On 12 September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 (Bill) to the House of Representatives containing the first tranche of long-awaited reforms to the Privacy Act 1988 (Cth) (Privacy Act).
Arriving almost one year after the Government published its Response to the Privacy Act Review (Response) and indicated that a generational overhaul of Australia’s Privacy Act was needed, the reforms contained in the Bill are far more limited in scope. The Bill focuses on three categories of amendments to Australia’s privacy, regulatory and criminal laws:
measures to enhance the privacy of individuals, including by strengthening the Office of the Australian Information Commissioner’s (OAIC) enforcement toolkit, introducing new tiers of civil penalties, requiring the development and registration of a Children’s Online Privacy Code, and increasing transparency requirements for automated decision making;
the introduction of a new statutory cause of action for serious invasions of privacy; and
the introduction of new offences to specifically criminalise ‘doxxing’.
Notably, the Bill does not include the most ambitious reforms which the Government had previously ‘agreed’ or ‘agreed in principle’ in its Response, such as the removal of the small business exemption, amendment of the definition of ‘personal information’ (PI), the introduction of the controller/processor distinction, the proposed requirement that the collection, use and disclosure of PI be fair and reasonable, and new definitions for direct marketing, targeting and trading. Given that the Government plans to further consult regarding the next (and more ambitious) tranche of reforms, we are unlikely to see any further reforms arrive in Parliament until after the 2025 federal election.
If the Bill is passed, it will nevertheless be a significant first step towards Australia’s privacy laws being made fit for purpose in the digital age. Our more detailed comments on these three categories of reforms are below.
CATEGORY 1 - MEASURES TO ENHANCE THE PRIVACY OF INDIVIDUALS
The most significant category 1 amendments are new civil penalties and a stronger enforcement toolkit for the OAIC, a new Children’s Online Privacy Code, and increased transparency requirements for automated decision making.
Civil penalties and enforcement powers: Schedule 1 of the Bill amends Australia’s privacy laws to strengthen the enforcement powers of the OAIC and the Courts by providing the Commissioner and the judiciary with a broader range of enforcement options and new functions and capabilities to address actual or suspected privacy interferences (see Parts 8 - 11 and 13 - 14 of Schedule 1 of the Bill).
If implemented as drafted, these amendments apply to acts done or practices engaged in after commencement. In particular, the Bill proposes to:
provide guidance on factors which may be taken into account to determine whether an interference with privacy is ‘serious’, for the purposes of availing the Commissioner of the civil penalty provision for serious interferences of privacy;
remove the previous civil penalty provision for repeated interferences with privacy (as civil penalties for individual interferences of privacy are proposed to be introduced);
introduce a new civil penalty for interference with the privacy of an individual, notwithstanding the seriousness of that interference (capped at 2,000 penalty units);
introduce new civil penalties and the power for the Commissioner to issue infringement notices for breaches of some of the APPs and the preparation of non-compliant eligible data breach statements (capped at 200 penalty units);
provide a legislative means by which, in court proceedings for serious interferences of privacy, the Court may order an entity pay civil penalties in circumstances where it is satisfied that entity interfered with the privacy of an individual but is not satisfied that the interference with privacy is serious;
empower the Court, when it has determined or will determine that an entity has contravened a civil penalty provision under the Act, to make an order to direct the entity to redress or pay compensatory damages for the loss or damage suffered or likely to be suffered by any individual. Individuals have a limitation period of 6 years to apply to the Court for an order of this kind and any amount payable to the individual may be recoverable as a debt;
empower the Commissioner to conduct a public inquiry into matters relating to privacy, at the direction of the Minister;
empower the Commissioner to make determinations following an investigation declaring that entities perform any reasonable act or course of conduct to redress forward-looking, reasonably foreseeable loss or damage likely to be suffered;
amend the definition of ‘privacy matters’ which must be included in the Commissioner’s annual report to:
limit the statement of the performance of the privacy functions relating to the year referable to the annual report;
include details of the number of complaints made to the Commissioner over the year referable to the annual report; and
include details of the grounds for the Commissioner’s decision not to…