Some important developments, but uncertainty remains
The first tranche of reforms to the Privacy Act 1988 (Cth) — the Privacy and Other Legislation Amendment Bill 2024 (the Bill) — will be law after it passed the Senate on 29 November 2024. The Bill (as passed) contained minor changes made by the Senate to the version introduced by the Government on 12 September 2024.
These amendments to the Privacy Act 1988 (Cth) (the Privacy Act) mark the Government's first legislative response to long-awaited reforms to Australia's privacy legislation, but many of the most significant proposed changes have been left for future tranches of reform, leaving the future shape of Australian privacy law in limbo.
Key takeaways
- The Bill (as passed) implements 23 of the legislative proposals that were agreed to by the Government in its response to the 116 proposals set out in the Privacy Act Review Report (Report).
- The Bill (as passed) does not provide anticipated long-term clarity on reform to the fundamental pillars of Australian privacy law. The amendments are also less comprehensive than expected, focusing on 'quick wins', without delving into the thornier issues the Government had agreed to in principle only, or that required further consultation.
- However, the amendments do address some items of significance, most notably the introduction of a tiered penalty regime for contraventions of the Privacy Act, which is likely to result in a higher degree of OAIC enforcement activity, a statutory tort for serious invasions of privacy, two new 'anti-doxxing' offences and new transparency requirements for organisations regarding automated decision-making.
How did we get here?
In September 2023, the Government released its response to the Privacy Act Review Report (the Response), indicating that it 'agreed' or 'agreed in principle' to the majority of the 116 proposals outlined in the report. In the years following, the Government has continued to suggest that widespread reforms would be introduced in 2024. Touted to be the most comprehensive reforms to the Privacy Act since 2014, the reforms promised to bring Australia's privacy landscape up to speed with increasing data and privacy risk and the rapidly evolving digital economy.
The Bill addresses 23 of the 25 legislative proposals that were 'agreed to' in the Response and directed at legislative change (the Government agreed to 38 proposals in total, some of which were to be actioned through other activities such as the development of guidance). The Bill was passed in an expedited session of Parliament ahead of the summer recess, with only a few amendments. The amendments to the Privacy Act without legislated grace periods will commence once Royal Assent is received (expected by the end of the year).
The remaining proposals signalled as 'agreed' or 'agreed in principle' are expected to be introduced in a second tranche of legislative reform, with timing for such reform unknown. Attempts by the Greens to amend the Bill to include some elements slated for tranche 2 were unsuccessful. With the federal election looming by May 2025, we will likely have to wait until after the election to see what further changes are in store.
This means further uncertainty for businesses waiting for clarity on the thornier of the proposed reforms. These include the proposed removal of the small business exemption, the removal or modification of the employee records exemption, as well as amendments targeting consent, the fair and reasonable collection of personal information, and targeting/marketing provisions.
What is covered in this tranche of reform?
Reforms affecting information handling practices
The Bill amends Australian Privacy Principle (APP) 1 to require that organisations using automated decision-making (ADM) disclose this in their privacy policy. This obligation applies where ADM substantially or directly utilises the personal information of individuals to make decisions that could 'reasonably be expected to significantly affect the rights or interests…' of an individual. This includes requirements for transparency over the types of personal information used for, and the types of decisions made by or subject to, ADM. Organisations have significant lead time to ensure their privacy policies are updated to achieve compliance with the proposed amendment to APP 1, as there is a two-year grace period from the date the Bill receives Royal Assent.
Practically, this is a transparency obligation alone. It is unclear how an organisation will assess whether the use of ADM may 'significantly affect the rights or interests' of an individual. Many organisations may form the view that it would never do so. It does not afford individuals a right:
- not to be subject to a decision based solely on automated processing; or
- to request information about how decisions utilising ADM have been made,
as is included in the GDPR.
Nevertheless, the recent proposals paper for introducing mandatory guardrails for use of AI in high-risk settings does foreshadow requirements as to human oversight of, and intervention in, AI system deployment, as well as requirements to inform end-users about how AI is being used and where it affects them. Given this, we expect these issues may be picked up in separate regulation or a future amendment to the Privacy Act.
For further information in relation to the proposed guardrails for the use of AI and the Government's Proposal Paper for 'Introducing Mandatory Guardrails in High-Risk Settings', please see our update.
Action: organisations that use ADM to make decisions that could 'reasonably be expected to significantly affect the rights or interests…' of an individual will need to disclose this in their privacy policy.
The Bill amends APP 8 to enable overseas disclosure of personal information to jurisdictions prescribed by regulations. Where a jurisdiction is prescribed, an entity does not need to comply with APP 8 by ensuring that the offshore recipient does not breach the APPs.
In order to prescribe an overseas jurisdiction, the Minister must be satisfied that the privacy laws of the jurisdiction:
- have the effect of protecting personal information in a way that is substantially similar to the APPs; and
- have mechanisms in place that an individual can access to enforce the protection of their personal information.
This approach is similar in effect to the 'adequacy decision' mechanism in the GDPR and is a welcome development. To date, the OAIC had been resisting providing a 'white list' of jurisdictions to which offshore disclosure is permitted, leaving assessment of the adequacy of overseas legal frameworks to individual entities considering offshore disclosure.
Relevantly, the Minister cannot prescribe an overseas jurisdiction unless its privacy laws would enable Australian individuals to enforce the protection of their personal information. This may limit how many offshore jurisdictions can be white-listed in practice.
Action: any changes to offshore disclosure practices (where the Minister prescribes relevant overseas jurisdictions) will need to be reflected in updated privacy policies and collection notices.
APP 11 is amended to clarify that the reasonable steps an organisation must take to protect personal information in accordance with APP 11 include both technical and organisational measures. This provides legislative certainty that APP 11 requires adequate governance and organisational structures to be in place, not just technical data security protections. This is consistent with the OAIC's existing approach to privacy compliance and enforcement.
Additional substantive reforms that had been proposed in relation to APP 11 (particularly affecting organisational transparency about data retention periods) were not included in this first tranche of reforms. While further reform in this area may be forthcoming in future tranches, organisational data retention obligations remain a quagmire. We anticipate that this area will remain so for some time, given the complexities of resolving it (and with likely little political appetite to focus energy on such a technical and somewhat unglamorous issue).
Action: organisations will need to ensure they have both governance and technical structures in place to address compliance with APP 11.
Increased penalties and developments in OAIC enforcement powers
The Bill:
- Removes references to 'repeated' in section 13G to clarify that a single act or practice may amount to a serious interference with privacy. Helpfully, the reforms also introduce a set of (non-exhaustive) matters that can be taken into account when determining if an interference with privacy is 'serious'—largely codifying existing OAIC guidance on the matter.
- Introduces a new mid-range civil penalty provision (up to 2000 penalty units, currently $660,000) under section 13H for general interferences with privacy, where the act or practice does not amount to a 'serious' interference. This seeks to address a gap in enforcement where the OAIC was previously only able to seek civil penalties for the most egregious interferences with privacy.
- Provides new powers to the OAIC to issue infringement notices (imposing civil penalties of up to 200 penalty units, currently $66,000) for prescribed breaches of the APPs and the mandatory data breach notification obligations. The APP breaches are largely focused on breaches relating to privacy policy requirements and processes around direct marketing and correction of information (though more provisions may be added by regulation). APP 2.1, being the requirement to allow individuals to engage on an anonymous or pseudonymous basis, has also specifically been called out. We expect that this group of APPs may become a key focus area for upcoming OAIC enforcement activity, and may indicate the OAIC is looking to act similarly to the way the ACMA regulates the Spam Act 2003 (Cth), where an infringement-notice regime facilitates the more frequent imposition of penalties. The ACMA has, in recent years, been highly active in its use of the infringement notice mechanism and organisations should expect the OAIC to follow a similar path.
- Introduces a new mechanism for the Commissioner to issue compliance notices in respect of the same set of APPs and data breach obligations, where the Commissioner reasonably believes that an entity has contravened such obligations. This mechanism is an alternative to financial recourse through infringement notices, and works in a similar way to an enforceable undertaking (as the OAIC may specify actions that the entity must take, and the entity may be required to produce evidence of compliance). While a compliance notice regime was not expressly considered by the Report, it similarly mimics the increased use of 'compliance alerts' by ACMA, and organisations should expect it to be a commonly used tool in the OAIC enforcement arsenal. Where an entity complies, it is not taken to have contravened the civil penalty provision, nor to have admitted any contravention. The compliance notice does have some bite to it, as a failure to comply with a notice is, in and of itself, a contravention (of up to 200 penalty units ($66,000)). Failure to comply would also leave the entity open to other enforcement action, such as a separate application to the Federal Court for contravention of a civil penalty provision (this cannot occur while a compliance notice is in place). The Federal Court can confirm, cancel or vary a compliance notice, if the entity seeks review on the basis that it has not committed the contravention set out in the notice (which we think is a reasonable level of judicial oversight, given the potential burden an organisation may experience in meeting a compliance notice).
Action: organisations should consider how these amendments might alter their privacy risk profile, having regard to specific potential non-compliance (and not just 'systemic' non-compliance).
The OAIC and Federal Court now have additional powers to issue declarations requiring organisations to take steps to redress, prevent and reduce loss or damage resulting from contraventions of the Privacy Act, where these are found to have occurred either in the course of an OAIC investigation or civil penalty proceedings in the Federal Court.
Other enforcement-related amendments include changes to the OAIC's monitoring and investigation powers (bringing them into closer alignment with existing powers of other federal regulators). We see these changes as reflective of the OAIC's increasing enforcement maturity.
The Minister will now have the power to make 'eligible data breach declarations' to prevent or reduce a risk of harm arising from unauthorised access to or disclosure of personal information.
In essence, this permits entities to disclose personal information for permitted purposes related to the principle of preventing or reducing harm (in a manner that may not otherwise be permitted under the APPs). Notably, the Bill contemplates scenarios related to the prevention of, response to and remediation of cybersecurity incidents. These amendments are likely a response to concerns raised in the course of the Optus data breach as to whether information should be shared with certain organisations (eg financial institutions) for harm-mitigation purposes.
While this is a helpful step in managing cyber incidents, given the requirement for a declaration from the Minister, it will likely only be in place for the most material or high-profile cyber incidents. We anticipate that this declaration power may encourage organisations to engage more with the Government's cyber incident response apparatus (eg the Cyber Coordinator and the Cyber Security Response Coordination Unit) in an effort to benefit from the declaration.
Action: organisations should consider whether it may be appropriate to reference the potential for such declarations to be made in their cyber incident response plans and playbooks.
Code development: children's privacy and future privacy codes
The OAIC must develop a Children's Online Privacy Code (the COP Code) to address online privacy for children. We anticipate that this will be one of the more impactful outcomes from this reform, but the extent of the impact will not be known until the details of the forthcoming COP Code are determined.
The COP Code is intended to apply to APP entities that are providers of a social media service, relevant electronic service or designated internet service (within the meaning of the Online Safety Act 2021 (Cth)), where the service is likely to be accessed by children. Again, we will not know what will constitute a service that is 'likely to be accessed by children' until details of the Code are finalised, but it will likely include any broadly accessible platform service that does not impose restrictions on access by children. The Bill's Explanatory Memorandum suggests that service providers should have regard to:
- whether the service has a particular appeal to children;
- market research on the user base of the service; and
- the way in which the service is accessed, and whether there are measures in place to prevent children from accessing the service.
The OAIC will be required to make a draft of the COP Code available for public consultation, with the Government setting a deadline of two years from the date the reforms come into force to finalise and register the COP Code.
Action: organisations that may be regulated by the COP Code should continue to monitor its development.
The Minister may direct the OAIC to develop and register an APP code, or temporary APP code, where the Minister is satisfied it is in the public interest to do so. The directions may specify the matters that the APP code must deal with, and the APP entities or class of APP entities that are to be bound by the code.
Temporary APP codes can be introduced where the Minister determines it is in the public interest and where such a code should be developed urgently.
The Government has indicated that these reforms shall allow greater efficiency and flexibility to the APP code-making process.
New avenues of individual action and new offences
The Bill introduces a new cause of action in tort for intentionally or recklessly intruding upon a person's seclusion or misusing information that relates to them, in circumstances where a reasonable expectation of privacy exists. The tort will only apply where the invasion of privacy was 'serious', and where the public interest in the individual's privacy outweighs any countervailing public interest. A non-exclusive list of matters of public interest have been included, such as freedom of expression; freedom of the media; public health and safety; national security, and the prevention and detection of crime and fraud.
A statutory tort of this kind has been under consideration for many years, with the Government's model drawing upon recommendations by the Australian Law Reform Commission in its 2014 report on Serious Invasions of Privacy in the Digital Era. [Prior to introduction and passing of the statutory tort, the Victorian County Court recognised a common law action for invasion of privacy.[1] This recognition was novel and rather tentative, and while we expect it is likely to be subsumed by the Federal legislative version, the common law may still guide or fill in the gaps.]
The Coalition unsuccessfully sought to excise Schedule 2, dealing with the statutory tort, from the Bill pending further consultation regarding potential unintended consequences.
Several exceptions and defences are contemplated, most notably including a journalism exemption, covering invasions of privacy involving the collection, preparation or publication of 'journalistic material' by journalists and other categories of employees in the media sector.
We anticipated two major issues with the exception as originally proposed. First, the exception only covered journalists, the employers of journalists and certain persons assisting a journalist. It did not provide an exception for the publisher of journalistic material. This appeared to be a significant omission, particularly given that the publishers of material are often not the same entity as the employer of a journalist and, in some cases, publishers source journalistic material from self-employed journalists or other content providers. These concerns were addressed by Senate amendments that (A) extended the exemption to persons 'engaging in' journalism, or employed by or engaged by the journalist's employer, and (B) also disapplied the relevant Schedule to the extent that the invasion of privacy involves the publication or distribution of journalistic material that was prepared for publication by a journalist.
Second, we expected the Government's definition of 'journalistic material' would be particularly scrutinised by media organisations given the breadth of activities undertaken in the media sector and the narrow approach to the term adopted in the Bill. Senate amendments expanded the definition to capture editorial content – which alleviates these concerns to some extent.
The court also now has the power to provide injunctive relief restraining the invasion of privacy (though the court must have particular regard to the public interest where it involves a publication).
Despite these exceptions and defences, the introduction of the statutory tort could have the potential to significantly impact public discourse in Australia, particularly given that (unlike in comparable jurisdictions) a fundamental right of freedom of expression has (other than the implied right of political communication) not been enshrined in statute. Notably, freedom of expression is listed as a matter that may constitute a countervailing public interest (so that the plaintiff must establish that the public interest in their privacy outweighs it), when no such general right exists.
The Government had also agreed in principle with a recommendation to afford individuals a direct right of action for contraventions of the Privacy Act, but that amendment has not been picked up in this tranche of legislation and it remains to be seen whether it will be implemented in future. The introduction of a direct right of individual action for Privacy Act contraventions has been seen as a significant precursor to the potential expansion of privacy-related class action claims in Australia. In its absence, there may be efforts to leverage the statutory tort for serious invasions of privacy by organisations as a substitute.
The amendments introduce two new offences into the federal Criminal Code relating to doxxing — which refers to the use of a carriage service to make available, publish or otherwise distribute personal data in a way that reasonable people would regard as being menacing or harassing towards the individual(s) concerned.
The first offence carries a maximum penalty of six years' imprisonment and deals with the doxxing of an individual. The second, which carries a maximum penalty of seven years' imprisonment, covers the doxxing of members of a group (eg distinguishable on the basis of race, religion, sexual orientation and certain other identified characteristics).
Doxxing had not originally been covered in the Attorney-General's review of the Privacy Act, and was instead the subject of a separate consultation in March 2024. In its submission to that consultation, the Law Council of Australia identified the need to strike a balance between addressing the harms posed by doxxing on the one hand, and protecting legitimate instances of information publication on the other.
The Government has not introduced any defences or exceptions to the new doxxing offences, and the drafting is quite broad in places. For example, there is no minimum threshold on the required degree of publicity, potentially meaning that the distribution of information to a closed group of people could qualify as doxxing if the distribution has the requisite harassing or menacing character. It is also unclear from the drafting how the offences will operate alongside implied rights of political communication, and we expect this will be an area requiring significant judicial consideration.
The Bill (as passed) includes an amendment agreed by the Senate that the Minister must cause an independent review of the anti-doxxing measures within 24 months of their commencement.
Next steps
Reforms to the Privacy Act have been long awaited and this first tranche is likely to prove unsatisfying for organisations who had been awaiting regulatory clarity on key matters such as consent, online targeting practices and the 'fair and reasonable' test. Nonetheless, there are several key areas where amendments require Australian organisations to implement uplift activities and assess their existing compliance practices. In particular:
- Organisations that utilise automated decision-making should consider whether updates to privacy policies, notices and other collateral are required to provide the degree of transparency required under new APPs 1.7 to 1.9. These requirements will be subject to a two-year transitional period.
- Social media and other internet / electronic service providers will need to assess whether they are likely to be captured by the new Children's Online Privacy Code. The Code will be subject to a public consultation process, and we recommend these organisations consider contributing to the consultation.
- The new tiered penalty regime is likely to facilitate a higher degree of OAIC enforcement activity (with associated civil penalties, compliance notices and infringement notices). We recommend all organisations take stock of their Privacy Act compliance levels and implement plans to address compliance gaps. In particular, we recommend paying close attention to compliance gaps affecting the following APPs (for which the OAIC will be empowered to issue infringement notices):
- APPs 1.3 and 1.4 (requirement to have APP privacy policy, and content requirements for APP privacy policies);
- APP 2.1 (the requirement to allow individuals not to identify themselves in dealing with entities, unless impracticable);
- APP 6.5 (keeping written notes of uses or disclosures of personal information for law enforcement-related purposes);
- Various APPs covering direct marketing (APP 7), including ensuring individuals have a simple means to opt out of direct marketing communications, requirements to draw attention to an individual's ability to opt out of direct marketing communications, giving effect to opt-out requests, and notifying individuals of the source for direct marketing information; and
- APP 13.5 (dealing with personal information access requests).
Footnotes
1. See Waller Lynn (A Pseudonym) v Barrett Romy (A Pseudonym) [2024] VCC 962 (28 June 2024).