Navigating Australian Privacy Reform:
Your guide to the changes ahead
Almost a year after the Government announced that it ‘agreed’ or ‘agreed in-principle’ with 106 of the 116 recommended reforms in the Attorney-General’s Department Privacy Act Review Report 2022 (Review Report), the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) today passed both Houses of Parliament.
This Bill sets out amendments designed to address most of the 25 ‘agreed’ proposals directed at legislative change, including in relation to automated decisions, overseas disclosure of personal information, data security and data breaches, children’s privacy, civil penalties, enforcement powers, and a statutory tort for serious invasions of privacy.
These aspects of the Bill are discussed further below, as well as new offences to be added to the Criminal Code Act 1995 (Cth) (Criminal Code) in relation to ‘doxxing’, being the malicious release of personal data by telephone/online.
While the Bill contains some important reforms, many of the ‘agreed in-principle’ proposals from the Review Report remain unaddressed. The Attorney-General stated in September that his Department intended to prepare draft legislation for Tranche 2 in the coming months, for consultation with stakeholders. We expect this will occur in 2025. These other proposals include a large number of important issues relating to the exemptions for employee records, small business and journalism, expanded individual rights, direct marketing and targeting, fairness, data retention, privacy impact assessments, compliance records and allocating responsibility between ‘controllers’ and ‘processors’. See ‘What’s not included’ below for more.
What are the key impacts for your business?
APP entities should now turn their attention to:
Please see our earlier article on ‘Navigating Australian Privacy Reform’ which considers the broader reform agenda and what can be done to prepare. While Tranche 2 has been deferred, the Government has again committed to progressing it. In addition, many of those pending reforms can be seen as clarifications or codifications of current regulatory expectations. Together with the previous penalty increases and Tranche 1’s introduction of penalty tiers, new enforcement powers, and the new statutory tort, it is more important than ever to ensure robust compliance with the Privacy Act (even as it currently stands). In particular, areas such as data retention, privacy impact assessment, quality of consent, and data breach preparation make sense to focus on ahead of the Tranche 2 reforms relating to those topics.
The Bill as passed includes limited changes to the version of the Bill introduced into Parliament in September. Notable changes include:
These changes largely reflect recommendations by the Senate Legal and Constitutional Affairs Legislation Committee in their November report on the first reading version of the Bill.
The Bill has now passed. Once the Bill is formally signed into law (by Royal Assent), most provisions will come into effect immediately.
However, there are some provisions which will be subject to deferred commencement, notably:
The two-year grace period for the automated decisions reforms also suggests that a similar grace period is likely for many of the Tranche 2 reforms which will also impact the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act).
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024