Australian Federal Government's proposed amendments to the Privacy Act - the long awaited changes are here!
By Katherine Jones, Morgan Lane, Lana Remedi and Jessica Yazbek
In brief
It has been four years since the start of the Privacy Act Review in Australia, but on 12 September 2024, the first substantial amendments to the Privacy Act were tabled by the Federal Government in the 81 page Privacy and Other Legislation Amendment Bill 2024 (the Bill).
Overview of changes
According to the Government, the Bill seeks to implement the first tranche of agreed recommendations from the Privacy Act Review Report, including:
- a new statutory tort to address serious invasions of privacy;
- development of a Children’s Online Privacy Code, to be developed by the Office of the Australian Information Commissioner (OAIC), to better protect children from a range of online harms;
- greater transparency for individuals regarding automated decisions that affect them;
- streamlined information sharing in the case of an emergency or eligible data breach, while ensuring that information is appropriately protected; and
- stronger enforcement powers for the Australian Information Commissioner.
The introduction of a statutory tort of privacy is a substantial change to the long standing common law position in this country that the tort of privacy does not exist. This will be of significance in multiple areas of Australian society:
- how celebrities and high profile individuals will look to rely on it;
- how the everyday individual will seek recourse for breaches of privacy occurring via the use of camera phones and social media;
- how this will affect interactions between businesses and individuals, which is one to watch, particularly for businesses with larger databases and resources, which tend to be more susceptible to class actions if a privacy breach occurs.
The criminalisation of doxxing was foreseeable, as the practice was becoming more prevalent and more weaponised, and was causing very personal damage. Whatever background, culture or political viewpoint was targeted, it is recognised that the targeted person would almost always suffer real personal injury affecting families, lives and livelihoods.
What is missing from the changes?
These changes are likely to be the first tranche of changes to the Privacy Act. In next iterations, we would be on the lookout for:
- Removal of the small business (<$3 million turnover) exemption.
- Removal of the employee records exemption.
- A right to be erased (as exists in the EU under the GDPR).
- A requirement that use and disclosure of personal information be fair and reasonable (irrespective of consent).
- The expansion of the definition of 'personal information'.
- Additional transparency requirements around automated decision making and/or AI profiling.
More detail
The proposed amendments are split into three schedules: Schedule 1 focuses on privacy reforms, Schedule 2 on serious invasions of privacy and Schedule 3 on outlawing doxxing.
The key takeaways from the changes are:
Schedule 1
Greater enforcement power
The Bill expands the regulatory powers available to the Information Commissioner and Federal Court to enforce the Act, including:
(a) increased monitoring and investigative powers including search and seizure rights;
(b) power to conduct public inquiries;
(c) introduction of civil penalties for interference with the privacy of an individual (irrespective of seriousness) - up to 2,000 penalty units / $626,000;
(d) introduction of civil penalties, and a power for the OAIC to issue notices, for contraventions including non-compliant privacy policies and non-compliant data breach statements - up to 200 penalty units / $62,600.
Increased focus on children's privacy
Acknowledging that children now grow up in a digital age where social media has been a part of their lives since they were born, the Bill seeks to address the estimated 72 million pieces of data collected about a child before they turn 13.
The Bill requires the development of a Children’s Online Privacy Code, which will apply to services accessed by children online such as social media and other internet services. The OAIC will receive funding of $3 million to develop the Code over the next 3 years.
Data flow overseas
APP 8 is set to be enhanced with mechanisms to facilitate the flow of information to other countries, provided:
(a) those countries have privacy laws protecting personal information about an individual in a way that is overall the same or similar to the Privacy Act and APPs in Australia; and
(b) there are mechanisms that the individual can access to take action to enforce that protection.
Schedule 2
Statutory tort of privacy
The Bill provides for a tort for 'serious invasions' of privacy. The amendments intend to provide an individual with a cause of action against another person if the other person invaded the individual’s privacy by:
(a) intruding upon their seclusion; or
(b) misusing information relating to the individual.
The cause of action requires that the individual had a reasonable expectation of privacy, and that the fault was either intentional or reckless.
There are defences and exclusions, including where the person acted with lawful authority, or in circumstances involving consent, necessity or the defence of persons or property. Journalists would also be exempt.
By virtue of this amendment, a Court could order an injunction restraining persons from invading an individual's privacy and grant relief in the form of damages.
Schedule 3
Doxxing as a criminal offence
The Bill proposes to amend the Criminal Code 1995 to create new criminal offences focusing on the release of personal data in a manner that is menacing or harassing—a practice known as ‘doxxing’.
The consequences of 'doxxing' include a maximum penalty of 6 years' imprisonment for the malicious use of personal data, and 7 years' imprisonment where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.