Modernising Australia’s Privacy Act: Navigating the first stage of proposed reforms

Key takeaways

The proposed reforms introduce a statutory tort for serious invasions of privacy, allowing individuals to sue for significant privacy breaches and seek damages, which marks a major shift in Australian privacy law.

The Information Commissioner would gain broader powers of investigation and enforcement, including issuing civil penalties directly, making compliance more stringent for organisations.

Organisations using automated decision-making systems will face new transparency requirements, needing to disclose how these systems use personal information, with new regulations set to take effect in two years.

“Woefully outdated and unfit for the digital age”. These were the words of the Attorney-General, who last week moved amendments to the Privacy Act 1988 seeking to address technological innovations, expand personal protections and keep in line with international counterparts.

Should the proposed changes become law, here’s what you need to know to stay compliant.

Last week (12 September 2024) the Attorney-General introduced three bills including the Privacy Act and Other Legislation Amendment Bill 2024 (Bill).

The long-awaited proposed reforms follow the Government Response (in September 2023) to the Privacy Act Review Report (PARR) issued by the Attorney-General’s Department in February 2023. The PARR detailed 116 recommendations, with 38 accepted in full, another 68 accepted in-principle, and the remaining 10 proposals ‘noted’, such as the right to opt out of targeted advertising. This first tranche of proposed reforms to Australia’s information privacy laws represents just some of the recommendations from the PARR, with some notable omissions which we previously summarised here.

The proposed changes include broader enforcement and investigative jurisdiction for the Information Commissioner, new data breach protocols and the introduction of a new statutory tort which would transform litigation in Australian privacy law.

Right of individual action for serious invasion of privacy

In what would represent a major shift in the Australian privacy landscape if enacted, the Government has proposed introducing a statutory tort for serious invasions of privacy.

Countries such as New Zealand, the United Kingdom, the United States, and Canada have civil causes of action for privacy invasions. In Australia, similar protections have long been debated and were first formally recommended by the Australian Law Reform Commission in its 2014 report, "Serious Invasions of Privacy in the Digital Era".

Currently, individuals who feel aggrieved have limited recourse, typically involving a complaint to the Commissioner about an APP entity's "interference with privacy," with the Commissioner having powers to seek undertakings or apply for penalty orders. Alternatively, personal or class action claims arising from breaches of privacy, such as the Optus data breach class action, have generally been based on breach of contract or negligence rather than on any privacy-specific cause of action.

The introduction of a specific tort for serious invasions of privacy in Schedule 2 would create a more robust litigation framework for individuals to pursue remedies for severe privacy intrusions.

To succeed in an action for the proposed tort of serious invasion of privacy, the following criteria would need to be met:

1. The defendant must have invaded the plaintiff’s privacy by doing one or both of the following:

          a. intruding upon the plaintiff’s seclusion; or 

          b. misusing information related to the plaintiff (regardless of whether the information is true).

2. A person in the plaintiff’s position must have had a reasonable expectation of privacy under the circumstances.

3. The invasion of privacy must have been intentional or reckless.

4. The invasion of privacy must be considered “serious”.

Assessing seriousness

When assessing the seriousness of an invasion of privacy, courts must evaluate factors such as the nature of the offence, the harm or distress caused to the plaintiff's dignity, whether the defendant should have anticipated that their actions were likely to offend, and whether the action was intentional or motivated by malice. It is important to note that the threshold for ‘seriousness’ in the context of the privacy invasion tort differs from that applied in determining civil penalties under section 13G for serious interference with privacy.

In an individual action for invasion of privacy, the elements of the tort focus on the impact or likely impact on the plaintiff. This contrasts with the civil penalty framework, which assesses objective factors such as the types of information accessed, the number of individuals affected, the vulnerability of those affected, whether the intrusion was continuous or repeated, and whether the entity failed to implement procedures to comply with its obligations. In the civil framework, factors such as intent aren’t necessarily considered.

Therefore, subject to judicial interpretation, there is likely a lower threshold for APP entities to face civil penalties for serious privacy breaches compared to the standard required for a tort claim.

Additionally, while damage may be a factor in determining the seriousness of the invasion and the appropriate remedies, plaintiffs would not need to prove actual damage to bring a successful claim.

Remedies

If a plaintiff succeeds in an action for serious invasion of privacy, the courts will have powers to order remedies which are "reasonable and appropriate" in the circumstances, including damages (excluding aggravated damages), compensation for non-economic loss, an order requiring the defendant to apologise, an injunction, or other remedies.

Availability and liability

While journalists, enforcement bodies and intelligence agencies would in general be exempt from claims under the proposed tort, a plaintiff may still succeed against other defendants if they can demonstrate that the public interest in protecting their privacy outweighs any competing public interests. Competing public interests that courts may weigh include freedom of expression, national security and the prevention and detection of crime.

The elements of the proposed cause of action do not appear to provide a basis for an individual affected by a data breach to bring a claim against an organisation that itself fell victim to a data breach caused by a threat actor, since the organisation would not have intentionally or recklessly misused the information. This will be welcome news to business and cyber insurers.

However, a data breach or other contravention of the Privacy Act caused by an organisation’s staff member misusing information related to a plaintiff could give rise to a cause of action against both the staff member and the organisation if vicarious liability can be established and the other elements of the cause of action above are otherwise satisfied.

PARR proposal 4.3 recommended broadening the definition of “personal information” to mean information ‘relating to’ an individual, with the aim of ensuring that the connection between the individual and the information is "not too tenuous or remote". Such a change would have helped clarify and potentially limit liability for entities in certain circumstances. Although the term "relating to" is used in section 7 of Schedule 2 of the Bill, there has been no formal amendment to the definition elsewhere in the Bill to reflect this change in scope.

Responsibilities for data sent overseas

The proposed amendment to overseas data flow measures aims to streamline compliance procedures for businesses who transfer personal information to particular countries. It will also introduce changes favourable to industry regarding liability for APP entities when disclosing personal information to those particular countries.

Currently, under APP 8.2, an APP entity can disclose personal information to an overseas recipient without complying with APP 8.1 (which requires entities to take reasonable steps to ensure that an overseas recipient does not breach the Australian Privacy Principles, other than APP 1, in relation to the information) if, relevantly, the APP entity 'reasonably believes' that the overseas recipient is subject to a law or binding scheme which protects personal information in a way that is substantially similar to the protections under the Australian Privacy Principles, and individuals to whom the information relates can access mechanisms to enforce that foreign law or scheme. However, under this system there remains significant potential liability for the APP entity, given that section 16C of the Privacy Act currently holds the disclosing APP entity accountable for the overseas recipient’s breaches of the APPs (other than APP 1).

New APP 8.3 would, if the proposed changes are accepted, allow the Governor-General to make regulations prescribing a particular country or binding scheme, provided the Attorney-General is satisfied that its privacy protections are substantially similar and that enforcement mechanisms are available. This change would provide APP entities with greater assurance, as they would no longer need to demonstrate both a reasonable belief and a reasonable basis for that belief (as is effectively required under APP 8.2). However, the amendment could pose challenges for entities that send data to countries they consider to have acceptable standards but which the Australian Government has not prescribed.

Conflicts around such adequacy models have arisen previously and led to the invalidation of the EU-US Privacy Shield in 2020 following the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II). The Court of Justice of the European Union found that the privacy protections offered by the US were inadequate compared to GDPR requirements. This was due to concerns that US surveillance programs could access the personal data of Schrems and other EU residents, while US law did not provide Schrems with an avenue for effective enforcement of his privacy rights.

Expanded OAIC investigation and enforcement powers

Under the proposed reforms, the Office of the Australian Information Commissioner (OAIC) would gain broader investigative and enforcement jurisdiction.

The Bill incorporates the agreed in-principle recommendation to enable the OAIC to issue penalties directly for lower-tier contraventions without requiring a Federal Court order. It also introduces a tiered civil penalty regime and grants new investigative powers.

The Regulatory Powers (Standard Provisions) Act 2014 outlines a framework for investigating whether a regulatory provision has been contravened, including powers of entry, inspection, search and seizure. The proposed amendments would authorise the Information Commissioner and their staff to act as authorised applicants under this framework.

Additionally, the Information Commissioner would gain the power to issue a range of tiered civil penalties (fines) for violations of specific APP obligations, such as the requirement to have a privacy policy (APP 1.3), the requirement to inform individuals of their ability to opt out of marketing material (APP 7.3), or …; and for failures to give sufficient information or provide timely notice to individuals affected by an eligible data breach.

Under the legislation, the Minister would also be able to approve a public inquiry into certain APP entities, which would undoubtedly pose a public relations nightmare for any entity found to have contravened the Act.

With such an increasingly stringent enforcement and investigative regime potentially around the corner, APP entities must use this time to ensure APP compliance.

Transparency requirements for automated decision making

Entities that use machine learning, artificial intelligence, or other automated decision-making programs will be subject to more stringent responsibilities under the Act. This includes programs that assess an individual’s eligibility for significant services or their rights under a contract.

Going forward, these entities would need to state explicitly in their privacy policy which kinds of personal information are used by such automated systems, and the kinds of decisions made, in compliance with proposed APP 1.8, and this information must be presented in an ‘easy-to-navigate’ web publication. The requirement applies where the decision is wholly or substantially automated, ensuring that minimal, ‘tokenistic’ human involvement cannot be used to circumvent the regulation.

Given the widespread use of automated processes, particularly in the recruitment, technology, insurance and financial services industries, updating procedures to comply with these requirements before commencement will be crucial if the Bill is passed.

Organisations will need to undertake a review of what automated decision-making processes take place in their organisations and update their privacy compliance documentation.

Perhaps in a nod to the significant organisational adaptations that may need to occur, these new requirements would only commence 24 months after royal assent.

Data breach declarations

Following an ‘eligible data breach’, the proposed changes would allow the Attorney-General to issue a declaration if they determine it is necessary and appropriate to prevent or reduce the risk of harm from the misuse of personal information.

This declaration would enable the affected entity to share personal information (in circumstances or to recipients which would otherwise cause the entity to breach the Privacy Act) to mitigate risk of harm occurring to individuals. For example, it could allow an entity who suffered a data breach to provide banks with the names of individuals whose details have been compromised, helping to protect their accounts. Such measures will likely be welcomed by both consumers and APP entities, to avoid significant harm to their users.

Provisions also allow for the sharing of personal information between government agencies for disaster and emergency responses, with the purpose of identifying individuals who are deceased, at risk of injury, or otherwise affected by the event.

Children’s Online Privacy Code

The proposed Bill aims to establish a Children's Online Privacy Code, modelled on the United Kingdom’s Age Appropriate Design Code. This initiative is expected to complement the Federal Government’s broader online safety agenda, including a recent announcement that it plans to introduce legislation banning social media accounts for minors by the end of the year.

The Code will apply to social media services, websites frequently visited by children, and potentially other APP entities specified in the Code. Private sector and independent schools will likely be impacted by these changes.

As the legislation currently only enables the Information Commissioner to develop the Code, details about specific protections are not yet available. However, clues may be found in the initial Government Response to the PARR, which agreed in-principle that organisations collecting data from minors should assess on a case-by-case basis whether an individual under 18 has the capacity to consent. The recommendation is that consent is valid only if it is reasonable to expect that the individual understands the nature, purpose, and consequences of the information collection.

New criminal offence of doxxing

While not related to commercial compliance, Schedule 3 of the proposed changes aims to introduce two new criminal offences to address the increasing issue of online ‘doxxing’ — the malicious act of revealing personal information about someone online.

A person would be guilty of an offence if they use a carriage service to distribute someone’s personal data in a manner that a reasonable person would consider menacing or harassing. ‘Personal data’ is defined as any information that can be used to identify, contact or locate an individual.

The offence carries a maximum penalty of six years imprisonment. If the victim is targeted due to their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or ethnic origin, a more aggravated offence applies, carrying a maximum penalty of seven years imprisonment.

Penalties for interferences with privacy that are “serious”

Under the current provisions of the Privacy Act, an APP entity may be liable under a civil penalty provision if it “does an act or engages in a practice that is a serious interference with the privacy of an individual”, or if “the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals”.

The Bill would remove “repeated” as a standalone basis for a breach, meaning that (for the purposes of applying the higher-tier civil penalty provisions) an APP entity may be liable if it does an act or engages in a practice that is “an interference with the privacy of an individual” and the interference is “serious”, regardless of whether the act or practice is repeated.

The Bill would also enshrine the matters to which a court may have regard when determining whether the interference is “serious”. The proposed matters are:

  • the particular kind or kinds of information involved;
  • the sensitivity of the personal information;
  • the consequences or potential consequences of the interference with privacy for the affected individual;
  • the number of individuals affected by the interference with privacy;
  • whether the individual is a child or person experiencing vulnerability;
  • whether the act or practice was done repeatedly or continuously;
  • whether the contravening entity failed to take steps to implement practices, procedures and systems to comply with its privacy obligations in a way that contributed to the interference with privacy; or
  • any other relevant matter.

What’s next?

With a federal election due by May 2025 at the latest, the Government will likely seek to expedite the passage of the legislation within the next six months.

If passed, most provisions would take effect the day after royal assent. However, a specific civil penalty related to individual privacy under the Digital ID Act 2024 would only apply at the earliest on 1 December 2024, when that Act commences. Additionally, the rules governing automated decisions would not come into effect for 24 months, presumably to allow entities sufficient time to update their procedures to ensure compliance. The new statutory tort would take effect on a day fixed by proclamation, and no later than six months after royal assent.

With dozens of agreed in-principle recommendations from the PARR still outstanding, industry should also be aware of the prospect of further amendments being introduced in the next parliamentary term.

How to prepare

Overall, the proposed reforms seek to target harmful privacy practices and provide a more robust regulatory regime, without placing a significant new cost burden on Australian businesses.

Organisations should take this time to prepare for these privacy law changes, including by taking steps such as:

  • Regularly review internal processes, risk management strategies, data breach response plans, privacy compliance documentation, and information collection and handling practices. Pay particular attention to practices that are high-risk or intrusive, or that involve tracking, monitoring or surveillance of individuals, particularly children.
  • Regularly (such as annually) review and update the organisation’s privacy policy and collection notices.
  • Examine information collection, data storage practices and access controls to consider whether these can be further limited to improve privacy compliance.
  • Minimise the risk of information misuse, by doing data de-identification or destruction for non-critical data (while also balancing the organisation’s remaining data retention obligations).
  • Consider whether any current uses of personal information could cut across the public interest in protecting privacy, and accordingly may need to be altered or discontinued to remain compliant with the Privacy Act.