The Privacy and Other Legislation Amendment Bill 2024 (the Bill) was tabled in the House of Representatives this morning. This is the first piece of legislation to come out of the Attorney-General’s four-year review of the Privacy Act.
With a looming election, the government seems to have cherry-picked its way through the 116 recommendations made in the Attorney-General’s Privacy Act Review Report, selecting those that are primarily focused on the enforcement regime, the protection of children, and dealing with the ills of the online world through the creation of new doxxing offences and a new tort for serious invasions of privacy. Of the 116 amendment proposals put forward in the Review Report, only a sprinkling made it into the Bill. This is perhaps surprising given that the government ‘agreed’ or ‘agreed in principle’ to 106 of the 116 amendment proposals in its October 2023 response.
The Bill is getting backlash from privacy advocates because it does not implement some of the more substantive proposals from an individual rights perspective - for example, the proposed changes to the definition of ‘personal information’; the ‘fair and reasonable’ requirement for collecting, using and disclosing personal information; and the direct right of action for individuals. However, the Bill makes material changes to the Privacy Act penalties regime and the breadth of orders that can be made by the Federal Court under the Privacy Act. It also introduces a whole new statutory tort which changes the application of the Privacy Act. These changes have the potential to re-write the risk profile of Privacy Act compliance in Australia.
Here’s a glimpse of the key changes:
Statutory tort for serious invasions of privacy: Significantly (but perhaps not unexpected), the Bill sets out a new statutory tort for serious invasions of privacy, where a person has 'invaded' an individual's privacy by:
Intruding upon their seclusion (that is, physically intruding into their space, or watching or recording their activities); or
Misusing information that relates to that person,
where that individual has a reasonable expectation of privacy in all the circumstances.
The bar for an invasion is set high: it must be intentional or reckless, and it must be serious. Mere negligence will not be sufficient. The Bill sets out exemptions for journalism (a new exemption, not relying on the existing exemption in section 7B(4) of the Privacy Act), enforcement bodies and intelligence agencies.
The proposed statutory tort for serious invasions of privacy is a significant change to what the Privacy Act regulates and who it regulates, and to how we think about statutory privacy in Australia, which has to date been largely concerned with how agencies and corporate entities protect information privacy. By proposing the new statutory tort, the government is trying to plug some of the perceived holes in the Privacy Act, particularly regarding relations and privacy protections between individuals in the online world, which are currently unregulated.
Children’s Online Privacy Code: Supplementing the government’s current calls for a general ban on social media for minors, the Bill requires the OAIC to develop an APP code about online privacy for children. This Code will apply to social media platforms, relevant electronic services and any designated media services which are likely to be accessed by children (excluding health services). It is intended that the Code will specify how these types of entities must comply with privacy obligations in relation to children and will align with similar codes in other jurisdictions, such as the United Kingdom. The OAIC will receive $3 million of funding across 3 years to develop the Code.
Automated decision making: As was ‘agreed’ in the Government Response to the Privacy Act Review Report, the Bill introduces new requirements for transparency around automated decision making. The transparency requirements will apply where an APP entity has arranged for a computer program to make, or to do a thing that is substantially and directly related to making, a decision using personal information, where that decision could reasonably be expected to significantly affect the rights or interests of an individual. In the second reading speech delivered by the Attorney-General, Mark Dreyfus, this morning, he clarified that this definition was intended to prevent APP entities from avoiding the transparency requirements through ‘tokenistic’ human involvement in decision making. If APP entities undertake this type of automated decision making, their privacy policies must include information about the types of personal information used and the kinds of decisions made using automated processes. APP entities have a 24-month grace period following Royal Assent before these new requirements come into effect.
Multi-tiered civil penalties system: Two new categories of penalties have been created: (i) a mid-tier penalty for general privacy interference, being a maximum of $3,130,000 (for corporates), and (ii) infringement notices available for a variety of prescribed contraventions, including non-compliant privacy policies, up to a maximum of $313,000 (for corporates). Given the penalty ‘stick’ is now proposed to become multi-pronged, these changes could have a significant impact on the way businesses comply with the Privacy Act. Currently, businesses largely operate under the assumption that a civil penalty under the Privacy Act is quite a remote possibility, given that interferences with privacy have to be serious (and also because the penalty enforcement regime has been rarely used by the Privacy Commissioner). The proposed tiered penalty system will make this a real risk (albeit at a lower level of fine).
Bolstered OAIC monitoring and investigation powers: The OAIC’s investigation powers have been significantly expanded under the Bill, to include powers of entry, search and seizure. Further, under the Bill, the OAIC is entitled to conduct public inquiries into any matters relating to privacy, as approved or directed by the Minister. This is an extremely broad mandate and could be used to instigate public inquiries into issues ranging from cyber-bullying through to corporate data governance.
Expanded order making powers for the Federal Court: The Bill allows the Federal Court to make a wide variety of orders for contraventions of the Privacy Act. Orders made by the Court could include orders to pay compensation for loss to an individual, to perform acts, to engage in or refrain from engaging in certain activities, or to publish statements about the contravention.
Data breach information sharing powers: The Bill enables the Attorney-General to make an ‘eligible data breach declaration’ which permits the disclosure of personal information where an eligible data breach has occurred, in circumstances where this is necessary or appropriate to prevent or reduce the risk of harm to individuals. In the second reading speech for the Bill, the Attorney-General used the example of sharing personal information with banks following an eligible data breach, to put banks on notice to assist in mitigation of harm caused by compromised accounts.
Overseas disclosures of personal information: The Bill paves the way for regulations to be issued that will clarify the exceptions to APP 8 (Cross-border disclosure of personal information). The Bill sets up a framework for the development of:
A ‘binding scheme’ (which could take the form of standard contractual clauses); and
A whitelist of prescribed countries which will allow APP entities to disclose personal information to overseas recipients without complying with the requirements of APP 8.
The Bill also contains new doxxing offences which will be added to the Criminal Code Act 1995 (Cth). Under these new offences, criminal penalties (including imprisonment) apply where a person uses a carriage service to make available, publish or distribute contact information of individuals, in a way that a reasonable person considers menacing or harassing.
The government has flagged that the amendments to the Privacy Act will now be made in tranches. However, the government has run out of time to introduce further tranches of Privacy Act amendments before the next election (and possibly a new government). So it seems that the Privacy Act reform process will likely lose momentum once again, and the fate of the remaining proposals remains unclear.