this stage.

That ‘fair and reasonable’ test and mandatory privacy impact assessment requirement have already made their way into the Privacy and Responsible Information Sharing Bill currently before Western Australian parliament, and so could apply first to the WA public service before being picked up nationally.

Next steps

We anticipate that the Bill may be referred to a parliamentary committee before it is able to pass through the Parliament, so we do not believe that these reforms will be operational imminently.

While a number of the changes proposed (such as the doxxing offences and new data breach provisions) will become most relevant as controversies arise, there are some elements that will require proactive steps to ensure compliance, especially for organisations which engage in automated decision making or who are caught by the new Children’s Privacy Code.

The stakes have also increased more generally for businesses and their privacy compliance – given the much lower threshold for the new mid-tier and infringement notice civil penalties, we anticipate an increase in regulatory enforcement in relevant instances of non-compliance.

In coming weeks we will be publishing a series of articles looking at the details of each of the proposed changes. If you wish to receive these directly, please make sure that you are signed up to our Privacy mailing list, by clicking here.

This article was written by Daniel Kiley, Partner, with input from a number of Partners from HWL Ebsworth’s privacy law team, including Matthew Craven, Karen Keogh, Andrew Miers, Jason O’Connell and Nic Pullen with assistance from Matt Kearins, Associate, Nicolas Totaro, Associate, Maddison Crawford, Law Graduate and Amani Fatileh, Law Graduate.

Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

  • What type of content would you like to receive from us?

Contact us