This morning the Attorney-General tabled before Parliament the Australian Government’s initial tranche of proposed privacy reforms in the form of the Privacy and Other Legislation Amendment Bill 2024.
The Bill represents a landmark suite of reforms and is the culmination of a lengthy Government consultation process. It seeks to implement several of the legislative proposals that were agreed or “agreed in-principle” in the “Government response to the Privacy Act Review”.
These reforms signal a tougher approach overall to privacy protection. Among other proposed changes, they enhance existing privacy measures and introduce a new statutory tort for serious invasions of privacy. The full ramifications will be considered in future articles. We outline some of the key proposed reforms set out in the Bill below.
Anti-doxxing
The Bill proposes to criminalise “doxxing” (the release of an individual’s personal information using a carriage service that is menacing or harassing towards the individual). The proposed new offence carries a hefty penalty of six years jail time (or seven years’ jail time if a person carries out doxxing in whole, or in part, because they are targeting a person due to the person’s race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin).
Statutory tort for serious invasions of privacy
The Bill proposes to establish a new statutory tort for serious invasions of privacy, which has been on the horizon for several years but until now had not seen fruition in the form of a Bill. Under the proposed reforms, to succeed in a cause of action for a serious invasion of privacy against another person (a defendant), the plaintiff must establish:
- the defendant invaded the plaintiff’s privacy by doing one or both of the following:
- intruding upon the plaintiff’s seclusion; or
- misusing information that relates to the plaintiff;
- a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances;
- the invasion of privacy was intentional or reckless; and
- the invasion of privacy was serious.
The new proposed tort is subject to an important public interest balancing test where a court must be satisfied, based on evidence adduced by the plaintiff, that the public interest in protecting the plaintiff’s privacy outweighs any public interest in the invasion of the privacy.
The Bill proposes that an invasion of privacy is actionable without proof of damage.
The Bill provides for a series of exemptions to the statutory tort, including for enforcement bodies, intelligence agencies and for journalists in respect of “journalistic material” (that is, material which has the character of news, current affairs or a documentary or consists of commentary or opinion on, or analysis of, news, current affairs or a documentary).
Automated decision-making
The Bill provides individuals with greater transparency in respect of the use of their personal information in computer automated decisions that significantly affect their rights or interests. The Bill proposes that APP entities will be required to provide information about such automated decision-making activities and the kinds of personal information used in such activities, within their privacy policy.
Children’s Online Privacy Code
The Bill requires the Information Commissioner to develop a Children’s Online Privacy Code about online privacy for children. Some APP entities will be bound by this Code in circumstances where they provide social media or other online services and the service is likely to be “accessed by children”.
Information sharing
Subject to parameters, the Bill facilitates the sharing of personal information in specified additional circumstances, including where a Minister’s declaration is in place and there has been an eligible data breach of an entity and the sharing of personal information is required to prevent or reduce the risk of harm arising from the misuse of personal information. For example a declaration could be made which permits the disclosure of personal information to banks to enable them to undertake enhanced monitoring and safeguards for their customers affected by the breach. The Bill also introduces new controls in relation to the sharing of personal information during emergencies or disasters.
Cross-border data transfers
The Bill builds on APP 8 and includes a mechanism to permit the disclosure of personal information to an overseas recipient who is subject to the laws of a prescribed country or a prescribed scheme. Countries and schemes can be prescribed that provide substantially similar privacy protections to the APPs. This is a mechanism that is intended to enhance the free flow of information across national borders by providing greater certainty to entities that disclose personal information offshore,
Enhanced privacy measures
The Bill enhances the Information Commissioner’s powers and introduces new civil penalties for particular breaches of the Privacy Act 1988 (Cth), including where an entity breaches specific Australian Privacy Principles. The Bill also provides additional rights to the Minister, including to make declarations in respect of various matters relating to privacy.
Other amendments
The Bill contains a number of other amendments, which we have not summarised, including specifying the implementation of technical and organisational measures as reasonable steps that should be taken to destroy or de-identify personal information when it is no longer needed.
Further privacy reforms
In introducing the Bill into Parliament today, the Attorney-General foreshadowed that these privacy reforms will not be the last and that further reforms will be developed by the Commonwealth in the coming months. It will be interesting to see what shape any future reforms take, including how the Government addresses existing exemptions under the current form of the Privacy Act 1988 (Cth).
Please feel free to contact us if you would like more detail about these proposed reforms.