Defences include that the plaintiff consented, that the invasion of privacy was authorised by law, and that the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person, or to defend property.
The Amendment Act provides an exemption for invasions of privacy by journalists and media outlets, where the invasion involves the collection, preparation for publication or publication of journalistic material. It also provides an exemption for law enforcement and intelligence.
Courts will be able to award damages (including damages for emotional distress) or an account of profits, grant injunctions, and make a range of other orders, including requiring an apology from the defendant. The Amendment Act caps damages for non-economic loss and punitive damages at the greater of $478,550 or the maximum amount of damages for non-economic loss that could be awarded in defamation proceedings.
Plaintiffs will be required to commence proceedings within three years of the invasion of privacy occurring, or within a year of becoming aware of the invasion of privacy, whichever is earlier.
Privacy policies
The Amendment Act requires entities which use automated processes to make decisions that could reasonably be expected to significantly affect the rights or interests of individuals, to include details about their use of automated decision-making in their privacy policy. This would bring the Privacy Act into line with the EU and the UK, which already require automated decision-making to be disclosed in privacy policies.
This requirement will only come into effect 24 months after the Amendment Act receives Royal Assent.
Overseas data transfers
The Amendment Act provides for a ‘whitelist’ of overseas jurisdictions to be developed and included in the Privacy Regulations. Organisations would be able to transfer personal information to recipients subject to the laws of these whitelisted jurisdictions without further protections (such as putting contractual clauses in place).
Technical and organisational security measures
The Amendment Act expands upon the existing requirement under Australian Privacy Principle 11 that organisations take reasonable steps to protect personal information, by specifying that these steps include reasonable “technical and organisational measures”. This would bring the Privacy Act into line with the EU and the UK, which already specify that security measures include both technical and organisational measures. “Organisational measures” to protect personal information would include putting appropriate policies and processes in place and providing security training to employees.
Information sharing during data breaches
The Amendment Act allows declarations to be made permitting organisations to disclose personal information in ways that would otherwise breach the Australian Privacy Principles during data breaches and other emergencies, for the purpose of reducing the risk of harm to individuals. For example, if a data breach involved unauthorised access to government-issued identifiers, organisations would be permitted to share details of affected individuals with government agencies to enable those agencies to provide enhanced protections to those individuals.
Further enhancement of OAIC regulatory powers
The Amendment Act grants the OAIC several new powers to assist in its investigative and enforcement functions, including a power to conduct public inquiries, and investigation powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (which include entry, search and seizure powers).
Children’s Online Privacy Code
To strengthen and protect the privacy of children online, the Amendment Act requires the OAIC to develop and register a Children’s Online Privacy Code within two years. The OAIC will be required to seek public submissions on the draft Code and consult with the eSafety Commissioner and National Children’s Commissioner.
The Code will set out how the Australian Privacy Principles are to be applied in relation to the privacy of people under 18 years of age, and will apply to entities that provide social media services, relevant electronic services or designated internet services which are likely to be accessed by children.
Doxxing
The Amendment Act amends the Criminal Code Act 1995 (Cth) to introduce new criminal offences prohibiting the malicious release of personal data online (known as ‘doxxing’).
What doesn’t the Amendment Act do?
As noted above, the Amendment Act omits a large number of the reforms proposed by the Attorney-General's review of the Privacy Act, including:
- the removal of the employee records and small business exemptions;
- requiring privacy impact assessments to be conducted for high-risk information processing activities;
- introducing the roles of “controller” and “processor” which are used in the data protection laws of many other jurisdictions;
- introducing standard contractual clauses for the overseas transfer of personal information;
- introducing a 72-hour requirement for notifying the OAIC of an eligible data breach;
- a direct right of action for individuals whose personal information has been handled in contravention of the Privacy Act; and
- the introduction of additional individual rights, such as the right to be forgotten.
Some of these reforms may have been considered too controversial to introduce in the year before an election – the removal of the employee records and small business exemptions, for example, would increase the compliance burden on many businesses. Whether these reforms are ever introduced may depend on the outcome of the 2025 federal election.