Some important developments, but uncertainty remains
Yesterday, the Australian Government introduced into Parliament the first tranche of reforms to the Privacy Act 1988 (Cth) under the Privacy and Other Legislation Amendment Bill 2024 (the Bill). The Bill marks the Government's first legislative response to long-awaited reforms to Australia's privacy legislation, but many of the most significant proposed changes have been left for future tranches of reform, leaving the future shape of Australian privacy law in limbo.
In this Insight, we discuss the reform implications and actions for organisations to implement in response.
Key takeaways
- The Bill implements 23 of the legislative proposals that were agreed to by the Government in its response to the 116 proposals set out in the Privacy Act Review Report (Report).
- The Bill does not provide anticipated long-term clarity on reform to the fundamental pillars of Australian privacy law. The proposed reforms are also less comprehensive than expected, focussing on 'quick wins', without delving into the thornier issues the Government had agreed to in principle only, or that required further consultation.
- However, the Bill does address some items of significance, most notably the introduction of a tiered penalty regime for contraventions of the Privacy Act which is likely to result in a higher degree of OAIC enforcement activity, a statutory tort for serious invasions of privacy, two new 'anti-doxxing' offences and new transparency requirements for organisations regarding automated decision-making.
How did we get here?
In September 2023, the Government released its response to the Privacy Act Review Report (the Response), indicating that it 'agreed' or 'agreed in principle' to the majority of the 116 proposals outlined in the report. In the years following, the Government has continued to suggest that widespread reforms would be introduced in 2024. Touted to be the most comprehensive reforms to the Privacy Act 1988 (Cth) since 2014, the reforms promised to bring Australia's privacy landscape up to speed with increasing data and privacy risk and the rapidly evolving digital economy.
The Bill now seeks to address 23 of the 25 legislative proposals that were 'agreed to' in the Response and directed at legislative change (the Government agreed to 38 proposals in total, some of which were to be actioned through other activities such as the development of guidance). The remaining proposals signalled as 'agreed' or 'agreed in principle' are expected to be introduced in a second tranche of legislative reform, with timing for such reform unknown. With the federal election looming in May 2025, we will likely have to wait until after the election to see what further changes are in store.
This means further uncertainty for businesses waiting for clarity on the thornier of the proposed reforms. These include the proposed removal of the small business exemption, the removal or modification of the employee records exemption, as well as amendments targeting consent, the fair and reasonable collection of personal information, and targeting/marketing provisions.
What is covered in this tranche of reform?
Reforms affecting information handling practices
The Bill amends Australian Privacy Principle (APP) 1 to require that organisations using automated decision-making (ADM) disclose this in their privacy policy. This obligation applies where ADM substantially or directly utilises the personal information of individuals to make decisions that could 'reasonably be expected to significantly affect the rights or interests…' of an individual. This includes requirements for transparency over the types of personal information used for, and the types of decisions made by or subject to, ADM. Organisations will have significant lead time to ensure their privacy policies are updated to achieve compliance with the proposed amendment to APP 1, as there is a two-year grace period from the date the Bill receives Royal Assent.
Practically, this is a transparency obligation alone. It is unclear how an organisation will assess whether the use of ADM may 'significantly affect the rights or interests' or an individual. Many organisations may form the view that it would never do so. It does not afford individuals a right:
- not to be subject to a decision based solely on automated processing; or
- to request information about how decisions utilising ADM have been made,
as is included in the GDPR.
Nevertheless, the recent proposals paper for introducing mandatory guardrails for use of AI in high-risk settings does foreshadow requirements as to human oversight of, and intervention in, AI system deployment, as well as requirements to inform end-users about how AI is being used and where it affects them. Given this, we expect these issues may be picked up in separate regulation or a future amendment to the Privacy Act.
For further information in relation to the proposed guardrails for the use of AI and the Government's Proposal Paper for 'Introducing Mandatory Guardrails in High-Risk Settings', please see our update.
Action: organisations that use ADM to make decisions that could 'reasonably be expected to significantly affect the rights or interests…' of an individual will need to disclose this in their privacy policy. |
The Bill proposes to introduce amendments to APP 8 that are intended to facilitate the overseas disclosure of personal information to jurisdictions prescribed by regulations. Where a jurisdiction is prescribed, an entity would not need to comply with APP 8 by ensuring that the offshore recipient does not breach the APPs.
In order to prescribe an overseas jurisdiction, the Minister must be satisfied that the privacy laws of the jurisdiction:
- have the effect of protecting personal information in a way that is substantially similar to the APPs; and
- have mechanisms in place that an individual can access to enforce the protection of their personal information.
This approach is similar in effect to the 'adequacy decision' mechanism in the GDPR and would be a welcome development. To date, the OAIC has been resisting providing a 'white list' of jurisdictions to which offshore disclosure is permitted, leaving assessment of the adequacy of overseas legal frameworks to individual entities considering offshore disclosure.
Relevantly, the Minister cannot prescribe an overseas jurisdiction unless its privacy laws would enable Australian individuals to enforce the protection of their personal information. This may limit how many offshore jurisdictions can be white-labelled in practice.
Action: any changes to offshore disclosure practices (where the Minister prescribes relevant overseas jurisdictions) will need to be reflected in updated privacy policies and collection notices. |
The Bill makes a minor amendment to APP 11 to clarify that the reasonable steps an organisation must take to protect personal information in accordance with APP 11 include both technical and organisational measures. This provides legislative certainty that APP 11 requires adequate governance and organisational structures to be in place, not just technical data security protections. This is consistent with the OAIC's existing approach to privacy compliance and enforcement.
We note that additional substantive reforms had been proposed in relation to APP 11 (particularly affecting organisational transparency about data retention periods) which have not been included in this first tranche of reforms. While further reform in this area may be forthcoming in future tranches, organisational data retention obligations remain a quagmire. We anticipate that this area will remain so for some time, given the complexities of resolving it (and with likely little political appetite to focus energy on such a technical and somewhat unglamorous issue).
Action: organisations will need to ensure they have both governance and technical structures in place to address compliance with APP 11. |
Increased penalties and developments in OAIC enforcement powers
The Bill proposes to do the following:
- Remove references to 'repeated' in section 13G to clarify that a single act or practice may amount to a serious interference with privacy. Helpfully, the reforms also seek to introduce a set of (non-exhaustive) matters that can be taken into account when determining if an interference with privacy is 'serious'—largely codifying existing OAIC guidance on the matter.
- Introduce a new mid-range civil penalty provision (up to 2000 penalty units, currently $626,000) under section 13H for general interferences with privacy, where the act or practice does not amount to a 'serious' interference. This seeks to address a gap in enforcement where the OAIC was previously only able to seek civil penalties for the most egregious interferences with privacy.
- Provide new powers to the OAIC to issue infringement notices (imposing civil penalties of up to 200 penalty units, currently $62,600) for prescribed breaches of the APPs. The provision largely focuses on breaches relating to privacy policy requirements and processes around direct marketing and correction of information. APP 2.1, being the requirement to allow individuals to engage on an anonymous or pseudonymous basis, has also specifically been called out. We expect that this group of APPs may become a key focus area for upcoming OAIC enforcement activity, and may indicate the OAIC is looking to act similarly to the way the ACMA regulates the Spam Act, where an infringement-notice regime facilitates the more frequent imposition of penalties. The ACMA has, in recent years, been highly active in its use of the infringement notice mechanism and organisations should expect the OAIC to follow a similar path.
Action: organisations should consider how these amendments might alter the privacy risk profile of their organisation, having regard to specific potential non-compliance (and not just 'systemic' non-compliance). |
The Bill introduces additional powers for both the OAIC and Federal Court to issue declarations requiring organisations to take steps to redress, prevent and reduce loss or damage resulting from contraventions of the Privacy Act, where these are found to have occurred either in the course of an OAIC investigation or civil penalty proceedings in the Federal Court.
Other enforcement-related amendments include changes to the OAIC's monitoring and investigation powers (bringing them into closer alignment with existing powers of other federal regulators). We see these changes as reflective of the OAIC's increasing enforcement maturity.
The Bill introduces powers for the Minister to make 'eligible data breach declarations' to prevent or reduce a risk of harm arising from unauthorised access or disclosure to personal information.
In essence, this would permit entities to disclose personal information for permitted purposes related to the principle of preventing or reducing harm (in a manner that may not otherwise be permitted under the APPs). Notably, the Bill contemplates scenarios related to the prevention, response and remediation of cybersecurity incidents. These amendments are likely a response to concerns raised in the course of the Optus data breach as to whether information should be shared with certain organisations (eg financial institutions) for harm-mitigation purposes.
While this a helpful step in managing cyber incidents, given the requirement for a declaration from the Minister, it will likely only be in place for the most material or high-profile cyber incidents. We anticipate that this declaration power may encourage organisations to engage more with the Government's cyber incident response apparatus (eg the Cyber Coordinator and the Cyber Security Response Coordination Unit) in an effort to benefit from the declaration.
Action: organisations should consider whether it may be appropriate to reference the potential for such declarations to be made in their cyber incident response plans and playbooks. |
Code development: children's privacy and future privacy codes
The Bill requires the OAIC to develop a Children's Online Privacy Code (COP Code) to address online privacy for children. We anticipate that this will be one of the more impactful outcomes from this reform, but the extent of the impact will not be known until the details of the forthcoming COP Code are determined.
The COP Code is intended to apply to APP entities that are providers of a social media service, relevant electronic service or designated internet service (within the meaning of the Online Safety Act 2021 (Cth)), where the service is likely to be accessed by children. Again, we will not know what will constitute a service that is 'likely to be accessed by children' until details of the Code are finalised, but it will likely include any broadly accessible platform service that does not impose restrictions on access by children. The Bill's Explanatory Memorandum suggests that service providers should have regard to:
- whether the service has a particular appeal to children;
- market research on the user base of the service; and
- the way in which the service is accessed, and whether there are measures in place to prevent children from accessing the service.
The OAIC will be required to make a draft of the COP Code available for public consultation, with the Government setting a deadline of two years from the date the reforms come into force to finalise and register the COP Code.
Action: organisations which may be regulated by the COP Code should continue to monitor its development. |
The proposed reforms specify that the Minister may direct the OAIC to develop and register an APP code, or temporary APP code, where the Minister is satisfied it is in the public interest to do so. The directions may specify the matters that the APP code must deal with, and the APP entities or class of APP entities that are to be bound by the code.
Temporary APP codes can be introduced where the Minister determines it is in the public interest and where such code should be developed urgently.
The Government has indicated that these reforms shall allow greater efficiency and flexibility to the APP code-making process.
New avenues of individual action and new offences
The Bill introduces a new cause of action in tort for intentionally or recklessly intruding upon a person's seclusion or misusing information that relates to them, in circumstances where a reasonable expectation of privacy exists. The tort will only apply where the invasion of privacy was 'serious'.
A statutory tort of this kind has been under consideration for many years, with the Government's model drawing upon recommendations by the Australian Law Reform Commission in its 2014 report on Serious Invasions of Privacy in the Digital Era.
Several exceptions and defences have been contemplated, most notably including a journalism exemption, covering invasions of privacy involving the collection, preparation or publication of 'journalistic material' by journalists and other categories of employees in the media sector. We anticipate two major issues with the proposed exception. First, the exception only covers journalists, the employers of journalists and certain persons assisting a journalist. It does not provide an exception for the publisher of journalistic material. This appears to be a significant omission, particularly given that the publishers of material are often not the same entity as the employer of a journalist and, in some cases, publishers source journalistic material from self-employed journalists or other content providers. Second, we expect the Government's definition of 'journalistic material' will be particularly scrutinised by media organisations given the breadth of activities undertaken in the media sector and the narrow approach to the term adopted in the Bill.
Where a defendant brings evidence that there was a public interest in the invasion of privacy, the Bill requires the plaintiff to demonstrate that this public interest is outweighed by the public interest in protecting their privacy.
The Bill also grants the court the power to provide injunctive relief restraining the invasion of privacy (though the court must have particular regard to the public interest where it involves a publication).
Despite these exceptions and defences, the introduction of the statutory tort could have the potential to significantly impact public discourse in Australia, particularly given that (unlike in comparable jurisdictions) a fundamental right of freedom of expression has (other than the implied right of political communication) not been enshrined in statute. Notably, the Bill contemplates that a defendant can adduce evidence relating to freedom of expression, when no such general right exists.
The Government had also agreed in principle with a recommendation to afford individuals a direct right of action for contraventions of the Privacy Act, but that amendment has not been picked up in this tranche of legislation and it remains to be seen whether it will be implemented in future. The introduction of a direct right of individual action for Privacy Act contraventions has been seen as a significant precursor to the potential expansion of privacy-related class action claims in Australia. In its absence, there may be efforts to leverage the statutory tort for serious invasions of privacy by organisations as a substitute.
The Bill proposes to introduce two new offences into the federal Criminal Code relating to doxxing—which, in the language of the proposed amendments, refers to the use of a carriage service to make available, publish or otherwise distribute personal data in a way that reasonable people would regard as being menacing or harassing towards the individual(s) concerned.
The first offence carries a maximum penalty of six years' imprisonment and deals with the doxxing of an individual. The second, which carries a maximum penalty of seven years' imprisonment, covers the doxxing of members of a group (eg distinguishable on the basis of race, religion, sexual orientation and certain other identified characteristics).
Doxxing had not originally been covered in the Attorney-General's review of the Privacy Act, and was instead the subject of a separate consultation in March 2024. In its submission to that consultation, the Law Council of Australia identified the need to strike a balance between addressing the harms posed by doxxing on the one hand, and protecting legitimate instances of information publication on the other.
The Government has not introduced any defences or exceptions to the new doxxing offences, and the drafting is quite broad in places. For example, there is no minimum threshold on the required degree of publicity, potentially meaning that the distribution of information to a closed group of people could qualify as doxxing if the distribution has the requisite harassing or menacing character. It is also unclear from the drafting how the offences will operate alongside implied rights of political communication, and we expect this will be an area requiring significant judicial consideration.
Next steps
Reforms to the Privacy Act have been long-awaited and this first tranche is likely to prove unsatisfying for organisations who had been awaiting regulatory clarity on key matters such as consent, online targeting practices and the 'fair and reasonable' test. Nonetheless, there are several key areas where the Bill will—if passed—require Australian organisations to implement uplift activities and assess their existing compliance practices. In particular:
- Organisations that utilise automated decision-making should consider whether updates to privacy policies, notices and other collateral are required to provide the degree of transparency required under new APPs 1.7- 1.9. These requirements will be subject to a two-year transitional period.
- Social media and other internet / electronic service providers will need to assess whether they are likely to be captured by the new Children's Online Privacy Code. The Code will be subject to a public consultation process, and we recommend these organisations consider contributing to the consultation.
- The new tiered penalty regime is likely to facilitate a higher degree of OAIC enforcement activity (with associated civil penalties and infringement notices). We recommend all organisations take stock of their Privacy Act compliance levels and implement plans to address compliance gaps. In particular, we recommend paying close attention to compliance gaps affecting the following APPs (for which the OAIC will be empowered to issue infringement notices):
- APPs 1.3 and 1.4 (requirement to have APP privacy policy, and content requirements for APP privacy policies);
- APP 2.1 (the requirement to allow individuals not to identify themselves in dealing with entities, unless impracticable);
- APP 6.5 (keeping written notes of uses or disclosures of personal information for law enforcement-related purposes);
- Various APPs covering direct marketing (APP 7), including ensuring individuals have a simple means to opt out of direct marketing communications, requirements to draw attention to an individual's ability to opt out of direct marketing communications, giving effect to opt-out requests, and notifying individuals of the source for direct marketing information; and
- APP 13.5 (dealing with personal information access requests).