On 29 November 2024, both Houses passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill). The Bill adopts a significant number of reforms to the Privacy Act 1988 (Cth) (Privacy Act) proposed by the Government. As the Bill has received Royal Assent, the reforms are incorporated into the Privacy Act.
In this Insight, we will summarise the key amendments to the Privacy Act which are likely to have an impact on businesses.
Statutory tort for serious invasions of privacy
One of the key reforms is the creation of a statutory tort for serious invasions of privacy, introduced in part to address the lack of recognition of such a tort in Australian common law. An individual has a cause of action against another (referred to as ‘A’ and ‘B’ respectively) if:
- B invaded A’s privacy by intruding upon A’s seclusion and / or misusing information relating to A;
- A person in A’s position would have had a reasonable expectation of privacy in the circumstances;
- the invasion of A’s privacy was intentional or reckless;
- the invasion of A’s privacy was serious; and
- the public interest in A’s privacy outweighs any countervailing public interest (such as freedom of expression, including political communication and artistic expression; freedom of the media; the proper administration of government; open justice; public health and safety; national security; and the prevention and detection of crime and fraud).
Whether the invasion of privacy is ‘serious’ takes into account (but is not limited to):
- the degree of offence, distress or harm likely caused to an ordinary person in the position of the plaintiff;
- whether the defendant knew or ought to have known the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff;
- whether the defendant was motivated by malice.
The plaintiff must be a natural person, and the suit must be commenced before the earlier of 1 year after the date the plaintiff becomes aware of the invasion of privacy, or 3 years after the date the invasion of privacy occurred. Where the plaintiff was under 18 at the time of the invasion of privacy, the action must be commenced before their 21st birthday.
The invasion of privacy is actionable without proof of damage. While damages are an available remedy, the Bill explicitly prohibits the award of aggravated damages, and caps non-economic loss at $478,550 or the maximum damages for non-economic loss, whichever is greater.
It is a defence if: the invasion of privacy was required or authorised by law; the plaintiff or an authorised person consented; or the defendant reasonably believed it to be necessary to prevent a serious threat to the plaintiff’s life, health or safety. Three defamation law related defences are available where the invasion occurred ‘by publishing’. A suit cannot be brought against intelligence agencies, enforcement bodies with a belief that the invasion is reasonably necessary, and journalists if the invasion of privacy involves the collection, preparation for publication, or publication of journalistic material.
A “journalist” is someone working in a professional capacity as a journalist and who is subject to standards of professional conduct or a code of practice that applies to journalists. Whether the invasion of privacy breaches the standards or codes of practice to which the journalist is subject is immaterial.
Material is “journalistic material” if it:
- has the character of news, current affairs or a documentary;
- consists of commentary or opinion on, or an analysis of, news, current affairs or a documentary; or
- consists of editorial content relating to news, current affairs or a documentary.
Doxxing Offences
The Bill inserts two new doxxing offences into the Criminal Code Act 1995 (Cth). It will be an offence to use a carriage service to make available, publish or distribute ‘personal data’ in a way that reasonable persons would consider menacing or harassing towards the person whose personal data is published (hereafter, to dox). Further, it will be an offence to dox one or more members of a group with the belief that the group is distinguished by one or more protected attributes (e.g. race, sexual orientation, disability). These offences attract a maximum penalty of 6 and 7 years of imprisonment respectively.
Personal data is any information that enables the individual to be identified, contacted or located. This includes data such as the individual’s name, address, phone number, email or photograph.
Penalties for Interference with Privacy
The Bill amends the civil penalty provision in section 13G of the Privacy Act. Currently, civil penalties may be imposed on entities which engage in conduct that constitutes serious interference with an individual’s privacy or repeated conduct that is interference with the privacy of one or more individuals. The Bill refocuses the section on whether the conduct of an entity was ‘serious’, with repeated or continuous conduct as a factor to determine seriousness.
The Bill also introduces lower threshold civil penalties, applicable where an entity’s conduct interferes with the privacy of an individual but is not ‘serious’. The maximum penalty is 2,000 or 10,000 penalty units (currently $660,000 or $3,300,000) for individuals and bodies corporate respectively.
Further, the Bill empowers the OAIC to issue civil penalty infringement notices where Australian Privacy Principle (APP) codes are breached or for non-compliant eligible data breach statements. APP codes – written codes of practice setting out how APPs are to be applied or complied with – are currently developed on developers’ own initiative or at the request of the Commissioner. The Bill empowers the Minister to direct the Privacy Commissioner to develop and register APP codes if the Minister is satisfied that it is in the public interest. The maximum civil penalty for breaching a civil penalty infringement notice is 200 penalty units (currently $660,000).
Further reforms
The OAIC will also be able to issue compliance notices requiring entities to take certain steps by the deadline listed in the notice and, if the entity fails to comply with a compliance notice, the OAIC can then issue an infringement notice (as outlined above).
The Bill also includes provisions:
- requiring APP entities to include in their privacy policies information about the kinds of personal information used, and the types of decisions made, in automated decision-making;
- relating to data breach declarations, including specifying the matters which must be set out in an emergency declaration, and enabling the privacy minister to make eligible breach declarations;
- to facilitate overseas data flows (cross-border disclosures of personal information), primarily by allowing for adequacy decisions to be made in respect of the privacy laws of other jurisdictions where those privacy laws are considered substantially similar to Australian privacy laws;
- to establish a Children’s Online Privacy Code (COPC), which will set out how the APPs will apply or be complied with in relation to children. In particular, providers of social media services, relevant electronic services or designated internet services (as defined in the Online Safety Act 2021) will be required to comply with the COPC if their service is likely to be accessed by children. A draft Code will be released for consultation and the Code must be implemented within 2 years of the commencement of the amendment;
- expanding the powers of the Federal Court of Australia and Family Court of Australia in relation to orders which may be issued; and
- empowering the Commissioner to conduct public inquiries into specified privacy-related matters.
While the Bill introduces significant reforms to the Privacy Act, more are expected to be rolled out in the coming years.