The Australian Government tabled the Privacy and Other Legislation Amendment Bill 2024 on 12 September, marking a significant shift in the way businesses must handle personal data.
In the 2023 Government response to the Attorney-General’s Privacy Act Review Report, the Government ‘agreed’ to 38 of the 116 proposals from the Report, with a further 68 ‘agreed-in-principle.’ The Amendment Bill specifically implements 23 of the ‘agreed’ proposals directed at legislative changes, leaving out the ‘agreed-in-principle’ proposals, which are primarily focused on enhancing guidance from the Office of the Australian Information Commissioner (OAIC) and further consultation.
These changes are part of a broader effort to modernise the Privacy Act 1988 (Cth), ensuring it remains fit for purpose. With the rise of data breaches, identity theft, and other online harms, the new amendments aim to bolster privacy protections for individuals while placing new responsibilities on businesses.
The Bill introduces several important reforms that businesses must be aware of, including the introduction of a new cause of action in tort for serious invasions of privacy and the criminalisation of doxxing—both of which have significant implications.
One of the most significant changes for businesses is the introduction of stronger penalties for breaches of the Australian Privacy Principles (APPs). The OAIC now has access to a broader range of enforcement options, including the ability to seek civil penalties tailored to the severity of the privacy breach. This change addresses a gap in the current law, where penalties were previously reserved only for the most egregious violations.
For businesses, this means that even minor or repeated breaches of privacy could result in substantial financial penalties. The maximum penalty for a person will be $660,000. For bodies corporate, the maximum penalty will be $3.3 million.
Companies will need to ensure their data handling practices are robust and compliant to avoid these new penalties.
The amendments introduce new requirements for transparency, particularly in how businesses handle personal data, including:
Security of Personal Information: The Bill introduces a new requirement under APP 11.3 that clarifies ‘reasonable steps’ to protect personal information, explicitly including technical and organisational measures. This aligns with international standards, such as the EU’s General Data Protection Regulation (GDPR).
Facilitating Overseas Data Flows: To support cross-border information flow, the Bill proposes a mechanism that allows the Government to prescribe countries with privacy laws equivalent to the APPs. This should simplify the process for businesses considering whether to transfer data overseas.
Automated Decision-Making Systems: The Bill requires that privacy policies explicitly disclose when personal information is used by automated systems to make decisions that could significantly affect an individual’s rights or interests. This ensures greater transparency in the use of AI and other automated technologies.
As a result, companies will need to include detailed information in their privacy policies about automated decision-making processes that significantly affect individuals. This is particularly relevant for businesses using AI and other automated systems to process customer data.
Moreover, the new legislation mandates that businesses take “reasonable steps” to protect personal information, explicitly requiring technical and organisational measures. This could include implementing encryption, securing access to systems, and regular staff training. These steps are crucial not only for compliance but also for protecting customer trust in a data-driven economy.
Another critical aspect of the amendments is the provision for handling personal data during emergencies. The Privacy Act now allows for more flexible and targeted sharing of personal information in response to emergencies or disasters. This is particularly relevant for businesses in sectors like health, emergency services, or any industry that may be involved in disaster response.
Businesses will need to understand the new rules surrounding emergency declarations and ensure they are prepared to handle personal information in these situations without contravening the Act. This could involve updating internal policies and training staff on the specific conditions under which personal data can be shared during emergencies.
The introduction of a statutory tort for serious invasions of privacy represents a significant legal shift. This new tort allows individuals to seek compensation if their privacy is invaded, either through the misuse of their information or physical intrusion. For businesses, this means that any privacy breach, intentional or otherwise, could lead to legal action.
To establish a claim, the plaintiff must prove the following:
This cause of action provides for various remedies, including injunctions, declarations, apologies, and compensation, with caps on certain types of damages. Notably, the plaintiff does not need to prove actual damage to bring a claim, which broadens the scope for potential litigation.
Companies must be vigilant in their data protection practices, ensuring they have robust safeguards in place to prevent privacy invasions. This could involve regular audits, updating security protocols, and ensuring that all data handling practices are fully compliant with the new legislation.
The amendments also introduce new criminal offences targeting the malicious release of personal data, commonly known as doxxing. This is a direct response to the growing issue of online harassment and abuse, where individuals’ personal information is shared with malicious intent.
Two specific offences have been introduced:
For businesses, particularly those operating online platforms or social media, this means stricter monitoring and control over how personal data is shared and stored. Companies must ensure that they have policies in place to prevent doxxing and other forms of data misuse, as failing to do so could result in criminal liability.
The Bill expands the authority of the Federal Court of Australia and the Federal Circuit and Family Court of Australia in civil penalty proceedings, allowing them to issue broader remedies beyond pecuniary penalties. Additionally, the OAIC is empowered with enhanced investigative and monitoring powers, including the ability to conduct public inquiries into privacy matters.
The amendments to the Privacy Act represent a comprehensive update designed to address the challenges of the digital age. For businesses, this means greater responsibility and accountability in how they handle personal data. By taking proactive steps now—such as reviewing and updating privacy policies, enhancing data security measures, and training staff—companies can ensure they remain compliant and continue to build trust with their customers in this new regulatory environment.
de.iterate can help you improve your Privacy Act compliance.