Privacy & Data Law Series | Where are we now?

2024 is proving to be another significant year in the evolving privacy and data law environment. We have had some watershed announcements following the developments that took place during 2023, including the Government’s proposal to fast-track to August 2024 certain of the agreed changes proposed in their response to the Privacy Act Review Report (in particular relating to doxing); new appointments to the lead Commissioner roles at the Office of the Australian Information Commissioner (OAIC); a flexing of the OAIC’s new regulatory powers, as well as notable civil penalty actions for serious data breach being initiated. We have also heard from the Government on regulatory proposals for high-risk AI as part of its Safe And Responsible AI consultation; the launch of a statutory review of the Online Safety Act and related online safety standards; new Digital ID laws being approved; proposals to further amend the Security of Critical Infrastructure legislation, as well as other sector-specific privacy legislative proposals forecast across financial services, health and energy – and much, much more.

In light of the rapid pace of these ongoing developments, our newly launched ‘Privacy & Data Law Series’ aims to keep you posted on the most recent changes, as they happen. We will provide insights on the likely implications for your business, stakeholders and boards arising out of the various changes, and arm you with some practical tips and takeaways.

Our series will cover many of the key data and privacy focused changes forecast and anticipated in Australia, including:

• The upcoming August 2024 Privacy Act Reforms:[1]
  • The proposed introduction of a new statutory tort of privacy – could this set the stage for mass data privacy litigation across Australia? We consider the issues and what it may mean for your business.
  • Proposed new individual rights of objection, erasure and opt-out – what actions should you be taking now to manage compliance?
  • Regulator enforcement powers and penalties – in light of the recent decision by the OAIC to take civil penalty action against Medibank, what key issues and implications does this mean for your business and stakeholders?
  • The employee records exemption –the Australian Privacy Commissioner, Carly Kind, in the recent case of ALI and ALJ (Privacy) [2024] AICmr 131 awards non-economic loss and other compensation for a breach of employee privacy – an example of ‘hard cases make bad law’, or a forewarning on what to expect under the future reforms?

• Digital ID Act
  • The new Digital ID Act 2024 (Cth) (Digital ID Act) will commence on 1 December 2024, with Digital ID Rules and Standards to come following further consultation. We will consider the privacy safeguards arising under this new legislation and the additional complexity they are likely to add for public and private sector entities (once expanded to the latter) grappling with an already abundant array of privacy regulation in Australia.

• Safe & Responsible Use of AI
  • The Government is poised to introduce changes to existing legislation and/or new AI-specific regulation to promote the safe design, development, and deployment of AI systems. These “mandatory guardrails for high-risk settings“[2] will have significant implications for AI developers, users, and deploying organisations. We will explore what these changes could look like, the likely privacy law impacts and offer some practical solutions for business to help mitigate the perceived risks.

Our series will build upon our earlier consideration of some of these issues, including Gadens’ insights on the proposed reforms for individual rights (including the right of access, objection, erasure and correction), the Government’s prioritised changes following the Government’s Review Report in 2023 and most recent amendments to the Privacy Act 1988 (Cth) (Privacy Act) to introduce materially increased penalties for breach, all of which can be accessed here by way of recap.

The series will focus not only on privacy and data law implications but also assess the potential for increased regulatory and/or sector-focused litigative activity that may arise, with a view to supporting your business in the development of strategies to mitigate anticipated and/or potential impacts.

So, in the lead up to the long-awaited tranche of Privacy Act Reform legislation being published in August, please keep an eye on our insights series to help you stay abreast of your changing privacy and data regulatory requirements.

The year so far – some notable highlights

2024 – a recap

As part of its review into doxing laws, the Government announced in May that certain aspects of the long-awaited tranche of reforms to the Privacy Act would be tabled before the House of Representatives next month (early August). It is expected that the draft legislation will include proposals for a new online statutory tort of privacy, new and enhanced rights for individuals, tiered civil penalties for breach, and more. See our recent publication on this here.

The month of May also saw the signing into law of the Digital ID Act and related digital identity legislation, here. The Digital ID Act, and its related Rules and Standards to follow, will build upon protections in the Privacy Act with additional safeguards for individuals using a Digital ID. The Act will also introduce new penalties for accredited Digital ID service providers who breach applicable accreditations standards on the protection of privacy and security (this will initially focus on public sector providers with a phased expansion to the private sector).

2024 has also seen confirmation from the Government on its proposed new regulatory framework to be introduced for ‘high-risk’ AI settings as part of their response to the Safe and Responsible Use of AI consultation released here earlier this year.

There also have been some notable decisions and actions to date in 2024, as well as others anticipated shortly, including:

• by the Online Safety Regulator on data sovereignty in the context of a recent case taken by the eSafety Commissioner;
• by the OAIC, including in its highly publicised civil penalty claim against Medibank Private; and
• a potentially imminent OAIC update regarding their investigation into the 2023 Latitude Financial Services data breach.

Further and since the Government’s in-principle agreement in December 2023 to the ACCC’s recommendations in the fifth Digital Platform Services Inquiry Report, we are also awaiting an update on the introduction of proposed mandatory obligations on all digital platforms to address scams, fake reviews and harmful apps. In particular, the Government committed to developing ‘internal and external dispute resolution requirements’ for digital platforms to ensure accountability, transparency, and the ability to escalate to a human representative by July 2024, so we are expecting to see an update on this from Treasury soon.

Some sector-specific updates include:

• the Australian Prudential Regulatory Authority’s (APRA) introduction of the new prudential standard, CPS 230, for financial service providers, to strengthen management of data and operational risk and responses to business disruption, in particular by relevance to data;
• further changes to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) proposed in the 2023-2030 Australian Cyber Security Strategy Consultation Paper and corresponding Strategy on 22 November 2023 which include amending the definitions of ‘asset’ and ‘material risk’ to account for ‘business critical data’; legislating an ‘all-hazards power of last resort’ that would help critical infrastructure entities manage the consequences of significant incidents, and revising the definition of ‘protected information’ to simplify the way Government and industry share information in crisis situations. Submissions on amendments to the SOCI Act closed on 1 March 2024 – we are awaiting an update from Home Affairs on the outcome of this review, expected in the next quarter.
• a statutory review of online safety laws including the Online Safety Act 2021 (Cth) to increase the protection of children online and to regulate the use of generative AI capabilities, amongst others. The recent Bill to criminalise the sharing of deepfake pornography, introduced to the House in June 2024, is viewed as a key step in this review; and
• Treasury’s review of Australia’s credit reporting framework under the Privacy Act and the National Consumer Credit Protection Act 2009 (Cth) which commenced in March (and on which an initial report is due from Treasury by 1 October this year).

Further changes are anticipated as part of the Government’s Future Made in Australia 2024-25 budget announcements.

For example, the Government has allocated $21.6 million over five years[3] to integrate AI expertise in Australia across policy development and programs. This includes the establishment of an advisory body and creation of the National Artificial Intelligence Centre as a flagship organisation for engaging with industry in Australia.[4] In March 2024, the Senate also established a ‘Select Committee on Adopting Artificial Intelligence’ to report on opportunities and impacts of the increasing use of AI technologies in Australia. Written submissions closed in May – we will provide an update on the incoming report scheduled to be released before mid-September this year.

Further, as one of the first major projects of the Government’s Future Made in Australia agenda, the Federal and Queensland State Governments have proposed an almost $1bn investment into quantum computing company PsiQuantum to build the World’s First Useful Quantum Computer, with likely data storage and security associated challenges. See the media release here.

The Government separately confirmed it will invest $288.1 million to support the further delivery and expansion of Australia’s Digital ID system, plus the following:[5]

To ensure that the millions of Australian myGov accounts remain contemporary, secure, and fit for purpose, the Government is investing $580.3 million over four years from 2024–25 and $139.6 million per year ongoing to sustain the myGov platform and identify future potential enhancements. A further $50.0 million will also improve the usability, safety and security of the myGov platform and ensure Services Australia can support people to protect their information and privacy.

Combining all of the above, you would be forgiven for thinking that almost every aspect of Australian data, privacy and/or security laws related to doing business online have been affected this year.

For support or for additional information on any of these proposals, please contact any member of our team.

Stay abreast of these changes and sign up for our series here.

Authored by: 

Sinead Lynch, Partner
Lucy Hardyman, Lawyer

[1] Attorney General’s Department, Privacy Act Review (Report, 16 February 2023).

[2] The Hon Ed Husic MP, Minister for Industry and Science, ‘Action to help ensure AI is safe and responsible’ (Media Release, 17 January 2024).

[3] Department of Industry, Science and Resources, ‘Announcing the 2024-25 Budget’, (News, 15 May 2024) <https://www.industry.gov.au/news/announcing-2024-25-may-budget>.

[4] Ibid.

[5] Federal Government, Budget Paper No. 1 (Federal Budget, 14 May 2024) Statement 1: Budget Overview.