From Data Security to Doxxing: unpacking the first tranche of Privacy Act Reforms.
The Australian Government has taken a first step forward in its effort to bring Australian Privacy laws into the digital age, with the introduction of the Privacy and Other Legislation Amendment Bill 2024 (Bill) into Parliament last week.
This announcement comes just shy of the one-year anniversary of the release of the Australian Government’s response to the Attorney General’s Privacy Act Review Report, whereby it accepted the need for a privacy regime that offered greater privacy protections, and would remain “fit-for-purpose” in the evolving digital economy.
Though the Bill is not yet the fundamental overhaul that was ultimately anticipated, it does contain a number of reforms that will impact the way businesses manage, store, and handle personal information and data, and will form the basis of a realignment of Australians’ expectations of a broader right to privacy.
Highlights
- The changes signal a major shift in personal data management in Australia, aligning privacy laws with modern digital realities.
- Key reforms include addressing doxxing, enhancing children’s privacy protections, and introducing a Children’s Privacy Code.
- Businesses must update their privacy systems to ensure compliance with the new laws, particularly in areas like automated decision-making transparency.
- The reforms also aim to facilitate seamless global data transfers, helping Australian businesses compete internationally.
Background
In our previous article, we discussed the Government’s formal position on each of the 116 recommendations provided for in the Privacy Act Review Report, and touched on the changes that were to be implemented immediately through the new legislation. Of the agreed proposals, we discussed:
Additional protection for individuals, which would address the need for greater transparency with respect to the full range of purposes for which personal information is being used, and provide specific protections or considerations for children privacy in the digitised environment;
Operational clarity for overseas transfers and data security, which would see the introduction of an adequacy mechanism to prescribe countries and certification schemes that provide protection that is ‘substantially similar’ to the Australian Privacy Principles (APPs); and
More nuanced enforcement, which would offer lower tiers of penalty for wrongdoings that fail to satisfy the threshold for ‘serious or repeated’ interferences with privacy that allow for enforcement actions to be taken under the current regime.
Key changes
In what the government has called a “first tranche” of reform, the Bill introduces a statutory tort for serious invasions of privacy, expands investigative powers for the Australian Information Commissioner, and establishes new criminal offences targeting harmful practices such as doxxing. It also imposes second-tier civil penalties for non-serious privacy breaches, and outlines how personal information should be handled during emergencies. Many updates are designed with the digital age in mind, including new transparency obligations for the use of AI and the introduction of a children’s privacy code to strengthen online protections for minors.
Notably, many of the proposed reforms that were put forward in last years’ Privacy Act Review Report, have been omitted from the Bill. For instance, some of the most significant ‘agreed in principle’ proposals we discussed in our previous article, such as updating the definition of “personal information” and abolishing exceptions for small businesses, have been left out.
Of course, that is not to say that the changes the draft legislation captures are insignificant. Rather, it illustrates the considerable reforms still needed to make Australia’s Privacy Laws entirely fit for purpose in the digital age.
Enhanced Privacy Protections and Enforcement
The Bill proposes several key reforms that, if enacted into law, will serve to enhance the protections offered by the Act, and provide additional enforcement powers for interferences with privacy. These are outlined below:
- Code-making powers
Provisions have been introduced strengthening the Information Commissioner’s power to develop and implement new APP codes. These can be used to address specific use cases that present unique or immediate privacy impacts. - Provisions for Emergency Data Sharing
New guidelines for sharing personal information during emergencies require that emergency declarations clearly outline what information can be handled, which entities are authorised to manage it, who can receive it, and the purposes for its use. This ensures enhanced protection of personal privacy while still allowing effective emergency responses. - Children’s Online Privacy Code (COP Code)
To enhance privacy protections for children in the digital space, the Information Commissioner will be required to develop and register a COP Code (an enforceable APP code) within two years of the Bill’s coming into force. The COP Code will apply to entities providing services to children, such as social media platforms. - Security, retention and destruction
Further clarification has been provided regarding the measures entities are expected to take to ensure the security and protection of personal data. This includes implementing both ‘technical and organisational’ measures, such as securing access to premises, encrypting data, and training employees on data protection. - Overseas data transfers
New mechanisms have been introduced to facilitate the safe transfer of personal data across borders, including to prescribed ‘white listed’ countries and the use of binding schemes, which provide substantially similar privacy protections to the APPs. These measures are intended to ease the burden on entities having to assess the ‘adequacy’ of overseas regimes or having to negotiate detail privacy arrangements with data recipients, enabling less friction when dealing with overseas trading partners. - Eligible data breaches
The Minister may now make an ‘eligible data breach declaration’, allowing entities to handle personal information in a manner that would not normally be allowed under the APPs. This right may only be exercised when it is necessary to prevent or reduce the harm to individuals following an eligible data breach. - Increased clarity on serious breaches
The Bill has clarified what courts will consider when deciding whether a privacy breach is ‘serious’, for instance, the sensitivity of the information and the consequences of the breach. - Non-serious breaches
The Bill introduces a second-tier of civil penalties for non-serious privacy interferences, meaning that entities can now be held accountable for a wider range of breaches. Examples of non-serious breaches include not having a privacy policy or having one which lacks the required information. - Increased monitoring and investigative powers
The Bill introduces the right for the Information Commissioner to conduct public inquires into specified matters, subject to ministerial approvals. - Determinations following investigations
The Bill expands the scope of determinations that the Information Commissioner can make following a privacy breach. The Commissioner can not only require an entity responsible for a privacy breach to take reasonable actions to address any damage already suffered, but can also now demand that an entity takes steps to prevent or reduce future loss or damage. - Transparency and Automated Decision-Making
Entities will be required to disclose when personal information is being used in automated decision-making processes that significantly affect an individual’s rights or interests. Privacy policies will now be required to include details of kinds of information that will be used through computer programs (to include AI and machine learning), and the types of decisions that are being made by those programs.
New Statutory Tort for Serious Invasions of Privacy
Individuals can seek remedies against other individuals for intentional or reckless intrusions of privacy. This applies when a person has a reasonable expectation of privacy, and the invasion is serious. Conceptually, this may be the most significant change to the Act if passed, as it would regulate privacy rights as between individuals, rather than addressing the handling of personal information by agencies and organisations. Together with the doxxing proposals, we see an evolution towards the establishment of a sense of online ‘privacy’, and actionable privacy rights between individuals.
Doxxing
Criminal offences for doxxing have been introduced which deal with the release of personal information with malicious intent. The use of communication platforms (such a social media) to distribute personal data in a manner considered to be menacing or harassing has been criminalised, with imprisonment as the penalty. Increased sentences apply where a person is targeted based on race, gender, religion, or other protected characteristics.
Key takeaways
These changes mark a significant shift in how personal data is managed in Australia, by beginning to align privacy laws with the realities of the digital age through increased regulation of agencies and organisations, and the express recognition of personal privacy rights as an actionable concept between individuals.
It is crucial for businesses to understand these reforms and ensure their privacy systems are up to date to maintain compliance. The new laws addressing doxxing and enhancing protections for children’s privacy are particularly important, as they address the need to protect individuals from online harm. Similarly, compliance with a new Children’s Privacy Code, and transparency around automated decision making, will require specific attention.
On the other hand, there is recognition of the need to provide lawful mechanisms to support frictionless digital, global transactions. The reforms also present opportunities for easier global data transfers, enabling Australian entities to compete more effectively in international markets.
Are you ready?
When was the last time you reviewed your privacy policy or assessed the strength of your privacy mechanisms? With the proposed changes, it is a good time to conduct a privacy risk assessment to stay ahead of the evolving regulations and ensure your business remains compliant.
If you have any questions, or require any assistance, please don’t hesitate to contact our team of privacy experts.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.