13 September 2024

Privacy law reforms unveiled in Canberra

Sophie Dawson, Helen Clarke, Jennifer Dean, Christine Ecob, Phillip Magness, Viva Swords, Emily Lau, Lydia Cowan-Dillon, Suvina Wong, Hamish Lennon

On 12 September 2024, the Government tabled in Parliament a Bill containing 23 of the 25 privacy reform proposals agreed to by the Government. A large number of “agreed in principle” reforms have been deferred to a later date, and will most likely be considered after the Federal Government election which must be held by the end of May 2025.

This article considers key reforms and their practical implications. Many entities will be relieved that it is not necessary to implement more extensive reforms at this stage. However, it is still prudent for entities to regularly review their privacy practices and documentation in the increasingly strict enforcement environment, particularly in light of the magnitude of the penalties that have been sought in recent proceedings (such as a 21.5 trillion dollar penalty sought against Medibank in respect of an alleged breach of APP 11.1).

Some of the changes will affect different types of entities differently. For example, the proposed tort will not apply to certain conduct of journalists and certain people that assist them when it comes to the preparation and publication of news, documentaries and current affairs content. However, it may have a significant impact in the social media sphere, where the exemption will not apply to most content.

Executive summary

The Privacy and Other Legislation Amendment Bill 2024 (Cth) contains:

(a) new infringement notice powers for Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC);

(b) a statutory tort for certain serious invasions of privacy, which includes a journalism exemption (Tort);

(c) powers to prescribe foreign jurisdictions as having adequate privacy laws for the purpose of overseas disclosure of personal information under Australian Privacy Principle (APP) 8;

(d) clarification of entities’ information security obligations under APP 11;

(e) updates to the notifiable data breaches regime to provide additional flexibility in handling notifiable data breaches to reduce harm to individuals;

(f) provisions mandating the development of a Children’s Privacy Code;

(g) new offences to be included in the Criminal Code Act 1995 (Cth) for certain online communications that are “menacing or harassing” (referred to as “doxxing”); and

(h) new transparency requirements in relation to entities’ use of personal information for automated decision-making.

Each draft amendment is discussed below.

OAIC’s new infringement notice power

The Bill introduces a new power for Australia’s privacy regulator, the OAIC, to issue infringement notices for breaches of specified APPs. Non-compliances for which an infringement notice may be issued are:

  • failure to have a privacy policy (APP 1.3) which meets the requirements in APP 1.4 and the new automated decision-making transparency requirements (new APP 1.7) – see the section on “Automated decision making to be addressed in privacy policies” below for more detail;
  • failure to give individuals the right to be anonymous or use a pseudonym (where lawful and practicable) (APP 2.1);
  • failure to keep a written record of the use and disclosure of personal information for enforcement related activities conducted by, or on behalf of, enforcement bodies (APP 6.5);
  • where other marketing laws, such as the Spam Act 2003 (Cth) (Spam Act), do not apply:
    - failure to provide a simple mechanism to opt out of direct marketing (APPs 7.2(c) and 7.3(c)) and to draw attention to it when required (APP 7.3(d));
    - failure to give effect to an opt-out request within a reasonable period (APP 7.7(a));
    - failure to respond to a request to identify the source of personal information used for direct marketing (APP 7.7(b));

  • failure to respond to a request to correct personal information within a reasonable timeframe (APP 13.5(a));
  • charging an individual for making a correction request, or for responding to, or actioning, that request (APP 13.5(b)); and
  • preparing a notifiable data breach statement that fails to address the required matters in section 26WK(3) of the Privacy Act.

Compliance with these specific requirements should be an immediate area of focus for entities, given the relative ease with which the OAIC will be able to take action if there is a non-compliance.

The Australian Communications and Media Authority, the regulator of the Spam Act, has recently been particularly active in issuing infringement notices in relation to Spam Act non-compliances. There may be a similar use of this infringement notice power by the OAIC. This is foreshadowed by the Explanatory Memorandum to the Bill, which explains that infringement notices give the OAIC an option to penalise entities without protracted litigation, allowing it to resolve matters more efficiently.

The pecuniary penalty for a contravention of any of these provisions (if the OAIC applied to a court for a civil penalty order) is 200 penalty units – which will soon be $66,000 for bodies corporate. (Legislation updating the value of a penalty unit passed Parliament on 11 September 2024 and is awaiting Royal Assent; the updated penalty unit value will take effect 14 days after Royal Assent.)

Infringement notices for each contravention by a body corporate (other than a publicly listed corporation) will be limited to less than the maximum civil penalty – the Explanatory Memorandum states that the amount will be $19,800. The infringement notice amount for each contravention by a publicly listed company is 200 penalty units – which will soon be $66,000.

The existing power under section 66 of the Privacy Act to issue infringement notices for failure to give information as required under the Privacy Act is unaffected.

A new tort of privacy

A key feature of the Bill is a new cause of action in tort for serious invasions of privacy.

The Bill provides that an individual will have a cause of action in tort against another person for certain serious invasions of privacy that are intentional or reckless, where the individual would have a reasonable expectation of privacy in the circumstances. The tort applies to invasions of privacy consisting of one of the following:

(i) intruding upon the plaintiff’s seclusion; or

(meaning physically intruding into the person’s private space, or watching, listening to or recording the person’s private activities or private affairs)

(ii) misusing information that relates to the plaintiff.

(including, but not limited to, collecting, using or disclosing information about the individual, whether true or not)

In certain circumstances described below, a public interest balancing test and certain defences are available.

Relevant factors

Element: Seriousness

Description: When assessing if an invasion of privacy is serious, a court may consider:

(i) the degree of offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff;

(ii) whether the defendant knew or ought to have known the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff; and

(iii) if the invasion of privacy was intentional or motivated by malice.

Element: Reasonable expectation of privacy

Description: When assessing if a person has a reasonable expectation of privacy in all of the circumstances, a court may consider:

(i) the means or technology used to invade privacy;

(ii) the purpose behind the invasion;

(iii) the plaintiff’s attributes, including age, occupation or cultural background;

(iv) if the plaintiff invited publicity or manifested a desire for privacy;

(v) the location where any intrusion upon seclusion occurred; and

(vi) for misuse of information:

a. the nature of the information and its sensitivity;

b. the plaintiff’s treatment of the information; and

c. the prior availability of the information.

Remedies available include damages to the plaintiff (notably for emotional distress), injunctions (including interim injunctions), account of profits, apology and correction orders, orders for the delivery up, destruction and/or removal of material, and declarations.

Limitations

Generally, a plaintiff must commence proceedings before the earlier of:

(i) a year after the plaintiff becomes aware of the invasion of privacy; or

(ii) three years after the invasion of privacy occurred.

If a plaintiff was under 18 years of age when the invasion of privacy occurred, proceedings must be commenced before the plaintiff’s 21st birthday.

A plaintiff may apply for an order to commence proceedings later where it was not reasonable in the circumstances to have commenced proceedings in accordance with the above limitations. However, proceedings may not be commenced any later than six years after the invasion of privacy.

Public interest considerations

Where a defendant adduces evidence that there was a public interest in the invasion of privacy, the onus will be on the plaintiff to satisfy the court that their right to privacy outweighed any public interest.

Examples of evidence going to a public interest consideration include, but are not limited to: (i) freedom of expression, including political communication; (ii) freedom of the media; (iii) proper administration of government; (iv) open justice; (v) public health and safety; (vi) national security; and (vii) crime and fraud prevention and detection.

Defences and exemptions

Defences to the cause of action include if the invasion of privacy was: (i) required or authorised by law; (ii) expressly or impliedly consented to by the plaintiff or someone with lawful authority to consent for the plaintiff; (iii) necessary to lessen a serious threat to a person’s health or safety; or (iv) incidental to defence of persons or property (where proportionate, necessary and reasonable). Where the invasion of privacy occurs through publication, the defences of absolute privilege, publication of public documents or providing a fair report of public proceedings are also available.

The Bill also specifies the following exempt circumstances where no cause of action arises:

Exemption: Journalists

Description: No cause of action arises to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material by: (i) a journalist; (ii) an employer of a journalist; or (iii) a person assisting a journalist, who is engaged by the journalist’s employer or in the person’s professional capacity.

(A journalist is a professional journalist who is subject to standards of professional conduct or a journalists’ code of practice – noting it is immaterial if those codes or standards are breached in an invasion of privacy.)

(Material is journalistic material if it: (i) has the character of news, current affairs or a documentary; or (ii) consists of commentary or opinion on, or analysis of, news, current affairs or a documentary.)

Exemption: Enforcement bodies

Description: No cause of action arises where an enforcement body invades an individual’s privacy to the extent the enforcement body reasonably believes the invasion of privacy is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

Exemption: Intelligence agencies

Description: No cause of action arises where there is an invasion of privacy: (i) by an intelligence agency; (ii) to the extent it involves a disclosure of information to an intelligence agency; or (iii) to the extent it involves information disclosed by an intelligence agency.

Exemption: Children

Description: No cause of action is available where a person under 18 invades an individual’s privacy.

Exemption: Deceased persons

Description: Invasions of privacy cannot be asserted by deceased persons or their personal representatives.

New powers to ‘whitelist’ overseas jurisdictions for the purposes of overseas disclosure of personal information

The Bill introduces a mechanism for the Governor-General to prescribe countries and binding schemes as providing substantially similar protection to the APPs – akin to the GDPR’s “adequacy decisions”. The aim is to give more certainty to entities as to whether they can disclose personal information to an overseas recipient, and to facilitate the free flow of information from Australia in international markets while respecting individual privacy.

Currently, unless a permitted basis in APP 8 applies, an entity is required to take reasonable steps to ensure that an overseas recipient will not breach the APPs in relation to the personal information and, should the overseas recipient handle personal information in a way that breaches the APPs, the entity is accountable for that breach. The Bill proposes that, in addition to the existing permitted bases in APP 8 for overseas disclosure of personal information, there will be a new basis that permits overseas disclosure to a recipient subject to a ‘whitelisted’ jurisdiction or binding scheme.

This reform will simplify disclosures of personal information to overseas recipients in whitelisted jurisdictions.

Information security obligations clarified

An amendment to APP 11 in the Bill adds a new APP 11.3, which clarifies that entities’ obligations to take reasonable steps under APP 11.1 and 11.2 include technical and organisational measures.

Subject to exceptions, APP 11 requires entities bound by the Privacy Act to take such steps as are reasonable in the circumstances to keep information secure (APP 11.1), and to destroy or de-identify information when it is no longer needed for a purpose for which the entity may use or disclose it consistently with the APPs (APP 11.2).

The Explanatory Memorandum gives the following examples of technical and organisational measures that could be put in place:

  • technical measures include securing access to premises, encrypting data, anti-virus software and strong passwords; and
  • organisational measures include training employees on data protection, and developing standard operating procedures and policies for securing personal information.

Entities should ensure that both types of measures are documented in their security management plans and are included in their document retention and destruction policies and practices. They should also retain evidence that those plans, policies and procedures are implemented and that compliance is regularly audited so that they can prove compliance with APP 11.

Notifiable data breaches

The Bill introduces a new regime under which, in the wake of a notifiable data breach, a Minister can permit by way of declaration certain collections, uses and disclosures of personal information (that would otherwise breach privacy laws, duties of confidence or some statutory secrecy provisions) for the purposes of reducing the risk of harm to individuals affected by the data breach.

The Explanatory Memorandum gives the example that this regime could be used to allow an entity to share information of affected individuals with services such as banks to allow those services to conduct additional monitoring and implement additional safeguards for affected individuals. The purposes of such a declaration may include:

  • preventing or responding to a cybersecurity incident, fraud, scam activity or identity theft;
  • responding to the consequences of a cybersecurity incident, fraud, scam activity, identity crime and misuse, financial loss, emotional and psychological harm, family violence and physical harm or intimidation; and
  • addressing malicious cyber activity.

The declaration cannot permit disclosure to media organisations. While an entity may collect, use and disclose personal information pursuant to a declaration without contravening privacy laws, duties of confidence and some statutory secrecy provisions, there is a list of designated secrecy provisions which the entity must continue to comply with.

If personal information is disclosed to a recipient pursuant to a declaration, the recipient is prohibited from disclosing the information to another person except in a list of specified narrow circumstances. This prohibition on on-disclosure also applies to State and Territory bodies, which are not otherwise bound by the APPs.

This change may assist entities who have suffered a notifiable data breach, by broadening the steps that they can take to mitigate harm to individuals. It remains to be seen how often this regime is accessed, or whether it is reserved for the highest profile incidents only.

New Children’s Online Privacy Code to be developed for online services that are accessed by children

The Bill introduces provisions which mandate the development of a new APP code, the Children’s Online Privacy Code (Children’s Code), which will apply to online services that are “likely to be accessed by children” and do not provide health services.

The Bill provides that the OAIC must develop the Children’s Code within 24 months from the day the Bill receives Royal Assent. The OAIC must make a draft publicly available for a minimum 40-day consultation period prior to registering the Children’s Code.

The OAIC will publish further guidance on its website as to what services it considers are “likely to be accessed by children” as it develops the Children’s Code. Earlier reform discussions have indicated that the Children’s Code is likely, to the extent practicable, to broadly align with the scope of the UK Age-Appropriate Design Code.

New offences: “Doxxing”

Two new criminal offences have been introduced to the Criminal Code Act 1995 (Cth). The Explanatory Memorandum explains that they are to address the practice of “doxxing”.

The offences in the Bill are significantly different from the doxxing offence in Proposal 4.7 of the Government’s Response to the Privacy Review Report dated 28 September 2023. Unlike Proposal 4.7, they do not contain any requirement to prove malice or an intention to cause harm.

Using a carriage service to make available personal data of one or more individuals

Proposed new section 474.17C of the Criminal Code Act will, if enacted, make it an offence if:

(a) a person uses a carriage service to make available, publish or otherwise distribute information;

(b) the information is personal data (information that enables the individual to be identified, contacted or located) of one or more individuals; and

(c) the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those individuals.

The penalty for this offence is imprisonment of up to six years.

Using a carriage service to make available personal data of one or more members of certain groups

Proposed section 474.17D of the Criminal Code Act will, if enacted, make it an offence where a person:

(a) uses a carriage service to make available, publish or otherwise distribute information;

(b) the information is personal data of one or more members of a group;

(c) the person engages in the conduct in whole or in part because of the person’s belief that the group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin; and

(d) the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those members.

The penalty for this offence is seven years’ imprisonment.

The offences are similar to the existing offence in section 474.17 which prohibits conduct using a carriage service which a reasonable person would think is menacing, harassing or offensive.

The examples given in the Bill of offending conduct include publication of the names, images and addresses of members of a private online religious discussion group on websites, together with encouragement to block entryways or otherwise harass members of that group.

The implied constitutional freedom of speech is likely to be relevant to construing these offences, as they affect freedom of speech and therefore must be reasonably appropriate and adapted in the sense of being proportionate in order to be constitutionally valid. In Monis v the Queen (2013) 249 CLR 92, three members of the High Court attributed a narrow meaning to “offensive” in a similar provision on the basis that there is a statutory presumption that it was intended to be consistent with the constitutional freedom.

Automated decision making required to be addressed in privacy policies

The Bill seeks to enhance transparency about the use of automated decision-making (ADM) tools, by requiring entities to address the use of personal information for ADM in their privacy policy.

When will ADM requirements apply?

The new ADM requirements will require disclosures to be made in an entity’s privacy policy if:

  • the entity has arranged for a computer program to make a decision, or to do a thing that is substantially and directly related to making a decision;
  • the decision could reasonably be expected to significantly affect the rights or interests of an individual; and
  • personal information about the individual is used in the operation of the computer program described above.

A number of these concepts are clarified under proposed APP 1.9. In particular:

  • making a decision or “doing a thing” includes refusing or failing to make a decision or “do a thing”;
  • the effect of the decision on the individual’s rights or interests could be an adverse or beneficial effect; and
  • there is a non-exhaustive list of the kinds of decisions that may affect an individual’s rights or interests – for example, decisions that:
    - are made under a law to grant, or refuse to grant, a benefit to the individual;
    - affect the individual’s rights under a contract, agreement or arrangement; and
    - affect the individual’s access to a significant service or support.

What must be addressed in the privacy policy

Under proposed APP 1.8, the entity’s privacy policy must address the kinds of:

  • personal information used in the operation of the computer program;
  • decisions that will be made solely by the operation of the computer program; and
  • decisions for which “a thing” (that is substantially and directly related to making the decision) “is done” by the operation of such computer programs.

How to prepare

Entities should consider whether they use ADM processes in their business and, if so, the types of personal information these processes use, and the likely effect on individuals of decisions made using these processes.

The Bill does not include some of the additional ADM recommendations from the reforms process, including providing individuals with meaningful information about how automated decisions are made, and conducting privacy impact assessments for high privacy risk activities. These changes may be introduced at a later stage.

Next steps

If you have any questions about which of these privacy reform proposals are likely to affect your business and how you can best prepare, please contact our Technology team.