The much anticipated Bill amending Australia’s Privacy Act has finally been released! After much speculation, what does the Bill actually contain?
Nearly five years have passed since the review of the Privacy Act 1988 (Cth) (Privacy Act) commenced in late 2019. On 12 September 2024, the first tranche of substantive reforms to the Privacy Act following the review was released with the introduction of the Privacy and Other Legislation Amendment Bill 2024[1] (the Amendment Bill) into the House of Representatives. We outline the major amendments in this Insight.
Background
The Privacy Act review commenced in late 2019. The Attorney-General’s Department released its Review Report,[2] which contained 116 proposals for reform, in February 2023, following which there was a consultation. The Government’s response to the Review Report was released on 28 September 2023.[3] While the Government agreed to many of the amendment proposals (or agreed in principle subject to further consultation), not many of the amendment proposals have been included in the Amendment Bill. However, given the likelihood of a federal election in the first half of next year, there may not be sufficient time for any further Bills to be released before the election (and this Amendment Bill will lapse if not enacted before the election).
Key changes in the Amendment Bill
Key changes include those outlined below.
1. A new Children’s Online Privacy Code will be developed. Providers of social media services, relevant electronic services or designated internet services (as defined in the Online Safety Act 2021) must comply with the Code if their service is likely to be accessed by children. Where possible, the Code will align with Codes overseas, such as the UK Children’s Code.[4] A draft Code will be released for consultation and the Code must be implemented within 2 years of the commencement of the amendment.[5]
2. APP Codes. The Information Commissioner will have enhanced powers to make Australian Privacy Principles (APPs) Codes which clarify the application of the APPs and how to comply with the APPs.[6]
3. Overseas data flows. A mechanism will be introduced which prescribes countries and binding schemes which provide substantially similar privacy laws to Australia. This will enable entities, when assessing whether to disclose personal information to an overseas recipient, to have greater certainty about the privacy standards with which the overseas recipient must comply before the personal information is disclosed to them.[7]
4. Automated decision making. Automated decision making has the potential to significantly impact individuals’ interests. Entities which use automated decision making will be required to update their privacy policies if the automated decisions could reasonably be expected to significantly affect an individual’s rights or interests and their personal information is used in the program making the decision. Privacy policies will need to address, for example, the kinds of personal information used in the program and the types of decisions made. These requirements will take effect 24 months after the Act receives Royal Assent.[8] As outlined in the Explanatory Memorandum to the Bill, the Government wants to provide individuals with greater transparency about how their information is being handled by entities and for what purposes.
5. A statutory cause of action for serious invasions of privacy will be introduced (which has been discussed for many decades).[9] The cause of action requires the following: (i) there must be an intrusion on a plaintiff’s physical privacy or misuse of their information; (ii) a person in the plaintiff’s position must have a reasonable expectation of privacy in all the circumstances; (iii) the invasion must be reckless or intentional; and (iv) the invasion must be serious. While the plaintiff will not have to prove any damage, they will need to establish that the public interest in protecting their privacy outweighs any competing public interest of the defendant. There are various defences and some exemptions from liability, including for journalists. This addresses a gap, as the Privacy Act does not apply to individuals acting in their personal capacity. Our Media team is considering this amendment in detail. This will take effect on a date to be fixed by Proclamation or otherwise six months after the Act receives Royal Assent.
6. Doxxing (when personal data is released in a harassing or menacing way) will be included as a criminal offence in the Criminal Code 1995 with a maximum penalty of 6 years’ imprisonment.[10] The offence will apply when an individual:
- uses a carriage service to distribute or publish the personal data of one or more individuals; and
- does so in a manner which a reasonable person would regard as threatening or menacing to the individuals.
If the individual or group is targeted due to, for example, their race, religion, gender, disability, nationality or ethnicity, the maximum penalty is increased to 7 years’ imprisonment.
For the purposes of the doxxing offence, ‘personal data’ is any information which would enable the individual to be identified, located or contacted, for example, their name, photo, phone number or address. An example of doxxing is where the name and email address of an individual is published on a website and others are encouraged to repeatedly contact the person with threatening messages.
7. Serious interferences with privacy. There will be greater clarity about what is a “serious interference with privacy”, with an interference being serious if various factors apply, for example, the sensitivity of the information, the number of individuals affected and whether an individual is a child or otherwise vulnerable.[11] (In December 2022, the maximum penalties for serious or repeated breaches of privacy were increased for companies to the greater of $50 million, three times the value of any benefit obtained through the information’s misuse and 30% of a company’s adjusted turnover; our Insight on the increased penalties is available here.)
8. New civil penalties will be available for interferences with privacy which are not serious, which fills an enforcement gap as currently civil penalties are only available for serious (or repeated) interferences with privacy. Courts will be able to impose a civil penalty order for interferences with an individual’s privacy which are less than serious, for example, failing to notify individuals of an eligible data breach as soon as practicable. These civil penalties are up to a maximum of 10,000 penalty units for a company (currently $3.3 million) or 2,000 penalty units for an individual (currently $626,000).[12]
9. Infringement notices will be able to be issued by the Information Commissioner for breaches of the Privacy Act which are minor without needing to litigate. Infringement notices may be issued for:
- breaches of various APPs, for example, not having an APP privacy policy; having a privacy policy which does not contain mandatory content; not including a simple way of opting out of direct marketing communications; and failing to deal with correction requests; and
- failing to provide a compliant eligible data breach statement.[13]
The maximum civil penalties must not exceed 1,000 penalty units for a company (currently $330,000) or 200 penalty units for an individual (currently $66,000).
10. Public inquiries will be able to be conducted by the Information Commissioner to look at acts or practices which are relevant to the privacy of individuals and may be industry-wide or systemic issues.[14]
11. Monitoring and investigative powers will be granted to the Office of the Australian Information Commissioner (OAIC), including the power to enter premises with the occupier’s consent or if issued with a warrant.[15]
Next Steps
We are monitoring the progress of the Amendment Bill closely and will provide further updates. In the meantime, should you have any privacy questions or concerns, please contact us.
For regular insights, follow Addisons on LinkedIn and subscribe to our updates.
1. Privacy and Other Legislation Amendment Bill 2024, available at aph.gov.au.
2. Attorney-General’s Department, Privacy Act Review Report, 16 February 2023. Addisons Insight: Long awaited Privacy Act Review Report, 20 February 2023.
3. Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023. Addisons Insight: The Future of Privacy Law, 23 October 2023.
4. United Kingdom Children’s Code (Age appropriate design: a code of practice for online services).
5. Part 4 of Schedule 1 of the Amendment Bill.
6. Part 2 of Schedule 1 of the Amendment Bill.
7. Part 6 of Schedule 1 of the Amendment Bill.
8. Part 15 of Schedule 1 of the Amendment Bill.
9. Schedule 2 of the Amendment Bill.
10. Schedule 3 of the Amendment Bill.
11. Part 8 of Schedule 1 of the Amendment Bill.
12. Part 8 of Schedule 1 of the Amendment Bill. As at September 2024, 1 penalty unit is $313.
13. Part 8 of Schedule 1 of the Amendment Bill.
14. Part 10 of Schedule 1 of the Amendment Bill.
15. Part 14 of Schedule 1 of the Amendment Bill.