Australia is ‘Revving Up’ its Privacy Protections – What Businesses Need to Know

Nov 25, 2024 | Aged Care Blog, Health Blog

The Privacy and Other Legislation Amendment Bill 2024 (the ‘Bill’) was introduced to Parliament on 12 September 2024, marking a pivotal step in overhauling the Privacy Act 1988. At the time of writing, the Bill is still before the Senate.

The Bill implements 23 of 25 legislative changes arising from the Commonwealth Government’s 2023 response to the Attorney-General’s Department Privacy Act Review Report.

The Bill lays the foundation for significant changes aimed at strengthening privacy protections for Australians.

These changes are designed to combat the misuse of personal information, discourage unsafe security practices, and protect consumers and businesses.

This article is the first in a series by Panetta McGrath, which aims to outline the key changes that have been introduced by the Bill. Subsequent articles will detail steps that businesses can take to improve their information privacy practices, as well as what can be expected from the second tranche of reforms.

Key Changes

  1. Statutory tort for serious invasions of privacy

The Bill establishes a new legal pathway for individuals to sue for invasions of privacy, which covers:

  1. physically intruding into an individual’s space;
  2. watching or recording an individual’s activities; or
  3. misusing information in relation to an individual,

where that individual has a reasonable expectation of privacy in the circumstances.

The threshold to be met for a valid claim is set at a high bar: the invasion must be intentional or reckless, and it must be serious – mere negligence will not be sufficient. Notably, plaintiffs can pursue claims based solely on the invasion itself, without the need to prove they suffered damage.

Exemptions exist for journalists, law enforcement, and intelligence agencies under certain conditions, ensuring these sectors can operate within defined boundaries.

  2. Multi-tiered civil penalty system and infringement notices

The Bill introduces a tiered penalty system for privacy breaches, ensuring that penalties are proportional to the severity of the offence, for example:

  1. penalties of $66,000 for listed corporations and $19,800 for non-listed corporations for a variety of prescribed contraventions (such as non-compliant privacy policies), which will be dealt with by way of infringement notices;
  2. low-tier penalties of up to $330,000;
  3. mid-tier penalties of up to $3.3 million; and
  4. top-tier penalties of up to the higher of $50 million, three times the benefit gained from the breach, or 30% of the corporation’s turnover in the relevant period.

  3. Children’s online privacy code

To protect younger users, the Bill mandates a Children’s Online Privacy Code (the ‘Code’), which will apply to online services likely to be accessed by children (excluding health services) within 24 months from the date the Bill receives royal assent.

Before the Office of the Australian Information Commissioner (the ‘OAIC’) registers the Code, it is required to:

  1. make a draft of the Code publicly available;
  2. invite the public to make submissions about the draft within a consultation period of at least 40 days;
  3. consider submissions made within the specified period; and
  4. consult with the eSafety Commissioner and the National Children’s Commissioner.

The OAIC may also make and publish written guidelines to assist organisations in determining if a service is likely to be accessed by children.

It is intended that the Code will specify how organisations must comply with privacy obligations in relation to children and will align with similar codes in other jurisdictions, such as the United Kingdom.

  4. Automated decision making

The Bill creates new requirements for transparency around organisations using automated decision making, which is when a computer programme uses personal information to make decisions that can significantly affect someone’s rights or interests. Such a scenario may include, by way of illustration, a computer programme analysing a loan applicant’s credit history, income, and other details to decide whether to approve or deny their application.

If organisations undertake this type of automated decision making, their privacy policies must include information about the types of personal information used and the kinds of decisions made using automated processes.

Organisations have a 24-month grace period following royal assent before these transparency requirements come into effect.

  5. Criminal offences for ‘doxxing’

The Bill introduces criminal penalties for ‘doxxing’, which is the malicious sharing of personal information online in a way that is menacing, harassing, or harmful.

Maximum sentences range from six to seven years, with the larger sentence for cases involving discrimination based on race, gender, disability, or similar factors.

  6. Expanded OAIC powers

The OAIC will see its enforcement powers enhanced, including:

  1. search and seizure powers for investigating privacy breaches; and
  2. the power to hold public inquiries to investigate systemic privacy issues, subject to ministerial approval.

  7. New powers for federal courts

These courts will gain broader powers to address privacy breaches, including the ability to:

  1. award compensation to affected individuals;
  2. require public statements acknowledging breaches; and
  3. issue orders to prevent future violations.

  8. Certification for international transfers

The Bill simplifies compliance for Australian businesses transferring personal information internationally. It allows the Australian government to:

  1. approve countries or certification schemes with privacy standards equivalent to Australia’s; and
  2. exempt these transfers from certain contractual requirements under the Australian Privacy Principles.

  9. Enhanced breach mitigation

The Bill allows the Attorney-General to issue breach declarations, enabling organisations to share personal information with third parties, like banks or telecommunications providers, to reduce harm to individuals affected by breaches. For instance, a declaration could permit the disclosure of personal information to banks to enable them to undertake enhanced monitoring and implement safeguards for customers affected by the breach.

What’s Next?

The Bill is likely to commence in the coming months, following passage through the Senate and royal assent of the Bill. There will be a delay on certain provisions – such as a 6-month delay for the new statutory tort for serious invasions of privacy and a 24-month delay for the transparency requirements regarding automated decision-making.

After the Bill, there will be a second tranche of reforms, though the Australian government and the OAIC have yet to provide a timeline. Based on current indications, we do not expect these to emerge before the federal election, which suggests they are unlikely to materialise before mid-2025 at the earliest.

Privacy Commissioner Carly Kind has issued a clear message to Australian businesses in anticipation of the first tranche: “Businesses – don’t take your foot off the gas, because we’re going to be looking to take a more enforcement-based approach in the interim.”

In light of this, our next article in the series will outline practical steps businesses can take to strengthen their information privacy practices ahead of the upcoming reforms.

Written by Principal Lawyer David McMullen and Associate Ryan Callanan
