A small but significant first step forward: new Australian Privacy Act reforms introduced

When the Privacy Act 1988 (Cth) (the “Privacy Act”) was first enacted in 1988, it only applied to the Commonwealth public sector. Nevertheless, it was state-of-the-art data protection legislation for its time.

Today, the Privacy Act looks increasingly out of date in a world of cyber incidents and data breaches. While Europe’s General Data Protection Regulation (“GDPR”) leads the way, and other Asia Pacific countries are busy introducing or updating their data protection laws, the Privacy Act has not had a major overhaul since 2012. Significant reforms are well overdue.

In response to this need for reform, the Commonwealth Government introduced its first round of proposed amendments to the Privacy Act. The Privacy and Other Legislation Amendment Bill 2024 (Cth) (the “Bill”) was tabled in the House of Representatives on 12 September 2024.

It is no exaggeration to say that these reforms have been long-awaited. The Bill is a response to the Attorney-General’s review of the Privacy Act, which was originally announced in late 2020, and completed in March 2023.

As such, it is slightly disappointing that the Bill implements only a handful of the 116 reforms proposed by the Attorney-General’s review, with which the Government has agreed in principle. The Government is presenting the Bill as merely the “first tranche” of its proposed reforms to the Privacy Act; however, it would seem to be the only round of reforms with a realistic chance of being enacted before the 2025 Federal election.

While it may be limited in scope, the Bill does include some significant changes. The Bill:

  • sets out a new system of civil penalties for interferences with privacy;
  • creates a statutory tort of the serious invasion of privacy;
  • requires that privacy policies include details about automated decision-making processes;
  • provides for a “whitelist” of overseas jurisdictions to which transfers of personal information will be permitted without restriction;
  • specifies that organisations must take reasonable “technical and organisational measures” to protect personal information;
  • permits organisations to disclose personal information in ways that would otherwise breach the Australian Privacy Principles during data breaches and other emergencies;
  • grants the Office of the Australian Information Commissioner (“OAIC”) several new powers to assist in its investigative and enforcement functions;
  • provides for the development of a Children’s Online Privacy Code; and
  • creates new criminal offences for doxxing.

New civil penalties

It may be surprising to learn that, currently, most contraventions of the Privacy Act are not actually offences. A breach of the Australian Privacy Principles and various other contraventions of the Privacy Act constitute an “interference with the privacy of an individual”. However, an interference with the privacy of an individual is currently only punishable by a civil penalty if it is serious or repeated.

The Bill introduces a three-tier system of fines and penalties:

  1. A serious interference with the privacy of an individual remains punishable by the existing level of civil penalties in the Privacy Act – for a body corporate, the maximum penalty is the greater of A$50 million, three times the value of any benefit obtained from the interference, or 30% of the annual turnover of the body corporate over a minimum 12-month period.

     A “repeated” interference with the privacy of an individual will no longer be a separate trigger for a penalty – this is because each separate interference will now be subject to a civil penalty in its own right.

  2. An interference with the privacy of an individual that is not serious will be punishable by a lower level of civil penalties. However, these civil penalties will still be substantial – for a body corporate, the maximum penalty is A$3.13 million.

  3. In addition, a system of administrative fines will apply to breaches of specific obligations under the Australian Privacy Principles – for example, a failure to have a privacy policy. While the OAIC must apply to the Federal Court to impose civil penalties, the OAIC can issue infringement notices imposing administrative fines directly. The onus is on the entity receiving the notice to apply to the Federal Court if it wishes to dispute the notice. The maximum administrative fine for a body corporate is A$313,000.

While the administrative fines are the lowest tier of penalties, we expect that they will have the biggest effect on compliance in practice. We expect that the OAIC will be far more willing to issue these smaller fines against offenders than it is to apply to court to impose civil penalties.

It should be noted that the value of a Commonwealth penalty unit is expected to shortly increase from A$313 to A$330 – in which case, these penalties and fines will increase accordingly.

Statutory tort for serious invasions of privacy

Unlike the US, where the courts recognised a tort of privacy almost a century ago, and the UK, where the doctrine of breach of confidence was extended to cover invasion of privacy 20 years ago, Australian common law has never recognised a right of action for invasion of privacy.

The Bill establishes a statutory tort of serious invasion of privacy which is similar to that originally proposed by the Australian Law Reform Commission in 2014. The cause of action will be established if:

  • the defendant invaded the plaintiff's privacy by intruding upon the plaintiff’s seclusion (which may include where a defendant watches or eavesdrops on the private activities or affairs of the plaintiff) or misusing information that relates to the plaintiff;
  • the plaintiff had a reasonable expectation of privacy in all of the circumstances;
  • the invasion of privacy was intentional or reckless; and
  • the invasion of privacy was serious.

Significantly, the plaintiff is not required to show proof of damage.

If the defendant shows that there was a public interest in the invasion of privacy, the plaintiff must satisfy the court that the public interest in the invasion of privacy was outweighed by the public interest in protecting the plaintiff’s privacy.

Defences are proposed to include that the plaintiff had consented, that the invasion of privacy was authorised by law, and that the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person or defend property.

The Bill provides an exemption for invasions of privacy by journalists and media outlets, where the invasion involves the collection, preparation for publication or publication of journalistic material. It also provides an exemption for law enforcement and intelligence.

Courts would be entitled to award damages (including for emotional distress) or an account of profits, grant injunctions, and make a range of other orders including requiring an apology from the defendant. The Bill caps damages for non-economic loss and punitive damages at the greater of A$478,550 or the maximum amount of damages for non-economic loss that could be awarded under defamation proceedings.

Plaintiffs will be required to commence proceedings within three years of the invasion of privacy occurring, or within a year of becoming aware of the invasion of privacy, whichever is earlier.

Privacy policies

The Bill requires entities which use automated processes to make decisions that could reasonably be expected to significantly affect the rights or interests of individuals, to include details about their use of automated decision-making in their privacy policy. This would bring the Privacy Act into line with the EU and the UK, which already require automated decision-making to be disclosed in privacy policies.

Overseas data transfers

The Bill provides for a ‘whitelist’ of overseas jurisdictions to be developed and included in the Privacy Regulations. Organisations would be able to transfer personal information to recipients subject to the laws of these whitelisted jurisdictions without further protections (such as putting contractual clauses in place).

Technical and organisational security measures

The Bill expands upon the existing requirement under Australian Privacy Principle 11 that organisations take reasonable steps to protect personal information, by specifying that these steps include reasonable “technical and organisational measures”. This would bring the Privacy Act into line with the EU and the UK, which already specify that security measures include both technical and organisational measures. “Organisational measures” to protect personal information would include putting appropriate policies and processes in place and providing security training to employees.

Information sharing during data breaches

The Bill allows declarations to be made permitting organisations to disclose personal information in ways that would otherwise breach the Australian Privacy Principles during data breaches and other emergencies, for the purpose of reducing the risk of harm to individuals. For example, if a data breach involved unauthorised access to government-issued identifiers, organisations would be permitted to share details of affected individuals with government agencies to enable those agencies to provide enhanced protections to those individuals.

Further enhancement of OAIC regulatory powers

The Bill grants the OAIC several new powers to assist in its investigative and enforcement functions, including a power to conduct public inquiries, and investigations powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (which include entry, search and seizure powers).

Children’s Online Privacy Code

To strengthen and protect the privacy of children online, the Bill requires the OAIC to develop and register a Children’s Online Privacy Code within two years. The OAIC will be required to seek public submissions on the draft Code and consult with the eSafety Commissioner and National Children’s Commissioner.

The Code will set out how the Australian Privacy Principles are to be applied in relation to the privacy of people under 18 years of age, and will apply to entities that provide social media services, relevant electronic services or designated internet services which are likely to be accessed by children.

Doxxing

The Bill amends the Criminal Code Act 1995 (Cth) to introduce new criminal offences prohibiting the malicious release of personal data online (known as ‘doxxing’).

What doesn’t the Bill do?

As noted above, the Bill omits many of the reforms proposed by the Attorney-General’s review of the Privacy Act, including:

  • the removal of the employee records and small business exemptions;
  • requiring privacy impact assessments to be conducted for high-risk information processing activities;
  • introducing the roles of “controller” and “processor” which are used in the data protection laws of many other jurisdictions;
  • introducing standard contractual clauses for the overseas transfer of personal information;
  • introducing a 72-hour requirement for notifying the OAIC of an eligible data breach;
  • a direct right of action for individuals whose personal information has been handled in contravention of the Privacy Act; and
  • the introduction of additional individual rights, such as the right to be forgotten.

Some of these reforms may have been considered too controversial to introduce shortly before an election – the removal of the employee records and small business exemptions, for example, would increase the compliance burden on many businesses. Whether these reforms are ever introduced may depend on the outcome of the 2025 Federal election.

Please feel free to contact a member of our Cyber & Data Privacy Team if you would like more detail about these proposed reforms.

Read other items in London Market Brief - September 2024
