Australian government takes first step towards significant and well-overdue privacy reform

Category: Corporate & Commercial Law, Banking & Finance
Date: 01 October 2024
Author: Andrew Campbell - Genuine People
Earlier this month, the Privacy and Other Legislation Bill 2024 (Bill) was introduced to the House of Representatives. It contains the first of many proposed amendments to the Privacy Act 1988 following the Attorney-General's Privacy Act Review Report released in February 2023 and the Government's response to that report. We consider this to be the first step on the long path to modifying, modernising and finally reforming Australia's privacy laws. The Bill, and the laws it aims to enact, seek to enhance the protection of personal data and privacy for Australians, reflecting a growing global emphasis on safeguarding individual information in the digital age. Notably, after the high media attention earlier this year on the leak of WhatsApp messages, the Bill introduces wide-reaching criminal offences for 'doxxing' and an online Children's Privacy Code. There are also significant considerations for business, as the changes will affect the Australian Privacy Principles and the reasonable steps that businesses must take to protect information. The Bill's key features include:
  1. Implementation of Australian Privacy Principle (APP) 11.3: this new APP adopts the wording used in Article 32 of the EU General Data Protection Regulation. The Bill's explanatory memorandum provides examples of technical measures; however, there is currently limited practical guidance as to how businesses can protect personal information.
  2. Introduction of the 'White List': the Bill proposes to better support international data flows by allowing the government to prescribe countries with similar privacy laws, so that businesses can better assess whether to disclose personal information to an overseas recipient. This will enhance compliance with the APPs and the obligation to take reasonable steps to ensure that an overseas recipient does not contravene the APPs. It is unclear at this time which countries might be included on this 'White List'.
  3. Stricter data protection standards: the Bill seeks to strengthen existing privacy laws by imposing stricter requirements on businesses and organisations that collect personal data. Practically, businesses will need to be more transparent with customers as to how they handle personal information.
  4. Increased civil penalties for non-compliance: businesses that fail to comply with any new laws that pass could face high penalties. These penalties will be commensurate with the seriousness of the interference with privacy.
  5. The requirement for greater transparency in relation to automated decision making: the Bill proposes that businesses will be required to update their privacy policies to set out information about their use of automated decision tools where the decisions could reasonably be expected to significantly affect the rights or interests of an individual.
  6. Proposed statutory tort for serious invasions of privacy: the Bill proposes the implementation of a cause of action that will allow individuals to sue for serious invasions of privacy in circumstances where the individual had a reasonable expectation of privacy. There are, however, proposed limitations and exceptions to this.
  7. Enhanced rights for individuals: the Bill proposes to give individuals more control over their personal data. This includes rights to access, correct, and delete their information, making it easier for individuals to manage what data businesses hold about them.
  8. Data breach notification: in the event of a data breach, businesses are already required to notify affected individuals promptly. The Bill takes this a step further by introducing 'eligible data breach declarations'. A declaration will permit the sharing of personal information following a notifiable data breach for the purpose of preventing or reducing the risk of harm to individuals. An eligible data breach declaration can be issued quickly and will make clear the kinds of personal information that may be shared, and with whom it may be shared, which may include state and territory agencies. This will enable entities to act quickly to prevent the misuse of compromised personal information, but will be subject to safeguards to ensure that a declaration can only be made for a purpose that is related to preventing or reducing a risk of harm to individuals arising from a data breach. While this has admirable aims, the Bill does not clarify the time within which eligible data breaches must be notified.
The Bill also includes proposed amendments to vest more powers in the Federal Court and Family Court, the OAIC and the Information Commissioner. This includes the ability to implement more targeted emergency declaration provisions, the ability for the Commissioner to make codes that offer guidance on how to apply or comply with the APPs, and the implementation of a Children's Online Privacy Code within two years of the proposed provisions coming into effect.

While the Bill takes steps to implement some of the recommendations made in the review report and the Government's response, it does not include a large number of the recommended reforms which the Government had previously agreed to, such as the amendment of the definition of personal information, the implementation of a 'fair and reasonable' test for the collection and use of personal information, provisions requiring entities to take steps to mitigate harm to individuals following a data breach, and the removal of the small business exemption.

Overall, the provisions proposed in the Bill aim to give consumers more power over their own data. For businesses, the Bill aims to invoke greater accountability and will likely mean that businesses must invest more resources in ensuring that they comply. The Bill represents a significant step towards improving privacy protections in Australia. By increasing accountability, empowering consumers, and enhancing data security, this Bill could transform how the community interacts with businesses, and the steps businesses must take to safeguard an individual's personal information. It is important for businesses to be proactive in reviewing and updating their privacy policies and supporting procedures to ensure that they are not caught out when these changes are codified. Watch this space as the Bill continues to be debated and further reforms are considered as to how this will impact your business.
Written by: Andrew Campbell, Partner, and Emma Yazbek, Lawyer, Hunt & Hunt Lawyers NSW