Australian Government announces overhaul of Privacy Act and doxxing reforms

Written by Sophie Dawson (Partner), Jennifer Dean (Partner), Emily Lau (Senior Associate)

The Australian Government has announced it will be “bringing forward legislation in August to overhaul the Privacy Act 1988 (Cth) (Privacy Act) and protect Australians from doxxing”. News of the change in timing came in a joint media release, ‘Tackling online harms’, and speech by the Attorney-General, The Hon Mark Dreyfus KC MP.[1]

The speech made it clear that “doxxing reforms would be covered” but did not otherwise specify what reforms would be included. Many people expect that, at that time, the Government will publish draft legislation for many, and potentially all, of the proposed reforms which have been “agreed” or “agreed in principle”. What is clear is that doxxing will be covered.

This article outlines the reforms under consideration and provides some context in relation to the doxxing aspects of the reform process.

1. Overhaul of the Privacy Act

Since 2020, the Australian Government has been consulting with individual consumers, industry participants, media organisations and cybersecurity experts in relation to an overhaul of the Privacy Act to better protect Australians’ privacy in the digital age. This work culminated in the Privacy Act Review Report released in December 2022 and the Australian Government’s Response to the proposals in the Privacy Act Review Report in September 2023. The further steps outlined in the Australian Government’s Response were: the development of legislative proposals which are agreed; engagement with entities on proposals which are agreed in-principle; and progressing of further advice to the Government this year.

In its Response, the Australian Government agreed to some proposals in the Privacy Act Review Report, including:

  • a requirement that a media organisation adhere to privacy standards overseen by an oversight body such as ACMA or standards dealing with privacy, in order to benefit from the journalism exemption;
  • in relation to automated decision making:
    • a requirement that privacy policies set out the types of personal information that will be used in substantially automated decisions with a legal or similarly significant effect on individual rights;
    • high-level indicators of the types of decisions with a legal or similarly significant effect on an individual’s rights in the Privacy Act;
    • a right for an individual to request information about how substantially automated decisions with legal or similarly significant effect are made;
  • amending the requirement in Australian Privacy Principle 11.1 that an APP entity takes reasonable steps to protect personal information so that it specifies that ‘reasonable steps’ include technical and organisational measures;
  • for the purpose of disclosure of personal information outside of Australia, a mechanism to prescribe countries and certification schemes as providing substantially similar protection to the APPs;
  • the introduction of tiers of civil penalty provisions for more targeted regulatory responses; and
  • giving the Information Commissioner the power to undertake public inquiries and reviews into specified matters upon approval or direction by the Attorney-General.

Many proposals in the Privacy Act Review Report were ‘agreed in-principle’, such that the Government will engage with entities to consider how these can be implemented in a way that balances privacy needs with other considerations such as regulatory burden. These included:

  • an amended definition of “personal information” so that it refers to “information or an opinion that relates to an identified individual” instead of “about an identified individual”;
  • the introduction of the concepts of “controller” and “processor”, which already exist in the EU GDPR;
  • a requirement that consent be voluntary, informed, current, specific and unambiguous;
  • a requirement to obtain consent to trade an individual’s personal information;
  • new rights to erasure, correction and de-indexing of personal information, subject to exceptions e.g. for competing public interests (such as freedom of communication);
  • an unqualified right to opt-out of the use and disclosure of personal information for direct marketing purposes;
  • prohibitions on:
    • direct marketing to children unless the personal information used for direct marketing was collected directly from the child and the direct marketing is in the best interests of the child;
    • targeting to a child unless the targeting is in the best interests of the child; and
    • trading in children’s personal information;
  • the introduction of an express requirement in APP 5 that collection notices are clear, up-to-date, concise and comprehensible;
  • amending the Privacy Act so that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances, based on an objective test;
  • a requirement that targeting individuals be fair and reasonable in the circumstances;
  • a prohibition on using sensitive information (except for political opinions, membership of a political association or membership of a trade union) to target individuals with an exception for socially beneficial content;
  • a requirement that entities provide information about targeting e.g. use of algorithms;
  • a requirement for APP entities to conduct a Privacy Impact Assessment before commencing high privacy risk activities;
  • a statutory tort for serious invasions of privacy (see section 5 of this article for details); and
  • a direct right of action for individuals, who suffer loss or damage as a result of an interference with their privacy, to claim compensation.

If enacted, these reforms to the Privacy Act will have a significant impact on businesses and individuals. We will provide more information once draft legislation is released and/or consultations are announced.

Doxxing reforms

In the next sections of this article, we explore the background to the announcement of the doxxing reforms and what they may include.

2. What is doxxing?

Doxxing is when a person intentionally discloses an individual’s personal information online without their consent. The media release has referred to doxxing as the release of private information online with an “intent to cause harm”. Doxxing can put individuals in danger of multiple harms such as reputational damage and distress and can be associated with identity theft and cyberstalking.

Examples of doxxing given by the Government include:

  • identification of someone who has used a pseudonym;
  • disclosure of contact or location information about an individual; and
  • revelation of information which de-legitimises someone (such as private medical, legal or financial records, or personal messages and photos usually kept out of view).

3. What is the background to the announcement regarding doxxing?

This announcement follows a consultation run by the Attorney-General’s Department in March 2024 (Doxxing Consultation) on how to address doxxing through civil remedies, including the Privacy Act. The Doxxing Consultation sought responses as to whether:

  • existing measures sufficiently address doxxing;
  • a proposed statutory tort for serious invasions of privacy would improve options for individual victims; and
  • there are any other options (legislative or non-legislative) in responding to doxxing.[2]

When introducing the Doxxing Consultation, the Attorney-General’s Department stated that the proposed privacy protections in response to the Privacy Act Review that could be used to address doxxing include:

  • a new statutory tort for serious invasions of privacy such that individuals could take court action for doxxing; and
  • more control and transparency over personal information, such as enhanced or new individual rights to access, object, erase, correct, and de-index personal information.

The Doxxing Consultation comes in the context of a broader review of the Privacy Act mentioned earlier.

The idea of a tort for serious invasions of privacy has been heavily contested. For example, media organisations have submitted in the Privacy Act Review consultations that there is no need for such a tort as existing measures including relevant obligations and restrictions are sufficient. Existing measures include obligations under the broadcasting codes of practice and press council standards, and a large number of statutory restrictions on publication.

4. Current state of play

Currently, the Australian Privacy Principles in the Privacy Act do not apply to the collection, use or disclosure of personal information, or personal information held by an individual, only for their personal affairs,[3] or to acts by persons who are not “APP entities” (as defined in the Privacy Act). This means that individuals have no recourse under the Privacy Act if they are a victim of doxxing by a non-APP entity. The speech by the Attorney-General indicates that the proposed statutory tort would, if enacted, regulate privacy harms such as physical intrusion into a person’s private space and would cover individuals and entities who are not otherwise subject to the Privacy Act.

There are some existing protections in place. The Online Safety Act 2021 (Cth) (Online Safety Act) aims to protect individuals from illegal or harmful online content or behaviour. For example, individuals who are victims of doxxing can make complaints under the Adult Cyber Abuse Scheme operated by eSafety under the Online Safety Act. Specifically, a complaint can be made if an individual has first reported the cyber abuse to the relevant online service provider and circumstances exist such that a reasonable person would conclude that:

  • the doxxing conduct is intended to cause serious harm to a particular Australian adult; and
  • the material is menacing, harassing or offensive.

If satisfied of these matters, the eSafety Commissioner can issue a notice to a relevant service provider requiring that the material be taken down within 24 hours. Similar remedies are available in respect of non-consensual sharing of intimate images and in respect of cyber abuse directed at children.[4]

5. What the reforms may look like

The announcement does not provide any details as to what the legislation to prohibit doxxing may include. 

The proposal that is most relevant to doxxing (and which has been agreed in the Government’s Response to the Privacy Act Review) is the introduction of a criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit, subject to appropriate exceptions. The introduction of such a criminal offence appears to be one of the simplest options available to the Government in this area, in that it is targeted and specific (though issues in relation to its construction and breadth would still arise).

Other potential reforms highlighted in the Doxxing Consultation and the Privacy Act Review (such as the right to request search engines to de-index particular online search results and right to erasure of personal information) may also be included in the draft legislation.

Based on the topics of discussion in the Doxxing Consultation, a proposed statutory tort for serious invasions of privacy may be one of the measures being considered. In particular, the Office of the Australian Information Commissioner’s submission in response to the Doxxing Consultation stated that the proposed statutory tort for serious invasions of privacy would mean that individuals could obtain compensation and other remedies through the courts for some serious instances of doxxing under the ‘misuse of private information’ limb of the tort, where the balancing of other interests such as freedom of expression and public interest in media reporting does not result in a finding for the respondent.[5] The Law Council of Australia argued that any regulatory framework designed to address doxxing needs to carefully balance addressing harm to individuals by illegitimate doxxing behaviours and protecting public interest journalism which may necessitate the publication of some private information.[6]

Any cause of action would have broader ramifications for internet publication, the media and the public more generally and we expect that this proposal will continue to be heavily debated.

Constitutional considerations will also come into play. In Australia, there is an implied constitutional freedom of expression in relation to government and political matters which will be relevant to construing the legislation (potentially narrowly[7]) and could be used by defendants to argue the legislation is invalid. Where it applies, it is necessary to take this into account in order to construe laws as there is a presumption that each law was intended to be constitutionally valid and to be construed accordingly. The success of such challenges will turn on three questions.

  1. First, whether the law effectively burdens the freedom in its terms, operation and effect. That part is likely to be satisfied here as the laws affect what can lawfully be said, including in relation to government and political matters.
  2. Second, whether the purpose of the law and the means adopted to achieve that purpose are legitimate, in the sense that they are compatible with the maintenance of the constitutionally prescribed system of representative government (referred to as compatibility testing).
  3. Third, whether the law is reasonably appropriate and adapted to advance that legitimate object. Thus, it is very important for the Government to take a measured approach.

Given that the Doxxing Consultation invited participants to provide other options to address doxxing, the legislation could include other remedies. For example, the Law Council of Australia, in its submission, argued that an individual victim seeking an apology, or a takedown, would be more feasible than seeking damages or compensation. There are existing takedown provisions in the Online Safety Act which will apply in some circumstances (as described above).[8]

The speech by the Attorney-General indicates that the proposed statutory tort will balance privacy protection with other considerations such as freedom of speech and freedom of the media. The balance to be struck will not be clear until the exposure draft provisions are released. A key question will be whether any tort will include a media exemption to preserve the ability of the media to report on important matters such as police investigations which have been the subject of successful tort actions in the UK.

We will provide a further update when the Attorney-General’s Department engages in further consultation and/or releases draft legislation.


[1] ‘Privacy by Design Awards 2024’ The Hon Mark Dreyfus KC MP Speech of 2 May 2024, https://ministers.ag.gov.au/media-centre/speeches/privacy-design-awards-2024-02-05-2024.

[3] Section 16.

[5] ‘Statutory tort for serious invasions of privacy’ section of ‘The Office of the Australian Information Commissioner’s (OAIC) submission to the Australian Government’s consultation on doxing and privacy reform’.

[6] The Law Council of Australia listed the questions in this letter, ‘Doxxing and privacy reforms’ (10 April 2024).

[7] As occurred in Monis v The Queen [2013] HCA 4, where the term “offensive” was construed narrowly.

[8] Online Safety Act 2021 (Cth), section 7.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).
