On 12 September 2024, the Attorney-General introduced the highly anticipated amendments to the Privacy Act 1988 (Cth) (Privacy Act) to the Australian Federal Parliament. The Privacy and Other Legislation Amendment Bill 2024 (Amending Bill) is currently in the House of Representatives, kicking off the first tranche of reforms to the Privacy Act.
The first tranche of reforms is not as far-reaching as anticipated, but nevertheless introduces some important changes that will impact organisations and individuals alike.
Key reforms
Notably, the Amending Bill:
- mandates the development of a Children’s Online Privacy Code to better protect the online privacy of children
- introduces new tiered civil penalty provisions for interferences with privacy
- introduces a statutory tort for the serious invasion of privacy
- amends the Commonwealth Criminal Code to introduce criminal penalties for doxxing, being the malicious release of personal data online, and
- introduces a requirement that privacy policies contain information about how automated decision-making processes are used by an entity.
Children’s Online Privacy Code
New section 26GC will require the Information Commissioner to develop a Children’s Online Privacy Code to safeguard the privacy of minors. An entity will be bound by the Code if:
(a) all the following apply:
- it is a provider of a social media service, relevant electronic service or designated internet service (all within the meaning of the Online Safety Act 2021 (Cth));
- the service is likely to be accessed by children; and
- the entity is not providing a health service; or
(b) the entity is a class of entities specified in the Code.
New tiered penalties for interference with privacy
Item 50 of the Amending Bill repeals and replaces section 13G(1) of the Privacy Act. An entity will now contravene section 13G(1) if it does an act, or engages in a practice, that is an interference with the privacy of an individual, and the interference with privacy is "serious". Importantly, an interference with the privacy of an individual will no longer need to be a “repeated” interference. The current penalties will continue to apply to contraventions of this section.
Specific factors relevant to determining whether an interference is "serious" are set out in the Amending Bill. These include the sensitivity of personal information involved and the consequences or potential consequences for the individual concerned.
Item 56 of the Amending Bill introduces a new section 13H, which is a civil penalty provision for interferences with privacy that warrant enforcement action but may not meet the "serious" threshold. An entity will contravene this new civil penalty provision if it does an act, or engages in a practice, that is an interference with the privacy of an individual. The maximum penalty is 2,000 penalty units for individuals (i.e. $626,000) and 10,000 penalty units for corporations (i.e. $3,130,000).
Further, a new civil penalty provision will apply to breaches of specific obligations under the Australian Privacy Principles (APPs) (new section 13K). These breaches may result in an infringement notice being issued under Part 5 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The penalty provisions target specific APP obligations that are of an administrative nature, where a contravention can be easily established - for example, an organisation's failure to have a clearly expressed and up-to-date APP policy. The maximum penalty is 200 penalty units for individuals (i.e. $62,600) or 1,000 penalty units for corporations (i.e. $313,000).
At the time of introduction of the Amending Bill, one penalty unit equates to $313. However, draft legislation is expected to be passed soon that will increase this amount to $330.
Statutory tort for serious invasions of privacy
The Amending Bill inserts a new Schedule 2 to the Privacy Act, which establishes a cause of action in tort for serious invasions of privacy.
Section 7 of this Schedule 2 sets out that such cause of action will be established if:
- the defendant invaded the plaintiff's privacy by doing one or both of the following:
  - intruding upon the plaintiff’s seclusion; or
  - misusing information that relates to the plaintiff;
- a person in the position of the plaintiff would have a reasonable expectation of privacy in all of the circumstances;
- the invasion of privacy was intentional or reckless; and
- the invasion of privacy was serious.
No proof of damages is required for this cause of action to arise.
Schedule 2 sets out the categories of evidence the defendant may adduce regarding the action, and the court's considerations when determining whether the plaintiff has a reasonable expectation of privacy.
The Amending Bill provides that damages for non-economic loss and punitive damages may not exceed the greater of: (i) $478,550; and (ii) the maximum amount of damages for economic loss that may be awarded under defamation proceedings. The Amending Bill also provides for other remedies the court may consider awarding.
Importantly, Schedule 2 provides an exemption for invasions of privacy by a journalist, the journalist’s employer, or certain persons assisting the journalist, where the invasion involves the collection, preparation for publication or publication of journalistic material.
Criminal penalty for doxxing
Schedule 3 of the Amending Bill introduces offences under the Criminal Code Act 1995 (Cth) for persons using a carriage service [1] to make available, publish or otherwise distribute personal data in a "menacing or harassing" manner. Such activity will attract a maximum penalty of six years' imprisonment.
If a person uses a carriage service to make available, publish or distribute personal data about one or more members of a group, and the person engages in the conduct because they believe the targeted group is distinguished by "race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin", the maximum penalty is seven years' imprisonment.
Automated decision-making process disclaimers
Schedule 1, Part 15 of the Amending Bill calls for greater transparency from entities that employ automated processes involving personal information to make decisions that could significantly affect the rights of an individual (for example, decisions relating to housing benefits or healthcare access). Entities will be required to include this information in their privacy policy.
Key takeaways
The Amending Bill represents the first tranche of privacy reforms, a number of which were proposed in the Attorney-General's Department's Privacy Act Review Report. This signals a positive step forward by the Australian Government to implement a number of the proposals it agreed to in its Response to the Privacy Act Review.
The Amending Bill does not address the more “contentious” reforms, such as the removal of the employee records and small business exemptions. We expect the Government to undertake further consultation on these proposed reforms. Instead, the focus of a number of the amendments has been on protecting the privacy rights of individuals.
For now, organisations currently bound by the Privacy Act should pay close attention to the passage of the Amending Bill as it moves through Parliament and start preparing for the enactment of the Amending Bill.
Please contact our team of experienced privacy lawyers to understand the implications of the Amending Bill and how your organisation can prepare for the first tranche of privacy reforms.
[1] I.e. any form of electronic communication.