INSIGHT

First tranche of privacy reforms bring progress but no long-term clarity

By Gavin Smith, Valeska Bloch, David Rountree, Emily Cravigan, Lauren Holz, Michael Thomas, Maddison Ryan, Emiliana Gallego, Isobel McKenzie
Topics: AI | Cyber | Data & Privacy | Risk & Compliance | Technology, Media & Telecommunications

Some important developments, but uncertainty remains

Yesterday, the Australian Government introduced into Parliament the first tranche of reforms to the Privacy Act 1988 (Cth) under the Privacy and Other Legislation Amendment Bill 2024 (the Bill). The Bill marks the Government's first legislative response to long-awaited reforms to Australia's privacy legislation, but many of the most significant proposed changes have been left for future tranches of reform, leaving the future shape of Australian privacy law in limbo.

In this Insight, we discuss the reform implications and actions for organisations to implement in response. 

Key takeaways 

  • The Bill implements 23 of the legislative proposals that were agreed to by the Government in its response to the 116 proposals set out in the Privacy Act Review Report (Report).
  • The Bill does not provide anticipated long-term clarity on reform to the fundamental pillars of Australian privacy law. The proposed reforms are also less comprehensive than expected, focussing on 'quick wins', without delving into the thornier issues the Government had agreed to in principle only, or that required further consultation.
  • However, the Bill does address some items of significance, most notably the introduction of a tiered penalty regime for contraventions of the Privacy Act which is likely to result in a higher degree of OAIC enforcement activity, a statutory tort for serious invasions of privacy, two new 'anti-doxxing' offences and new transparency requirements for organisations regarding automated decision-making.

How did we get here?

In September 2023, the Government released its response to the Privacy Act Review Report (the Response), indicating that it 'agreed' or 'agreed in principle' to the majority of the 116 proposals outlined in the report. Since then, the Government has continued to suggest that widespread reforms would be introduced in 2024. Touted to be the most comprehensive reforms to the Privacy Act 1988 (Cth) since 2014, the reforms promised to bring Australia's privacy landscape up to speed with increasing data and privacy risk and the rapidly evolving digital economy.

The Bill now seeks to address 23 of the 25 legislative proposals that were 'agreed to' in the Response and directed at legislative change (the Government agreed to 38 proposals in total, some of which were to be actioned through other activities such as the development of guidance). The remaining proposals signalled as 'agreed' or 'agreed in principle' are expected to be introduced in a second tranche of legislative reform, with timing for such reform unknown. With the federal election looming in May 2025, we will likely have to wait until after the election to see what further changes are in store.

This means further uncertainty for businesses waiting for clarity on the thornier of the proposed reforms. These include the proposed removal of the small business exemption, the removal or modification of the employee records exemption, as well as amendments targeting consent, the fair and reasonable collection of personal information, and targeting/marketing provisions.

What is covered in this tranche of reform?

Reforms affecting information handling practices

Automated decision-making

The Bill amends Australian Privacy Principle (APP) 1 to require that organisations using automated decision-making (ADM) disclose this in their privacy policy. This obligation applies where ADM substantially or directly utilises the personal information of individuals to make decisions that could 'reasonably be expected to significantly affect the rights or interests…' of an individual. This includes requirements for transparency over the types of personal information used for, and the types of decisions made by or subject to, ADM. Organisations will have significant lead time to ensure their privacy policies are updated to achieve compliance with the proposed amendment to APP 1, as there is a two-year grace period from the date the Bill receives Royal Assent.

Practically, this is a transparency obligation alone. It is unclear how an organisation will assess whether the use of ADM may 'significantly affect the rights or interests' of an individual. Many organisations may form the view that it would never do so. It does not afford individuals a right:

  • not to be subject to a decision based solely on automated processing; or
  • to request information about how decisions utilising ADM have been made,

as is included in the GDPR.

Nevertheless, the recent proposals paper for introducing mandatory guardrails for use of AI in high-risk settings does foreshadow requirements as to human oversight of, and intervention in, AI system deployment, as well as requirements to inform end-users about how AI is being used and where it affects them. Given this, we expect these issues may be picked up in separate regulation or a future amendment to the Privacy Act.

For further information in relation to the proposed guardrails for the use of AI and the Government's Proposal Paper for 'Introducing Mandatory Guardrails in High-Risk Settings', please see our update.

Action: organisations that use ADM to make decisions that could 'reasonably be expected to significantly affect the rights or interests…' of an individual will need to disclose this in their privacy policy.

Overseas data flows

The Bill proposes to introduce amendments to APP 8 that are intended to facilitate the overseas disclosure of personal information to jurisdictions prescribed by regulations. Where a jurisdiction is prescribed, an entity would not need to comply with APP 8 by ensuring that the offshore recipient does not breach the APPs.

In order to prescribe an overseas jurisdiction, the Minister must be satisfied that the privacy laws of the jurisdiction:

  • have the effect of protecting personal information in a way that is substantially similar to the APPs; and
  • have mechanisms in place that an individual can access to enforce the protection of their personal information.

This approach is similar in effect to the 'adequacy decision' mechanism in the GDPR and would be a welcome development. To date, the OAIC has been resisting providing a 'white list' of jurisdictions to which offshore disclosure is permitted, leaving assessment of the adequacy of overseas legal frameworks to individual entities considering offshore disclosure.

Relevantly, the Minister cannot prescribe an overseas jurisdiction unless its privacy laws would enable Australian individuals to enforce the protection of their personal information. This may limit how many offshore jurisdictions can be white-listed in practice.

Action: any changes to offshore disclosure practices (where the Minister prescribes relevant overseas jurisdictions) will need to be reflected in updated privacy policies and collection notices.

Security and retention of personal information

The Bill makes a minor amendment to APP 11 to clarify that the reasonable steps an organisation must take to protect personal information in accordance with APP 11 include both technical and organisational measures. This provides legislative certainty that APP 11 requires adequate governance and organisational structures to be in place, not just technical data security protections. This is consistent with the OAIC's existing approach to privacy compliance and enforcement.

We note that additional substantive reforms had been proposed in relation to APP 11 (particularly affecting organisational transparency about data retention periods) which have not been included in this first tranche of reforms. While further reform in this area may be forthcoming in future tranches, organisational data retention obligations remain a quagmire. We anticipate that this area will remain so for some time, given the complexities of resolving it (and with likely little political appetite to focus energy on such a technical and somewhat unglamorous issue).

Action: organisations will need to ensure they have both governance and technical structures in place to address compliance with APP 11.

Increased penalties and developments in OAIC enforcement powers

Civil penalty provisions

The Bill proposes to do the following:

  • Remove references to 'repeated' in section 13G to clarify that a single act or practice may amount to a serious interference with privacy. Helpfully, the reforms also seek to introduce a set of (non-exhaustive) matters that can be taken into account when determining if an interference with privacy is 'serious'—largely codifying existing OAIC guidance on the matter.
  • Introduce a new mid-range civil penalty provision (up to 2000 penalty units, currently $626,000) under section 13H for general interferences with privacy, where the act or practice does not amount to a 'serious' interference. This seeks to address a gap in enforcement where the OAIC was previously only able to seek civil penalties for the most egregious interferences with privacy.
  • Provide new powers to the OAIC to issue infringement notices (imposing civil penalties of up to 200 penalty units, currently $62,600) for prescribed breaches of the APPs. The provision largely focuses on breaches relating to privacy policy requirements and processes around direct marketing and correction of information. APP 2.1, being the requirement to allow individuals to engage on an anonymous or pseudonymous basis, has also specifically been called out. We expect that this group of APPs may become a key focus area for upcoming OAIC enforcement activity, and may indicate the OAIC is looking to act similarly to the way the ACMA regulates the Spam Act, where an infringement-notice regime facilitates the more frequent imposition of penalties. The ACMA has, in recent years, been highly active in its use of the infringement notice mechanism and organisations should expect the OAIC to follow a similar path.

Action: organisations should consider how these amendments might alter the privacy risk profile of their organisation, having regard to specific potential non-compliance (and not just 'systemic' non-compliance).

Other key enforcement developments

The Bill introduces additional powers for both the OAIC and Federal Court to issue declarations requiring organisations to take steps to redress, prevent and reduce loss or damage resulting from contraventions of the Privacy Act, where these are found to have occurred either in the course of an OAIC investigation or civil penalty proceedings in the Federal Court.

Other enforcement-related amendments include changes to the OAIC's monitoring and investigation powers (bringing them into closer alignment with existing powers of other federal regulators). We see these changes as reflective of the OAIC's increasing enforcement maturity.

Eligible data breach declarations

The Bill introduces powers for the Minister to make 'eligible data breach declarations' to prevent or reduce a risk of harm arising from unauthorised access to, or disclosure of, personal information.

In essence, this would permit entities to disclose personal information for permitted purposes related to the principle of preventing or reducing harm (in a manner that may not otherwise be permitted under the APPs). Notably, the Bill contemplates scenarios related to the prevention, response and remediation of cybersecurity incidents. These amendments are likely a response to concerns raised in the course of the Optus data breach as to whether information should be shared with certain organisations (eg financial institutions) for harm-mitigation purposes.

While this is a helpful step in managing cyber incidents, given the requirement for a declaration from the Minister, it will likely only be in place for the most material or high-profile cyber incidents. We anticipate that this declaration power may encourage organisations to engage more with the Government's cyber incident response apparatus (eg the Cyber Coordinator and the Cyber Security Response Coordination Unit) in an effort to benefit from the declaration.

Action: organisations should consider whether it may be appropriate to reference the potential for such declarations to be made in their cyber incident response plans and playbooks.

Code development: children's privacy and future privacy codes

Protection of children's privacy

The Bill requires the OAIC to develop a Children's Online Privacy Code (COP Code) to address online privacy for children. We anticipate that this will be one of the more impactful outcomes from this reform, but the extent of the impact will not be known until the details of the forthcoming COP Code are determined.

The COP Code is intended to apply to APP entities that are providers of a social media service, relevant electronic service or designated internet service (within the meaning of the Online Safety Act 2021 (Cth)), where the service is likely to be accessed by children. Again, we will not know what will constitute a service that is 'likely to be accessed by children' until details of the Code are finalised, but it will likely include any broadly accessible platform service that does not impose restrictions on access by children. The Bill's Explanatory Memorandum suggests that service providers should have regard to:

  • whether the service has a particular appeal to children;
  • market research on the user base of the service; and
  • the way in which the service is accessed, and whether there are measures in place to prevent children from accessing the service.

The OAIC will be required to make a draft of the COP Code available for public consultation, with the Government setting a deadline of two years from the date the reforms come into force to finalise and register the COP Code.

Action: organisations which may be regulated by the COP Code should continue to monitor its development.

Simplifying processes for developing additional privacy codes

The proposed reforms specify that the Minister may direct the OAIC to develop and register an APP code, or temporary APP code, where the Minister is satisfied it is in the public interest to do so. The directions may specify the matters that the APP code must deal with, and the APP entities or class of APP entities that are to be bound by the code.

Temporary APP codes can be introduced where the Minister determines it is in the public interest and where such code should be developed urgently.

The Government has indicated that these reforms will allow greater efficiency and flexibility in the APP code-making process.

New avenues of individual action and new offences

Statutory tort for serious invasions of privacy

The Bill introduces a new cause of action in tort for intentionally or recklessly intruding upon a person's seclusion or misusing information that relates to them, in circumstances where a reasonable expectation of privacy exists. The tort will only apply where the invasion of privacy was 'serious'.

A statutory tort of this kind has been under consideration for many years, with the Government's model drawing upon recommendations by the Australian Law Reform Commission in its 2014 report on Serious Invasions of Privacy in the Digital Era.

Several exceptions and defences have been contemplated, most notably including a journalism exemption, covering invasions of privacy involving the collection, preparation or publication of 'journalistic material' by journalists and other categories of employees in the media sector. We anticipate two major issues with the proposed exception. First, the exception only covers journalists, the employers of journalists and certain persons assisting a journalist. It does not provide an exception for the publisher of journalistic material. This appears to be a significant omission, particularly given that the publishers of material are often not the same entity as the employer of a journalist and, in some cases, publishers source journalistic material from self-employed journalists or other content providers. Second, we expect the Government's definition of 'journalistic material' will be particularly scrutinised by media organisations given the breadth of activities undertaken in the media sector and the narrow approach to the term adopted in the Bill.

Where a defendant brings evidence that there was a public interest in the invasion of privacy, the Bill requires the plaintiff to demonstrate that this public interest is outweighed by the public interest in protecting their privacy.

The Bill also grants the court the power to provide injunctive relief restraining the invasion of privacy (though the court must have particular regard to the public interest where it involves a publication).

Despite these exceptions and defences, the introduction of the statutory tort could have the potential to significantly impact public discourse in Australia, particularly given that (unlike in comparable jurisdictions) a fundamental right of freedom of expression has (other than the implied right of political communication) not been enshrined in statute. Notably, the Bill contemplates that a defendant can adduce evidence relating to freedom of expression, when no such general right exists.

The Government had also agreed in principle with a recommendation to afford individuals a direct right of action for contraventions of the Privacy Act, but that amendment has not been picked up in this tranche of legislation and it remains to be seen whether it will be implemented in future. The introduction of a direct right of individual action for Privacy Act contraventions has been seen as a significant precursor to the potential expansion of privacy-related class action claims in Australia. In its absence, there may be efforts to use the statutory tort for serious invasions of privacy, brought against organisations, as a substitute.

'Anti-doxxing' offences

The Bill proposes to introduce two new offences into the federal Criminal Code relating to doxxing—which, in the language of the proposed amendments, refers to the use of a carriage service to make available, publish or otherwise distribute personal data in a way that reasonable people would regard as being menacing or harassing towards the individual(s) concerned.

The first offence carries a maximum penalty of six years' imprisonment and deals with the doxxing of an individual. The second, which carries a maximum penalty of seven years' imprisonment, covers the doxxing of members of a group (eg distinguishable on the basis of race, religion, sexual orientation and certain other identified characteristics).

Doxxing had not originally been covered in the Attorney-General's review of the Privacy Act, and was instead the subject of a separate consultation in March 2024. In its submission to that consultation, the Law Council of Australia identified the need to strike a balance between addressing the harms posed by doxxing on the one hand, and protecting legitimate instances of information publication on the other.

The Government has not introduced any defences or exceptions to the new doxxing offences, and the drafting is quite broad in places. For example, there is no minimum threshold on the required degree of publicity, potentially meaning that the distribution of information to a closed group of people could qualify as doxxing if the distribution has the requisite harassing or menacing character. It is also unclear from the drafting how the offences will operate alongside implied rights of political communication, and we expect this will be an area requiring significant judicial consideration.

Next steps

Reforms to the Privacy Act have been long-awaited and this first tranche is likely to prove unsatisfying for organisations who had been awaiting regulatory clarity on key matters such as consent, online targeting practices and the 'fair and reasonable' test. Nonetheless, there are several key areas where the Bill will—if passed—require Australian organisations to implement uplift activities and assess their existing compliance practices. In particular:

  • Organisations that utilise automated decision-making should consider whether updates to privacy policies, notices and other collateral are required to provide the degree of transparency required under new APPs 1.7 to 1.9. These requirements will be subject to a two-year transitional period.
  • Social media and other internet/electronic service providers will need to assess whether they are likely to be captured by the new Children's Online Privacy Code. The Code will be subject to a public consultation process, and we recommend these organisations consider contributing to the consultation.
  • The new tiered penalty regime is likely to facilitate a higher degree of OAIC enforcement activity (with associated civil penalties and infringement notices). We recommend all organisations take stock of their Privacy Act compliance levels and implement plans to address compliance gaps. In particular, we recommend paying close attention to compliance gaps affecting the following APPs (for which the OAIC will be empowered to issue infringement notices):
    • APPs 1.3 and 1.4 (requirement to have APP privacy policy, and content requirements for APP privacy policies);
    • APP 2.1 (the requirement to allow individuals not to identify themselves in dealing with entities, unless impracticable);
    • APP 6.5 (keeping written notes of uses or disclosures of personal information for law enforcement-related purposes);
    • Various APPs covering direct marketing (APP 7), including ensuring individuals have a simple means to opt out of direct marketing communications, requirements to draw attention to an individual's ability to opt out of direct marketing communications, giving effect to opt-out requests, and notifying individuals of the source for direct marketing information; and
    • APP 13.5 (dealing with personal information access requests).