The long-anticipated uplift of Australia’s privacy laws is now underway, with the first tranche of amendments in what will be a staggered approach to reform.
The good news for organisations – there will be adequate time to update their privacy policies, data governance practices and cross-border data transfer arrangements to ensure compliance with incoming requirements. However, organisations should take heed that litigation, class action and regulatory risks are set to increase, with a new statutory right to litigate and a significant expansion in penalties, court powers and enforcement tools a clear focus in this round of reforms.
We outline below the most notable amendments sought to be introduced by the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill) and address which compliance items should be high on organisations’ agendas, to ensure readiness for the new landscape and to reduce exposure to unwanted outcomes.
Recap: Where Is Privacy Reform At?
The Bill, tabled in Parliament on 12 September 2024, follows lengthy periods of consultation and review of the Privacy Act 1988 (Cth) (Privacy Act), commencing in October 2020. Once passed, the Bill will implement the first tranche of reforms recommended by the Privacy Act Review Report, aimed at ensuring that Australia’s privacy laws are better aligned with global privacy benchmarks and fit for the digital age. We canvassed the spectrum of foreshadowed reforms here.
While the Australian Government had ‘agreed’ or ‘agreed in-principle’ to 106 of the Review Report’s 116 proposals, it seeks to implement only a discrete subset in this first tranche, reflective of high privacy risk areas and an evident enforcement stance. Other proposals, such as the removal of the small business exemption, a ‘fair and reasonable’ test for data handling and GDPR-style rights for individuals, have not been included. Although a second tranche of reforms is said to be in development for consultation over the coming months, any second or subsequent rounds of reform are not expected to be tabled before the next election (due by May 2025).
Key changes to be across in the first round of reforms are highlighted below.
Privacy Policies and Data Handling Practices
The Bill, assuming it is passed in its current form, will result in changes to the way in which organisations communicate and conduct their data handling practices, as follows:
• Automated decision-making
Privacy policies will need to include information about computer-driven decisions. Where APP entities use personal information in a computer program to make or do something substantially and directly related to making a decision which could reasonably be expected to significantly affect individuals’ rights or interests, they must disclose in their privacy policies the types of decisions made, and the kinds of personal information so used.
For example, this captures decisions made or substantially contributed to by an AI tool, or a score generated by Microsoft Excel which is used as a key factor in human decision-making. It would not, however, capture word processing or the use of a spreadsheet to merely tally up numbers. To ensure compliance, APP entities will need to first closely review their decision-making processes and any technological input. They will have a 24-month grace period from Royal Assent to the incoming legislation to make any required changes to their privacy policies.
• Cross-border data transfers
The Bill seeks to make cross-border disclosures of data significantly easier. It would introduce a certification-style mechanism to prescribe countries and binding schemes which provide at least substantially similar protection to the APPs. This would enable APP entities to freely transfer personal information to an overseas recipient who is subject to the laws of a prescribed country or a prescribed binding scheme, without the APP entity itself bearing the risk and related accountability should the overseas recipient breach the APPs (as a new exception to APP 8.1 and section 16C of the Privacy Act). Prescribed countries would be expected to include those with mature data protection laws, such as those in the GDPR-governed EU and UK. Prescribed countries, binding schemes and any conditions would be identified by way of regulations.
• Data security, destruction and de-identification
The Bill clarifies that the reasonable steps an APP entity must take in discharging its obligations pursuant to APP 11 to protect, secure, destroy and/or de-identify personal information include both “technical and organisational measures”. This is intended to highlight the range of governance and technical systems and tools expected from organisations to combat data security risks, as is reasonable in the circumstances – for example, robust data protection, management, retention and destruction policies and operating procedures, staff training, data encryption, access restrictions and physical and cyber security measures.
Litigation and Enforcement Risks
Much of the Bill has a strong slant towards deterrence of, and punishment for, breaches of privacy or non-compliance with data handling obligations. It arms Federal Courts, the Office of the Australian Information Commissioner (OAIC) and private individuals with significant new powers or rights, in a significant step-change for the data privacy risk landscape in Australia. Notable proposed changes are as follows:
• Statutory tort for serious invasions of privacy
The Bill includes a statutory tort for serious invasions of privacy, which is new to Australian law and intended to address current and emerging privacy risks. In essence, it provides individuals with a right to sue for damages for serious breaches of their privacy (for example, spying, data hacks or dissemination of information, where sufficiently ‘serious’).
Such a claim could be brought against any individual or organisation, whether or not they are subject to the Privacy Act.
The elements of the claim, as well as applicable defences, exemptions and remedies, are summarised in the table below.
Statutory Tort for Serious Invasions of Privacy

| Elements of Claim | Defences | Exemptions | Remedies |
| --- | --- | --- | --- |
| Invasion of privacy (intrusion upon seclusion, misuse of information, or both) | Conduct required or authorised by an Australian law or court / tribunal order | Journalists | Damages, including for emotional distress; exemplary or punitive damages (combined cap of $478,550 for damages for non-economic loss, exemplary and punitive damages) |
| A person in the plaintiff’s position would have had a reasonable expectation of privacy in all the circumstances | Consent (express or implied) | Law enforcement bodies | Accounts of profits |
| Fault (intentional or reckless – not negligent) | Necessity (defendant reasonably believed the invasion of privacy was necessary to prevent / lessen a serious threat to life, health or safety) | Intelligence agencies | Injunctions, interim and permanent |
| Invasion of privacy is serious | Incidental to exercising a lawful right to defend people or property (if proportionate, necessary and reasonable) | Children under the age of 18 | Apology orders, correction orders, orders for destruction or delivery up of materials (including copies), declarations |
| Public interest in protecting the plaintiff’s privacy outweighs any competing public interests raised by the defendant (e.g. freedom of expression) | Various defences under defamation law for publishing information (absolute privilege, publication of public documents, and fair report of proceedings of public concern) | | Other remedies as the court thinks most appropriate |
A plaintiff is not required to meet a minimum quantum threshold or indeed prove that they suffered any damage in order to bring a claim – as the cause of action is intended to protect an individual’s dignity and other intangible interests. However, any harm or damage caused is relevant to the court’s assessment of whether or not the privacy invasion can be considered ‘serious’, as well as any remedies ordered. The courts would be given summary judgment powers to dispose of unfounded claims. A limitation period would apply (1 year after the plaintiff became aware of the privacy invasion or 3 years after it occurred, whichever is earlier, subject to extension of time provisions).
• Federal Court powers to award damages and other orders
Federal Courts will be given powers to make any order they see fit upon finding that a civil penalty provision under the Privacy Act has been contravened. These orders may include, for example, directing entities to pay damages by way of compensation to individuals for any loss or damage suffered or likely to be suffered as a result of the breach, or directing entities to make a public statement about their breach. Affected individuals may apply to the Court for such an order within 6 years of the contravention.
• Civil penalties and infringement notices
New low and mid tier civil penalty provisions are set to be introduced under the Privacy Act. Different penalties would apply commensurate with the seriousness of an act or omission, with corporations facing maximum penalties ranging from 1,000 penalty units (currently $313,000) for ‘low tier’ non-compliances with the Privacy Act, through to 10,000 penalty units (currently $3,130,000) for ‘mid tier’ interferences with privacy. This seeks to address the gap in OAIC’s current enforcement capability, whereby civil penalties can be imposed only for serious, ‘high tier’ privacy interferences. OAIC would also have the power to issue infringement notices for up to 200 penalty units (currently $62,600) for relatively minor breaches of the Privacy Act.
• OAIC determinations following investigations
Following an investigation, OAIC would have the power to make a determination requiring an entity to take certain steps to redress loss or damage suffered as a result of a privacy interference or breach, or to prevent or reduce reasonably foreseeable future loss or damage. It could, for example, require an entity in breach of its data security obligations under APP 11 to assist individuals affected by a leak of their drivers’ licences, by replacing them or engaging theft and cyber support services.
• OAIC’s investigation and monitoring powers
The Bill contains a proposed expansion of OAIC’s monitoring and investigation powers, including new powers of entry, search and seizure (with consent or a warrant). In addition, the Information Commissioner could, upon Ministerial direction or approval, conduct public inquiries, examining systemic or industry-wide privacy issues.
Other Priority Areas
The following further high priority areas are reflected in the first round of privacy reforms:
• Eligible data breach and emergency declarations
The Bill seeks to enable Ministerial declarations to be made permitting the collection, use or sharing of personal information where an eligible data breach has occurred, to prevent or reduce the risk of harm to individuals. For example, declarations may be made to permit an APP entity to provide personal information to banks where there is a heightened risk of bank account scams or fraud, following a hack of personal data held on the APP entity’s systems. The declaration is intended to give the APP entity confidence that it is acting lawfully when sharing information in time critical situations. Similarly, the Bill provides for emergency declarations to permit targeted handling of personal information to assist individuals in emergency and disaster situations.
• Criminalisation of doxxing
The Bill seeks to introduce doxxing offences into the Criminal Code Act 1995 (Cth) (as previously discussed here). Individuals would face imprisonment for up to 6 years if they make available, publish or distribute an individual’s personal data online in a way that is menacing or harassing. The penalty increases to imprisonment for up to 7 years if such conduct is engaged in because of the victim’s race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
• Children’s Online Privacy Code
OAIC’s code-making powers would be enhanced. Additionally, the Bill requires OAIC to develop a Children’s Online Privacy Code, which stipulates how the APPs are to apply in the context of children’s privacy. APP entities that provide a social media service, relevant electronic service, or designated internet service (as defined, but excluding health service providers) whose services are likely to be accessed by children will be bound by that code, as will any other entities specified in the code.
Implications For Your Organisation
Entities are well advised to instigate a review and uplift of their privacy policies and compliance practices with the Bill’s proposed legislation front of mind.
At the top of the privacy agenda for organisations is the clearly amplified risk of litigation and regulatory action. The suite of enhanced Federal Court and OAIC powers has stepped up both the likelihood and impact of enforcement action for Privacy Act breaches, ranging from damages awards (which can be sought by affected individuals) and monetary penalties, through to infringement notices for lower-level contraventions such as a non-compliant privacy policy.
In tandem, in the case of serious invasions of privacy, the statutory tort provides an entirely new litigation pathway that is actionable without proof of loss, opening the door to both individual claims and class action risk. Entities subject to a data breach may find themselves facing such an action, particularly in the case of known or obvious systems weaknesses, although the bar for recklessness (or intent) is high and negligence would not suffice.
We recommend specific strategies for organisations to deploy to mature their data governance and privacy stance, build the confidence of their stakeholders, and mitigate the reputational, legal and financial consequences of falling short. If you would like to further consider these issues or their impact on your business, our team would be happy to discuss them with you.
KEY TAKEAWAYS:
- On 12 September 2024, the Australian Government tabled the Privacy and Other Legislation Amendment Bill 2024 (Cth), setting in motion the first tranche of reforms to Australia’s privacy laws.
- APP entities using automated decision-making will need to update their privacy policies under the proposed legislation.
- Cross-border data transfers will be facilitated by a certification-style mechanism, enabling free flows of data to prescribed countries and binding schemes.
- The reasonable steps organisations must take in discharging their obligations pursuant to APP 11 to protect, secure, destroy and/or de-identify personal information will include both “technical and organisational measures”.
- A new statutory tort for invasions of privacy is set to be introduced, providing individuals with a right to sue for damages for serious breaches of their privacy.
- Individuals will also have the right to apply for orders, including damages awards, where a Federal Court finds that an organisation has contravened a civil penalty provision of the Privacy Act.
- A new tiered civil penalty system is proposed, with penalties commensurate with the seriousness of the privacy interference or non-compliance, and infringement notices and other new tools and powers at OAIC’s disposal.
- Doxxing is set to be criminalised, with new offences for online disclosures of personal data in a way that is menacing or harassing.
- A Children’s Online Privacy Code is on the cards, with OAIC to develop a code stipulating how the APPs are to apply in the context of children’s privacy.
- Given the increased exposure to litigation and regulatory action arising from this first round of privacy reforms, it is recommended that organisations take careful steps to shore up their privacy and data governance practices.