Almost a year after the Government announced that it ‘agreed’ or ‘agreed in-principle’ with 106 of the 116 recommended reforms in the Attorney-General’s Department Privacy Act Review Report 2022¹ (Review Report), the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) today passed both Houses of Parliament.

This Bill sets out amendments designed to address most of the 25 ‘agreed’ proposals directed at legislative change, including in relation to automated decisions, overseas disclosure of personal information, data security and data breaches, children’s privacy, civil penalties, enforcement powers, and a statutory tort for serious invasions of privacy.

These aspects of the Bill are discussed further below, as well as new offences to be added to the Criminal Code Act 1995 (Cth) (Criminal Code) in relation to ‘doxxing’, being the malicious release of personal data by telephone/online.

While the Bill contains some important reforms, many of the ‘agreed in-principle’ proposals from the Review Report remain unaddressed. The Attorney-General stated in September that his Department intended to prepare draft legislation for Tranche 2 in the coming months, for consultation with stakeholders. We expect this will occur in 2025. These other proposals include a large number of important issues relating to the exemptions for employee records, small business and journalism, expanded individual rights, direct marketing and targeting, fairness, data retention, privacy impact assessments, compliance records and allocating responsibility between ‘controllers’ and ‘processors’. See ‘What’s not included’ below for more.

What are the key impacts for your business?

APP entities should now turn their attention to:

  • identifying their practices in relation to automated decisions based on personal information, to determine what will need to be added to their APP privacy policies (see ‘Automated decisions’ below);
  • revisiting their practices in relation to private information as the Bill increases litigation and class action risk, with the introduction of a statutory tort for serious invasions of privacy which must be intentional or reckless but does not require proof of damage;
  • reviewing compliance of all business practices with the Privacy Act (not just those that could give rise to serious interferences with privacy), as the amendments increase regulatory risk by exposing lower-level breaches to a broader range of penalties. In particular, the lowest tier of penalties will potentially see much greater enforcement in relation to administrative types of breaches concerning privacy policies, records of law enforcement disclosures and marketing opt-outs; and
  • considering how they wish to participate in continuing reform and consultation processes, including further privacy codes and future tranches of reform.

Please see our earlier article on ‘Navigating Australian Privacy Reform’ which considers the broader reform agenda and what can be done to prepare.

While Tranche 2 has been deferred, the Government has again committed to progressing it. In addition, many of those pending reforms can be seen as clarifications or codifications of current regulatory expectations. Together with the previous penalty increases and Tranche 1’s introduction of penalty tiers, new enforcement powers, and the new statutory tort, it is more important than ever to ensure robust compliance with the Privacy Act (even as it currently stands). In particular, areas such as data retention, privacy impact assessment, quality of consent, and data breach preparation make sense to focus on ahead of the Tranche 2 reforms relating to those topics.

What changes have been made to the Bill?

The Bill as passed includes limited changes to the version of the Bill introduced into Parliament in September. Notable changes include:

  • the introduction of a compliance notice regime, under which a compliance notice can be issued prior to an infringement notice; and
  • broadening of the public interest protections relating to the statutory tort.

These changes largely reflect recommendations by the Senate Legal and Constitutional Affairs Legislation Committee in their November report on the first reading version of the Bill.

When do the reforms come into effect?

The Bill has now passed. Once the Bill is formally signed into law (by Royal Assent), most provisions will come into effect immediately.

However, there are some provisions which will be subject to deferred commencement, notably:

  • the statutory tort for serious invasions of privacy will commence six months after Royal Assent or on a date to be proclaimed; and
  • the provisions relating to automated decisions will commence two years after Royal Assent.

The two-year grace period for the automated decisions reforms also suggests that a similar grace period is likely for many of the Tranche 2 reforms which will also impact the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act).

Automated decisions

The Bill will require privacy policies to be updated where an individual’s personal information is used by a computer program to make a decision reasonably expected to significantly affect the rights or interests of the individual, or to do something substantially and directly related to making that decision (APP 1.7).

Examples given of potentially relevant decisions include decisions:

  • to grant or withhold a benefit under a law;
  • affecting rights under a contract, agreement, or arrangement; and
  • affecting access to a significant service or support.

Privacy policies will need to address:

  • the kinds of personal information used in these computer programs;
  • the kinds of decisions made solely by these programs; and
  • the kinds of decisions for which the programs do something substantially and directly related to the decision (APP 1.8).

Entities will need to understand how they use automated decisions throughout their organisations, and potentially document this in order to assess where personal information is used, the extent of the automated input into the decision and the significance of the decision for individuals. These points will assist entities to determine which decisions should be referenced in their privacy policies.

The following proposals from the Review Report relating to automated decisions are not included in the Bill:

  • a right to request meaningful information about how the automated decisions are made – this may be addressed as part of artificial intelligence law reforms; and
  • a requirement to conduct a privacy impact assessment before commencing a high privacy risk activity.

The Bill introduces a tiered approach to civil penalties and infringement notices into the Privacy Act (as proposed by the Review Report), as follows:

  • A new civil penalty of up to 2,000 penalty units (currently $660,000) for any interference with the privacy of an individual.
  • Up to 200 penalty units (currently $66,000) for certain breaches of a more administrative nature, with a mechanism for the Office of the Australian Information Commissioner (OAIC) to directly issue infringement notices for these penalties without Court approval. Examples include failure to have a privacy policy or required content in the policy, not having a simple opt-out mechanism for direct marketing, or not drawing attention to this mechanism.

The OAIC can issue a compliance notice before issuing an infringement notice (although it does not need to do this), to encourage an entity to remedy an alleged breach of a civil penalty provision under ss 13K(1) or (2). This is aimed at encouraging organisations to comply in a consultative manner. Failure to comply with such a notice would also be a breach of a civil penalty provision.

The above changes supplement the existing civil penalty provision for serious or repeated interferences with privacy, where the maximum penalty is the greatest of:

  • $50 million;
  • 3x the benefit from the breach; or
  • 30% of the adjusted turnover (if the benefit cannot be determined) over 12 months or the breach period if that was longer.

The Bill now limits the existing provision to serious interferences with privacy, that is, it removes the ‘repeated’ limb, albeit repetition is a factor listed in the Bill as relevant to assessing seriousness. Other factors include the kind of information affected and its sensitivity, the potential consequences for individuals, the number and any vulnerability of affected individuals, and any policy or systems failure by the entity.

This tiered enforcement toolkit significantly expands the type of conduct captured by the civil penalty provisions – it will not only cover serious interferences with privacy, but any interferences with privacy. The ability for the OAIC to obtain outcomes via an infringement notice without Court action is also significant. This represents a corresponding heightening of regulatory risk for Australian businesses.

If the Court finds an entity has breached a civil penalty provision, the Bill also gives it power to make a range of orders including to pay damages, redress the loss or damage suffered, or publish a statement. Where a civil penalty provision has been breached, an individual can also apply for such orders if they have suffered (or are likely to suffer) loss or damage (noting this does not enable individuals to sue directly for privacy breaches).

Other new enforcement powers introduced by the Bill include the following:

  • Enhanced coercive powers for the OAIC in relation to investigations into breaches of civil penalty provisions, including powers to search premises and seize evidence. This brings the OAIC in line with other regulatory bodies.
  • The ability for the OAIC to undertake public inquiries with approval from the Attorney-General. Such inquiries could be used to examine systemic issues, new technologies, and particular industries or sectors. We have seen these types of powers used extensively by other regulators like the ACCC.
  • A power for the OAIC to require a respondent in a complaint to mitigate damage by preventing or reducing any likely loss or damage that was reasonably foreseeable.

The Bill introduces a new statutory tort for serious invasions of privacy, in accordance with the Review Report’s recommendation, which in turn was based on recommendations made by the Australian Law Reform Commission in 2014.

The tort would not be specifically triggered by a breach of the APPs or other Privacy Act provisions. A separate proposal for a direct right of action in those circumstances has been deferred for further consideration as part of Tranche 2 of the reforms.

Under the statutory tort, an individual would have a cause of action if:

  1. they suffer an invasion of their privacy (in the form of an intrusion into their seclusion or a misuse of information);
  2. they had a reasonable expectation of privacy in the circumstances – the Bill lists relevant factors in this assessment as including the use of devices or technology, the individual’s personal attributes such as age or cultural background, and the individual’s conduct, including whether they invited publicity;
  3. the invasion of privacy was intentional or reckless;
  4. the invasion of privacy was serious – the Bill provides a non-exhaustive list of factors to consider, including the offence, distress, or harm to dignity likely caused to a person of ordinary sensibilities in the position of the plaintiff, whether the defendant knew or ought to have known that the invasion of privacy was likely to cause this impact, and whether the invasion of privacy was intentional or motivated by malice; and
  5. the public interest in the individual’s privacy outweighed any countervailing public interest.

Importantly, no proof of damage is required for a claim to be brought.

The remedies for breach include damages (including for non-economic loss and emotional distress), an account of profits, an injunction, an apology, a declaration that the defendant has seriously invaded their privacy, and destruction or delivery up of material.

How does this differ from other jurisdictions?

The elements of this new tort bear some similarities to other common law torts of invasion of privacy which have developed internationally, but the statutory tort includes intrusion into seclusion (which does not form part of UK law) and introduces a clear fault element of intention or recklessness (whereas the UK’s High Court has observed that a ‘misuse’ of private information may include an unintentional use, although it requires a positive action).²

The express provision in the statutory tort that damage is not required is a significant departure from other common law torts.

What exceptions are there?

As noted, there is a public interest protection, safeguarding freedom of expression and media, open justice, national security, etc – similar to those in other common law jurisdictions such as the UK and NZ. This aligns with one of the new objects of the Privacy Act added by the Bill, to ‘recognise that the public interest in protecting privacy is balanced with other public interests’.

The Senate amendments also broaden the circumstances in which certain exemptions apply (regarding journalists, law enforcement and intelligence agencies and minors). Further, an application as to whether an exemption applies may be determined at any stage of the legal proceedings, and the Court should do so as soon as practicable upon application unless special circumstances apply. The Court may also consider whether an exemption applies on its own initiative.

While there are exemptions for journalists, enforcement bodies and intelligence agencies, the APP exemptions for small business operators and employee records will not apply in relation to this tort.

What does this mean?

The introduction of this tort for serious invasions of privacy provides another avenue for plaintiffs and class action claimants in Australia to bring claims for impacts to personal information. It is likely to be an attractive basis for a claim given there is no requirement of proof of damage and the broad range of available remedies (including for non-financial loss).

However, the requirement for a fault element of intention or recklessness does present a challenge for plaintiffs successfully making this out where the position is simply that ‘more could have been done’ by a company to avoid an interference with privacy, such as in the context of better systems or processes to mitigate against a cyber attack. More than mere negligence is needed for this statutory tort to be made out.

Further, the new statutory tort exposes businesses to a broad range of claims involving sensitive personal information outside of just the cyber attack space. For example, it is conceivable that claims could be brought under this tort for the collection and use of facial recognition information without consent or another Privacy Act basis for doing so.

Currently APP 8 limits the circumstances in which ‘cross-border disclosure’ of personal information is permitted. One of the current grounds is where the overseas recipient is subject to a law or binding scheme which is substantially similar to the APPs, and which gives the individual rights to take action. It is currently up to the entity transferring the personal information to determine whether another law or scheme meets this standard. The Bill seeks to implement a proposal which would allow particular laws or schemes to be prescribed by regulations. This would reduce the costs for Australian entities associated with assessing foreign regimes and entering into contractual arrangements.

This amendment in the Bill would merely provide the mechanism for recognising foreign laws and schemes. None are listed at this stage. Given that the European Union’s General Data Protection Regulation (GDPR) is widely considered to be among the highest global standards for privacy regulation, it is possible that UK and European Economic Area countries where the GDPR applies, and the other countries assessed as ‘adequate’ by the EU for similar purposes, will be a starting point for Australia’s ‘whitelist’. However, the EU’s list notably excludes the US (other than in relation to an EU-specific scheme) and most Asia-Pacific nations, so Australia may also want to prioritise some of those jurisdictions for assessment.

The following proposals from the Review Report relating to overseas disclosures are not included in the Bill, and are anticipated to be in the draft bill for Tranche 2:

  • standard contractual clauses or a mechanism allowing for standard contractual clauses;
  • stricter requirements where consent is relied on;
  • additional notice requirements; and
  • defining ‘disclosure’ in the Act.

In relation to APP 11, which deals with data security and data retention, the Bill clarifies that ‘reasonable steps’ under that APP should include ‘technical and organisational measures’. This is language also used in the GDPR, and is not a controversial amendment, with technical measures referring to things like encryption, strong passwords and building locks, and organisational measures covering things like staff training and security procedures.

The Bill further introduces a right for the Attorney-General to make an ‘eligible data breach declaration’ where an eligible (i.e. notifiable) data breach occurs. The declaration would permit limited sharing and handling of personal information in a manner which would not otherwise be permitted by the APPs and some other laws. The purpose of the declaration – and any handling of personal information relying on the declaration – must be to prevent or reduce the risk of harm to individuals whose personal data has been breached. This could enable entities such as banks to swiftly implement safeguards to prevent the use of compromised credentials (i.e. to prevent financial crime).

The Bill requires the Information Commissioner to develop and register a Children’s Online Privacy Code (COP Code). The COP Code will apply to APP entities that provide a broad range of online or electronic services – similar to the Online Safety Act 2021 (Cth) – where the service is likely to be accessed by children and is not a health service. The COP Code may also specifically include or exclude particular entities.

The OAIC will receive $3 million in funding to assist with the development and implementation of the COP Code. The COP Code must be registered within 2 years of Royal Assent, including at least 60 days for public submissions to be made in response to a draft. The OAIC will also be required to consult with relevant industry bodies or organisations when developing the COP Code. The Review Report and aspects of the Bill suggest an intention to align the COP Code with the UK’s Age Appropriate Design Code where appropriate.

The Bill introduces new offences to the Criminal Code (not the Privacy Act) to outlaw ‘doxxing’, being the release of personal data through telephone or online in a way that is menacing or harassing.

‘Personal data’ will mean information about an individual that allows them to be identified, contacted, or located, and will include an individual’s name, phone number, photograph, email address, online account, residential or work address, and place of education or worship.

There will be two offences: one for doxxing that is menacing or harassing towards an individual, and one for doxxing targeting one or more members of a group (based on race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin).

Importantly, as these changes will be implemented in the Criminal Code, they will be outside the scope of the Privacy Act. Therefore, there are no exemptions or other protections for employers, employees, small businesses, journalists, or individuals acting in relation to personal or family matters that would apply under the Privacy Act. Any of these people could commit a doxxing offence and be found guilty.

The Bill introduces several other changes including:

  • clarifying the objects of the Privacy Act to explicitly recognise that there is a public interest in protecting privacy;
  • enabling the Information Commissioner to make APP Codes on the direction of the Attorney-General where in the public interest – the expansion of this code-making power could see a greater use of this power to regulate emerging technologies, industry sectors and activities for which non-binding guidance is not seen to be sufficiently effective;
  • enabling the Information Commissioner to make temporary APP Codes to respond to urgent situations; and
  • enabling the Attorney-General to make declarations permitting the sharing and handling of personal information in emergency situations to assist individuals involved in or affected by emergencies or disasters.

What’s not included

Proposals from the Review Report not addressed in the Bill include proposals relating to the following categories or topics:

  • Direct marketing, targeting, and trading in personal information.
  • The employee records exemption, including reducing the scope of the exemption.
  • The small business exemption, including staged removal of the exemption.
  • The journalism exemption, although there is an additional journalism exemption in relation to the statutory tort described above.
  • Data breach notification, including a 72 hour timeframe for notifying the OAIC.
  • A direct right of action to sue for Privacy Act breaches, separate from the statutory tort described above.
  • Expanded individual rights (e.g. right to erasure of personal information).
  • Fair and reasonable handling of personal information.
  • High privacy risk activities, including privacy impact assessment requirements.
  • Expansion of the definition of personal information.
  • Privacy policies, notices, consents, and defaults, except in respect of automated decisions as described above.
  • Handling personal information for research.
  • Organisational accountability, including record-keeping and allocation of responsibility for privacy.
  • Retention and destruction of personal information.
  • The controller/processor distinction: to allocate obligations between the entities with primary responsibility for personal information (controllers), and the entities which handle personal information on the controller’s behalf (processors).
  • Information under the direction of another entity.
  • Children’s privacy, except in respect of the COP Code discussed above.
  • People experiencing vulnerability.
  • Genomic information.
  • OAIC funding, except in respect of COP Code development and implementation discussed above.
  • Additional matters relating to automated decisions and overseas disclosures.
  • Proposals requiring the OAIC to develop guidance.
  • Proposals specified as requiring consultation.
  • Proposals not agreed by the Government (primarily relating to de-identified information and the political exemption).

Footnotes

  1. See our earlier briefings on the Attorney General Report here and on the Government’s response here.
  2. Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) at [27].

Key contacts

  • Kaman Tsoi, Special Counsel, Melbourne
  • Julian Lincoln, Partner, Head of TMT & Digital Australia, Melbourne
  • Peter Jones, Partner, Sydney
  • Christine Wong, Partner, Sydney
  • Katherine Gregor, Partner, Melbourne
  • Kwok Tang, Partner, Sydney
  • Brendan Donohue, Senior Associate, Melbourne