Out-Law Analysis 13 min. read

Australia introduces limited package of Privacy Act reforms to Parliament


Parliament House, Canberra. Photo by Steve Christo/Corbis via Getty Images.


The highly anticipated first package of the Australian government’s newly proposed Privacy Act reforms has been introduced to parliament in the Privacy and Other Legislation Amendment Bill 2024 (Cth).

Despite the high expectations - and following a long consultation process which spanned over four years - the amendments focus on the structural framework and powers which underpin the legislation and some enhancements, rather than major fundamental changes.  

The Bill has had its second reading in Federal Parliament and if passed will amend the Privacy Act 1988 (Cth) to address 23 out of the 25 legislative proposals that the government agreed to in its response to the Privacy Act Review Report – except for the statutory tort for serious invasions of privacy, which was ‘agreed in principle’. The proposed amendments if passed would mostly take effect once the Bill receives royal assent.

While the package progresses the reform process, without more, the government will not achieve the objectives it hoped for: bringing Australian privacy law more in line with global standards and increasing individual protections in a digital economy.

Instead, the Bill sets the stage for increased legal action for serious breaches of privacy and enforcement for infringements of the Australian Privacy Principles (APPs). One of the welcome proposals – to increase transparency about the use of personal information to make automated decisions – will not take effect for two years. This means a further delay, while the adoption of new technologies advances at pace.  

The path to Privacy Act reform

The Bill’s introduction comes after a comprehensive review process by the Attorney-General's Department that began in late 2020, following recommendations made by the Australian Competition and Consumer Commission (ACCC) in its 2019 Digital Platforms Inquiry Report. The review process included an issues paper, a discussion paper and significant public consultation.

Veronica Scott

Partner

In February 2023, the Attorney-General’s Department published its Privacy Act Review Report, which included 166 proposed reforms. The government published its response in September 2023, agreeing with 38 proposals, agreeing in principle with 68 proposals, and rejecting 10 proposals.

It was not until Privacy Awareness Week in May this year that the attorney-general announced he had been asked by the prime minister to introduce legislation to “overhaul” the Privacy Act by mid-2024.

The Bill was introduced on 12 September accompanied by the 'explanatory memorandum' and had its second reading moved.

What’s next

It is expected that the Bill will go to a parliamentary committee for review. However, the next and final parliamentary sitting for the year is in November, which does not leave much time for the Bill’s final reading and passage.

The attorney-general has also forecast a second tranche of reforms following further consultation, although it seems very unlikely that any further amendments could be introduced before the next federal election.

What’s missing

Missing from the Bill are some of the more impactful proposed amendments that were agreed to in principle by the government. This includes changes to the Notifiable Data Breaches Scheme. While the Bill does introduce the agreed recommendation for government information sharing following a data breach, it does not include the ‘agreed in principle’ recommendations for entities to be required to take steps to mitigate harm to individuals following a data breach, nor the clarification of the time within which eligible data breaches must be notified.

The Bill also does not include several other significant proposals that the government had agreed to in principle, which were:

  • inserting a ‘fair and reasonable’ test for the collection and use of personal information;
  • updating and introducing key definitions including of personal information;
  • removing the small business and employee record exemptions;
  • restricting data trading and targeting advertising; 
  • introducing a right to erasure and other enhanced privacy rights;
  • introducing a direct right to bring claims for breaches of the Privacy Act; and
  • the requirement for entities to establish minimum and maximum retention periods, which has been a key issue in many of the high profile cyber attacks over the last two years.

The regulator’s response

In response to the introduction of the Bill, the Office of the Australian Information Commissioner (OAIC) welcomed the changes proposed by the reforms and stated that they would provide it “with greater discretion and flexibility to apply a risk-based approach to enforcement”. However, it also called for additional changes, such as the fair and reasonable test, to be introduced urgently in the second tranche of privacy reforms.

In a statement, Privacy Commissioner Carly Kind said: “The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors. Further reform of the Privacy Act is urgent, to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.”

While there will be more targeted funding for the development of the Children’s Online Code, the commissioner noted that some of the OAIC’s funding was coming to an end.

Key provisions in the Bill

Some of the key proposed changes to the Privacy Act, including the APPs and regulator powers, are outlined below.

Recognising public interest in protecting privacy

In introducing the Bill, the attorney-general said: “Australians have a right to have their privacy respected, and when they are asked to hand over their personal data they have a right to expect it will be protected.”

This sentiment is echoed in the OAIC’s 2023 Community Attitudes to Privacy Survey, in which Australians clearly indicated they place importance on the protection of their information. 70% of respondents to that survey stated they place a high level of importance on their privacy when choosing a product or service.

To support these views, the Bill clarifies that the objects of the Privacy Act include:

  • promoting the protection of the privacy of individuals with respect to their personal information; and
  • recognising the public interest in protecting privacy.

Although the fair and reasonable test has not been introduced yet, entities subject to the Privacy Act should keep these objects in mind, as well as broad community expectations and other regulators’ expectations, when assessing their personal information handling practices.

New APP obligations

APP1 – transparency in relation to automated decision making

A key theme in the ACCC’s Digital Platforms Inquiry Report was the need for greater transparency and simplicity in privacy policies. Coupled with this is the government’s recognition of the need for the Privacy Act to reflect changes in the digital world. According to the attorney-general: “Strong privacy laws are essential to Australia’s trust and confidence in the digital economy and digital services provided by governments and industry”. The amendments regarding automated decision making are intended to address this need.

If the Bill is passed as drafted, entities will be required to update their privacy policies to set out information about their use of automated decision-making tools where the decision could reasonably be expected to significantly affect the rights or interests of an individual. This change is one of only a handful of amendments the Bill proposes to make to the APPs.

The Bill sets out the following examples of decisions that may affect the rights or interests of an individual:

  • a decision made under a provision of an Act or a legislative instrument to grant, or to refuse to grant, a benefit to the individual;
  • a decision that affects the individual’s rights under a contract, agreement or arrangement; and
  • a decision that affects the individual’s access to a significant service or support.

Entities which use automated tools to make decisions in these circumstances will need to identify:

  • the kinds of personal information used in the operation of these computer programs; 
  • the kinds of decisions made solely by the operation of these computer programs; and
  • the kinds of decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of these computer programs.

While the amendments represent a significant uplift for entities that rely on automated decision-making tools, the two-year transition period for these amendments to take effect could delay any meaningful impacts for individuals and the ability to exercise their rights for some time.

APP8 - Disclosing personal information overseas with more confidence

For entities which disclose personal information overseas, the Bill would introduce a mechanism for regulations to be made under APP 8 to prescribe countries that are subject to a law or binding scheme that protects the personal information of individuals in a way that is substantially similar to the APPs, and where there are mechanisms that individuals can access to enforce that protection.

Effectively, this will create a ‘white list’ of countries, similar to the General Data Protection Regulation (GDPR) ‘adequacy’ recognition mechanism, for the purposes of relying on the exception in APP 8.2(a) in place of complying with the conditions in APP 8.1. Given that the transfer of personal information across borders is now commonplace, this will make it easier for entities to rely on the APP 8.2(a) exception in future, without the need to undertake costly exercises to assess for themselves whether an overseas country meets these requirements. However, it does not assist Australian-based entities in meeting the requirements for transfers of data to them from jurisdictions with strong data protection laws and transfer requirements, such as EU member states.

APP11 – clarity about reasonable steps obligations

The Bill clarifies that the reasonable steps an entity must take in accordance with APP 11 to protect personal information include both technical and organisational measures. This means that entities will be required to implement not only technical data security protections, but also adequate governance and organisational structures. Examples given include encrypting data, securing access to systems and premises, and undertaking staff training - all measures which should be ‘business as usual’ for entities.

Responding to large-scale eligible data breaches

The amendments generally address the challenge of coordinating the response to a large-scale cyber event, in particular the sharing of personal information between the entities involved and among agencies. The Bill grants the relevant minister the power to make an ‘eligible data breach declaration’ if it is necessary or appropriate to prevent or reduce the risk of harm arising from a misuse of personal information following an eligible data breach – such as scam activity or identity theft - and to address malicious cyber activity. A declaration can specify:

  • the types of personal information that can be collected, used and disclosed;
  • the entities that are subject to the declaration; and
  • the purposes for information sharing.

Statutory tort for serious invasions of privacy

The Bill introduces the long-awaited statutory tort for serious invasions of privacy. Previous efforts to amend the Privacy Act have ignored various law reform recommendations to introduce the tort, including the Australian Law Reform Commission’s recommendation in 2014. The government has now included the tort in the Bill to address, in part, invasions of privacy that can flow from conducting our lives online but that may not be captured by the ‘doxxing’ offences proposed by the Bill, such as an invasion of privacy through the use of smart devices.

Jason Kaye

Senior Associate

Key elements of the cause of action include:

  • it only applies to serious invasions of privacy where the plaintiff would have a reasonable expectation of privacy and the defendant’s conduct was reckless or intentional; and
  • a ‘public interest balancing test’ where a court must be satisfied that the public interest in protecting the plaintiff’s privacy outweighs any public interest in the invasion of privacy.

There would also be a range of defences, including absolute privilege, publication of public documents, and fair report of proceedings of public concern, with a specific exemption for journalists.

It is not clear why the government decided to introduce the tort as part of the first tranche of reforms and not a direct right of action, as was recommended in the Privacy Act Review Report. The absence of this right is considered to be one of the reasons why Australian privacy laws are not equivalent to stricter global privacy laws such as the GDPR.

Criminal doxxing offences

The attorney-general has previously indicated that one of the key drivers of this tranche of the reforms was the introduction of doxxing criminal offences. As a result, while not part of the recommended reforms, the Bill proposes to introduce two offences in the Criminal Code Act 1995 (Cth). These are for:

  • publishing or distributing the ‘personal data’ of one or more individuals, using a carriage service – that is, online - in a way that would reasonably be considered to be menacing or harassing to those individuals; and
  • the offence as described above in circumstances where the information is personal data of one or more members of a group and the person engaging in the publication or distribution believes that the whole or part of that group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

The commission of an offence in the first scenario would carry a term of imprisonment of up to six years - or seven years if the conduct is aimed at targeting one or more of the specified traits.

Enhancing enforcement and code making powers

Tiered penalty system

The Bill introduces a new penalty regime, with new infringement notices and clarity about what constitutes a ‘serious’ breach.

In addition to the existing civil penalty provision for ‘serious’ interferences with privacy, other interferences with privacy would attract a civil penalty of up to 2,000 penalty units for individuals – currently AU$660,000 - and 10,000 penalty units for entities – currently AU$3.3 million.

The OAIC will also be able to issue infringement notices attaching a civil penalty of up to 200 penalty units, without the need to issue proceedings, for certain breaches of the APPs and ‘notifiable data breach’ scheme requirements which are not considered to be ‘serious’. These include:

  • APP 1.3 - the requirement to have a privacy policy;
  • APP 1.4 - the contents that must be in a privacy policy;
  • APP 2.1 - enabling individuals to choose not to identify themselves when dealing with entities;
  • APP 6.5 - failing to make a written note if an entity believes the use of personal information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
  • APP 7.2(c) or 7.3(c) – failing to provide a simple means for individuals to opt out of direct marketing;
  • APP 7.3(d) – failing to draw attention to the ability to opt out of direct marketing;
  • APP 7.7(a) - where an organisation uses or discloses personal information for direct marketing purposes - either for itself or for the purpose of facilitating direct marketing by other organisations and the individual has made a request not to receive direct marketing from either organisation - the failure to give effect to that request within a reasonable period;
  • APP 7.7(b) - notification of the source of information disclosed for direct marketing purposes;
  • APP 13.5 - failing to respond to requests to correct personal information within required timeframes – which is 30 days for agencies and a ‘reasonable time’ for organisations; and
  • Section 26WK(3) - failing to include all the required matters in an eligible data breach statement (‘notice’) that is submitted to the OAIC.

Additional powers for the OAIC

The information commissioner will be given a range of new powers, including:

  • monitoring powers that will be extended under the Regulatory Powers Act - for example, monitoring of certain provisions such as those under the Data-matching Program (Assistance and Tax) Act 1990 (Cth), or monitoring of information provided in compliance with the Privacy Act, such as the obligation to respond to the commissioner’s request for information relating to an eligible data breach; and
  • the power to develop an APP code, if directed to, or to temporarily respond to urgent situations, without waiting for industry to propose a code.

The information commissioner would also be required to develop a Children’s Online Privacy Code that will set out how the APPs are to be applied to the privacy of children. Entities falling within the Code’s remit include:

  • entities that provide social media services, electronic services or designated internet services as defined in the Online Safety Act 2021 (Cth) that are likely to be accessed by children, but not providing a health service; and
  • other entities that will be specified in the Code.

In addition, the attorney-general would have the power to direct the information commissioner to conduct a public inquiry into privacy matters.

Additional powers for certain federal courts

The Federal Court of Australia and Federal Circuit and Family Court of Australia would have expanded powers in civil penalty proceedings to make a range of additional orders in addition to civil penalties.

These include ordering the payment of compensation to individuals and requiring a defendant to take steps to minimise the impacts of an interference with privacy.

Next steps

Even though the Bill does not cover all the ‘agreed in principle’ recommendations from the Privacy Act Review Report that were hoped for, the proposed tiered penalty regime together with regulatory appetite for taking enforcement action, as well as the new tort, means entities could face enforcement action and claims for failures to comply with the APPs and the notifiable data breaches scheme.

Entities should be taking the following steps:

  • understanding their data holdings as a foundational step to reviewing their compliance across the APPs and the data lifecycle;
  • planning to make uplifts to meet existing APP and data breach notification obligations where necessary and improving privacy practices;
  • reviewing the use of automated decision-making tools to understand the way they use personal information and planning to uplift their privacy policies, as this may be a complex and lengthy process; and
  • reviewing the technical and organisational measures in place to protect the security of personal information, and ensuring it is destroyed or de-identified when it can no longer be retained.


Co-written by Jason Kaye and Gagan Singh of Pinsent Masons.
