Privacy Act reforms – first tranche of major privacy reforms introduced
The Federal Government has introduced the first tranche of privacy reforms which includes a range of measures designed to increase protection of personal information and the privacy of individuals. The Privacy and Other Legislation Amendment Bill 2024 (Cth) (Privacy Bill) was introduced to Parliament on 12 September 2024 and the second reading agreed to on 9 October 2024. The Privacy Bill, if enacted, will primarily amend the Privacy Act 1988 (Cth) (Privacy Act). Further significant privacy reforms are anticipated in the second tranche of legislative amendments likely within the next year.
Background
In the wake of a number of high-profile data breaches, the Federal Government has made privacy regulation a priority.
In 2022, the Attorney-General’s Department undertook a review of the Privacy Act. The outcomes of the review were compiled into the Privacy Act Review Report (the Report), which was published on 16 February 2023. The Report contains 116 proposals to strengthen and modernise Australian privacy laws, as discussed by us in 2023 here.
The Privacy Bill will implement 23 of the legislative proposals that were agreed to by the Government in its response to the 116 proposals set out in the Report.
Key Features of the Privacy Bill
We have set out a summary of some of the key features of the Privacy Bill below:
- Automated decision-making – Where personal information will be used by a computer program to make a decision (solely or substantially) on behalf of an organisation that ‘could reasonably be expected to significantly affect the rights or interests of an individual’, then the organisation will be required to be open and transparent in its privacy policy to explain the kinds of personal information used in such programs and the kinds of decisions made by these programs.
- Statutory tort for invasions of privacy – The Privacy Bill introduces a new statutory tort for invasions of privacy where there has been either serious intrusion upon an individual’s seclusion (i.e. physical intrusion on their private space) or serious misuse of information that relates to the individual and the individual has a reasonable expectation of privacy in all of the circumstances.
- Cross-border disclosures – The Privacy Bill proposes a mechanism for recognising foreign laws and schemes and relaxing requirements for cross border disclosures to recipients in countries with substantially similar (or stronger) privacy laws to Australia.
- Clarification of data security requirements – The requirement to take ‘reasonable steps’ to protect personal information has been clarified and will include both technical and organisational measures. Technical measures include physical measures such as securing access to premises, as well as encrypting data, anti-virus software and strong passwords. Organisational measures are measures such as privacy training for employees and developing standard operating procedures and policies for securing personal information.
- Children’s Privacy Code – The Privacy Bill requires the OAIC to develop a Children’s Online Privacy Code (COP Code) to address online privacy for children (under 18 years of age). The COP Code will apply to organisations that provide services likely to be accessed by children including apps, websites and messaging platforms.
- Doxxing – The Privacy Bill makes doxxing a criminal offence under the Criminal Code Act 1995 (Cth). Doxxing is the act of publishing or distributing the personal information of one or more individuals in a menacing or harassing manner.
- Changes to civil penalty provisions – The Privacy Bill introduces a new tiered civil penalty regime which includes:
  - a new mid-tier civil penalty for interferences with privacy that do not meet the ‘serious’ threshold – the maximum penalty is 2,000 penalty units for individuals (i.e. $626,000) and 10,000 penalty units for corporations (i.e. $3,130,000); and
  - a new lower-level civil penalty for administrative breaches (e.g. where an organisation fails to have a privacy policy that complies with the Australian Privacy Principles) – the maximum penalty is 200 penalty units for individuals (i.e. $62,600) or 1,000 penalty units for corporations (i.e. $313,000). Note that the Commissioner can also issue infringement notices for these administrative breaches.
Next steps
We recommend that all organisations review and update their privacy policies and ensure compliance with the Privacy Act. Organisations should also regularly audit their data security measures and proactively monitor their compliance with the Privacy Act and with changes to it. Page Seager is able to assist with all aspects of privacy law compliance and advice.