The Australian Government has taken a first step forward in its effort to bring Australian Privacy laws into the digital age, with the introduction of the Privacy and Other Legislation Amendment Bill 2024 (Bill) into Parliament last week.

This announcement comes just shy of the one-year anniversary of the release of the Australian Government’s response to the Attorney General’s Privacy Act Review Report, whereby it accepted the need for a privacy regime that offered greater privacy protections, and would remain “fit-for-purpose” in the evolving digital economy.

Though the Bill is not yet the fundamental overhaul that was ultimately anticipated, it does contain a number of reforms that will impact the way businesses manage, store, and handle personal information and data, and will form the basis of a realignment of Australians’ expectations of a broader right to privacy.

Highlights
  • The changes signal a major shift in personal data management in Australia, aligning privacy laws with modern digital realities.
  • Key reforms include addressing doxxing, enhancing children’s privacy protections, and introducing a Children’s Privacy Code.
  • Businesses must update their privacy systems to ensure compliance with the new laws, particularly in areas like automated decision-making transparency.
  • The reforms also aim to facilitate seamless global data transfers, helping Australian businesses compete internationally.

Background

In our previous article, we discussed the Government’s formal position on each of the 116 recommendations provided for in the Privacy Act Review Report, and touched on the changes that were to be implemented immediately through the new legislation. Of the agreed proposals, we discussed:

Additional protection for individuals, which would address the need for greater transparency with respect to the full range of purposes for which personal information is being used, and provide specific protections or considerations for children’s privacy in the digitised environment;

Operational clarity for overseas transfers and data security, which would see the introduction of an adequacy mechanism to prescribe countries and certification schemes that provide protection that is ‘substantially similar’ to the Australian Privacy Principles (APPs); and

More nuanced enforcement, which would offer lower tiers of penalty for wrongdoings that fail to satisfy the threshold for ‘serious or repeated’ interferences with privacy that allow for enforcement actions to be taken under the current regime.

Key changes

In what the government has called a “first tranche” of reform, the Bill introduces a statutory tort for serious invasions of privacy, expands investigative powers for the Australian Information Commissioner, and establishes new criminal offences targeting harmful practices such as doxxing. It also imposes second-tier civil penalties for non-serious privacy breaches, and outlines how personal information should be handled during emergencies. Many updates are designed with the digital age in mind, including new transparency obligations for the use of AI and the introduction of a children’s privacy code to strengthen online protections for minors.

Notably, many of the proposed reforms that were put forward in last year’s Privacy Act Review Report have been omitted from the Bill. For instance, some of the most significant ‘agreed in principle’ proposals we discussed in our previous article, such as updating the definition of “personal information” and abolishing exceptions for small businesses, have been left out.

Of course, that is not to say that the changes the draft legislation captures are insignificant. Rather, it illustrates the considerable reforms still needed to make Australia’s Privacy Laws entirely fit for purpose in the digital age.

Enhanced Privacy Protections and Enforcement

The Bill proposes several key reforms that, if enacted into law, will serve to enhance the protections offered by the Act, and provide additional enforcement powers for interferences with privacy. These are outlined below:

  • Code-making powers
    Provisions have been introduced strengthening the Information Commissioner’s power to develop and implement new APP codes. These can be used to address specific use cases that present unique or immediate privacy impacts.
  • Provisions for Emergency Data Sharing
    New guidelines for sharing personal information during emergencies require that emergency declarations clearly outline what information can be handled, which entities are authorised to manage it, who can receive it, and the purposes for its use. This ensures enhanced protection of personal privacy while still allowing effective emergency responses.
  • Children’s Online Privacy Code (COP Code)
    To enhance privacy protections for children in the digital space, the Information Commissioner will be required to develop and register a COP Code (an enforceable APP code) within two years of the Bill’s coming into force. The COP Code will apply to entities providing services to children, such as social media platforms.
  • Security, retention and destruction
    Further clarification has been provided regarding the measures entities are expected to take to ensure the security and protection of personal data. This includes implementing both ‘technical and organisational’ measures, such as securing access to premises, encrypting data, and training employees on data protection.
  • Overseas data transfers
    New mechanisms have been introduced to facilitate the safe transfer of personal data across borders, including to prescribed ‘white listed’ countries and the use of binding schemes, which provide substantially similar privacy protections to the APPs. These measures are intended to ease the burden on entities having to assess the ‘adequacy’ of overseas regimes or having to negotiate detailed privacy arrangements with data recipients, enabling less friction when dealing with overseas trading partners.
  • Eligible data breaches
    The Minister may now make an ‘eligible data breach declaration’, allowing entities to handle personal information in a manner that would not normally be allowed under the APPs. This right may only be exercised when it is necessary to prevent or reduce the harm to individuals following an eligible data breach.
  • Increased clarity on serious breaches
    The Bill has clarified what courts will consider when deciding whether a privacy breach is ‘serious’, for instance, the sensitivity of the information and the consequences of the breach.
  • Non-serious breaches
    The Bill introduces a second tier of civil penalties for non-serious privacy interferences, meaning that entities can now be held accountable for a wider range of breaches. Examples of non-serious breaches include not having a privacy policy or having one which lacks the required information.
  • Increased monitoring and investigative powers
    The Bill introduces the right for the Information Commissioner to conduct public inquiries into specified matters, subject to ministerial approvals.
  • Determinations following investigations
    The Bill expands the scope of determinations that the Information Commissioner can make following a privacy breach. The Commissioner can not only require an entity responsible for a privacy breach to take reasonable actions to address any damage already suffered, but can also now demand that an entity takes steps to prevent or reduce future loss or damage.
  • Transparency and Automated Decision-Making
    Entities will be required to disclose when personal information is being used in automated decision-making processes that significantly affect an individual’s rights or interests. Privacy policies will now be required to include details of the kinds of information that will be used through computer programs (including AI and machine learning), and the types of decisions that are being made by those programs.

New Statutory Tort for Serious Invasions of Privacy

Individuals can seek remedies against other individuals for intentional or reckless intrusions of privacy. This applies when a person has a reasonable expectation of privacy, and the invasion is serious. Conceptually, this may be the most significant change to the Act if passed, as it would regulate privacy rights as between individuals, rather than addressing the handling of personal information by agencies and organisations. Together with the doxxing proposals, we see an evolution towards the establishment of a sense of online ‘privacy’, and actionable privacy rights between individuals.

Doxxing

Criminal offences for doxxing have been introduced which deal with the release of personal information with malicious intent. The use of communication platforms (such as social media) to distribute personal data in a manner considered to be menacing or harassing has been criminalised, with imprisonment as the penalty. Increased sentences apply where a person is targeted based on race, gender, religion, or other protected characteristics.

Key takeaways

These changes mark a significant shift in how personal data is managed in Australia, by beginning to align privacy laws with the realities of the digital age through increased regulation of agencies and organisations, and the express recognition of personal privacy rights as an actionable concept between individuals.

It is crucial for businesses to understand these reforms and ensure their privacy systems are up to date to maintain compliance. The new laws addressing doxxing and enhancing protections for children’s privacy are particularly important, as they address the need to protect individuals from online harm. Similarly, compliance with a new Children’s Privacy Code, and transparency around automated decision-making, will require specific attention.

On the other hand, there is recognition of the need to provide lawful mechanisms to support frictionless digital, global transactions. The reforms also present opportunities for easier global data transfers, enabling Australian entities to compete more effectively in international markets.

Are you ready?

When was the last time you reviewed your privacy policy or assessed the strength of your privacy mechanisms? With the proposed changes, it is a good time to conduct a privacy risk assessment to stay ahead of the evolving regulations and ensure your business remains compliant.

If you have any questions, or require any assistance, please don’t hesitate to contact our team of privacy experts.