A spotlight on Australia Privacy Reform: A long awaited first step – First tranche privacy reforms introduced to Parliament

Authors: Julie Cheeseman, James Hoy, Emma Croft, Jonathan Tay, Evelyn Park and Ruby Simpson

On 12 September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 (Bill) to the House of Representatives containing the first tranche of long-awaited reforms to the Privacy Act 1988 (Cth) (Privacy Act).

Arriving almost one year after the Government published its Response to the Privacy Act Review (Response) and indicated that a generational overhaul of Australia’s Privacy Act was needed, the reforms contained in the Bill are far more limited in scope. The Bill focuses on three categories of amendments to Australia’s privacy, regulatory and criminal laws:

1. measures to enhance the privacy of individuals, including by strengthening the Office of the Australian Information Commissioner’s (OAIC) enforcement toolkit, introducing new tiers of civil penalties, requiring the development and registration of a Children’s Online Privacy Code, and increased transparency requirements for automated decision making;
2. the introduction of a new statutory cause of action for serious invasions of privacy; and
3. the introduction of new offences to specifically criminalise ‘doxxing’.

Notably, the Bill does not include the most ambitious reforms which the Government had previously ‘agreed’ or ‘agreed in principle’ in its Response, such as the removal of the small business exemption, amendment of the definition of ‘personal information’ (PI), the introduction of the controller/processor distinction, the proposed requirement that the collection, use and disclosure of PI be fair and reasonable and new definitions for direct marking, targeting and trading. Given that the Government plans to further consult regarding the next (and more ambitious) tranche of reforms, we are unlikely to see any further reforms arrive in Parliament until after the 2025 federal election.

If the Bill is passed, it will nevertheless be a significant first step towards Australia’s privacy laws being made fit for purpose in the digital age.  Our more detailed comments on these three categories of reforms are below.

CATEGORY 1 - MEASURES TO ENHANCE THE PRIVACY OF INDIVIDUALS

The most significant category 1 amendments are new civil penalties and a stronger enforcement toolkit for the OAIC, a new Children’s Online Privacy Code, and increased transparency requirements for automated decision making.

Civil penalties and enforcement powers: Schedule 1 of the Bill amends Australia’s privacy laws  to strengthen the enforcement powers of the OAIC and the Courts by providing the Commissioner and the judiciary with a broader range of enforcement options and new functions and capabilities to address actual or suspected privacy interferences (see Parts 8 - 11 and 13 - 14 of Schedule 1 of the Bill).

If implemented as drafted, these amendments apply to acts done or practices engaged in after commencement. In particular, the Bill proposes to:

• provide guidance on factors which may be taken into account to determine whether an interference with privacy is ‘serious’, for the purposes of availing the Commissioner of the civil penalty provision for serious interferences of privacy;
• remove the previous civil penalty provision for repeated interferences with privacy (as civil penalties for individual interferences of privacy are proposed to be introduced);
• introduce a new civil penalty for interference with the privacy of an individual, notwithstanding the seriousness of that interference (capped at 2,000 penalty units);
• introduce new civil penalties and the power for the Commissioner to issue infringement notices for breaches of some of the APPs and the preparation of non-compliant eligible data breach statements (capped at 200 penalty units);
• provide a legislative means by which, in court proceedings for serious interferences of privacy, the Court may order an entity pay civil penalties in circumstances where it is satisfied that entity interfered with the privacy of an individual but is not satisfied that the interference with privacy is serious;
• empower the Court, when it has or will determine that an entity has contravened a civil penalty provision under the Act, to make an order to direct the entity to redress or pay compensatory damages for the loss or damage suffered or likely to be suffered by any individual. Individuals have a limitation period of 6 years to apply to the Court for an order of this kind and any amount payable to the individual may be recoverable as a debt;
• empower the Commissioner to conduct a public inquiry into matters relating to privacy, at the direction of the Minister;
• empower the Commissioner to make determinations following an investigation declaring that entities perform any reasonable act or course of conduct to redress forward looking, reasonably foreseeable loss or damage likely to be suffered;
• amend the definition of ‘privacy matters’ which must be included in the Commissioner’s annual report to:
  • limit the statement of the performance of the privacy functions relating to the year referable to the annual report;
  • include details of the number of complaints made to the Commissioner over the year referable to the annual report; and
  • include details of the grounds for the Commissioner’s decision not to investigate complaints over the year referable to the annual report (see Part 12, Schedule 1 of the Bill);
• enable the Commissioner to decide not to investigate a complaint in circumstances where the complaint has already been dealt with by a recognised external dispute resolution scheme (see Part 13, Schedule 1 of the Bill); and
• introduce new monitoring and investigative powers which enable the Commissioner (or its staff) to:
  • monitor certain information and matters, including by of exercise entry and inspection powers with either consent or judicial authorisation in the form of a warrant; and
  • investigate things with respect to which a civil penalty provision under the Act has been contravened or is suspected, on reasonable grounds, to have been contravened, including by exercise of entry, search and seizure powers with either consent or judicial authorisation in the form of a warrant.

Increased transparency regarding automated decision making: Part 15, Schedule 1 of the Bill contains amendments introducing requirements for entities to include information in privacy policies about the kinds of PI used in, and kinds of decisions made by, automated decision making systems, where such decisions could reasonably be expected to significantly affect the rights or interests of an individual.

In particular, if entities arrange for computer programs to use PI about individuals to make (or do a thing that is substantially or directly related to making) decisions which could reasonably be expected to significantly affect the rights or interests of those individuals, their privacy policy must contain:

• the kinds of PI used in the operation of such computer programs;
• the kinds of such decisions made solely by the operation of such computer programs; and
• the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.

The Bill provides the following examples of the kinds of decisions that may affect the rights or interests of individuals:

• a decision made under a provision of an Act or a legislative instrument to grant, or to refuse to grant, a benefit to them;
• a decision that affects their rights under a contract, agreement or arrangement; and
• a decision that affects their access to a significant service or support.

New Children’s Online Privacy Code: Part 4 of Schedule 1 of the Bill contains amendments to the Privacy Act that will promote the right to privacy for children. As well as introducing a new definition of a “child” (as an individual who has not reached 18 years), the Bill will require the Information Commissioner to develop and register an APP code about online privacy for children (the Children’s Online Privacy Code (COP Code)). The Commissioner may consult with persons the Commissioner considers appropriate in developing the COP Code. The COP Code:

• will be an enforceable APP code which sets out how one or more of the APPs are to be applied or complied with in relation to the privacy of children;

• will impose obligations to providers of social media services, relevant electronic services or designated internet services (as defined in the Online Safety Act 2021 (Cth)), where the service is likely to be accessed by children and the entity is not providing a health service, and to entities or a class of entities who are specified in the COP Code;
• can also specify entities, or a class of entities, who will not be bound by the COP Code;
• the Commissioner may make written guidelines to assist entities to determine if a service is likely to be accessed by children; and
• to the extent possible, will align with similar overseas children’s codes, such as the UK’s Age Appropriate Design Code.

If the Bill is passed, the Commissioner will be required to:

• make a draft of the COP Code publicly available and invite the public to make submissions within a specified period (which must run for at least 40 days). Then, the Commissioner must consult with the eSafety Commissioner and the National Children’s Commissioner; and
• develop and register the COP Code within the period of 24 months beginning on the day the amending legislation receives Royal Assent (i.e. we anticipate if the Bill is passed in 2025, the COP Code will be in force by 2027).

The Government has also announced that, if the COP Code amendments are passed, the OAIC will be provided AU$3million over 3 years to assist with the development of the COP Code.

Currently, it is unclear whether the remaining recommendations which received in-principle support (such as direct marketing, targeting and trading of the PI of children (see our previous article here)) will be addressed by the draft COP Code, or whether they will be released with next tranche of reforms. 

Any exceptions to the COP Code obligations will likely be addressed in the draft COP Code.

Other category 1 amendments

In addition, other category 1 amendments include:

• Clarification of Privacy Act objects: Amendments to the objects of the Privacy Act to clarify that they include promoting the protection of individual’s PI, and to recognise the public interest in protecting privacy (see Part 1, Schedule 1 of the Bill).
• Enhanced code making powers: Amendments which provide greater flexibility and efficiency to the existing APP code-making processes by empowering the Information Commissioner to develop and register codes or temporary codes if directed to do so by the Minister (see Part 2, Schedule 1 of the Bill).
• Targeted emergency declarations: Amendments to the Privacy Act’s existing emergency/disaster declaration provisions requiring that they specify the kinds of PI that may be handled, the types of entities permitted to collect, use or disclose the information, and the purposes for which that PI may be collected, used or disclosed (see Part 3, Schedule 1 of the Bill).
• Security, retention and destruction of PI: Amendments to APP 11 to include a new subclause 11.3 which clarifies that the steps that entities should consider when determining how they should protect PI should include both technical and organisational measures (see Part 5, Schedule 1 of the Bill).
• Overseas disclosures of PI: Amendments to introduce a mechanism by which countries and binding schemes that provide substantially similar privacy protections to the APPs can be prescribed (see Part 6, Schedule 1 of the Bill).
• Eligible data breach declarations: Amendments to include new provisions in Part IIIC of the Privacy Act to facilitate information sharing where there has been an eligible data breach of an entity in order to prevent or reduce the risk of harm arising from misuse of PI.The amendments would give a new power to the Minister to make a written declaration enabling specified entities to handle PI in a manner that would otherwise not be permitted under privacy and secrecy laws (e.g. by disapplying the protections that would otherwise apply to the collection, use or disclosure of PI) in order to prevent or reduce the risk of harm to individuals in the event of an eligible data breach.Other amendments include a range of safeguards to minimise potential adverse privacy impacts of the new declaratory power (see Part 7, Schedule 1 of the Bill).

2. NEW STATUTORY TORT FOR SERIOUS INVASIONS OF PRIVACY

The Bill would also introduce a new statutory tort for serious invasions of privacy, as ‘Schedule 2’ to the Privacy Act. To establish a cause of action under the proposed statutory tort, it is proposed that a plaintiff must prove four essential elements, as follows:

1. the defendant invaded the plaintiff’s privacy by doing one or both of the following:
   • intruding upon the plaintiff’s seclusion (e.g. by physically intruding into the plaintiff’s private space, or by watching, listening to, or recording their private activities or private affairs); or
   • misusing information that relates to the plaintiff (including but not limited to the collection, use or disclosure of information about the plaintiff), whether that information is true or not;
2. a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances;
3. the invasion of privacy was committed intentionally or recklessly; and
4. the invasion of privacy was serious.By way of example, when considering seriousness, a court may take into account:
   • the degree of any offence, distress or harm to dignity that the invasion of privacy would likely cause to a person of ordinary sensibilities in the position of the plaintiff;
   • whether the defendant knew or ought to have known that the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff; and
   • if the invasion of privacy was intentional—whether the defendant was motivated by malice.

Significantly for defendants who might be subject to a claim following the occurrence of a data breach, the invasion of privacy tort is actionable without proof of damage.

Where a defendant adduces evidence that there was a public interest in the invasion of privacy (e.g. on the grounds of freedom of expression, including political communication, freedom of the media, the proper administration of government, open justice, public health and safety, national security, the prevention and detection of crime and fraud), the plaintiff must satisfy the court that that the public interest was outweighed by the public interest in protecting the plaintiff’s privacy;

 Defences to the plaintiff’s claim are proposed to include the following:

• Authorisation by law: where the invasion of privacy was required or authorised by or under an Australian law or court/tribunal order;
• Consent: the plaintiff (or someone authorised on their behalf) expressly or impliedly consented to the invasion of privacy;
• Health, life or safety: the defendant reasonably believed that the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person;
• Defence of person or property: the invasion of privacy was:
  • incidental to the exercise of a lawful right of defence of persons or property; and
  • proportionate, necessary and reasonable.
• Defamation overlap: where the defendant would be able to establish the defence of absolute privilege, publication of public documents, or fair report of proceedings of public concern in relation to information published about the plaintiff if the claim was brought under an Australian law that deals with defamation.;

Exemptions apply in relation to an invasion of privacy:

• by a journalist, the journalist’s employer, or certain persons assisting the journalist to the extent the invasion involves the collection, preparation for publication or publication of journalistic material;
• by an enforcement body to the extent that the body reasonably believes that the invasion of privacy is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
• by intelligence agencies, or to the extent the invasion involves the disclosure of information to or by an intelligence agency; and
• by a person who is under 18 years of age.

As for relief, Courts would be entitled to grant injunctions (including interim injunctions), give summary judgment, award damages (including for emotional distress but not aggravated damages), exemplary or punitive damages (in exceptional circumstances), an account of profits, orders requiring an apology from the defendant, correction orders, destruction orders and declarations.

Damages awarded for non-economic loss and exemplary/punitive damages, are proposed to be capped at the amount that is the greater of $478,550 or the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under an Australian law.

Other than in particular circumstances, plaintiffs will be required to commence proceedings within 3 years of the invasion of privacy occurring or (for plaintiffs that were 18 or over at the time of publication) within a year of becoming aware of the invasion (whichever is earlier).

Relevantly for international organisations carrying on business in Australia, the extra-territorial provisions are proposed not to apply to the statutory tort.

3. CRIMINAL OFFENCES TARGETING ‘DOXXING’

The Bill also includes amendments to the Criminal Code Act 1995 (Cth) to introduce new criminal offences to target ‘doxxing’, which is a form of abuse that disproportionately affects women. ‘Doxxing’ refers to the publication or distribution of personal data using a carriage service in a manner that reasonable persons would regard as being menacing or harassing. ‘Personal data’ in this context refers to information about an individual that enables that individual to be identified, contacted or located, such as their name, photograph, telephone number, email address, online account information, residential or work address, and place of education or worship.

The Bill would introduce an offence carrying 6 years imprisonment, and a further, more serious offence carrying 7 years imprisonment if the individual or group of individuals is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin. These penalties are consistent with the penalties introduced in June 2024 for the creation and sharing of sexually explicit material (including deepfakes) without consent.

WHAT’S NEXT

Debate on the Bill has been adjourned (and made an order of the day for the next sitting). However, with only limited sittings remaining in 2024, there is a distinct possibility the Bill will not pass this calendar year.

The next tranche of (more ambitious) reforms will be the subject of further consultation by the Government and are unlikely to reach Parliament before the 2025 federal election.

Notwithstanding the above, some key takeaways for entities already regulated by the Privacy Act are that:

• Privacy enforcement risk remains high in Australia. If passed, the reforms will give the OAIC access to a broader range of enforcement options, as well as new functions and capabilities. These include provisions which allow for the appropriate tailoring of civil penalties to the level of seriousness of the breach, access to the general investigation and monitoring powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The reforms will also enhance the powers of the Court in civil penalty proceedings beyond pecuniary penalties, to enable the making of any order in relation to the contravention;
• Enhanced privacy protections for children are looking likely to arrive in Australia in the next few years. Entities should have a clear understanding of what information they hold about children (likely to be defined as <18) so that they are ready for this change. There will likely be efficiencies for entities with global operations given the Australian Government’s intent to align the COP Code with similar overseas children’s codes, such as the UK’s Age Appropriate Design Code.
• Several other reforms aimed at ensuring transparency and certainty regarding the handling of PI are also on the immediate horizon. If passed, these reforms will require entities to review and update their existing practices and policies to ensure compliance with the amended privacy laws. This will include updating their privacy policy to include information about any use of PI to make substantially automated decisions which could reasonably be expected to significantly affect the rights or interests of individuals;
• Significantly for defendants who might be subject to a claim following the occurrence of a data breach, the proposed statutory tort for serious invasions of privacy is actionable without proof of damage. While a plaintiff must prove that the relevant invasion was committed intentionally or recklessly, in a data breach context, the vulnerability leading to the breach may have been well known to the defendant or in the industry, potentially providing a basis for a finding of recklessness or imputed intent.

Our leading Data Protection team maintains a page which hosts articles on various aspects of confirmed and anticipated Australian privacy reform.

If you have any questions on how your business may be affected by the proposed reforms or would like to understand how your business can prepare for them, please contact our Australian Data Protection team.