Proposed reforms to the Privacy Act 2024

In September 2024, the Australian government introduced the Privacy and Other Legislation Amendment Bill 2024 to the floor of Parliament. The Bill proposes various measures to improve privacy protection for individuals in the context of a rapidly evolving digital landscape, with the risk of personal data being subject to misuse or mishandling increasing amidst the broad adoption and reliance on digital technologies. This bill aims to take a major step toward enhancing the rights of individuals in Australia while ensuring that businesses and organizations operate with transparency, accountability, and respect for personal information.

The need for comprehensive privacy reforms in Australia has grown as digital services, e-commerce, and online platforms have become integral parts of everyday life. Personal data is now being collected, stored, and analysed on an unprecedented scale, often across multiple sectors, including health, finance, government, and retail. While this data-driven economy has brought significant benefits, it has also led to increasing concerns about privacy breaches, misuse of data, and surveillance practices.

In the wake of high-profile data breaches, including incidents involving large corporations and government agencies, there has been mounting pressure on the Australian government to update its privacy laws to reflect modern realities. The introduction of the Privacy and Other Legislation Amendment Bill 2024 signals the government’s recognition of these concerns and its commitment to safeguarding individuals’ rights in an increasingly interconnected world.

The proposed amendments follow the publication of the Privacy Act Review Report which contained 116 proposals for reform, the Bill implementing 23 of the proposals agreed to by the Government.

 

Key reforms

Expansion of the Information Commissioner’s Powers

If passed, the Bill would see an expansion in the enforcement powers of Australia’s federal privacy regulator, the Office of the Australian Information Commissioner (OAIC), as well as granting it new functions and capabilities.

 

Children’s Online Privacy Code

Amidst concerns surrounding children’s right to privacy, the amendments would require the Information Commissioner to develop and register a Children’s Online Privacy Code (COP Code) within two years of the commencement of the relevant provisions.

While the Information Commissioner has previously provided guidance as to how privacy protections under the Privacy Act should apply to children, the Bill proposes the imposition of specific enforceable obligations with respect to the handling of children’s personal information, increasing protections for children available under Australian law. The COP Code would apply to online services likely to be accessed by children, including broadly accessible platforms which do not have measures to prevent access by children.

A draft of the COP Code will be made available for public consultation prior to its finalisation and registration.

 

Automated Decision-Making

Given concerns about the potential for automated decision-making to result in unfair treatment and discrimination, particularly in relation to the use of biased or inaccurate information and in application to unique circumstances, the Bill proposes various measures to increase transparency where the use of computer programs may reasonably be expected to significantly affect an individuals’ rights or interests. This may include where automated decision-making is used to determine issues like individual’s access to healthcare; housing benefits; or contractual rights.

If passed, the Bill will increase individuals’ capacity to ascertain what personal information about them is held by entities and for what purposes. Further, individuals may request that entities amend information held or take further action if the use of automated decision-making has result in an interference with their privacy or unlawful discrimination.

 

Statutory Tort for Serious Invasions of Privacy

While Australia has a range of laws which seek to address invasions of privacy, their content varies between jurisdictions. The Bill proposes a new statutory tort for serious invasions of privacy in circumstances where a reasonable expectation of privacy exists.

While the tort seeks to improve protections for individuals against invasions of privacy, it includes various defences and exemptions for legitimate activities considered essential to the proper functioning of Australia’s democracy. For example, where a defendant claims that there was a public interest involved in the invasion of privacy, the plaintiff must demonstrate that the public interest in privacy protection is of greater importance.

 

‘Doxxing’ Made an Offence

The proposed Bill would make amendments to the Criminal Code Act 1995 to introduce two new offences targeting ‘doxxing’ practices, broadly considered the ‘intentional malicious exposure of an individuals’ personal data online’.

If passed, the Bill would make it an offence to publish an individual’s personal data using a carriage service in a manner considered menacing or harassing. The Bill would introduce a further offence where an individual is targeted based on the possession of a protected attribute, such as race, religion, or sex.

 

Facilitating Information Sharing

Despite generally increasing privacy protections, the Bill gives the Minister authority to make ‘eligible data breach declarations’ to prevent or mitigate the risk of harm in the event of a significant data breach. This would allow entities to disclose personal data for specified purposes related to protecting individuals from harm.

 

Overseas data flows

The Bill proposes amendments to increase the ease of the overseas disclosure of personal information. The Minister may prescribe an overseas jurisdiction if satisfied that it has a substantially similar privacy framework to Australia, meaning entities will not be required to take ‘reasonable steps’ to ensure the recipients’ practices are compliant with domestic law. Importantly, the Minister will be unable to prescribe a jurisdiction if its privacy laws would not allow individuals to enforce the protection of their personal information.

 

Criticisms

Despite the broad support for the reforms, the Privacy and Other Legislation Amendment Bill 2024 has not been without criticism. Some stakeholders, particularly within the tech industry, have expressed concerns about the potential compliance costs and the burden that the new regulations could place on small businesses. Others have raised questions about the effectiveness of the bill in addressing the challenges posed by rapidly advancing technologies, such as artificial intelligence, which may not be fully accounted for in the proposed framework.

Additionally, there are ongoing debates about how the bill balances privacy protections with the need for innovation and technological advancement. Some experts have argued that the bill could benefit from more nuanced provisions that account for the complexities of emerging technologies, while others worry that overly stringent regulations may stifle innovation.

 

Takeaways

The Bill proposes substantive changes to the Privacy Act and is expected to be followed by further amendments to Australia’s privacy regime. It reflects the growing recognition of the need for robust privacy laws in an increasingly digital world, where personal data is a valuable commodity, and its protection is paramount.

Australian entities should review their existing compliance practices and develop plans to address any gaps, particularly in relation to areas expected to receive increased scrutiny if the Bill is passed.

 

*This article was prepared with the assistance of Clea Phillips