Australian privacy law reforms: What you may have missed

James Constantine, Sam Fiddian, Sharon Segal and David Benson
04 Oct 2024
5.5 minutes

Reviewing your governance framework, your contracts and your privacy policies and training should all be priorities as we await the latest tranche of privacy reforms.

On 12 September 2024, the Commonwealth Government introduced the Privacy and Other Legislation Amendment Bill 2024 containing the first tranche of amendments to the Privacy Act 1988 (Cth). The headline amendments are a statutory tort for serious invasions of privacy and new doxxing offences. In this article we discuss a number of less headline-grabbing measures which may nevertheless have a significant impact on your organisation’s privacy risk profile.

A privacy cop with increased powers and more ways to punish

The Commissioner’s enhanced powers

The Bill seeks to expand the Office of the Australian Information Commissioner’s (OAIC) regulatory toolkit by better enabling it to monitor compliance, investigate potential contraventions, and mould relief to fit the offence. This includes:

  1. New monitoring and investigatory powers – The Commissioner is to have additional powers to monitor and investigate:
      1. offence and civil penalty provisions in the Privacy Act;
      2. certain privacy related civil penalty provisions within the Commissioner’s remit under the Digital ID Act 2024 (Cth), Healthcare Identifiers Act 2010 (Cth), My Health Records Act 2012 (Cth) and the Competition and Consumer Act 2010 (Cth); and
      3. certain offence provisions in the Crimes Act 1914 (Cth) and the Criminal Code.

The increased powers will enable the OAIC to search premises and seize evidence, bringing it in line with other Commonwealth regulatory bodies.

  2. Greater range of outcomes following investigation of complaints – The Commissioner currently has the power to require a respondent to take steps or perform certain actions following the investigation of a complaint. The Bill proposes to expand the scope of the determinations the Commissioner can make to include directions that the respondent is to prevent or reduce any reasonably foreseeable loss or damage that is likely to be suffered. This would require the respondent to identify any reasonably foreseeable consequences of a breach, and to take reasonable steps to mitigate those risks.
  3. Undertaking public inquiries – The Commissioner will be able to seek the approval of the Minister to undertake public inquiries and prepare a report in relation to specified matters relating to privacy, such as investigating systemic industry-wide acts and practices. The Commissioner would have the power to require the production of documents and information and to invite submissions to assist in conducting the public inquiries.

New penalties for privacy breaches

Presently, the OAIC can only seek civil penalty orders where there have been serious interferences with privacy. This is a high bar, and very few civil penalty proceedings have been brought. The Bill would introduce new “mid-tier” and “low-tier” civil penalty provisions for specific breaches of the Privacy Act.

The “mid-tier” civil penalty would see corporations liable for up to $3,300,000 ($660,000 for other entities) for an act or practice that is an interference with the privacy of an individual.

The explanatory memorandum provides guidance on what may constitute a contravention of the mid-tier civil penalty provision. This includes where an organisation fails to notify individuals of an eligible data breach as soon as practicable. It is also intended to act as a deterrent against organisations gaining commercially or obtaining a competitive advantage by using or disclosing personal information for an unrelated secondary purpose without having obtained the necessary consent from individuals in accordance with Australian Privacy Principle (APP) 6. Certain breaches of the Data Availability and Transparency Act 2022 (Cth), Digital ID Act 2024 (Cth) and Identity Verification Services Act 2023 (Cth) may also amount to a contravention of the mid-tier civil penalty provision.

The “low-tier” civil penalty regime would see corporations liable for up to $330,000 ($66,000 for other entities) for a failure to comply with certain parts of the APPs, including a failure to have a compliant privacy policy, a failure to provide written notice of certain uses or disclosures of personal information, and the failure to provide a simple means for an individual to opt out of direct marketing communications. The penalty can also be sought for a failure to include the mandated content in a statement about an eligible data breach. The Commissioner can issue an infringement notice for such breaches up to a maximum of $19,800 for corporations or $66,000 for listed corporations. If an organisation does not agree to pay the fine, civil penalty proceedings may be brought against them.

The Bill also proposes to give the Federal Court of Australia and Federal Circuit and Family Court of Australia the power to make other orders where a contravention is established. These orders include directing the contravening entity to redress or pay compensation for the loss or damage suffered by an individual, to engage or not engage in an act or practice to avoid repeating or continuing contraventions, or to communicate a statement about a contravention.

Amendments to the APPs

Improved overseas data flows on the horizon

The Bill proposes amendments to APP 8 (cross-border disclosure of personal information) that are intended to enhance the free flow of information across national borders.

APP 8.1 currently requires entities to take reasonable steps prior to disclosing personal information offshore to ensure the overseas recipient does not breach the APPs in relation to the information. The disclosing entity is held accountable if the overseas recipient breaches the APPs (even if the disclosing entity took the reasonable steps required under APP 8.1). This framework is intended to ensure that personal information leaving Australia continues to have an appropriate level of privacy protection when it is handled offshore.

The requirement in APP 8.1 is subject to certain exceptions, including if the entity reasonably believes that the overseas recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the way in which the APPs protect the information, and there are mechanisms that individuals can access to take action to enforce that protection. To date, the OAIC has not provided guidance on whether particular laws or schemes satisfy this exception, leaving entities to struggle with their own assessments about the adequacy of foreign laws and schemes.

The Bill proposes to introduce a new mechanism for the Government to prescribe countries or binding schemes that provide substantially similar privacy protections to the APPs and enforcement mechanisms for individuals. Where an overseas recipient is subject to the laws of a prescribed country, or a prescribed scheme, an entity would not need to comply with the requirement in APP 8.1 before disclosing personal information to the overseas recipient, and it would not be held accountable for any privacy breaches by the overseas recipient. This development would reduce the current burden on entities in making adequacy assessments and provide greater certainty about whether personal information is permitted to be disclosed offshore.

Automated decision-making (ADM) processes

To address the use of ADM processes in decisions that may significantly affect an individual, the Bill proposes amendments to APP 1 (open and transparent management of personal information) which would require a privacy policy to address the use of ADM processes, including the kinds of personal information used and whether the decision is made solely, or substantially and directly, by the operation of the ADM process.

The Government has also agreed to introduce a right to request meaningful information about how automated decisions are made, which is likely to be the subject of a later tranche of amendments to the Privacy Act. Interestingly, none of these proposed amendments impose any obligation on an organisation to ensure that its ADM processes do not produce harm, bias or discrimination, which was a key feature of Western Australia’s recent Privacy and Responsible Information Sharing Bill 2024 (WA).

Security and destruction of personal information

It is also proposed that APP 11 (security of personal information) be amended to clarify that “reasonable steps” to secure personal information include “technical and organisational measures”. Examples of technical measures would include the use of encryption, multi-factor authentication and strong passwords; organisational measures would include ensuring policies and procedures are operationalised through, for example, training. While these changes are not controversial and have long been considered best practice, their express inclusion leaves organisations little excuse should such measures not be in place or not be kept to current best practice.

The next tranche of privacy reforms – and what you can do now

The Attorney-General has indicated that draft legislation will be prepared for the second tranche of amendments to the Privacy Act in the coming months.

What will be dealt with in this next tranche is not known. However, there are a number of key areas for reform identified during the Government’s Privacy Act Review which are yet to be addressed, including changes to the definition of “personal information” and “sensitive information”, a new “fair and reasonable” test to govern the collection, use and disclosure of personal information, amendments to improve transparency over an organisation’s privacy practices, and empowering individuals in respect of their personal information.


There are steps that can be taken now to prepare for the implementation of the new privacy obligations in the Bill and prepare for future amendments. These include:

  1. Reviewing your governance framework. This will include reviewing your policies (e.g. your privacy policy and data breach response plan), collection notices, procedures and guides, and considering them against how you actually collect and handle personal information throughout its lifecycle.
  2. Reviewing your contracts. This will include reviewing contracts which involve the sharing of personal information to ensure that the counterparty is under sufficiently robust contractual obligations with respect to privacy. The new penalty provisions might cause you to revisit any previous decision not to include indemnities for breaches of privacy obligations.
  3. Operationalising policies, procedures and guides through ongoing training and simulations.

If you would like to discuss how these amendments will impact your privacy and data protection obligations and practices, please do not hesitate to contact us.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.