First Tranche of Privacy Act Reforms enter Parliament

13 September 2024
Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Michael Morris, Partner, Brisbane; Antoine Pace, Partner, Melbourne

The long-awaited Privacy Act 1988 (Cth) (Privacy Act) reforms are finally here, with the Privacy and Other Legislation Amendment Bill 2024 presented before Parliament yesterday.

After almost four years since the commencement of the Privacy Act Review, the Government has introduced the first ‘tranche’ of these reforms. In tabling the Bill before Parliament, the Attorney-General Mark Dreyfus commented that “this legislation is just the first stage of the Government’s commitment to provide individuals with greater control over their personal information … but it will not be the last”. He went on to confirm that “over the coming months work will continue on a second tranche of reforms on which widespread consultation with industry is expected”. Noting an impending 2025 election year, it is hard to see this second tranche of reforms reaching consultation stage until late 2025, at the earliest.

That said, businesses should not mistake this stepped approach for complacency. The announced reforms set the stage for a much stronger regulatory and court presence, with new enforcement powers for the Office of the Australian Information Commissioner (OAIC), tiered civil penalties for breach, a new statutory tort of privacy, and enhanced information-sharing powers for the regulator. This follows recent public warnings from the Privacy Commissioner, Carly Kind, that “the regulated community should be alert that the OAIC will ensure compliance with the law, and where there are egregious privacy breaches, we will hold organisations to account”. We should expect to see a much stronger, enforcement-focused and funded regulator who will be keen to flex their muscles with this new set of privacy tools.

Businesses should therefore focus their attention on ensuring privacy and data security uplift programs are well underway. Although the ‘meaty’ reforms on employee records exemption, small business exemptions and the new ‘fair and reasonable’ test might be 12 months away, the AG’s Office is not stepping back from their future implementation – and as many will be aware, 12 months is a short timeframe for any business designing new systems, tools and/or processes to meet these current and anticipated future privacy changes.

We have provided a snapshot of the key amendments proposed in this first tranche below, together with some high-level guidance on what the changes may mean for your business.

Security, retention and destruction of information

Proposed amendment:
The obligation to take reasonable steps to protect information under Australian Privacy Principle (APP) 11 has been confirmed to expressly include (in GDPR-style language) “technical and organisational measures”.

The Explanatory Memorandum has confirmed that this clarification seeks to provide clarity to APP entities on what ‘reasonable steps’ means, and on how APP entities should determine if and how they are protecting personal information (with reference to examples such as encrypting data, securing access to systems and premises, and undertaking continual staff training).

What could this mean for business?
• A review and technical uplift of the security measures in place to protect personal information will be required, to ensure that technical controls (such as firewalls, penetration testing and staff/user access controls) are adequate, and that the policies and procedures in place to manage data breaches reference such technical and organisational measures and controls.

• Businesses will also be required to review the retention of personal information records to prevent over-retention, and to ensure that privacy risk management processes and retention procedures (as well as system controls) reflect the new measures.

• Businesses should review and uplift their current information security practices.

Overseas data transfers

Proposed amendment:
Introduction of a mechanism to prescribe countries and binding schemes that provide substantially similar protections to the Australian Privacy Principles.

What could this mean for business?
• Takes a lesson from the GDPR’s Article 45 ‘adequacy’ approach to cross-border data transfers and introduces a ‘white list’ mechanism of prescribed countries with a similar standard of privacy protection.

• This is likely to provide greater certainty to businesses and disclosing entities about the standard of privacy protection in the countries in which overseas recipients of personal information are located.

• Businesses should review their existing cross-border data transfer mechanisms, and the locations to which data transfers currently occur, to determine how this might affect them.

New Ministerial power in the event of eligible data breaches

Proposed amendment:
• Provides a new power for the Minister to make a declaration about eligible data breaches, to allow APP entities to handle information in an eligible data breach situation in ways that might not otherwise be authorised under the Privacy Act, the APPs or the usual secrecy provisions.

• This is to allow entities to act quickly to prevent or reduce the risk of harm arising from any misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, personal information in the eligible data breach.

• The declaration must specify the kinds of information to which it applies, the entities that may collect, use and disclose the personal information (or to whom personal information may be disclosed), or one or more permitted purposes for the collection.

What could this mean for business?
• In the aftermath of some recent high-profile breaches, this new measure is seen as a preventative action giving the Minister broader rights in the event of major data breaches, where it is deemed necessary to prevent or reduce harm to individuals.

New tiered penalties for interference with privacy

Proposed amendment:
Confirmation of the introduction of a new tiered civil penalty system, including:

• a penalty where the entity has done an act, or engaged in a practice, that is a serious interference with privacy (with a list of factors that may be taken into account in determining whether an interference with privacy is serious). These include, but are not limited to:
  • the kinds of information;
  • the sensitivity of the information;
  • the consequences of the interference;
  • whether the affected person is a child or vulnerable person; and
• a lower level penalty for an interference with the privacy of an individual (which does not include the ‘serious’ qualification).

It is also proposed that infringement notices can be issued by the OAIC for breaches of specified APPs and for non-compliant handling of eligible data breaches. The penalty must not exceed 200 penalty units (currently $3.3 million) for APP entities. The Bill includes examples of administrative breaches which may attract this penalty, including a failure to maintain an up-to-date and required APP privacy policy, or to provide relevant privacy notices in situations that warrant them.

What could this mean for business?
• These changes, if enacted, would have wide-ranging impacts on APP entities, not least due to the increased risk of incurring penalties for what might in the past have been seen as ‘administrative’ or low-level contraventions.

• Businesses should prepare for likely increases in regulator investigations and remedial activity.

• Penalties may be used to encourage compliance with regulator investigations and enforcement activity.

• This is one of the proposals likely to have the greatest impact on business, in ensuring general compliance with the Privacy Act and APPs.

New Federal Court orders

Proposed amendment:
• Provides new rights for the Federal Court to make any order it sees fit if the Court is satisfied there has been a breach of a civil penalty provision.

• This includes monetary damages and other appropriate orders, including requiring an entity to publish a statement about the contravention, or to avoid repeating or continuing a contravention.

What could this mean for business?
• Promotes the right to privacy by expanding the jurisdiction of the Federal Court and the Federal Circuit and Family Court. The Court can order an APP entity to publish a statement or to avoid repeating the contravention.

• Provides for greater public accountability, in addition to civil damages for breach, which are generally sought in the course of civil penalty proceedings.

OAIC to conduct public inquiries

Proposed amendment:
• The Minister may direct or approve the Commissioner to conduct a public inquiry into a specified matter or a specific matter related to privacy. The Commissioner is not bound by the rules of evidence.

• This allows examination of the acts or practices relevant to the inquiry, the types of personal information involved, the APP entities that are the subject of the inquiry, and other relevant matters.

• After completing the public inquiry, the Commissioner must prepare a written report (not generally publicly available) and provide it to the Minister.

What could this mean for business?
• If enacted, there is likely to be greater identification of acts or practices that point to industry-wide or systemic issues.

• If an APP entity is not willing to address concerns uncovered by an inquiry, the Information Commissioner may commence an investigation into its acts and practices.

• We are likely to see greater flexing of OAIC muscles with these new public inquiry powers.

New OAIC monitoring and investigation powers

Proposed amendment:
• Introduction of several new provisions and categories of information that are now subject to monitoring under the Regulatory Powers Act, repealing the Information Commissioner’s entry and inspection powers under the Privacy Act, which will then fall under the Regulatory Powers Act.

• Civil penalty orders may be sought under the Regulatory Powers Act from a relevant court in relation to contraventions of civil penalty provisions.

• Infringement notices, undertakings and injunctions can all be given under the Regulatory Powers Act.

What could this mean for business?
• At present, the Information Commissioner has a range of monitoring, assessment and investigative powers under the Privacy Act. This proposal purports to amend the Privacy Act to apply all monitoring and investigation powers currently enshrined in the Regulatory Powers Act to the OAIC. These include entry, search and seizure powers.

• Aligning the Commissioner’s powers with those in the Regulatory Powers Act will give the OAIC additional powers and rights similar to those of comparable domestic regulators (e.g. AUSTRAC). We may see a similar uplift in the importance and enforcement activity of the OAIC if similar investigatory powers are used for serious or egregious breaches of privacy (i.e. dawn raids?).

Automated decision-making

Proposed amendment:
• Increased transparency is required where entities engage in automated decision-making (ADM) using personal information.

• The changes propose that an APP entity’s privacy policy must contain additional transparency information, including:
  • the kinds of personal information used in the operation of ADM;
  • the kinds of decisions made solely by the operation of ADM; and
  • the kinds of decisions for which a thing that is substantially and directly related to decision-making is completed by the operation of ADM.

• Transparency requirements will apply where a decision may affect the rights of an individual, whether those rights or interests are beneficial or adverse to the person.

What could this mean for business?
• Businesses must consider their use of ADM, and the relevant transparency requirements, in their day-to-day business activities.

• These transparency requirements apply to the use of ADM, which is distinct from the use of AI technologies, though the proposals are expected to be aligned with separate ongoing regulatory changes regarding AI; as such, the Government’s approach to AI and ADM is likely to evolve over time.

• These proposals underscore that privacy impact assessments (PIAs) and privacy governance frameworks, including for ADM, are essential for businesses to get underway.

• Reviewing technical systems and controls, and determining how decisions are made in the use of ADM, will also be critical.

A new statutory tort for serious privacy breaches

Proposed amendment:
• Individuals who have suffered loss or damage as a result of a serious invasion of privacy will be able to claim directly against entities under the Privacy Act, providing a direct pathway to compensation not only for monetary loss but also for potential pecuniary losses.

• The proposed tort is likely to be available to affected individuals if the invasion was either:
  • an intrusion into seclusion; or
  • misuse of private information.

• Examples of applicable conduct include physical intrusion, or misuse of information, in circumstances where there is a reasonable expectation of privacy.

• The invasion must have been intentional or reckless, and the public interest must outweigh countervailing interests.

• Individuals may seek compensation as a group, and proof of damage may not be required.

• Exemptions apply, including for journalists, enforcement bodies and intelligence agencies, to ensure press freedom and the legitimate activities of Government (with conditions).

What could this mean for business?
• Provides statutory protection against serious invasions of privacy, for both an individual breach of privacy and business misuse of personal information.

• As anticipated, this new tort raises the potential for increased class action-style litigation activity for serious data breach incidents.

• Businesses should be aware of increased insurance risks due to litigation exposure.

• The tort aligns Australian law with that of other comparable jurisdictions: (i) in New Zealand, courts have recognised common law torts of misuse of private information and intrusion; and (ii) in the UK, there are extensive legal protections, including through the extension of the equitable action for breach of confidence, notably under the Human Rights Act 1988 (UK).

New ‘doxxing’ criminal offences

Proposed amendment:
• New criminal offences targeting the release of personal data in a way that is ‘menacing or harassing’.

• ‘Menacing or harassing’ is not defined in the Bill and is applied by reference to the reasonable person test, i.e. whether a reasonable person would consider the conduct to be menacing or harassing.

• A new definition of ‘personal data’ in the context of ‘doxxing’ is proposed, meaning information about a person that enables them to be identified, contacted or located, and including not only a person’s name but also their photograph, email address or online account details.

• Penalties proposed include 6 years’ imprisonment, rising to 7 years where the person is targeted on the basis of protected attributes (e.g. race, religion, sexual identity etc).

What could this mean for business?
• ‘Doxxing’ is a form of conduct that can affect all Australians, but is often used against women, particularly victims of domestic violence.

• Linked with the statutory tort, this new offence provides increased protection for individuals who have been victims of cyber-attacks.

• The Bill specifically addresses “a person” using a “carriage service”. Carriage services will likely include social media platforms and telecommunications devices. As such, an entity will not be liable for claims or acts related to ‘doxxing’; liability rests with the individuals who perform the acts.

• This raises an interesting question about the obligation on social media companies to trace individuals who engage in conduct of this nature. Individuals can easily establish burner accounts to remain anonymous, making it difficult for law enforcement to trace them. The Bill does not set out those obligations on media entities, but there is likely to be some debate on the impact of these changes on journalism and freedom of the press.

APP Codes

Proposed amendment:
• A new right for the OAIC (at the Attorney-General’s direction) to develop APP Codes. These codes would require at least 40 days of public consultation.

• A new right for the OAIC (at the Attorney-General’s direction) to develop temporary APP Codes that are in the public interest and need to be developed urgently. Temporary APP Codes will not run for longer than 12 months.

What could this mean for business?
• APP Codes could apply to a specific sector, category of personal information, relevant activity, or use of a specific technology (e.g. an AI code).

• Temporary codes are likely to be applied in situations such as high-profile or egregious data breaches.

• Businesses will need to monitor when an APP Code may be introduced, so as to either consult with the Attorney-General within the 40-day timeframe or adequately prepare for the new requirements.

Emergency declarations by the AG’s Office

Proposed amendment:
The ability for the Attorney-General to make emergency declarations in response to an emergency or disaster, to assist the Government to respond by allowing, for example, the sharing of personal information that would usually contravene the Privacy Act.

What could this mean for business?
Emergency declaration powers may be used by the Attorney-General in emergency situations such as natural disasters (as seen in New Zealand in relation to the Christchurch earthquake), or in the event of pandemics, epidemics or other emergency health scenarios. We also saw similar action taken by the Government following recent high-profile data breaches, where telecom operators were authorised to share personal information with financial institutions and government agencies to detect and mitigate the risks of malicious activity, including ID theft and scams.

Children’s Online Privacy Code

Proposed amendment:
• Introduction of an APP Code for children by the Commissioner, with a ‘child’ defined as a person under the age of 18.

• The Code will apply to APP entities that are social media, electronic service or designated internet service providers, where the service is likely to be accessed by children. Certain exemptions apply.

• The Code will cover how the APPs are to be applied to, or complied with in relation to, the protection of children’s personal information online.

What could this mean for business?
• Businesses will need to consider whether their services are ‘likely’ to be accessed by children.

• Further questions regarding the proper processes to be put in place for age verification, and how this aligns with the data minimisation principles in the Act, will need to be considered.

• The Code is likely to include further detail on businesses being required to consider the best interests of the child in their online activities, and specifics on the process for giving notice to, and seeking consent from, children.

• In anticipation, businesses should review their data collection and handling processes to identify the personal information they may collect online in relation to individuals under 18 years of age, and how they may need to uplift processes, systems and policies to meet the anticipated new requirements.

What next?

This is only the first reading of the Bill, and there may be changes and updates before it is finally passed, with the second reading and debate now held over to the October sittings. It is nonetheless most likely that the Bill will pass before year end, and organisations should review and familiarise themselves with the proposed changes and likely impacts in early course.

We will be providing an in-depth analysis on these proposed amendments to the Privacy Act and how they will affect APP entities in the coming weeks. We will also touch on what the anticipated next tranche of reforms next year may look like, and timings. So, watch this space, and please reach out to any member of our Privacy & Data team if you would like to know more or require any support on these changes.



Authored by:
Sinead Lynch, Partner
Dudley Kneller, Partner
Antoine Pace, Partner
Michael Morris, Partner
Eve Lillas, Senior Associate
Lucy Hardyman, Lawyer
Wen Wong, Lawyer
Matt Schwab, Lawyer

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
