On 1 May 2024, the Australian Government announced that some of the (agreed in-principle) proposed changes to the Privacy Act 1988 (Cth) (‘Privacy Act’)will be fast-tracked to be put to Parliament in August 2024. These include:
outlawing the release of private information online with an intent to cause harm (known as doxxing), including by way of a statutory tort of privacy; and
the introduction of new or strengthened individual rights to allow individuals to access, object, erase, correct, and de-index their personal information.
In addition, the Government has announced that it will trial age assurance technology (encompassing both age verification and age estimation technology) to protect children from high-impact online content.
It is not yet clear whether:
the proposed reforms (which have previously been the subject of extensive review and consultation in the course of the ‘Privacy Act Review’, see our articles here and here) are intended to apply broadly to any personal information governed by the Privacy Act or initially only to doxxing;
any grace period will apply to entities governed by the Privacy Act (APP Entities), to allow time for compliance; or
each of the above reforms will be in the form proposed in the Privacy Act Review.
A brief summary of each of the proposals (as set out in the Privacy Act Review) is set out below.
We otherwise expect that further information regarding these proposals will be released as an exposure draft in the coming months, at which point we will publish a further update.
Statutory tort of privacy
In September 2023, the Government agreed in principle to the introduction of a statutory tort for serious invasions of privacy, based on the ALRC model. Under this model, a plaintiff:
would be able to pursue action in respect of either a serious intrusion into seclusion or a serious misuse of private information; and
would be required to prove that:
there was a serious invasion with their privacy;
they had a reasonable expectation of privacy;
the invasion was committed intentionally or recklessly (not merely negligently); and
the public interest in privacy outweighs any other countervailing public interest.
Individual rights
In September 2023, the Government also agreed in principle to the creation of new individual rights in respect of personal information, including:
Access rights: a right to access, and an explanation about, their personal information (in response to an access request) with the following new features:
a requirement that APP entities:
identify the source of the personal information it has collected indirectly, on request by the individual;
provide an explanation or summary of what it has done with the personal information (on request);
Objection rights: (not currently in existence under the Privacy Act) a right to object to the collection, use or disclosure of personal information (and requirement on APP entities to provide written reasons with any response to such an objection);
Correction rights:expansion of the right to correction to generally available publications online over which an APP entity maintains control;
Erasure rights: (not currently in existence under the Privacy Act) a right to erasure with the following features:
APP entities who have collected personal information from a third party or disclosed the information to a third party must inform the individual about the third party and notify the third party of the erasure request unless it is impossible or involves disproportionate effort; and
certain limited information will be required to be quarantined rather than erased on request, to ensure that the information remains available for the purposes of law enforcement;
De-index rights: (not currently in existence under the Privacy Act) a right (jurisdictionally limited to Australia) to de-index online search results containing personal information which is:
sensitive information;
information about a child;
excessively detailed; or
inaccurate, out-of-date, incomplete, irrelevant, or misleading.
The Government did agree in principle to the introduction of exemptions in respect of each of the individual rights, for example in the following circumstances:
competing public interests: where complying with a request would be contrary to public interests, including freedom of expression and law enforcement activities;
relationships with a legal character: where complying with the request would be inconsistent with another law or a contract with the individual; and
technical exceptions: such as where it would be technically impossible, or unreasonable, and frivolous or vexatious to comply with the request.
Given some of these proposals may require back-end changes to systems, it is recommended that APP Entities assess which of their systems will be impacted, in preparation for such reforms.