

Almost a year after the Government announced that it ‘agreed’ or ‘agreed in-principle’ with 106 of the 116 recommended reforms in the Attorney-General’s Department Privacy Act Review Report 2022[1] (Review Report), the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) was introduced into Parliament yesterday. The Bill was described as a ‘first tranche’ of reforms, although technically there was a 2022 round of amendments prior to the Review Report which increased penalties, introduced additional enforcement powers and expanded global application.

This Bill sets out amendments designed to address most of the 25 ‘agreed’ proposals directed at legislative change, including in relation to automated decisions, overseas disclosure of personal information, data security and data breaches, children’s privacy, civil penalties, enforcement powers and a statutory tort for serious invasions of privacy.

These aspects of the Bill are discussed further below, as well as new offences to be added to the Criminal Code Act 1995 (Cth) (Criminal Code) in relation to ‘doxxing’, being the malicious release of personal data online.

While Tranche 1 contains some important reforms, the Bill nonetheless leaves many of the ‘agreed in-principle’ proposals from the Review Report unaddressed for now. The Attorney-General has stated that his Department intends to prepare draft legislation for Tranche 2 in the coming months, for consultation with stakeholders. We expect the process around Tranche 2 will extend into 2025.

The now deferred reforms include proposals relating to the employee records, small business and journalism exemptions, expanded individual rights, direct marketing and targeting, fairness, data retention, privacy impact assessments, compliance records and allocating responsibility between ‘controllers’ and ‘processors’. See ‘What’s not included’ below for more.

Our previous article on ‘Navigating Australian Privacy Reform’ looks at the broader reform agenda and what can be done to prepare. While Tranche 2 has been deferred, the Government has again committed to progressing it. In addition, many of those pending reforms can be seen as clarifications or codifications of current regulatory expectations. Together with the previous penalty increases and Tranche 1’s introduction of penalty tiers, new enforcement powers and the new statutory tort, it is more important than ever to ensure robust compliance with the Privacy Act (even as it currently stands). 

Once the Bill is passed and receives Royal Assent, most provisions will come into effect immediately; however, some provisions will be subject to deferred commencement, notably:

  • the statutory tort for serious invasions of privacy will commence six months after Royal Assent or on a date to be proclaimed; and
  • the provisions relating to automated decisions will commence two years after Royal Assent.

The two-year grace period for the automated decisions reforms also suggests that a similar grace period is likely for many of the Tranche 2 reforms which will also impact the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act).

Key impacts for your business

APP entities should now turn their attention to: 

  • reviewing their APP privacy policies to ensure they specify the types of personal information which may be used to make decisions that are wholly or partially automated (see ‘Automated decisions’ below);
  • revisiting their practices in relation to private information as the Bill significantly heightens class action risk with the introduction of a statutory tort for serious invasions of privacy which must be intentional or reckless but does not require proof of damage; and
  • reviewing compliance of all business practices with the Privacy Act (not just those that could give rise to serious interferences with privacy) as the amendments increase regulatory risk by exposing administrative breaches and non-serious interferences to tiered civil penalties.

Automated decisions

The Bill will require privacy policies to be updated where an individual’s personal information is used by a computer program to make a decision reasonably expected to significantly affect the rights or interests of the individual, or to do something substantially and directly related to making that decision.

Examples given of potentially relevant decisions include decisions:

  • to grant or withhold a benefit under a law;
  • affecting rights under a contract, agreement or arrangement; and
  • affecting access to a significant service or support.

Privacy policies will need to address:

  • the kinds of personal information used in these computer programs;
  • the kinds of decisions made solely by these programs; and
  • the kinds of decisions for which the programs do something substantially and directly related to the decision.

The following proposals from the Review Report relating to automated decisions are not included in the Bill:

  • a right to request meaningful information about how the automated decisions are made – this may be addressed as part of artificial intelligence law reforms; and
  • a requirement to conduct a privacy impact assessment before commencing a high privacy risk activity.

Civil penalties and enforcement powers

The Bill adopts the proposals in the Review Report to introduce a tiered approach to civil penalties and infringement notices into the Privacy Act, as follows:

  • Up to $50 million, or potentially more based on turnover, or benefit from the breach, for serious interferences with privacy. This level of penalties was previously available for serious or repeated breaches, but the Bill now limits this to serious breaches, with repetition being one of the listed factors to consider in determining seriousness, amongst others including the information involved, number of individuals, any vulnerability, potential or actual consequences, and controls in place.
  • Up to 2000 penalty units (currently $660,000) for interferences with privacy not deemed ‘serious’.
  • Up to 200 penalty units (currently $66,000) for certain breaches of a more administrative nature, with a mechanism for the Office of the Australian Information Commissioner (OAIC) to directly issue infringement notices for these penalties, without needing to apply to a Court.

This means that there is a significant broadening in the scope of conduct which is captured by the civil penalty provisions – it will not only cover serious interferences with privacy, but any interferences with privacy. This represents a significant heightening of regulatory risk for Australian businesses.

The Bill has also introduced the power for a Court to make a range of orders for entities which contravene the tiered penalty provisions. This includes orders to pay damages, redress the loss or damage suffered or publish a statement. In a change not previously addressed in the Review Report or Discussion Paper, not only can the Court make such orders on its own initiative, but an individual can apply for such orders if they have suffered, or are likely to suffer, loss or damage.

Other new enforcement powers introduced by the Bill include the following:

  • Enhanced coercive powers for the OAIC in relation to investigations into breaches of civil penalty provisions, including powers to search premises and seize evidence. This brings the OAIC in line with other regulatory bodies.
  • The ability for the OAIC to undertake public inquiries with approval from the Attorney-General. Such inquiries could be used to examine systemic issues, new technologies, and particular industries or sectors.
  • A power for the OAIC to require a respondent in a complaint to mitigate damage by preventing or reducing any likely loss or damage that was reasonably foreseeable.

Statutory tort for serious invasions of privacy

The statutory tort introduced by the Bill as a new Schedule to the Privacy Act aligns with the recommendations in the Review Report.

The tort would not be specifically triggered by a breach of the APPs or other Privacy Act provisions. A separate proposal for a direct right of action in those circumstances appears to have been deferred for further consideration as part of Tranche 2 of the reforms.

Rather, an individual would have a cause of action if:

  • they suffer an invasion of their privacy in the form of an intrusion into their seclusion or a misuse of information;
  • they would have had a reasonable expectation of privacy in the circumstances;
  • the invasion of privacy was intentional or reckless; and
  • the invasion of privacy was serious.

These elements of the new tort bear some similarities to the common law torts of invasion of privacy which have developed internationally. Unlike some other jurisdictions, however, the statutory tort covers intrusion into seclusion (which does not form part of UK law) and introduces a clear fault element of intention or recklessness, whereas a UK Court has observed that a ‘misuse’ of private information may include an unintentional use, although it requires a positive action.[2]

Another significant departure from the common law position in other jurisdictions is the express provision in the statutory tort that no proof of damage is required.

The Bill sets out factors which may be taken into account in determining whether an individual had a reasonable expectation of privacy. These include the use of devices or technology, the individual’s personal attributes such as age or cultural background, and the individual’s conduct, including whether they invited publicity. It also introduces a non-exhaustive list of factors, separate from those in the civil penalty provisions, for determining whether an invasion of privacy was serious. These include the degree of offence, distress or harm to dignity likely caused to a person of ordinary sensibilities in the position of the plaintiff, whether the defendant knew or ought to have known that the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff, and whether the invasion of privacy was intentional or motivated by malice.

There is a public interest ‘defence’, similar to those in other common law jurisdictions such as the UK and New Zealand. This aligns with one of the new objects of the Privacy Act added by the Bill, to ‘recognise that the public interest in protecting privacy is balanced with other public interests’.

The Bill introduces a raft of remedies for the statutory tort. A claimant can seek damages (including for non-economic loss and emotional distress), an account of profits, an injunction, an apology, a declaration that the defendant has seriously invaded their privacy, and destruction or delivery up of material.

The introduction of this tort for invasion of privacy represents a significant shift in the privacy litigation landscape in Australia and is likely to expose entities to class actions, given the availability of a clear action for breach of privacy (without any requirement of proof of damage) and the broad range of available remedies. The new statutory tort exposes businesses to a broad range of claims involving sensitive personal information, not just those arising from cyber attacks. For example, it is conceivable that claims could be brought under this tort for the collection and use of facial recognition information without consent or another Privacy Act basis.

However, the fault element of intention or recklessness is likely to make the tort difficult to make out where the position is simply that ‘more could have been done’ by a company to avoid an interference with privacy, such as better systems or processes to mitigate against a cyber attack. More than mere negligence is needed for the tort to apply. A separate cause of action in negligence may still be relevant where a duty of care can be established.

While there are exemptions for journalists, enforcement bodies and intelligence agencies, the APP exemptions for small business operators and employee records will not apply in relation to this tort.

 

Overseas disclosure of personal information

Currently APP 8 limits the circumstances in which ‘cross-border disclosure’ of personal information is permitted. One of the current grounds is where the overseas recipient is subject to a law or binding scheme which is substantially similar to the APPs, and which gives the individual rights to take action. Currently it is up to the entity transferring the personal information to determine whether another law or scheme meets this standard. The Bill seeks to implement a proposal which would allow particular laws or schemes to be prescribed by regulations. This would reduce the costs for Australian entities associated with assessing foreign regimes and entering into contractual arrangements.

This amendment in the Bill would merely provide the mechanism for recognising foreign laws and schemes. None are listed at this stage. Given that the European Union’s General Data Protection Regulation (GDPR) is widely considered to be among the highest global standards for privacy regulation, it is possible that UK and European Economic Area countries where the GDPR applies, and the other countries assessed as ‘adequate’ by the EU for similar purposes, will be a starting point for Australia’s ‘whitelist’.

The following proposals from the Review Report relating to overseas disclosures are not included in the Bill:

  • standard contractual clauses or a mechanism allowing for standard contractual clauses;
  • stricter requirements where consent is relied on;
  • additional notice requirements; and
  • defining ‘disclosure’ in the Act.

Data security and data breaches

In relation to APP 11, which deals with data security and data retention, the Bill clarifies that ‘reasonable steps’ under that APP should include ‘technical and organisational measures’. This is language also used in the GDPR, and is not a controversial amendment, with technical measures referring to things like encryption, strong passwords and building locks, and organisational measures covering things like staff training and security procedures.

The Bill further introduces a right for the Attorney-General to make an ‘eligible data breach declaration’ where an eligible (i.e. notifiable) data breach occurs. The declaration would permit limited sharing and handling of personal information in a manner which would not otherwise be permitted by the APPs and some other laws. The purpose of the declaration – and any handling of personal information relying on the declaration – must be to prevent or reduce the risk of harm to individuals whose personal data has been breached. This could enable entities such as banks to swiftly implement safeguards to prevent the use of compromised credentials (i.e. to prevent financial crime).

Children’s privacy

The Bill requires the Information Commissioner to develop and register a Children’s Online Privacy Code (COP Code). The COP Code will apply to APP entities that provide a broad range of online or electronic services – similar to the Online Safety Act 2021 (Cth) – where the service is likely to be accessed by children and is not a health service. The COP Code may also specifically include or exclude particular entities.

The OAIC will receive $3 million in funding to assist with the development and implementation of the COP Code. The COP Code must be registered within 2 years of Royal Assent, including at least 40 days for public submissions to be made in response to a draft. The Review Report and aspects of the Bill suggest an intention to align the COP Code with the UK’s Age Appropriate Design Code where appropriate.

Doxxing offences

The Bill introduces new offences to the Criminal Code (not the Privacy Act) to outlaw ‘doxxing’, being the release of personal data by telephone or online in a way that is menacing or harassing.

‘Personal data’ will mean information about an individual that allows them to be identified, contacted or located, and will include an individual’s name, phone number, photograph, email address, online account, residential or work address and place of education or worship.

There will be two offences: one for doxxing that is menacing or harassing towards an individual, and one for doxxing targeting one or more members of a group (based on race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin).

Importantly, as these changes will be implemented in the Criminal Code, they will be outside the scope of the Privacy Act. Therefore, there are no exemptions or other protections for employers, employees, small businesses, journalists, or individuals acting in relation to personal or family matters that would apply under the Privacy Act. Any of these people could commit a doxxing offence and be found guilty.

Other changes

The Bill introduces several other changes including:

  • clarifying the objects of the Privacy Act to explicitly recognise that there is a public interest in protecting privacy;
  • enabling the Information Commissioner to make APP Codes on the direction of the Attorney-General where in the public interest;
  • enabling the Information Commissioner to make temporary APP Codes to respond to urgent situations; and
  • enabling the Attorney-General to make declarations permitting the sharing and handling of personal information in emergency situations to assist individuals involved in or affected by emergencies or disasters.

What’s not included

Proposals from the Review Report not addressed in the Bill include proposals relating to the following categories or topics:

  • Direct marketing, targeting and trading in personal information.
  • The employee records exemption, including reducing the scope of the exemption.
  • The small business exemption, including staged removal of the exemption.
  • The journalism exemption, although there is an additional journalism exemption in relation to the statutory tort described above.
  • Data breach notification, including a 72 hour timeframe for notifying the OAIC.
  • A direct right of action to sue for Privacy Act breaches, separate from the statutory tort described above.
  • Expanded individual rights (e.g. right to erasure of personal information).
  • Fair and reasonable handling of personal information.
  • High privacy risk activities, including privacy impact assessment requirements.
  • Expansion of the definition of personal information.
  • Privacy policies, notices, consents and defaults, except in respect of automated decisions as described above.
  • Handling personal information for research.
  • Organisational accountability, including record-keeping and allocation of responsibility for privacy.
  • Retention and destruction of personal information.
  • The controller/processor distinction, to allocate obligations between the entities with primary responsibility for personal information (controllers), and the entities which handle personal information on the controller’s behalf (processors).
  • Information under the direction of another entity.
  • Children’s privacy, except in respect of the COP Code discussed above.
  • People experiencing vulnerability.
  • Genomic information.
  • OAIC funding.
  • Additional matters relating to automated decisions and overseas disclosures.
  • Proposals requiring the OAIC to develop guidance.
  • Proposals specified as requiring consultation.
  • Proposals not agreed by the Government (primarily relating to de-identified information and the political exemption).

[1] See our earlier briefings on the Attorney-General’s Report here and on the Government’s response here.
[2] Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) at [27].

Key contacts

  • Kaman Tsoi, Special Counsel, Melbourne
  • Julian Lincoln, Partner, Head of TMT & Digital Australia, Melbourne
  • Peter Jones, Partner, Sydney
  • Christine Wong, Partner, Sydney
  • Katherine Gregor, Partner, Melbourne
  • Kwok Tang, Partner, Sydney
  • Brendan Donohue, Senior Associate, Melbourne
  • Marine Giral, Senior Associate, Melbourne
