
Reform of Australia’s Privacy Law Takes an Important Step Forward

As we discussed in our insight last year, in September 2023, the Government released its response to the Attorney-General’s Department’s comprehensive review report into the Privacy Act. The Government agreed to 25 proposals that require changes to the Privacy Act, agreed in-principle to a further 56 proposals and “noted” eight proposals.

Twelve months later, on 12 September 2024, the Government introduced into Parliament the Privacy and Other Legislation Amendment Bill 2024 (Bill) to implement the first tranche of reforms to the Privacy Act (addressing 23 of the 25 agreed proposals).

The key changes are as follows:

  • The introduction of a statutory tort of “serious invasion of privacy”;
  • The criminalisation of “doxxing” individuals;
  • A new children’s privacy code, focused on age assurance measures and other age appropriateness provisions, to be developed within two years of commencement of the relevant provisions;
  • Transparency requirements over the use and disclosure of personal information in automated decision-making processes;
  • Giving the Minister the power to make declarations about data breaches to assist the sharing of information about the data breach; and
  • Increased penalties for contraventions of the Privacy Act, greater enforcement options available to the Office of the Australian Information Commissioner (OAIC) and giving the Federal Court of Australia the power to make any order in relation to contraventions of the Privacy Act.

The statutory tort of “serious invasion of privacy”

The Bill outlines the Government’s model for a statutory cause of action for serious invasion of privacy.

What constitutes a “serious invasion of privacy”?

An invasion of privacy includes an intrusion into the individual’s seclusion (including, but not limited to, physical intrusion and watching, listening to or recording the individual’s private activities or affairs) and misuse of information (including, but not limited to, collecting, using or disclosing information about the individual).

The individual has a cause of action if the individual suffers an invasion of privacy where:

  • A person in their position would have had a reasonable expectation of privacy in all the circumstances;
  • The invasion of privacy was intentional or reckless; and
  • The invasion of privacy was serious.

The Court would not be limited in the matters it may consider in determining whether the invasion is serious, but would be able to take into account:

  • The degree of any offence, distress or harm to dignity that the invasion was likely to cause to a person of “ordinary sensibilities” in the plaintiff’s position;
  • Whether the defendant knew (or ought to have known) that the invasion was likely to offend, distress or harm the plaintiff’s dignity; and
  • If the invasion of privacy was intentional, whether the defendant was malicious.

Notably, the plaintiff would not have a cause of action if the invasion of privacy was negligent.

Defences and exemptions

The Bill proposes that the following defences would be available to a defendant:

  • the invasion of privacy was required or authorised by or under Australian law or a court/tribunal order;
  • the plaintiff (or a person having lawful authority to do so for the plaintiff) expressly or impliedly consented to the invasion of privacy; and
  • the defendant reasonably believed that the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person.

Criminalisation of “doxxing”

The Bill would amend the Criminal Code to introduce a new offence for using a carriage service to make available, publish or distribute personal data, where the person engages in the conduct in a way that a reasonable person would regard as being menacing or harassing, and introduce a further offence where a person or group is targeted due to their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

The new children’s privacy code

The Bill proposes that the Privacy Act is amended to require the Privacy Commissioner to develop the Children’s Online Privacy Code. The Code would need to set out how one or more of the Australian Privacy Principles (APPs) are to be applied in relation to children’s privacy.

The Code would apply to social media service providers and certain internet service providers, where the service is likely to be accessed by persons under the age of 18, and the entity is not providing a health service.

In developing the Code, the Commissioner may consult with children, organisations concerned with children’s welfare, and any other person considered appropriate. The Commissioner would need to publicise the draft Code and seek feedback, and finalise the Code within 24 months from commencement of the amended Privacy Act.

Greater transparency over the use and disclosure of personal information in automated decision-making processes

The Bill would amend the Privacy Act to require greater transparency concerning the use and disclosure of personal information in automated decision-making processes by requiring APP entities to disclose in their privacy policies that:

  • the entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision; and
  • the decision could reasonably be expected to significantly affect the individual’s rights or interests; and
  • personal information about the individual is used in the computer program to make the decision or do the thing that is substantially and directly related to making the decision.

The information covered by this provision is the kinds of personal information used in operation of such computer programs, the kinds of decisions made solely by the operation of the computer programs and the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such programs.

Amendments to the Privacy Act regarding eligible data breaches

Currently, Australian organisations must notify the OAIC and affected individuals of an “eligible data breach” (essentially, a data breach where the individuals affected by the breach are at risk of serious harm).

The Bill would amend the Privacy Act to confer on the responsible Minister the power to make a declaration regarding an eligible data breach, where the Minister is satisfied that making the declaration is necessary or appropriate to prevent or reduce a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.

The purpose of the declaration would be to “disapply” the privacy protections that would otherwise apply to collection, use and disclosure of personal information, but only in circumstances where it is necessary to prevent or reduce the risk of harm arising from a misuse of personal information following the data breach.

A declaration would only operate for a maximum of 12 months and recipients of information received under a declaration would need to keep such information secure and destroy the information when no longer required.

The Bill also creates an offence for unauthorised secondary disclosures, unless an exception applies. A secondary disclosure occurs when a person to whom personal information has been disclosed pursuant to the declaration subsequently discloses that information.

Updating the penalties regime

The Bill would amend the Privacy Act to introduce a new civil penalty provision where the data breach statement made by an APP entity that has suffered a data breach is non-compliant with the Privacy Act. The maximum civil penalty would be 200 penalty units (currently, $66,000) for individuals and 1,000 penalty units (currently $330,000) for bodies corporate.

The Bill would also amend the Privacy Act to clarify the circumstances where an interference with privacy is serious. In particular, the Government proposes to add factors that a court may take into account when assessing whether an interference with privacy is serious. These factors include the kind(s) of information involved, the sensitivity of the information, the consequences of the interference with privacy, the number of individuals affected by the interference, and whether the individuals affected by the interference with privacy are children or persons experiencing vulnerability.

Further, the Government proposes to impose civil penalty provisions for breaching certain specific APPs, with a maximum penalty of 1,000 penalty units (currently, $330,000) for bodies corporate for each breach.

Under the Bill, the Federal Court would have the discretion to make orders if the Court has determined that the entity has contravened a civil penalty provision in the Privacy Act. The Court would have the power to make orders directing the entity to perform acts to “redress the loss or damage suffered” by the victims, orders directing the entity to pay damages to the victims by way of compensation, and other orders.

What is not addressed

The Government has deferred to a later date certain amendments to the Privacy Act and the Attorney-General intends to engage in further “targeted” consultation over some of these amendments. The Bill introduced into Parliament does not address:

  • The removal of the small business exemption (whereby most businesses with an annual turnover of $3 million or less are exempt from the Privacy Act);
  • The removal of the employee record exemption from the Privacy Act;
  • The requirement that collection, use and disclosure of personal information be “fair and reasonable in the circumstances”;
  • Tightening the timeframes for investigating and notifying a data breach;
  • An obligation to undertake privacy impact assessments for “high risk” activities;
  • Refining the definitions of “personal information”, “collection”, “disclosure” and “consent”; and
  • A direct right of individuals to seek relief for contraventions of the APPs by an organisation.

Conclusion

Reform to Australia’s privacy laws has taken time to progress to the point of legislation being introduced into Parliament. It is not yet clear whether these laws will progress quickly through Parliament or whether the other political parties will seek to introduce their own amendments to the legislation.

However, the introduction of the legislation into Parliament is a significant milestone for the reform to Australia’s privacy laws. Of particular importance is the potential for tougher penalties for the misuse of personal information by businesses.

At this stage, businesses should keep a watch on the progress of the legislation through Parliament and prepare to take action to update their privacy policies and practices concerning the collection, use and disclosure of personal information.

Key Takeaways

  • On 11 September 2024, the Government introduced its legislation addressing the first tranche of reforms to the Privacy Act
  • These reforms include a new statutory cause of action for serious invasion of privacy, greater transparency over the use of personal information in automated decision-making, criminalisation of “doxxing”, greater capacity to share information in the context of an eligible data breach, and a revised approach to penalties for contraventions of the Privacy Act
  • The reforms do not address other areas previously considered for reform by the Government, including the removal of the small business and employee records exemptions, updating the definitions of “personal information” and “consent”, and the introduction of a “fair and reasonable” test for the collection, use and disclosure of personal information
  • We wait to see how these reforms will progress through the current Parliament and the Government’s position with respect to those areas that have not been addressed in the current Bill