On the road: Australia’s privacy law overhaul begins

14 minute read | 13.09.2024 | Paul Kallenbach, Eibhlin Hamman, Tom Fletcher, Maria Rychkova, Payal Matta

We examine the implications of the Australian Federal Government's introduction of the Privacy and Other Legislation Amendment Bill 2024.


Key takeouts


  • The Privacy and Other Legislation Amendment Bill 2024 was introduced into the lower house on 12 September 2024.
  • The Bill implements 23 of the 25 proposals directed at legislative change to the Privacy Act 1988 (Cth) that were ‘agreed’ to by the Government in its 2023 response to the Attorney-General’s Privacy Act Review Report.
  • The reforms pave the way for a longer journey towards robust privacy protection, particularly as organisations move ever further into an era defined by data, innovation and digital transformation.

The Privacy and Other Legislation Amendment Bill 2024 (Bill) has been introduced into the lower house, a major milestone in an overhaul of the Privacy Act 1988 (Cth) (Privacy Act) following the Attorney-General’s Privacy Act Review Report of February 2023 (Report) and the Government’s response to that Report of September 2023 (Response). We have previously discussed the Report and the Response in detail in our article, The long road to Australian privacy reform.

In the Government's Response, it ‘agreed’ to 38 of the 116 proposals, with a further 68 'agreed-in-principle'. The Bill will only implement 23 of the 25 'agreed' proposals that were specifically directed at legislative change. The balance of the 'agreed' proposals largely relate to enhancing guidance issued by the Office of the Australian Information Commissioner (OAIC) and engaging in further consultation. None of the 'agreed-in-principle' proposals are addressed in the Bill.

Two significant reforms covered by the Bill are the new cause of action in tort for serious invasion of privacy, and the new criminal offence of 'doxxing' – that is, targeting the release of personal data using a carriage service in a manner that would be menacing or harassing. (The ‘doxxing’ offence was not discussed in the Report or the Response, but has been introduced following the leaking of hundreds of messages from a Jewish WhatsApp group in February 2024.)

Other provisions in the Bill are aimed at increasing transparency and certainty regarding the handling of personal information, for example, the welcome introduction of a 'white list' mechanism to prescribe countries as providing similar protections to the APPs in order to assist entities to assess whether to disclose personal information to an overseas recipient. More general reforms include extensions to the Federal Court's authority in civil penalty proceedings beyond pecuniary penalties, and additional OAIC powers, including the ability for the Information Commissioner to hold public inquiries on privacy-related issues.

The key aspects of the Bill are summarised below.

Tort for the serious invasion of privacy

One of the most significant (and controversial) reforms included in the Bill is the proposed statutory tort for serious invasions of privacy. This cause of action will allow individuals to sue for serious invasions of privacy in circumstances where the individual had a reasonable expectation of privacy, but subject to some limitations.

To establish a claim under the proposed cause of action, the plaintiff would have to prove all of the following elements:

(a) there has been an invasion of privacy by either intrusion upon the plaintiff's seclusion (i.e., physical intrusion on their private space) or the misuse of information that relates to the plaintiff;

(b) the plaintiff has a reasonable expectation of privacy in all of the circumstances;

(c) there is an element of fault on behalf of the defendant (i.e., the invasion of privacy must have been intentional or reckless, rather than merely negligent);

(d) the invasion of privacy was serious; and

(e) the public interest in protecting the plaintiff’s privacy outweighs any countervailing public interest raised by the defendant (such as freedom of expression or freedom of the media).

The plaintiff must be an individual (i.e., a natural person); companies cannot sue under this tort.

Courts are to be guided by non-exhaustive lists of factors and issues in their assessment of reasonable expectations of privacy, the 'seriousness' of the invasion of privacy, and public interest matters. Importantly, the plaintiff will not have to prove that they have suffered damage in order to bring an action.

The Bill provides for a number of remedies, including injunctions, declarations, ordered apologies and compensation. There is a cap on exemplary or punitive damages and damages for non-economic loss, the sum of which cannot exceed $478,550 or the maximum amount of damages available for non-economic loss in defamation law (whichever is greater).

The Bill sets out several defences common to the law of torts, including that the defendant's conduct was required or authorised by law; the defendant reasonably believed the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person; and the plaintiff impliedly or expressly consented to the invasion of privacy. There are also defences familiar to the field of defamation law, including absolute privilege, publication of public documents, and fair report of proceedings of public concern.

The Bill provides exemptions to journalists in relation to the collection, preparation for publication or publication of journalistic material. This exemption extends to employers of journalists and persons assisting journalists in certain circumstances. There are similar exemptions for enforcement bodies, intelligence agencies, and persons under the age of 18.

Doxxing

The Bill proposes to make doxxing (being the intentional malicious exposure of an individual’s personal data online) a criminal offence by amending the Criminal Code Act 1995 (Cth) (Criminal Code). Section 3 of the Bill also introduces the concept of personal data of an individual, which is defined as information about the individual that enables the individual to be identified, contacted or located, and includes the individual's name, photograph or other image, telephone number, email address or residential or work address. This appears to be a broader concept than ‘personal information’ under the Privacy Act, since it extends beyond a person’s identity (being the focal point of the Privacy Act definition) to also encapsulate that person’s contact details and location (i.e., even when that person is not themselves identifiable).

The Bill introduces two separate doxxing related offences:

  • the first encompasses using a carriage service to make available, publish or distribute personal data, where the person engages in the conduct in a way that reasonable persons would regard as being menacing or harassing (imprisonment for 6 years); and
  • a further offence where a person or group is targeted due to a belief that the group is distinguished by their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin (imprisonment for 7 years).

Importantly, the proposed legislation states that whether or not the group is actually distinguished by the above characteristics is immaterial for the purposes of determining whether someone has committed an offence under this provision.

APP 11 – security of personal information

The Bill introduces a number of measures intended to increase transparency and certainty regarding the handling of personal information. Currently, APP 11.1 requires an APP entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

The Bill will add a new APP 11.3, which provides that ‘reasonable steps’ in APP 11.1 includes ‘technical and organisational measures’. This new APP adopts the wording employed in Article 32 of the EU General Data Protection Regulation (‘… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …’).

The Bill’s Explanatory Memorandum gives examples of technical measures as including protecting information through physical measures, software and hardware, whilst organisational measures include steps and processes that an entity should implement, such as employee training on data protection.

Unfortunately, this abbreviated wording provides limited practical guidance as to what organisations should be doing to protect personal information – particularly in light of an ever increasing number of data breaches. It is hoped that the OAIC will provide detailed guidance in due course.

Facilitating overseas data flows

To support the free flow of information across borders, the Bill proposes a ‘white list’ mechanism to prescribe countries with substantially similar privacy laws, in order to assist entities to assess whether to disclose personal information to an overseas recipient.

Currently, an APP entity must take reasonable steps to ensure an overseas recipient does not contravene the APPs in relation to personal information disclosed to it. In addition, under the accountability principle, the APP entity is liable for any acts or omissions of the overseas recipient that would otherwise breach the Privacy Act.

There is an exception to this accountability regime, where the APP entity reasonably believes that the recipient of the information is subject to a law or binding scheme that is substantially similar to the APPs (i.e., an equivalent privacy regime). In practice, this exception has rarely been relied upon, due to the difficulty of determining whether the laws of any particular jurisdiction give rise to an equivalent privacy regime.

The Bill will address this by enabling the Government to prescribe equivalent privacy regimes by regulation. At the present time, neither the Explanatory Memorandum nor the Bill specifies which countries might be included on this ‘white list’.

Automated decision-making systems

The Bill acknowledges that automated decision-making systems pose privacy risks, as they can use personal information about individuals in ways which may have a significant impact, with little or no transparency.

The Bill proposes to address this issue by requiring APP entities to update their privacy policies to expressly outline where personal information will be used by a computer program to make a decision that ‘could reasonably be expected to significantly affect the rights or interests of an individual’.

This is required if a computer program is making, or doing a thing substantially or directly related to the making of, the decision. This means that even if there is a ‘human in the loop’ in the decision-making process, if the decision is substantially made or influenced by AI or another automated decision-making system, this will need to be disclosed in the Privacy Policy.

Whether a decision could reasonably be expected to significantly affect the rights or interests of an individual will depend on the circumstances, but could include a decision made under an Act to grant a benefit to an individual (such as a housing benefit), or a decision that affects an individual's rights under a contract (such as a life insurance policy).

These proposed changes will apply broadly, regardless of whether the arrangement for a computer program to make the decision was made before or after commencement of the new law, and regardless of whether the personal information in the operation of the computer program was acquired before or after the commencement of the new law.

Civil penalties and enforcement powers

The Bill will introduce new civil penalties that will apply commensurate with the seriousness of the interference with privacy.

In determining whether an interference with privacy may be 'serious', certain factors will be taken into consideration, including the sensitivity of the personal information of the individual, and the consequences of the interference with privacy for the individual.

The enforcement mechanisms available to the OAIC will also be enhanced, so that infringement notices for civil penalties can be issued for relatively minor contraventions of the Privacy Act – for example, having a non-compliant privacy policy, or failing to issue a compliant data breach notice. The penalty payable under such infringement notices will not exceed 200 penalty units (currently $62,600).

With these new powers, we can expect to see an even greater focus by the OAIC on enforcement-led activities.

Expanding Federal Court of Australia (FCA) and Family Court of Australia (FCFCOA) powers

The Bill aims to enhance the privacy of an individual's personal information by expanding the availability of remedies for contraventions of civil penalty provisions under the Privacy Act.

In such cases, the FCA and FCFCOA will have the power to issue any order they see fit, including orders directing any reasonable act to be performed to redress the loss or damage suffered, orders directing damages to be paid by way of compensation, as well as orders directing a statement regarding the contravention to be published or communicated.

Empowering the OAIC’s investigative and monitoring powers

The Bill aims to improve regulatory outcomes under the Privacy Act by empowering the OAIC to use general investigation and monitoring powers for certain matters under the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The provisions that enable this measure would replace the Privacy Act provisions regulating entry and inspection. These new powers of the OAIC will be constrained in several ways, including that they cannot be exercised without prior judicial authorisation (i.e., a warrant) or consent being given for entry into the premises, and conditions will be placed on the issuing of a monitoring or investigation warrant. However, the ability to use necessary and reasonable force when executing a warrant, which is permitted by current Privacy Act arrangements, has been preserved.

Empowering public inquiries by the Information Commissioner

The Bill enables the Information Commissioner to hold public inquiries into certain privacy matters with the direction or approval of the Minister, to allow the investigation of systemic, industry-wide acts and practices. The Minister will be required to specify the acts or practices and the type of personal information in relation to which the inquiry is to be held. Notably, the Information Commissioner would not be bound by the rules of evidence in such inquiries, and has the power to require the production of documents and information as well as the power to examine witnesses.

Code making powers

The Information Commissioner will have enhanced powers to create codes that offer more detailed guidance on how to apply or comply with the APPs. This includes developing and registering an APP code on the direction of the Attorney-General where it is in the public interest to do so, and to make temporary APP codes to respond to urgent situations.

To enhance and safeguard children's privacy on the internet, the Information Commissioner must also draft and implement a Children's Online Privacy Code within two years of these provisions coming into effect.

Emergencies

The Bill proposes to amend the Privacy Act's emergency declaration provisions, which previously allowed for the broad sharing of personal information in a declared emergency or disaster. Emergency declarations will be more targeted, by requiring that the declaration specify, amongst other things, the kinds of personal information that may be handled and the entities which may handle the personal information. It is hoped that these prescriptive requirements will give entities more confidence about when they are permitted to take action without contravening the Act, and strike a better balance between protecting individuals' privacy and enabling effective responses to a disaster or emergency.

In addition, the Minister will have the power to issue a declaration that would enable the sharing of personal information with appropriate entities in order to prevent or reduce the risk of harm to individuals in the event of a data breach.

In conclusion - reform to better protect Australians' privacy

Overall, although the Bill demonstrates the Government's commitment to reform to better protect Australians' privacy, it is a modest response to the substantial overhaul proposed in the Report.

Notable omissions from the Bill include the extension of the Privacy Act to small business; the removal of the employee records exemption; changes to what is covered by the definition of 'personal information'; and the introduction of the requirement that the collection, use and disclosure of personal information must be 'fair and reasonable' in the circumstances. Some of the reforms will have little real effect on privacy protection, such as the proposal to amend the object of the Act to explicitly recognise that there is a public interest in protecting privacy. For other reforms, such as additional OAIC investigatory powers and extensions to the Federal Court's authority in civil penalty proceedings beyond pecuniary penalties, it remains to be seen whether there will be any material impact on strengthening and enforcing privacy protections in Australia.

There is still some way to go in overhauling Australia's privacy laws to ensure they are fit-for-purpose for the digital age, with many of the more significant reforms yet to be legislated.

Nevertheless, the Bill signals an opportune time for all APP entities to consider whether their privacy and data protection arrangements are in order. This should include the following:

  • reviewing and updating privacy policies, not only to address the new automated decision-making disclosures, but to ensure that they reflect the organisations’ current data handling practices;
  • conducting a data audit – in order to identify and document personal information collected, stored, and processed by the organisation, as well as its necessity and security;
  • reviewing and enhancing technical and organisational data security measures – including to protect personal information from data breaches;
  • providing regular training to employees – emphasising the importance of compliance with the Privacy Act and internal policies, particularly given the OAIC’s increasingly enforcement-led approach;
  • preparing for automated decision-making requirements – by examining current practices involving automated decision-making to ensure they comply with the Bill’s proposed amendments.

The reforms reflected in the Bill are a modest start, but pave the way for a longer journey towards robust privacy protection, particularly as organisations move ever further into an era defined by data, innovation and digital transformation. For Australian organisations, the opportunity is not only to show compliance, but to champion privacy and data protection as a differentiating cornerstone of trust and transparency.


The team at MinterEllison can assist you in understanding the legal issues and risks associated with privacy reform to your organisation. If you need more detailed advice, contact us.

https://www.minterellison.com/articles/australias-privacy-law-overhaul-begins