Privacy Reform Update

The Privacy and Other Legislation Amendment Bill 2024 (the Bill) was introduced in Federal Parliament on 12 September 2024. The Bill contains the first tranche of proposed reforms to the Privacy Act 1988 (Cth) (Privacy Act) to implement measures that will enhance the privacy of individuals in Australia. If the Bill successfully proceeds through Parliament this year, the new laws can be expected to commence from mid-2025.

Background

The Bill incorporates many of the recommendations put forward in the Attorney-General’s Privacy Act Review Report 2022 (the Report). The Federal Government subsequently released a response to the Report which ‘agreed’ to implement 25 of the recommendations requiring legislative change to the Privacy Act. The Bill proposes 23 of these recommendations.

Why this matters

Reforms to the Privacy Act will impact most Australian Government agencies, private sector organisations with an annual turnover of over $3 million and health service providers or small businesses who are currently covered under the ambit of the Privacy Act (e.g., small businesses that sell or purchase personal information or contract with the Government) (APP Entities).

Although the majority of the proposed reforms impose obligations on relevant APP Entities, the Bill also introduces further protections for individuals through the creation of a statutory tort for serious invasions of privacy, in addition to criminalising the practice of ‘doxxing’.

The increased penalties for breach, the new investigation and enforcement powers for the Office of the Australian Information Commissioner (OAIC) and the introduction of a statutory tort for individuals for serious invasions of privacy create additional incentives for APP Entities to ensure their privacy policies and internal processes are clear, up-to-date and compliant.

Key Changes:

1.     Statutory Tort for Serious Invasions of Privacy

  • The introduction of a tort for serious invasions of privacy provides a person with a cause of action if another person invades their privacy, either through:

    • an intrusion upon seclusion, including:

      • a physical intrusion on a plaintiff’s private space; or

      • an intrusion through watching, listening to or recording the plaintiff’s private affairs; or

    • the misuse of information that relates to the person.

  • While the scope of the Privacy Act has traditionally only covered information privacy and APP entities, this statutory tort fills a gap in the current Australian privacy framework by creating a cause of action for individuals which includes invasions of physical privacy, in addition to the misuse of personal information.

  • A plaintiff seeking to bring an action in tort must establish that:

    • the person had a reasonable expectation of privacy in all of the circumstances;

    • the invasion of privacy was serious;

    • the invasion of privacy was intentional or reckless, not merely negligent; and

    • the public interest in protecting the plaintiff’s privacy outweighs any public interest raised by the defendant.

  • The tort is actionable without proof of damage; however, a range of public interest exceptions and defences are available, including for journalism, enforcement bodies and intelligence agencies.

  • This statutory tort may open the door to potential class actions against APP entities for serious breaches of privacy. However, the invasion of privacy must be both ‘serious’ and ‘intentional or reckless’, which is a high threshold.

  • If successful, a plaintiff is able to access various remedies, including injunctions and an award of damages.

  • In light of recent high-profile data breaches in Australia, businesses should review the type and necessity of any personal information they collect, store and disclose to reduce the risk of liability and prevent intentional or reckless misuse of personal information.

2.     Automated Decisions

  • The Bill introduces a requirement for APP entities to include information in their privacy policies about:

    • whether the APP entity uses an automated decision-making process;

    • whether the decision could reasonably be expected to significantly affect the rights or interests of an individual; and

    • whether personal information about an individual is used to inform the decision-making process.

  • This reform is intended to increase transparency and certainty around automated decision-making processes which are likely to have an impact on individuals.

  • While this is limited to automated decisions which could reasonably be expected to significantly alter the rights or interests of an individual, businesses should review their privacy policies to ensure compliance with the Bill.

3.     Children’s Online Privacy Code

  • The Bill creates an obligation for the Information Commissioner to develop and register a Children’s Online Privacy Code which would cover APP entities that provide online or electronic services which are likely to be accessed by children, except health services.

4.     Doxxing Offence

  • The Bill also introduces changes to the Criminal Code Act 1995 (Cth) to criminalise the practice of ‘doxxing’.

  • Doxxing is where personal data which would enable an individual to be ‘identified, contacted or located’ is released through a carriage service in a way that is ‘menacing or harassing’ towards the individual.

  • A ‘carriage service’ is defined with reference to the Telecommunications Act 1997 (Cth) and covers any form of electronic communication method, including telephones, mobile services, radio waves, and internet services.

5.     Tiered civil penalties

  • The OAIC will receive new investigative powers, including search and seizure powers, exercised under a warrant, when investigating breaches under the Privacy Act.

  • Additionally, the OAIC will gain new enforcement powers, including civil penalties which can be tailored appropriately in accordance with the severity of the privacy breach, expanded monitoring and assessment functions and the ability to establish a public inquiry when directed to monitor systemic threats to privacy.

What’s next?

Following further consultation over the coming months, the Government is expected to release a second tranche of reforms which will likely consider:

  • a broader definition of ‘personal information’;

  • the introduction of broader individual rights, including a right to erasure;

  • a reduced timeframe for notifying the OAIC of a data breach; and

  • a plan to remove the small business and employee records exemptions.
