Express Law No. 325

27 September 2024

First tranche of privacy reforms tabled in Parliament

Privacy and Other Legislation Amendment Bill 2024
The Government has tabled in Parliament the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill), which proposes to amend various Acts to enhance Australia’s privacy framework.

Background

The Bill is the first tranche of privacy reforms arising out of the Privacy Act Review Report (the Report). The Bill addresses some of the recommendations in the Report, with other recommendations to be addressed in further tranches of reforms.
Key areas of focus for the Bill include:

• strengthening the Information Commissioner’s (the Commissioner) enforcement powers and increasing new penalties
• improving options for redress for individuals for serious invasions of privacy and criminalising doxxing
• building on the current privacy code framework
• amending the Australian Privacy Principles (APPs) to improve handling of personal information.

Enforcement and penalties

Penalty provisions

The Bill will amend s 13G of the Privacy Act 1988 (Cth) (Privacy Act) to introduce factors that clarify what conduct may be considered a serious interference with privacy, including whether the conduct was done repeatedly or continuously. This change makes it clear that an interference with privacy may be serious even if it is a single act or practice. 
The Bill will also create a civil penalty provision in s 13H for an interference with privacy that does not meet the seriousness threshold of s 13G. 
Additionally, the new ‘low-level’ civil penalty provisions will apply to minor contraventions of the Privacy Act, for which infringement notices may be issued. This will be available if an entity does an act or engages in a practice that breaches specific privacy obligations in the APPs, or if an entity does not comply with s 26WK(3) of the Privacy Act.

Monitoring and investigation powers, and public inquiries

The Bill provides additional monitoring and investigation powers to the Commissioner by triggering monitoring powers contained in Parts 2 and 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The Minister will also be able to direct the Commissioner to conduct, or approve the Commissioner to conduct, a public inquiry into a specified matter or specified matters relating to privacy.

Statutory tort for serious invasions of privacy and criminalisation of doxxing

Statutory tort for serious invasions of privacy

The Bill will create a new statutory tort for serious invasions of privacy. This tort will provide an individual with a cause of action in tort against another person if the other person intentionally or recklessly invaded the individual’s privacy by intruding upon their seclusion and/or misusing information that relates to them. The cause of action will only arise where the invasion of privacy was serious and, objectively, there was a reasonable expectation of privacy. 
If the defendant adduces evidence that there was a public interest in the invasion of privacy, a plaintiff must satisfy the court that this public interest is outweighed by the public interest in protecting their privacy. A plaintiff will not need to show that the invasion of privacy caused damage.
A range of defences will also be available, including where the invasion of privacy was required or authorised by or under an Australian law or court/tribunal order. Exemptions will be available for journalists, enforcement bodies, intelligence agencies and persons under 18.

Criminalisation of doxxing

The Bill creates 2 new offences to target the malicious release of personal information online, otherwise known as doxxing. The Bill amends the Criminal Code Act 1995 (Cth) to introduce a new offence, with a maximum penalty of 6 years’ imprisonment, that applies where a person uses a carriage service to make available, publish or otherwise distribute personal data of one or more individuals, and does so in a way that reasonable persons would regard as being menacing or harassing towards those individuals. The Bill also introduces a further offence, with a more serious penalty of 7 years’ imprisonment, where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin.

Privacy codes

The Commissioner will be required to develop a Children’s Online Privacy Code (COP Code) within 2 years of the Bill receiving Royal Assent. The COP Code will set out how APPs are to be applied or complied with in relation to the privacy of children. The COP Code will apply to entities that provide a social media service, relevant electronic service or designated internet service that is likely to be accessed by children, provided the entity is not providing a health service. The COP Code will also apply to APP entities specified in that code. The Commissioner may consult on the development of the COP Code, and must invite public submissions on the code before registering it.
The Bill also provides the Minister with the power to direct the Commissioner to develop an APP code, including a temporary APP code, if the Minister is satisfied that it is in the public interest to develop the code and for the Commissioner to develop it.

Strengthening the APPs

APP 1 – Open and transparent management of personal information

The Bill will insert an additional obligation into APP 1 to require an APP entity to provide detail in their privacy policy if the entity uses personal information in making automated decisions or substantially automated decisions that could reasonably be expected to significantly affect the rights or interests of an individual. The requirement applies if the entity has arranged for a computer program to make or do a thing that is substantially and directly related to making the decision. The Bill includes examples of the kinds of decisions that may affect the rights or interests of individuals. The changes to APP 1 will not commence until 2 years after the Bill receives Royal Assent.

APP 8 – Cross-border disclosure of personal information

The Bill will amend APP 8 to provide an exception to APP 8.1. An entity disclosing personal information to an overseas recipient will not need to comply with APP 8.1 if the recipient is subject to a law of a country, or a participant in a binding scheme, that is prescribed by regulations. Before making regulations, the Minister must be satisfied that:

• the laws of the country, or the binding scheme, has the effect of protecting personal information about an individual in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and
• there are mechanisms that the individual can access to enforce that protection.

Regulations may also specify conditions attached to a specific country or binding scheme which is the subject of this exception.

APP 11 – Security of personal information

The Bill will clarify that reasonable steps for the purposes of APP 11 include technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training).

Other provisions

Eligible data breach declarations

The Minister will be empowered to make an eligible data breach declaration if there is an eligible data breach of an entity and the Minister is satisfied that making the declaration is necessary or appropriate to prevent or reduce a risk of harm to individuals from a misuse of personal information. A declaration may authorise an entity to collect, use and disclose personal information for permitted purposes related to preventing or reducing a risk of harm arising from the misuse of personal information following its unauthorised access or disclosure in the eligible data breach.

Emergency declarations

The Bill will also amend aspects of the emergency declarations part of the Privacy Act to be more targeted by empowering the Minister or Prime Minister to specify authorised information handling practices in the event of an emergency or a disaster.

Focus points for agencies

Many of these reforms are relevant to Commonwealth agencies. In particular, agencies should consider if their current privacy practices comply with the proposed changes to the APPs. Agencies may also be impacted by the creation of the statutory tort, as this will apply to agencies, as well as the COP Code if the agency provides an online service likely to be accessed by children.

The draft Bill can be accessed through the Parliament of Australia website at: Privacy and Other Legislation Amendment Bill 2024 – Parliament of Australia (aph.gov.au).