Tax News Update    Email this document    Print this document  

Executive summary

On 12 September 2024 the Australian Government introduced the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) into Parliament, in the Privacy and Other Legislation Amendment Bill 2024 (the Bill).

The Bill is the latest development in a four-year process, following a review by the Attorney General's Department, stakeholder consultation and the government's response. If enacted, the Bill would enhance privacy protections for individuals by:

• Granting the Office of the Australian Information Commissioner (the independent national regulator for privacy and freedom of information) greater enforcement powers
• Establishing a right for individuals to sue for serious privacy breaches
• Mandating clearer disclosures about the use of personal information in automated decision-making
• Strengthening privacy safeguards for children
• Criminalizing the act of doxing to deter the malicious sharing of personal information online

In response to polling conducted by the Information Commissioner,¹ 89% of Australians indicated they support reform to the Privacy Act to make it fit for the digital age; these reforms are squarely on the government's legislative agenda. While the Bill introduces some added protections for consumers, this first tranche of reforms only gets part of the way there. Many of the significant changes expected based on the government's response to the Attorney General's review have been excluded from this first tranche. Further changes will likely be introduced in future legislative updates, following additional consultation with stakeholders.

The Government is likely to introduce further reforms to help Australia keep up with privacy and data protection laws globally, but it is not yet clear when this will happen.

With a Federal Election approaching in early 2025, the path forward for privacy reform in Australia continues to be unpredictable.

Key features of the Bill

If enacted as drafted, the Bill would introduce the following changes to the Privacy Act:

• Broader enforcement powers for the Australian Information Commissioner: The Information Commissioner would have increased authority to investigate privacy breaches, enforce compliance with privacy laws and impose penalties on organizations that violate privacy regulations.
• Statutory tort for serious invasions of privacy: A statutory tort would create a new civil wrong, allowing individuals to sue for compensation if their privacy is seriously invaded without their consent. This could cover a range of actions, including unlawful surveillance, hacking or the dissemination of personal information.
• Greater transparency for automated decision-making: This change would require organizations to be more open about how they use personal information to make automated decisions. This could include decisions made by algorithms or artificial intelligence (AI), and the requirement could extend to providing individuals with explanations of how such decisions are made. In parallel, the Government has introduced a policy for the responsible use of AI for Federal Government departments and agencies.
• Additional protections for children's privacy: Enhanced protections for children could involve stricter rules on the collection, use and disclosure of children's personal information, recognizing the increased vulnerability of young people in the digital environment.
• Criminal offense to outlaw doxing: Doxing is the act of publishing private or identifying information about an individual on the internet, typically with malicious intent. Making doxing a criminal offense would mean that individuals engaging in doxing could face criminal charges and potential imprisonment. The Bill introduces maximum penalties of six and seven years prison time for offenders where a group is targeted based on race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
• Simplified international data sharing: The government plans to identify countries and certification schemes that offer privacy protections comparable to Australia's, simplifying the process for organizations to share information internationally — a critical aspect of the digital economy without borders. This move will be a relief for private sector organizations that have previously grappled with the complexity of assessing the "adequacy" of foreign privacy laws or creating contractual measures to compensate for it. However, foreign investors in Australia should be aware that the Foreign Investment Review Board's (FIRB) data conditions are still likely to be attached to how those investors hold data about Australians, particularly sensitive data or data about defense personnel.
• Streamlined information sharing in the case of an emergency or eligible data breach: The efficient exchange of information during emergencies or qualified data breaches can reduce the consequences of significant data breaches incidents. For instance, this system could alert financial institutions when identity documents are at risk, allowing them to implement increased surveillance and additional protective measures to shield clients from potential financial fraud.

What do the changes mean?

• Increased compliance obligations: With broader enforcement powers for the Information Commissioner and the introduction of a statutory tort for serious invasions of privacy, organizations handling personal information will need to ensure they have robust privacy practices in place. This includes securing personal information, obtaining clear consent for its use, and being transparent about data processing activities.
• Enhanced transparency requirements: The requirement for greater transparency around automated decision-making means that organizations handling personal information will need to disclose more about their use of algorithms and AI in processing personal information. They may need to provide individuals with explanations when decisions are made automatically, which could require adjustments to their systems and processes.
• Special considerations for children's data: The additional protections for children's privacy will necessitate stricter controls over the collection, use and sharing of data belonging to minors. This may involve implementing age-verification mechanisms and obtaining parental consent where necessary.
• Legal risks from doxing: The criminalization of doxing introduces a new legal risk, emphasizing the importance of safeguarding personal information to prevent unauthorized disclosure that could harm individuals.
• Easier international data sharing: The mechanism to identify countries and certification schemes with privacy protections similar to Australia's will streamline the process for clients to share information internationally. This reduces the burden of assessing foreign privacy regimes' adequacy and negotiating contractual safeguards, making compliance easier and potentially opening up new markets. However, foreign investors that are subject to data conditions should check with FIRB regarding how they will be impacted by these proposed data sharing arrangements.
• Streamlined information sharing during emergencies or eligible data breaches: This change would require an organization handling personal information to adapt to new compliance requirements, but it also offers the advantage of enhanced fraud prevention measures and the potential for increased trust and reputation protection by taking proactive personal information protection efforts.

Actions to consider now

Organizations operating in Australia, as well as global companies with Australian customers, will need to closely monitor these developments and prepare to comply with the new requirements.

In light of reforms proposed in the Bill, affected parties will want to consider actions such as:

• Become compliant with the current requirements of the Privacy Act now — the Information Commissioner will have more funding and powers to investigate breaches and enforce the law.
• Undertake a privacy compliance gap assessment and get support from a privacy subject-matter expert to recommend remediation actions and build out a roadmap toward compliance. This will include having in place strong privacy governance and practices, as well as practical policies and processes, to help organizations implement compliance with the Privacy Act into business-as-usual practices.
• Pay attention to data-breach response plans, data retention and third-party supplier management — these issues are common areas of struggle.
• Note that a business's employees and the third parties with which personal information is shared are the business's greatest source of privacy risk. Institute mandatory privacy training for all employees and create a strong vendor vetting, onboarding and management framework.
• Take special precautions when implementing new technologies or processing activities like the use of AI. Undertaking a Privacy Impact Assessment is best practice.
• Pay attention to international disclosures of personal information — have appropriate terms in place with third parties to ensure personal information is protected. If you are subject to FIRB data conditions, make sure that your privacy governance framework and contracting arrangements support this compliance.
• Know that international privacy laws (like the General Data Protection Regulation) have extraterritorial application and can affect Australian-based organizations.
• Be aware that law reform and guidance is being issued by government and regulatory authorities in relation to other key digital issues like cybersecurity, the use of AI and combating the online spread of misinformation and disinformation.
• Keep in mind that further changes to the Privacy Act are anticipated.

What next?

The Bill is expected to undergo Parliamentary Committee review and will likely be made into law in 2025.

Expect a second tranche of even more substantial changes to be published in the near future. The second tranche is not the only piece of legislation that the Government is considering, however. Additional guidance for AI and data is likely. There may also be further legislative developments in the States — such as age verification of children on social media platforms in South Australia and AI in New South Wales.