The long-awaited Privacy and Other Legislation Amendment Bill 2024 was introduced to Parliament on 12 September 2024. The Government has framed its content as a first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) ‘to implement a number of the legislative proposals that were agreed by the Government in its September 2023 Response to the Privacy Act Review’.[i] Other more recent Government policy and priorities are also reflected in the Bill.
Among the reforms that made the cut for inclusion in this first tranche are:
- Provisions to strengthen avenues of enforcement by the Office of the Information Commissioner (OAIC) including a new mid-tier civil penalty for interferences with privacy and a low-level civil penalty provision for specific administrative breaches of the Privacy Act, together with infringement notice powers;
- Introduction of a cause of action in tort for serious invasions of privacy, modelled on the Australian Law Reform Commission’s 2014 report Serious Invasions of Privacy in the Digital Era (ALRC Report 123). A range of defences and exceptions are included. This statutory tort would provide for remedies including compensation;
- Amendment to the Criminal Code Act 1995 (Cth) to introduce new offences focussed on release of personal data using a carriage service in a manner that would be menacing or harassing – ie ‘doxxing’;
- A requirement for the OAIC to develop a new Children’s Online Privacy Code to enhance privacy protections for children in the online environment, especially when using digital platforms;
- Measures to increase transparency and certainty including:
  - Introducing a mechanism to prescribe countries and binding schemes as providing ‘substantially similar’ protections to the Australian Privacy Principles (APPs), intended to assist entities to assess whether they can lawfully disclose personal information to an overseas recipient (see APP 8.2(a) [Cross-border disclosure]);
  - Requiring entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
- Greater flexibility to disclose personal information to appropriate entities under an emergency declaration in specified circumstances.
While this first tranche is a good start, it leaves a long list of other agreed and agreed in principle reforms for (possibly much) later introduction. Among the highly anticipated reforms not introduced in this tranche were:
- Changes to reduce risks to privacy resulting from the small business, employee records, political and journalism exemptions, to meet current community expectations;
- Introduction of an overarching fair and reasonable test requirement for collection, use and disclosure of personal information, supported by specified relevant considerations;
- Introduction of a requirement for all APP entities (not just Government) to conduct a Privacy Impact Assessment for all high privacy risk activities;
- Introduction of a requirement for APP entities to establish their own maximum and minimum retention periods, to review periodically and destroy/deidentify personal information when no longer needed, and to specify retention periods in privacy policies.
Note that the proposal to introduce an unqualified right for individuals to opt out of their personal information being used or disclosed for marketing and of receiving targeted advertising, and to introduce a consent requirement for trading personal information, had not been agreed by the Government, but only noted.
This tranche of reform certainly arms the OAIC with greater enforcement powers and enables individuals to seek remedies in ways previously unavailable. It also gives greater scope for Ministerial intervention, as for example in relation to eligible data breaches where a provision of the Bill would empower the Minister to make a declaration enabling entities to handle personal information in a manner that would otherwise not be permitted under the APPs or certain secrecy provisions.
However, this Bill undoubtedly leaves behind many of the most urgently needed reforms proposed, possibly in favour of more industry consultation. As Privacy Commissioner Carly Kind stated in response to the Bill’s introduction:
The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors. Further reform of the Privacy Act is urgent, to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.[ii]
Next steps
If you require assistance ahead of the commencement of this tranche of Privacy Act reforms, please contact Deidre Missingham.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances.
[i] Explanatory memorandum p. 3
[ii] https://www.oaic.gov.au/news/media-centre/oaic-welcomes-first-step-in-privacy-reforms
Please also note that the law may have changed since the date of this article.