On 12 September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 (Bill), which represents the first tranche of Australian privacy law reforms and aims to implement some of the legislative proposals identified from Australia’s long-running review of, and consultation regarding, reform of the Australian Privacy Act 1988 (Cth) (the Privacy Act). The Office of the Australian Information Commissioner (Commissioner or OAIC) described the Bill as “an important first step in strengthening Australia’s privacy framework”, while acknowledging that “much more needed to be done” to deliver on proposed updates to Australia’s privacy regime.

The sentiment from the Commissioner and stakeholders generally is that the Bill, while proposing to deliver a handful of critical updates to the Australian privacy compliance and enforcement ecosystem, contains fewer updates to Australia’s governing ‘privacy principles’ than were originally flagged in the Privacy Act Review Report released in February 2023. While the Australian Government ‘agreed’ or ‘agreed in principle’ to over 100 recommendations from the Privacy Act Review Report, this Bill implements only a portion of those recommendations. Notably, the Bill does not propose any changes to the scope of ‘personal information’ or to the principles concerning collection, use or disclosure of information generally, and does not amend the uniquely Australian concepts of the ‘small business’ exemption or the ‘employee record’ exemption.

The Bill proposes to amend the objects of the Privacy Act to clarify its purpose of promoting the protection of the privacy of individuals and to recognise the public interest in protecting privacy. The Bill also proposes to enhance the powers of the Commissioner to make APP codes (including temporary APP codes), to investigate compliance with, and enforce, the Privacy Act, and to conduct public inquiries. These changes follow the Australian Government’s recent trend of strengthening enforcement options in respect of Australian privacy laws, but are unlikely to change the day-to-day operations of businesses complying with Australian privacy law (other than in respect of increased risks for non-compliance).

The material privacy reforms that the Bill does propose include:

  • Tort for Invasion of Privacy – Representing the single largest change to the Australian privacy compliance space proposed to date, the Bill includes a statutory cause of action in tort for serious invasions of privacy. The tort would give individuals a cause of action against businesses who have, intentionally or recklessly, seriously invaded an individual’s privacy. Australian law and the Privacy Act have not previously allowed for enforcement by individuals directly against entities on the basis of privacy compliance, with the risk of non-compliance currently limited to investigation, enforcement and penalty from the OAIC. This privacy tort would allow individuals to seek compensation directly from businesses and may give rise to individual and class action lawsuits for serious breaches of privacy in Australia.
  • Greater Certainty for Overseas Data Disclosures – To enhance the flow of data across borders, the Bill proposes to introduce a mechanism for the Governor-General to ‘whitelist’ certain overseas jurisdictions by prescribing that a country or binding scheme provides substantially similar privacy protections to the APPs, thereby allowing overseas disclosure to that jurisdiction in compliance with APP 8. It is anticipated that this change would facilitate simpler disclosures of data by Australian businesses to their related parties and service providers overseas subject to high-watermark privacy standards, such as the European Union’s GDPR. Notably, the Australian Privacy Act itself remains not ‘adequate’ for the purposes of the GDPR (due largely to the substantial exceptions for small businesses under Australian privacy law), which is not expected to change as a result of this Bill. Therefore, the hopes for reciprocal data import freedoms from GDPR-compliant businesses into Australia continue to be a far-off goal.
  • Greater Transparency on the Use of Automated Decision Making – In what may be the only mandatory changes to Australian businesses’ privacy policies, the Bill proposes to amend APP 1 to require that the organisation disclose the details of the kinds of information and types of decisions that are subject to automated processes to the extent such automated decision making may significantly affect the rights or interests of an individual. This change would come into effect 24 months after the Bill receives royal assent, giving organisations the opportunity to update their privacy policies accordingly. Other than increased disclosure obligations, the amendments proposed by the Bill do not contemplate other rights or obligations concerning automated decision making that are common in jurisdictions around the world, such as opt-in or opt-out rights in respect of automated decision making or obligations on entities to complete impact assessments in respect of potential automated bias.
  • Creation of a Minors’ Online Privacy Scheme – The Bill introduces a definition of ‘child’ to mean an individual who has not reached 18 years and requires the Commissioner to develop a Children’s Online Privacy Code which applies to providers of social media services, relevant electronic services, or designated internet services that are likely to be accessed by minor children. This change is expected to impact how social media platforms and other online services interact with minor children online.
  • Data Breach Response Declarations – The Bill proposes to grant the Minister the power to make an ‘eligible data breach declaration’ to facilitate information sharing by affected entities that may otherwise be restricted by the Privacy Act where necessary to prevent or reduce the risk of harm to affected individuals.

The Bill also includes criminal offences for ‘doxxing’ (the intentional disclosure of an individual’s personal data online in a manner that is menacing or harassing); however, these changes are targeted at individuals rather than at business privacy compliance.

The Bill is currently before the Australian Parliament and remains subject to Parliamentary debate and review. We will continue to update you as the Bill progresses through Parliament and as it comes into law.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.