16 September 2024
4 min read
Published by:
On 12 September 2024, a long-awaited Privacy and Other Legislation Amendment Bill (Bill) proposing a number of amendments to the Privacy Act 1988 (Privacy Act), was introduced into the House of Representatives.
While the Bill introduces a radical new criminal sanction for doxxing and an online Children’s Privacy Code, there is much for businesses to be concerned about.
This Bill marks the beginning of a shift in privacy legislation. It introduces provisions that signal the beginning of serious privacy reform which will require businesses to uplift their privacy practices. While the Bill does not include the “fair and reasonable test” that was agreed to be implemented as part of the Privacy Act Review, it set the groundwork for that change to follow.
The Bill proposes a change to Australian Privacy Principle (APP) 11 which states that reasonable steps to protect information will now include technical and organisational measures. This means that if an organisation faces a challenge, such as a breach, its justification of the extent of organisational and technical steps taken will be tested to determine whether they were reasonable under the circumstances.
Readers might remember that many of the recent breaches have resulted from failures to:
Organisations will now need to take a serious look at the adequacy of their budgets and the robust nature of their processes for information security to see if they pass the “reasonable steps” test.
The Office of the Australian Information Commissioner (OAIC) has been granted a range of additional powers to effectively issue infringement notices quickly for breaches of privacy. This allows them to act swiftly without the need to take claims through the court system. This brings them into line with other regulators, such as ACMA who regularly issue such notices for Spam Act infringements.
Interestingly, the new Bill also grants the Commissioner the power to conduct public inquiries. This provides an opportunity for the OAIC to call-out corporate behaviour that might not be a clear breach of existing law but would benefit from public scrutiny. For example, think about the Commissioner’s recent public comments about Tik Tok and the fact that no investigation was pursued due to the likelihood of not breaching existing laws. A public inquiry could have brought the issue into the open and potentially led to a deterrent outcome.
In addition, the statutory tort for invasion of privacy would give individuals the right to seek compensation in the event of a breach which caused them harm.
The new tort considers both physical invasions of privacy – intruding upon seclusion – and misuse of personal information. It is also relevant that the objective of the Privacy Act is being extended to recognise the public interest in protecting privacy and there is no need to prove damages.
A claimant must prove the invasion of their privacy was serious.
The Bill limit damages for non-economic loss to $478,550 or the current limit applicable in defamation proceedings.
In the case of a major data breach, this sort of straightforward claim for multiple victims may be attractive to class action lawyers. There is good reason for businesses to revisit their privacy data collection and data protection settings.
There is also a provision in the Bill which requires organisations to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual. For organisations adopting AI and automated processes that may have a negative impact on individuals, there will be a requirement to explain what has been done. Given the Privacy Act applies to commonwealth government agencies as well, this requirement could impose a significant burden and add another layer of complexity to the use of AI for automating processes.
This is the first tranche in the Privacy Act reforms that was agreed by the government in 2023. At that time, they agreed to 89 proposals requiring legislative change – 25 were agreed and 56 were agreed in principle. The current Bill implements 23 of the first 25 proposals, meaning there are 58 yet to come.
As consumer sentiment and the public appetite for greater privacy protection continues, it is likely that these will be introduced in 2025 although the current government may run out of time before the next election. Regardless of the election outcome, the public demand for the foreshadowed changes will not diminish and we could reasonably expect that they would appear on the legislative calendar next year.
Now is clearly the time for businesses to begin uplifting their privacy posture and supporting policies and procedures.
If you have any questions about the proposed changes or need assistance with reviewing your privacy policies or undertaking a privacy impact assessment, please get in touch with our Data & Privacy team below.
Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
Published by: