By Heidi Bruce, Clint Fillipou and Emma Farncomb 

17 September 2024

After a four-year review of the Privacy Act, on the 12^th of September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 (“Bill”). The nation had expected a complete “overhaul” of the Privacy Act 1988 (Cth) (“Privacy Act”), however the Bill is limited in its scope and addresses only a small number of the proposed reforms. Frankly, this is sure to be a relief for agencies and brands as the magnitude of the proposed changes was a lot to have possibly digested in one hit. Many of the more ambitious reforms that were ‘agreed in principle’ by the Government, have been left out – those most keenly awaited by industry, and the subject of concern as to their practical impacts on media, advertising and online businesses, are set to come later. We set out here which reforms made it into the Bill, and which are planned for further rounds.

Described as the ‘first tranche’ of reforms, the Bill progresses 23 of the legislative proposals that were ‘agreed’ in the Government’s September 2023 Response to the Privacy Act Review. As a stepping stone towards strengthening Australia’s privacy framework, the Bill focuses on enforcement regimes, broader powers for the OAIC, protection of children, the creation of new offences against doxxing and a new tort for serious invasions of privacy.

The other more impactful and substantial reforms ‘parked’ for now, include changes to the definition of ‘personal information’, tighter consent models, stronger consent requirements, changes to targeted advertising rules, a new “fair and reasonable” test and new individual rights. These were the changes aimed at bringing our privacy framework closer to other markets, such as the GDPR. Although these proposals were not covered in the Bill, the Government has indicated that it will continue to advance proposals that were ‘agreed in principle’ and that it will be working to develop draft provisions and engage in targeted consultation with stakeholders.  A second tranche of reforms is expected to come before the parliament in 2025 (likely to be after the federal election in May 2025, so agencies and brands need to plan for their likely implementation – just not immediately).

So, what are the key changes in the first tranche of reform?

• A new statutory tort for serious invasion of privacy:

 As no surprise, the Bill outlines a new statutory tort for serious invasions of privacy that are intentional or reckless. Specifically, this applies in circumstances where an individual has invaded a person’s privacy by intruding upon their seclusion (ie. physically intruding on their space) or misusing private information that relates to the person, where there is a reasonable expectation of privacy.

Significant to the cause of action is that it must be “serious” and be “intentional or reckless”, mere negligence will not suffice. Notably, there are some exceptions to this invasion, specifically for journalism, enforcement bodies and intelligence agencies. This change, if passed, will be important in protecting the privacy rights of individuals by providing other avenues to seek redress through the courts.

• A new ‘tiered’ civil penalties system:

The Bill also includes two new categories of civil penalties that will apply depending on the ‘seriousness’ of the interference with privacy:

1. a new mid-tier penalty for general privacy interference that may not amount to ‘serious’ inferences, being a maximum of up to 2000 penalty units, currently $626,000; and

2. additional powers provided to the OAIC to issue infringement notices for administrative or minor breaches of the Privacy Act, such as having a non-compliant privacy policy. The penalty payable will be up to 200 penalty units, currently $62,600.

These new civil penalty provisions will increase the risk of non-compliance, making it even more important for organisations to conduct internal assessments to ensure their operations meet the standards of the Privacy Act.

• A Children’s Online Privacy Code:

 As previously discussed in our article “A New Privacy Law Era: The Government’s Position On Privacy Reform In Australia”, the introduction of the Children’s Online Privacy Code (Code) will be one of the most impactful changes proposed by the Bill. The Code will directly address online privacy for children, specifically applying to entities that provide social media services, relevant electronic services and any designated media services that are likely to be accessed by children (excluding health services). Although the extent of the Code remains unknown, it will be essential in clarifying how the APPs will apply to children, codifying existing OAIC guidance on consent and capacity.

We expect the OAIC to prepare a draft Code within 2 years of the reforms coming into force. However, in the meantime, organisations that may be regulated by the Code must monitor their operations in relation to children.

• Automated decision-making: 

As an ‘agreed’ proposal in the Government’s Response, the Bill also amends APP 1, introducing greater regulations and transparency around the use of personal information in automated decision-making. If passed, it will specifically apply where an individual’s personal information is substantially or directly used in making the automated decision and where such a decision could significantly affect an individual’s rights or interests. Entities will also be required to disclose, within their privacy policy, the type and kind of personal information used if a decision is substantially made using automated decision-making.

Although there will be a two-year grace period following the Royal assent before this proposal will be enforceable, entities must still prepare so that they can substantiate the type and degree of personal information used and how an automated decision is made.

• Increased OAIC and Federal Court powers:

OAIC:

The Bill will expand the OAIC’s investigation and monitoring powers, specifically in relation to entry, search and seizure rights. With the aim of bringing the OAIC in line with federal regulators, there will also be a new power to conduct public inquiries into matters relating to privacy, however, this must be approved or directed by the minister.

Federal Court:

 In addition, the Federal Court will also be provided with additional powers to issue a variety of orders for contraventions of the Act. Some include the payment of compensation, orders for any reasonable act to be performed to reduce loss or damage resulting from a contravention as well as ordering the publication of a statement about any contravention.

• Overseas disclosure of personal information:

 The Bill further proposes to amend APP 8, clarifying the exceptions that relate to the cross-border disclosure of personal information. Essentially, there will be a ‘whitelist’ of prescribed countries and a ‘binding scheme’, which may take the form of a standard contractual clause, enabling APP entities to disclose personal information to those prescribed overseas recipients without needing to take additional steps to ensure the recipient complies with the APPs. Although there is no clarity as to the exact countries that will be included in the ‘whitelist’, this reform will be significant in facilitating the free flow of information overseas.

• Security of personal information:

Furthermore, the Bill amends APP 11 to include a new APP 11.3, clarifying that the ‘reasonable steps’ an entity must take to protect personal information requires the inclusion of ‘technical and organisational measures’. The Bill’s Explanatory Memorandum outlines ‘technical measures’ as including the protection of information through physical measures, software and hardware and further clarifies ‘organisational measures’ as the steps and processes that an entity should implement, such as employee training on cyber security and data protection.

• Eligible data breach declarations:

Additional powers will also be provided to the Attorney-General to make ‘eligible data breach declarations’. This will allow for the disclosure of personal information, only for permitted purposes where such a disclosure would reduce or prevent the risk of harm to individuals. Although this provides an effective response to data breaches, a declaration from the Attorney-General will only likely occur in high-profile cyber incidents.

•  ‘Anti-doxxing’ offences:

 The Bill also amends the Criminal Code Act 1995 (Cth), introducing new offences to target ‘doxxing’. Firstly, there will be an offence for the use of a carriage service to intentionally and maliciously make available, publish or otherwise distribute personal data (such as names, photos or educational information) about a person in a way that is reasonably considered as menacing or harassing (6 years imprisonment). In addition to this, there will also be a more serious offence if a person or group is targeted on the basis of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin (7 years imprisonment).

The Wait Continues…

 Although the Bill highlights the Government’s commitment towards reforming the Privacy Act, in practice, the scope of the Bill is limited. This leaves the industry waiting for further clarity on the content and timeline for the second tranche of reforms. As we can anticipate, however, the Government is still indicating that it will continue to progress the more substantial ‘agreed in-principle’ proposals, some of which are listed below:

• Proposal 4 – broadening the definition of “personal information”;
• Proposal 6 – the removal of the small business exemption;
• Proposal 11 – a new definition of ‘consent’ in relation to the collection, use and handling of personal information and the movement towards a ‘privacy by default’ framework (one of the most influential proposals);
• Proposal 12 – the introduction of the ‘fair and reasonable’ test;
• Proposal 18 – new individual rights, such as the rights to erasure or to request an explanation of what personal information may be held by an entity; and
• Proposal 20 – new regulations relating to the use of personal information in direct marketing and targeted advertising.

In the meantime, while the second tranche of reforms is being developed, it will be imperative for organisations to monitor, update and revise their internal processes, to implement a data breach response plan and undertake privacy risk assessments (if they have not done so already) to ensure they are prepared to comply with the Bill once it is enacted.

Given that agencies and brands have been given a “stay of execution” in terms of the introduction of the heaviest changes proposed, we strongly recommend using it wisely. Now is the time to strategically plan for the changes. In particular, this is a very important time for businesses to conduct a review of their practices, and their existing collection notices, consents and privacy policies, so that they have a confident understanding and a clear record of: (a) the personal information that they hold; (b) how it is collected, used and disclosed, (c) the consents that have been obtained in relation to that information, (d) what uses are permitted for that information, and (e) the systems and third parties involved in managing that information.

It is also a good time to select staff who are responsible for privacy within the business and who can follow the changes, seek advice when required and provide guidance on the impacts of the proposed privacy reforms. These changes should be sharply in focus for your roadmap of future planned projects or initiatives. This will help ensure your business is well placed to respond and adapt to the changes.

Contact us

If you would like further information on the Privacy and Other Legislation Amendment Bill 2024 or if you have any general questions relating to compliance with the Privacy Act, please contact one of our experts below.

Co-authored by