Privacy Milestone: First Tranche of Privacy Reforms Passed

02.12.2024 Tom E Fletcher, Fiona Chong, Kate Dimes Letters, Sonja Read and Paul Kallenbach

The Privacy and Other Legislation Amendment Bill 2024 (Cth) has been passed by both Houses of Parliament.


Key takeouts


  • The Privacy and Other Legislation Amendment Bill 2024 (Cth) has been passed by both Houses of Parliament. The Bill now awaits the Royal Assent.
  • The Bill implements 23 of the 25 proposals directed at legislative change to the Privacy Act 1988 (Cth) that were ‘agreed’ to by the Government in its 2023 response to the Attorney-General’s Privacy Act Review Report.
  • Key changes to the Bill since it was first introduced include changes to the tort for serious invasions of privacy, and the introduction of new OAIC powers to issue compliance notices.

The Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) was passed by both Houses of Parliament on 29 November 2024. It is the first tranche of long-awaited reforms to the Privacy Act 1988 (Cth) (Privacy Act) following the Attorney-General’s Privacy Act Review Report of February 2023 (Report) and the Government’s response to that Report of September 2023 (Response). We have previously discussed the Report and the Response in detail in our article, The long road to Australian privacy reform.

In the Government’s Response, it ‘agreed’ to 38 of the 116 proposals, with a further 68 ‘agreed in-principle’. The Bill implements 23 of the 25 ‘agreed’ proposals that were specifically directed at legislative change. Key reforms which have been passed include:

  • a new cause of action in tort for serious invasions of privacy;
  • a new criminal offence of ‘doxxing’ – that is, releasing personal data using a carriage service in a manner that would reasonably be regarded as menacing or harassing;
  • a requirement for the OAIC to develop a Children’s Online Privacy Code addressing online privacy for children;
  • new civil penalty provisions for interfering with the privacy of individuals and new OAIC powers to issue infringement notices and compliance notices;
  • new Ministerial powers to ‘white list’ countries that provide substantially similar privacy protections, in order to assist entities disclosing personal information overseas;
  • a new requirement for privacy policies to include information about automated decision-making; and
  • clarifying that taking ‘reasonable steps’ to protect the security of personal information includes implementing ‘technical and organisational measures’.

There have been some changes to the Bill since it was first introduced, in particular to the tort for serious invasions of privacy and the introduction of new OAIC powers to issue compliance notices, which we explore below.

The key amendments commence the day after the Bill receives the Royal Assent, except for:

  • updating privacy policies to include automated decision-making – which will commence 24 months after the Royal Assent; and
  • the provisions relating to the tort of serious invasions of privacy – which will commence on a day to be fixed, but within 6 months after the Royal Assent.

Tort for serious invasions of privacy

One of the most significant and hotly contested reforms is the new tort for serious invasions of privacy. This new cause of action empowers an individual to sue another person where that person has invaded the individual’s privacy by intruding upon their seclusion or misusing information relating to them. The statutory tort requires a plaintiff to prove the following elements:

(a) there has been an invasion of privacy by either intrusion upon the plaintiff’s seclusion (e.g., physical intrusion on their private space) or the misuse of information that relates to the plaintiff;

(b) the plaintiff has a reasonable expectation of privacy in all of the circumstances;

(c) there was an element of fault on the part of the defendant (i.e., the invasion of privacy must have been intentional or reckless, rather than merely negligent);

(d) the invasion of privacy was serious; and

(e) the public interest in the plaintiff’s privacy outweighs any countervailing public interest (such as freedom of expression or freedom of the media).

This last ‘public interest’ element was added to the Bill by amendments in the Senate, and means that defendants are not required to adduce evidence as to the public interest. Instead, the onus of proof lies on the plaintiff in relation to the public interest balancing element, and courts will be able to take judicial notice of public interest matters. The Bill also clarifies that ‘artistic expression’ is a form of freedom of expression and provides examples of matters that may constitute a ‘countervailing public interest’.

The plaintiff must be an individual (i.e., a natural person); companies cannot sue under this tort.

Importantly, although the tort sits under the Privacy Act, the defendant need not be an ‘APP entity’ – any individual or organisation can be sued under this tort.

The Bill provides non-exhaustive lists of factors that will guide courts in their assessment of reasonable expectations of privacy, the ‘seriousness’ of the invasion of privacy, and public interest matters. Importantly, the plaintiff will not have to prove that they have suffered damage in order to bring an action.

Remedies include injunctions, declarations, ordered apologies and compensation. There is a cap on exemplary or punitive damages and damages for non-economic loss, the sum of which cannot exceed $478,550 or the maximum amount of damages available for non-economic loss in defamation law (whichever is greater).

It is a defence to the cause of action if the defendant’s conduct was required or authorised by law; the defendant reasonably believed the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person; or the plaintiff impliedly or expressly consented to the invasion of privacy. There are also defences similar to those in defamation law, including absolute privilege, publication of public documents, and fair report of proceedings of public concern.

Journalists are exempt from the cause of action to the extent that an invasion of privacy involves the collection, preparation for publication or publication of journalistic material. Significantly, after amendments made in the Senate, this exemption now extends to those who publish and distribute journalistic material, as well as employers of journalists and persons assisting journalists in certain circumstances. The definition of journalistic material has been expanded to include editorial content.

Exemptions apply for law enforcement bodies, intelligence agencies, and persons under the age of 18. A late addition to the exemptions included Commonwealth agencies, and State and Territory authorities and their staff members to the extent that the invasion of privacy occurs in the good faith performance or purported performance of a function, or exercise or purported exercise of a power, of the agency or authority.

Importantly, after amendments made in the Senate, the Bill introduces a mechanism for the early determination of whether an exemption applies. This procedural change will allow courts to deal with the threshold issue of exemption before the parties spend significant time and resources preparing for trial.

Doxxing to be a criminal offence

The Bill makes ‘doxxing’ a criminal offence by amending the Criminal Code Act 1995 (Cth). Doxxing is the use of a carriage service to make available, publish or distribute personal data, where the person engages in the conduct in a way that reasonable persons would regard as being menacing or harassing. This offence will be punishable by up to 6 years’ imprisonment.

Personal data of an individual is defined as information about the individual that enables the individual to be identified, contacted or located. This is a broader concept than ‘personal information’ under the Privacy Act, since it extends beyond a person’s identity (being the focal point of the Privacy Act definition) to also include the person’s contact details and location (i.e., even when that person is not themselves identifiable).

The Bill also creates a separate doxxing offence where one or more members of a group are targeted due to a belief that the group is distinguished by their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin. This offence is punishable by up to 7 years’ imprisonment.

APP 11 – security of personal information

Currently, APP 11.1 requires an APP entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The Bill will add a new APP 11.3, which provides that ‘reasonable steps’ in APP 11.1 includes ‘technical and organisational measures’ – mirroring language used in the European General Data Protection Regulation.

The Bill’s Explanatory Memorandum provides examples of technical measures, including protecting information through physical measures, software and hardware, whilst organisational measures include steps and processes that an entity should implement, such as employee training on data protection. However, the Bill provides limited practical guidance. It is hoped that the OAIC will provide more detailed guidance in due course.

Facilitating overseas data flows

To support the free flow of information across borders, the Bill introduces a ‘white list’ mechanism to prescribe countries with substantially similar privacy laws, in order to assist entities to assess whether to disclose personal information to an overseas recipient.

Currently, an APP entity must take reasonable steps to ensure an overseas recipient does not contravene the APPs in relation to personal information disclosed to it. In addition, under the accountability principle, the APP entity is liable for any acts or omissions of the overseas recipient that would otherwise breach the Privacy Act.

There is an exception to this accountability regime, where the APP entity reasonably believes that the recipient of the information is subject to a law or binding scheme that is substantially similar to the APPs (i.e., an equivalent privacy regime). In practice, this exception has rarely been relied upon, due to the difficulty of determining whether the laws of any particular jurisdiction give rise to an equivalent privacy regime.

The Bill addresses this by enabling the Government to prescribe equivalent privacy regimes by regulation.

Automated decision-making systems

APP entities will need to update their privacy policies to include additional information, where personal information will be used by a computer program to make a decision that ‘could reasonably be expected to significantly affect the rights or interests of an individual’. APP entities will need to include information about the kinds of personal information used in the operation of such computer programs, and the kinds of decisions that are made.

This is required if a computer program is making, or doing a thing substantially or directly related to the making of, the decision. This means that, if the decision is substantially made or influenced by AI or another automated decision-making system (even if there is a ‘human in the loop’), this will need to be disclosed in the Privacy Policy.

These proposed changes will apply broadly, regardless of whether the arrangement for a computer program to make the decision was made before or after commencement of the new law, and regardless of whether the personal information in the operation of the computer program was acquired before or after the commencement of the new law.

As stated above, this requirement will take effect 24 months after the Bill receives Royal Assent.

Civil penalties and enforcement powers

The Bill introduces new ‘lower threshold’ civil penalties that will apply commensurate with the seriousness of the interference with privacy.

In determining whether an interference with privacy may be ‘serious’, certain factors will be taken into consideration, including the sensitivity of the personal information of the individual, and the consequences of the interference with privacy for the individual.

The enforcement mechanisms available to the OAIC will also be enhanced, so that infringement notices for civil penalties can be issued for relatively minor contraventions of the Privacy Act – for example, having a non-compliant privacy policy, or a failure to issue a compliant data breach notice.

Following Senate amendments to the Bill, the OAIC will also be empowered to issue compliance notices if it ‘reasonably believes’ that an entity has contravened the Privacy Act. A compliance notice must set out the details of the contravention and specify:

  • the steps that the entity must take to address the contravention and/or to ensure that the conduct constituting the contravention is not repeated or continued; and
  • the time period within which the steps must be taken (which must be a reasonable period).

Importantly, an entity that complies with a compliance notice is not taken, by that compliance, to have admitted to the contravention set out in the notice, or to have been found to have engaged in the contravention. However, if an entity fails to comply with a compliance notice, the OAIC may issue an infringement notice or seek a civil penalty order.

With these new powers, we can expect to see an even greater focus by the OAIC on enforcement-led activities. These new powers will take effect imminently (i.e., the day after the Bill receives Royal Assent).

Expanding Federal Court of Australia (FCA) and Family Court of Australia (FCFCOA) powers

The Bill expands the availability of remedies for contraventions of civil penalty provisions under the Privacy Act.

The FCA and FCFCOA will have the power to issue any order they see fit, including orders directing any reasonable act to be performed to redress the loss or damage suffered, orders directing damages to be paid by way of compensation, as well as orders directing a statement regarding the contravention to be published or communicated.

Empowering the OAIC with new investigative and monitoring powers

The Bill empowers the OAIC to use general investigation and monitoring powers for certain matters under the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The provisions that enable this measure replace the Privacy Act provisions regulating entry and inspection. These new powers cannot be exercised without prior judicial authorisation (i.e., a warrant) or consent being given for the entry into the premises, and conditions will be placed on the issuing of a monitoring or investigation warrant.

Empowering public inquiries by the Information Commissioner

The Bill enables the Information Commissioner to hold public inquiries into certain privacy matters with the direction or approval of the Minister, to allow the investigation of systemic, industry-wide acts and practices. The Minister will be required to specify the acts or practices and the type of personal information in relation to which the inquiry is to be held. Notably, the Information Commissioner will not be bound by the rules of evidence in such inquiries, and will have the power to require the production of documents and information as well as the power to examine witnesses.

Code making powers

The Information Commissioner will have enhanced powers to create codes that offer more detailed guidance on how to apply or comply with the APPs. This includes developing and registering an APP code on the direction of the Attorney-General where it is in the public interest to do so, and to make temporary APP codes to respond to urgent situations.

To enhance and safeguard children’s privacy on the internet, the Information Commissioner must also develop a Children’s Online Privacy Code (COP Code) within two years of these provisions coming into effect. The COP Code will set out how to comply with APPs in relation to the online privacy of children. It will apply to providers of social media services, relevant electronic services or designated internet services that are ‘likely to be accessed by children’ and are not providing a health service.

Following Senate amendments to the Bill, consultation for development of the COP Code has been extended to include industry organisations or bodies representing the interests of one or more entities that may potentially be bound by the COP Code, and the minimum consultation period has been extended from 40 days to 60 days.

Emergencies

The Bill amends the Privacy Act’s emergency declaration provisions, which previously allowed for the broad sharing of personal information in a declared emergency or disaster. The amendments will set out the matters which must be specified in an emergency declaration, including:

  • the kinds of personal information that may be handled;
  • the entities which may handle the personal information; and
  • permitted purposes of the collection, use or disclosure.

It is hoped that these prescriptive requirements will give entities more confidence about when they are permitted to take action without contravening the law, and strike a better balance between protecting individuals’ privacy and enabling effective responses to a disaster or emergency.

In addition, the Minister will have the power to issue a declaration that would enable the sharing of personal information with appropriate entities in order to prevent or reduce the risk of harm to individuals in the event of a data breach.

Following Senate amendments, the Bill has been updated to clarify that national broadcasters are not permitted to access personal information during emergencies, confirming that the previous reference to that effect in the Bill was a drafting error.


While the changes under the Bill may be a modest response to the substantial overhaul proposed in the Report, they are a first step in the journey to robust privacy protections.

There is still some way to go in overhauling Australia’s privacy laws to ensure they are fit-for-purpose for the digital age, with many of the more significant reforms yet to be legislated in the future.

Nevertheless, with the introduction of a tort for serious invasions of privacy, and new civil penalty provisions, organisations should take the opportunity to consider whether their privacy and data protection arrangements are in order. This should include the following:

  • reviewing and updating privacy policies, not only to address the new automated decision-making requirements, but to ensure that they reflect the organisation’s current data handling practices;
  • conducting a data audit – in order to identify and document personal information collected, stored, and processed by the organisation, as well as its necessity and security;
  • reviewing and enhancing technical and organisational data security measures – including to protect personal information from data breaches;
  • providing regular training to employees – emphasising the importance of compliance with the Privacy Act and internal policies, particularly given the OAIC’s increasingly enforcement-led approach; and
  • preparing for automated decision-making requirements – by examining current practices involving automated decision-making in preparation for compliance with the Bill’s amendments.

For Australian organisations, the opportunity is not only to show compliance, but to champion privacy and data protection as a differentiating cornerstone of trust and transparency.

https://www.minterellison.com/articles/first-tranche-of-privacy-reforms-passed