Draft Australian Data Privacy Reform Released Or “Beggars Can’t Be Choosers”?

12 September 2024 marks the end of almost one year of anticipation following the Government’s positive response to the privacy reform consultation last year. The long-awaited “generational overhaul” of Australia’s Privacy Act 1988 (Cth) (Privacy Act) bears the unremarkable name the Privacy and Other Legislation Amendment Bill 2024.

Among the 17 topics of amendment drafted in a way that is anything but plain and clear, the Bill’s notable proposals include:

  • New civil penalties at the disposal of the Commissioner in pursuing non-compliant organisations for serious, non-serious and other contraventions.
  • Court powers to order offending organisations to cease activity, pay damages or take remedial steps.
  • A mandatory Children’s Online Privacy Code to protect children’s privacy online.
  • Increased transparency in privacy policies about significant machine-made decisions.
  • A statutory tort of serious invasion of privacy providing people with redress through the courts.
  • Criminalising the malicious publication of another person’s contact details, also known as “doxxing”.

Are we there yet? No …

Privacy Commissioner Carly Kind praised the “important initiatives” in the Bill, but reminded the Government that the second tranche of amendments is eagerly awaited.[1] That tranche is hoped to deal with a further 75% of the amendments previously agreed in principle by the Government, but is not expected until mid-2025. It should include the requirement for fair and reasonable information handling by organisations, which the Commissioner believes will significantly improve the data privacy of Australians and reduce organisations’ overreliance on consent, which can lead to harmful privacy practices.[2]

The current Bill contrasts with Government ambitions to widen the definition of “personal information” which currently fails to capture most digital activities. It also fails to remove the exemptions for small businesses and employee records, shielding over 90% of Australian businesses from a basic duty to protect the data privacy of Australians.

Australia continues to fall behind countries where the law regulates digital activities. The cost to businesses of data privacy reform is small compared with the cost to Australians of all ages of weak privacy protection, which gives technology companies free rein over massive datasets about their intimate interests, life events and predicted future plans, with little choice and even less control. Nevertheless, the reform is a welcome first step.

What are the proposals?

The Bill introduces a number of proposals underpinned by a new objective of the Privacy Act “to recognise the public interest in protecting privacy”.

APP Code regime and Children’s Online Privacy Code

The Commissioner will have new rule-making power to develop APP Codes upon Ministerial direction. A registered APP Code is a legislative instrument which will be enforced. Certain industries and activities will benefit from more detailed and certain data privacy rules under future codes.

The Commissioner will have 24 months to develop and register an APP Code about online privacy for children. The code will apply to social media and other designated internet services which are likely to be accessed by children. This is a necessary step in reducing the risk of online harms for children.

Emergency declarations

A Minister will be able to make emergency declarations to order certain collection, disclosure and use of personal information as required in response to an emergency or disaster, typically to assist the affected individuals.

Data security, data retention and destruction

The taking of “such steps as are reasonable in the circumstances” to ensure information security and the timely deletion of personal information under the Australian Privacy Principle 11 will have to include “technical and organisational measures”. This will likely increase accountability for a lack of information security preparedness of organisations.

Overseas dataflows 

The Governor-General will be able to designate as safe a country or binding scheme which provides “at least substantially similar” protection of personal information and access to a redress mechanism. This proposal will further facilitate cross-border dataflows, which are arguably already relaxed.

Eligible data breach declaration 

A Minister will be able to order an entity involved in a data breach to share data if necessary or appropriate to prevent or reduce a risk of a misuse of personal information following the data breach. For example, organisations could be informed of heightened security risk in respect of individuals affected by a previous data breach.

Civil penalties for privacy interference

The pecuniary penalties for serious interference with privacy under section 13G of the Privacy Act remain capped at $2.5 million for non-corporates and $50 million, 3 times the benefit or 30% of adjusted annual turnover for corporates. The “seriousness” will depend on the nature of information, potential consequences of the interference, number of victims and their vulnerability, nature of the offending act, lack of preparedness or mitigation measures and other relevant matters.

The new section 13H will allow for pecuniary penalties for non-serious interference with privacy, capped at 2,000 penalty units, currently $626,000.

The new section 13K will allow for pecuniary penalties for certain contraventions, such as issues with privacy policies, lack of easy opt-out, or data rights breaches, capped at 200 penalty units, currently $62,600.

The removal of penalties for “repeated interferences” signals that multiple contraventions could attract individual rather than cumulative penalties.

Court redress powers

The new section 80UA will enable the court to order offending organisations to perform acts to redress loss or damage likely to be suffered, pay damages, cease activity, or publish a statement about contraventions.

Commissioner to conduct public inquiries

The Commissioner will, upon Ministerial direction, be able to conduct public inquiries into matters relating to privacy and exercise its powers to obtain information and examine witnesses.

Annual reports

The Commissioner will have to report on the number of privacy complaints received and its decisions not to investigate.

Monitoring, investigation and determination powers

The Commissioner will be able to monitor certain matters and investigate reasonably suspected contraventions. The Commissioner will be able to exercise entry, search and seizure powers with a court warrant under the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The Commissioner will be able to order entities to perform reasonable acts to redress reasonably foreseeable loss or damage.

Automated decisions and privacy policies

Organisations which rely on software to make decisions or initiate action based on relevant personal information with a significant effect on people’s rights or interests (such as denying a benefit, contract or service) will have to be transparent about it.

Privacy policies will have to include information about:

  • the kind of personal information used;
  • the kind of decisions made solely by automated means; and
  • the kind of action initiated by automated means related to an automated decision.

The requirements will apply 2 years after the Bill receives royal assent.

Statutory Tort for Serious Invasions of Privacy

A person will be able to bring an action without proof of damage if the other person intentionally or recklessly seriously invaded their privacy by intruding upon their seclusion or misusing their information in circumstances where the person had a reasonable expectation of privacy.

The court will be able to award damages for emotional distress and, in exceptional circumstances, exemplary or punitive damages. Such damages are capped at $478,550 or the maximum amount that can be awarded for defamation. The new tort will apply 6 months after the Bill receives royal assent.

The new tort will provide redress for privacy infringements beyond the requirements under the Privacy Act. Small businesses will not be shielded from liability. However, the threshold for liability is not low: intention or recklessness, as well as seriousness, is a condition. Seriousness will depend on various factors including the likely offence, distress or harm to dignity, the defendant’s anticipation of the consequences, and the defendant’s intention, such as malice.

Doxxing offences

The Bill’s example of ‘doxxing’ refers to publishing the name, image or telephone number of a person and encouraging others to send them violent or threatening messages.

The Criminal Code’s new section 474.17C establishes an offence punishable by 6 years’ imprisonment if a person uses an online service to publish or distribute personal data about one or more individuals in conduct which can reasonably be regarded as menacing or harassing towards those individuals. The new offence 474.17D, punishable by 7 years’ imprisonment, concerns such acts towards members of certain groups (such as a private online religious discussion group) if motivated by discrimination.

Next steps

The proposed changes could have significant impact on the risk profile of organisations, if they are held liable for data privacy infringements which go beyond the requirements of the Privacy Act. Some business activities may be too risky to continue, and it may be good to start thinking about alternatives.

Understanding all activities involving personal information will be essential to identifying and mitigating the risks. We recommend the following steps:

  • renew your focus on data privacy compliance with data privacy training sessions for staff;
  • review relevant activities concerning your employees, customers and prospects, to identify privacy risks and to think about suitable immediate and future mitigations;
  • consider the maturity of existing policies and procedures; and
  • adopt a more robust approach to data privacy in contracts and consider if immediate changes may be necessary.

If you require further guidance, KHQ can support you and your team with a presentation on how to best comply with the changing Australian data privacy obligations.

Alex Dittel

Alex leads our Data Privacy, Cyber and Digital practice. He brings 15 years of experience in data protection, information security and technology commercial matters acquired during his time working for big and small technology companies and law firms in the United Kingdom and Australia.

Melbourne - Australia
