Last week Federal Parliament passed the Privacy and Other Legislation Amendment Bill 2024 (the Bill). The Bill is the first piece of legislation to come out of the Attorney-General’s four-year review of the Privacy Act 1988 (Cth) (Privacy Act). For a refresher on the contents of the Bill, see our article on the Privacy Amendment Bill: a new risk landscape.
Almost all provisions of the Bill commence on the day the Bill receives Royal Assent, or the day after. There are two exceptions:
The requirements to disclose automated decision making commence 24 months after the Bill receives Royal Assent.
The statutory tort of serious invasions of privacy commences on a day to be fixed by Proclamation, but no later than six months after the Bill receives Royal Assent.
The Bill’s passage through Federal Parliament
On 19 September 2024, the Senate referred the Bill to the Legal and Constitutional Affairs Legislation Committee (LCALC) for inquiry and report. This referral followed a recommendation by the Senate Standing Committee for the Selection of Bills that an inquiry was necessary given the Bill’s introduction of new offences, significant reforms concerning doxxing and the potential impact of regulatory changes on online platforms and social media.
On 14 November 2024, the LCALC published its report, which included 10 principal recommendations, with nine directed at refining the Bill and one recommending the Senate's endorsement of the revised Bill. The final version of the Bill, as passed by Federal Parliament in a late sitting last Thursday night, incorporated all nine substantive recommendations proposed by the LCALC’s report.
Last minute amendments to the Bill
New right for OAIC to issue compliance notices as an alternative to infringement notices
The Bill introduces a new right for the Information Commissioner to issue infringement notices for a variety of prescribed contraventions of the Privacy Act. Based on a recommendation from the LCALC, the Bill was amended to introduce a new discretionary right for the Information Commissioner to issue a compliance notice if it ‘reasonably believes’ that an entity has engaged in these contraventions (section 80UC), as an alternative pathway to infringement notices. The compliance notice would provide the entity with “practical and measurable steps” to remedy the contravention (paragraph 15 of the notes to the amendments set out in the Supplementary Explanatory Memorandum). If the entity fails to comply with the compliance notice, the Information Commissioner may issue an infringement notice or apply to the court for a civil penalty order.
The Supplementary Explanatory Memorandum says the intent of this amendment is to enable the Information Commissioner to enforce the Australian Privacy Principles more flexibly, encouraging entities to engage with the OAIC and rectify issues before formal penalties are applied. As the Information Commissioner is entitled to issue a compliance notice when it ‘reasonably believes’ an entity has contravened the prescribed sections, it may also use the pathway when it wants to take action, but does not have enough evidence to issue an infringement notice outright.
New public interest limb for the tort of serious invasions of privacy
The test for the tort of serious invasions of privacy has been amended to require the plaintiff to demonstrate that the public interest in their privacy outweighs any countervailing public interest. The Act also includes a non-exhaustive list of what may constitute a countervailing public interest, including:
freedom of expression, including political communication and artistic expression
freedom of the media
the proper administration of government
open justice
public health and safety
national security
the prevention and detection of crime and fraud.
Previously, the tort was structured so that public interest would only be considered if the defendant adduced evidence of a public interest in the invasion of privacy. The LCALC raised concerns about the need to ensure the courts have flexibility to proactively consider public interest factors without placing an undue burden on defendants to adduce evidence of a public interest in every case. Rather, the court should be required to consider countervailing public interests in determining whether the statutory tort cause of action is made out.
Broadening the journalism exemption for the tort of serious invasions of privacy
The Bill contains an exemption to the tort of serious invasions of privacy that applies to the collection, preparation for publication or publication of journalistic material, by journalists and certain people associated with journalists. This exemption has been amended to apply to a broader range of entities and individuals that assist with publication, even where they do not have an employment relationship with the journalist. The amendments also explicitly include 'editorial' material within the definition of 'journalistic material' to ensure that editorials are afforded the same protections as other forms of journalism.
Guidance added to the Explanatory Memorandum for automated decision making
The Bill introduces new requirements for transparency around automated decision making. It requires APP entities to disclose in their privacy policies information the types of personal information used and the kinds of decisions made using automated processes. The LCALC expressed apprehension that the proposed APP 1.7 could lead to the unintended exposure of confidential business information. The Explanatory Memorandum has been amended to clarify the level of information required in privacy policies “is not expected to include commercial-in-confidence information about automated decision making systems”.
Other amendments
The Bill was also amended to bolster the consultation process for the development of the Children’s Online Privacy Code. It must now go through a minimum 60 day consultation period that includes consultation with industry bodies.
The amendments also introduce a requirement for the anti-doxxing offences to undergo an independent review 24 months after their introduction, along with various other minor changes and corrections to the Bill.