Key takeaways
- Significant changes to Australia’s privacy laws are on the horizon.
- New civil penalties and infringement notices will target lower-level breaches and compliance issues, such as not having a compliant privacy policy and failing to provide an opt-out mechanism for direct marketing.
- Organisations should act now to ensure their privacy policies and procedures are robust, compliant and up-to-date.
Background
In September 2023, the Australian Government responded to 116 proposals within the Privacy Act Review Report, foreshadowing the most significant changes to privacy legislation in Australia since the commencement of the Privacy Act 1988 (Cth) (Privacy Act).
The Government agreed to a number of the proposals and accepted the majority of the remaining proposals ‘in principle’ and subject to further consultation.
On 12 September 2024, the first tranche of amendments to the Privacy Act was introduced by the Privacy and Other Legislation Amendment Bill 2024 (the Bill).
Whilst the more extensive reforms, such as removing the exemption for small businesses, have not been addressed in the Bill, the incoming changes will carry significant ramifications if businesses do not take proactive steps to prepare.
Incoming changes
Key changes introduced by this Bill include:
1. Multi-tier penalty system
The Privacy Act currently provides significant civil penalties for serious or repeated interferences with privacy, but this does not provide a significant incentive for businesses to address lower-level interferences and day-to-day compliance issues.
The Bill aims to address this by creating a multi-tier system where there are:
- significant penalties for “serious” interferences with privacy, with various circumstances to be taken into account to make that determination, including whether the interference is repeated;
- lower penalties for interferences with privacy that do not meet the threshold of “serious”; and
- infringement notices for a whole raft of breaches of the Australian Privacy Principles (APPs), including:
- not having a privacy policy (APP 1.3);
- having a privacy policy that does not contain the required information (APP 1.4);
- not providing individuals with the option of using a pseudonym where practicable (APP 2.1);
- not providing written notice where personal information has been used or disclosed for enforcement related activities (APP 6.5);
- not providing a simple opt-out mechanism where personal information is used for direct marketing (APP 7.2(c) and 7.3(c));
- not drawing a person’s attention to the opt-out mechanism (APP 7.3(d));
- not acting promptly on a person’s request not to receive direct marketing material (APP 7.7(a));
- not advising a person of the source of their personal information (APP 7.7(b)); and
- not promptly dealing with requests to correct personal information (APP 13.5).
This has the potential to focus much more attention on how businesses are drafting their privacy policies and otherwise complying with the APPs.
2. Statutory Tort of Privacy
The Bill introduces a new statutory tort of privacy that will allow action to be taken against a person who invades another person’s privacy. The tort will potentially cover a broader range of actions than under the Privacy Act, as it addresses both misusing information and intruding on a person’s seclusion. The tort is limited to “serious” invasions of privacy and the person would need to have a reasonable expectation of privacy in the circumstances. However, action could be taken against both individuals and businesses, and proof of damage is not required. The court would also have the power to grant a variety of remedies including damages for non-economic loss and punitive damages.
3. Children's Online Privacy Code
The Bill is the first step to increasing privacy protections for children as it will require the Commissioner to develop a Children’s Online Privacy Code.
The Code will apply to APP entities that provide a social media service, relevant electronic service or a designated internet service, where that service is likely to be accessed by children and the entity is not providing a health service, but the Code can also specify other entities or classes of entities to whom the Code will apply. The Code is likely to align with similar codes in other jurisdictions that require children’s personal information to be handled with consideration of what is in the best interests of the child.
4. Security
APP 11 already requires organisations to take reasonable steps to protect personal information from misuse or interference. The Bill will expand APP 11 to specify that those steps include technical and organisational measures. An example of a technical measure might be multi-factor authentication for access to an organisation’s systems. An example of an organisational measure might be prohibiting employees from taking documents containing personal information home to work on.
5. Overseas data flows
According to the current APP 8, entities must not disclose personal information overseas unless they have taken reasonable steps to ensure the overseas recipient will not breach the APPs. One way to satisfy this requirement is to reasonably believe that the overseas recipient is subject to a law or binding scheme that is comparable to the Privacy Act and that there are mechanisms in place for the individual to enforce their rights under that scheme. This is challenging because it requires the entity to assess the privacy laws of other countries. The Bill has introduced an amendment to facilitate the Commissioner prescribing which countries meet this requirement, which would be of great assistance to entities navigating this clause.
6. Automated Decision Making
Where an organisation has arranged for a computer program to make decisions that may significantly affect the rights or interests of an individual, the organisation will need to disclose this in their privacy policy.
7. Doxxing
The Bill introduces the new criminal offence of doxxing into the Criminal Code, namely, using a carriage service to publish personal data of an individual (name, address, photograph, etc.) in a way that reasonable people would regard as being menacing or harassing towards those individuals.
How can we help?
Given these impending changes, it is more important than ever for businesses to ensure their practices and procedures are Privacy Act compliant.
We can assist with drafting or reviewing your:
- privacy policy
- privacy collection statements
- data breach response plans
- internal procedures and guidelines
Please contact Russell Kennedy’s expert Privacy team for advice on all aspects of privacy, cybersecurity and data protection in Australia.
The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy team.