When first introduced, the Privacy Act 1988 (Cth) was considered to represent a comprehensive, integrated set of legal rules protecting various privacy interests in Australia. Perhaps foreseeing the future, the then Attorney-General Lionel Bowen told the Parliament that “enormous developments in technology for the processing of information are providing new and, in some respects, undesirable opportunities for the greater use of personal information.”
However, the Privacy Act has not kept pace with the widespread adoption of digital technologies. This has created conditions rife for exposing us all to the risk of identity fraud and scams, and data breaches involving the release of sensitive information of millions of Australians.
As we have reported previously,[1] on 28 September 2023, the Federal Government issued its response[2] to the Attorney-General’s Privacy Act Review Report of 2022,[3] which foreshadowed significant amendments to the Privacy Act.
The Privacy Act Review Report made 116 recommendations designed to clarify and strengthen privacy laws in Australia, including an effort to bring the Australian laws more into line with the likes of the European GDPR.
Previously, the Government had indicated that it agreed with 38 recommendations, which were to be implemented by way of legislative amendment, and that it agreed with a further 68 ‘in principle’. The remaining 11 recommendations had simply been noted.
However, with the tabling of The Privacy and Other Legislation Amendment Bill 2024 (Privacy Amendment Bill) in the House of Representatives yesterday, it seems more than surprising that the Government has only chosen to tackle relatively few of the Attorney-General’s 116 recommendations and to select those that are primarily focused on the enforcement regime, protection of children, the creation of new offences against the practice of ‘doxxing’,[4] and a new tort for serious invasions of privacy. The Government has flagged that the future amendments to the Privacy Act will now be done in stages.
The Bill does not implement many of the more substantive proposals from an individual rights perspective – including, the proposed changes to the definition of ‘personal information’; the ‘fair and reasonable’ requirement for collecting, using and disclosing personal information; and the direct right of action for individuals. However, the Bill makes material changes to the Privacy Act penalties regime and the breadth of orders that can be made by the Federal Court under the Privacy Act. It also introduces a new statutory tort which changes the application of the Privacy Act.
Enforcement Tools
Schedule 1 of the Bill amends the Privacy Act to strengthen the enforcement tools available to the privacy regulator and to widen the orders available for breaches in the Federal Court. Two new categories of penalties have been created: (i) a mid-tier penalty for general privacy interference, with a maximum of $3,130,000 (for corporates), and (ii) infringement notices available for a variety of prescribed contraventions, including non-compliant privacy policies, up to a maximum of $313,000 (for corporates). Many businesses currently understand that the penalty enforcement regime is rarely used by the Privacy Commissioner, and that a civil penalty under the Privacy Act is quite a remote possibility because an interference with privacy has to be serious before a penalty can apply. The proposed tiered penalty system will make this a real risk.
In addition to these penalties, the Bill allows the Federal Court to make a wide variety of orders for these contraventions. Orders made by the Court may now include orders to engage in, or refrain from engaging in, certain activities; orders to pay compensation for loss to an individual; and orders to publish statements about the contravention.
Overseas Disclosure of Personal Information
The Bill allows for regulations to be made that will clarify the exceptions to APP 8 (Cross border disclosure of personal information). The Bill sets up a framework for there to be developed:
- A ‘binding scheme’ (which could take the form of standard contractual clauses); and
- A whitelist of prescribed countries which will allow APP entities to disclose personal information to overseas recipients without complying with the requirements of APP 8.
Children’s Online Privacy Code
The Bill also requires the OAIC to develop a Children’s Online Privacy Code. This Code will apply to social media platforms, relevant electronic services and any designated media services which are likely to be accessed by children (excluding health services).
Automated Decision Making
The Bill also aims to increase transparency where entities use automated decision-making algorithms that process personal information which has been collected or stored. The transparency requirements will apply where an APP entity has arranged for a computer program to make a decision, or to do a thing that is substantially and directly related to making a decision, using personal information, and where that decision could reasonably be expected to significantly affect the rights or interests of an individual. Apparently, this definition was intended to prevent APP entities from avoiding the transparency requirements through ‘tokenistic’ human involvement in decision making.
For APP entities undertaking this type of automated decision making, the Bill requires that their privacy policies must include information about the types of personal information used and the kinds of decisions made using automated processes. APP entities have a 24-month grace period following Royal Assent before these new requirements come into effect.
New Statutory Tort
Schedule 2 of the Bill aims to introduce a new statutory tort to provide redress for serious invasions of privacy that are intentional or reckless, where an individual has “invaded” another person’s privacy by:
- Intruding upon their seclusion (that is, physically intruding into their space, or watching or recording their activities); or
- Misusing information that relates to that person, in circumstances where that person has a reasonable expectation of privacy in all the circumstances.
The proposed statutory tort for serious invasions of privacy is a significant change to the way that the Privacy Act currently regulates privacy, who it regulates, and how we think about statutory privacy in Australia.
We will report further as the reforms progress through the legislative assembly, and on any amendments which may be made as the Bill passes into law.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific circumstances. It is intended for information purposes only and should not be regarded as legal advice. Further professional advice should be obtained before taking action on any issue dealt with in this publication.
[1] https://www.bennettphilp.com.au/blog/proposed-reforms-privacy-act-1988
[2] https://www.ag.gov.au/sites/default/files/2023-09/government-response-privacy-act-review-report.pdf
[3] https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf
[4] These new doxxing offences will be added to the Criminal Code Act 1995 (Cth). Under these new offences, criminal penalties (including imprisonment) apply where a person uses a carriage service to make available, publish or distribute contact information of individuals, in a way that a reasonable person considers menacing or harassing.