Earlier this year, the Privacy and Other Legislation Amendment Bill 2024 (Bill) was introduced into the lower house. Read our summary of the proposed changes to the Privacy Act 1988 (Cth) (Privacy Act) and Criminal Code Act 1995 (Cth) (Criminal Code).
On 19 September 2024, the Senate referred the Bill to the Legal and Constitutional Affairs Legislation Committee (Committee). The Committee received a number of submissions from the public and released its Report on 14 November 2024.
The Report makes 10 recommendations, one of which is that, subject to the other 9 recommendations being adopted, the Senate should pass the Bill.
The Report's key recommendations are as follows:
1. In relation to the proposed Children's Online Privacy Code (COP Code):
- the Office of the Australian Information Commissioner (OAIC) clarified in its submission that the proposed COP Code would not apply to health service providers, such as online counselling and advice services, and telehealth;
- the Information Commissioner must consult in relation to the development of the COP Code. Recommendation 1 of the Report extends the minimum consultation period from 40 days to 60 days. Recommendation 2 is that the Bill be amended such that the Information Commissioner is required to consult with stakeholders and industry bodies (as opposed to the previous wording, which was that the Information Commissioner 'may' consult with these bodies) – with the aim of ensuring that the COP Code is both fit for purpose and technically feasible.
The provisions relating to the development of the COP Code will take effect the day after the Bill receives Royal Assent. The Information Commissioner will then have 24 months from the date of Royal Assent to develop and register the COP Code.
2. In respect of the handling of personal information in emergencies, the Report clarifies that the Bill's reference to permitting national broadcasters to access personal information during emergencies was a drafting error. The proposed section 80KA(2)(b) will be amended to exclude such entities (Recommendation 3) and will take effect the day after the Bill receives Royal Assent.
3. Recommendation 4 provides that the Information Commissioner should be empowered to issue a discretionary notice to an APP entity to remedy an alleged breach of the new section 13K provisions (for example, for failing to have a privacy policy, or not including the requisite information in a privacy policy) before issuing an infringement notice under section 80U of the Privacy Act. This power will commence the day after the Bill receives Royal Assent.
4. Part 15 of the Bill provides that a new APP 1.7 will be included in the Privacy Act, which will require APP entities to include information about how and what kinds of personal information will be used in automated decision-making processes. Recommendation 5 proposes to clarify that the disclosures required to be made in privacy policies need not compromise commercial-in-confidence information about the APP entity's automated decision-making systems. The requirements under new APP 1.7 will commence 24 months from the day after the Bill receives Royal Assent.
5. Schedule 2 of the Bill creates a statutory cause of action in tort for serious invasions of privacy, and a public interest balancing mechanism. In relation to this Schedule, the Committee recommends:
- (Recommendation 6) the Bill should be amended to clarify that a defendant should not be required to adduce evidence of a public interest in every case, the Court should be required to consider countervailing public interests when determining whether the tort is made out, and that 'artistic expression' is a form of freedom of expression;
- (Recommendation 7) the journalism exemption should be broadened to include persons involved in a range of journalistic activities, such as publication, re-publication and distribution of journalistic material;
- (Recommendation 8) 'editorials' should be included as a form of exempt journalistic material; and
- (Recommendation 9) clause 9 of Schedule 2, currently headed 'interim injunctions' (for invasions of privacy) should be amended to clarify the Court is not limited in its powers to issue interim injunctions only.
The Deputy Chair Senator of the Committee recommended that Schedule 2 be excised from the Bill to allow for further extensive consultation with stakeholders to consider potential unintended consequences. Accordingly, it does not appear that the new tort will be passed within this first tranche of privacy reforms.
The Report also confirmed these Privacy Act reforms will be introduced before the mandatory guardrails for the use of artificial intelligence in high-risk settings (read our post on the mandatory guardrails) to support the Government's work in relation to ensuring the safe and responsible AI use in Australia.
On 18 November 2024, the Bill was introduced in the Senate and read a second time. This stage allows for the consideration and debate of proposed amendments to the Bill, including the Committee's recommendations, by the Senate as a whole.
Further updates to follow.