By Chong Shao
The Australian Government has introduced the Privacy and Other Legislation Amendment Bill 2024, as part of the first tranche of its long-awaited response to the Privacy Act Review. We knew that progress would be measured in years, and so far this is proving out.
The headline changes touted by the government include:
A new statutory tort to address serious invasions of privacy.
Development of a Children’s Online Privacy Code to better protect children from online harms (accompanied by further funding to support the OAIC in developing the code).
Greater transparency for individuals regarding automated decisions that affect them.
Streamlined and protected sharing of personal information (PI) in situations of a declared emergency or eligible data breach.
Stronger enforcement powers for the Australian Information Commissioner.
A new criminal offence to outlaw doxxing (i.e., the malicious release of personal data online that could enable individuals to be identified, contacted, or located).
For many, these reforms are modest and therefore disappointing, given the scope and duration of the Privacy Act Review.
Notably missing from the Bill is:
Any update to the definition of PI.
Inclusion of the four elements, along EU GDPR lines, that make a consent valid.
The introduction of a ‘fair and reasonable test’ for the handling of PI.
A requirement for APP entities to conduct a Privacy Impact Assessment for activities with high privacy risks.
The right for individuals to request erasure of their PI.
Also missing is one of the more contentious recommendations, the gradual removal of the small business exemption.
On the other hand, the changes represent a moderate progression from the status quo, which needs to be monitored closely and will likely have bigger implications over time.
Some key takeaways:
1. Privacy as a major intersection point
The Bill confirms that privacy sits at the intersection of the major technological and societal issues of our time.
For example:
The statutory tort introduces a cause of action for individuals against another person or organisation where there is a serious invasion of privacy – organisations should be aware of this provision (no small business exemption here!); although it should not be an issue if they are focused on “doing the right thing”.
A Children’s Online Privacy Code will be developed alongside other initiatives in the online safety space, including Online Safety Codes and the eSafety Commissioner’s research and work on age assurance.
Greater transparency regarding automated decision-making comes as part of a broader push by the government around promoting safe and responsible AI.
The streamlining of PI sharing in emergency and eligible data breach scenarios is a welcome move but will have to be considered alongside notification requirements in other laws and schemes such as the Security of Critical Infrastructure Act 2018, Data Availability and Transparency Act 2022, and APRA’s Prudential Standard CPS 234 Information Security.
The Bill is a microcosm of the complex privacy, cyber security, and digital regulatory landscape that is taking shape in Australia. The picture is getting (understandably!) complicated, and the Bill contributes to this.
2. Enforcement will matter more
The government’s touting of ‘stronger enforcement powers’ for the Australian Information Commissioner is a bigger deal than it appears on the surface.
On closer inspection, the Bill provides a series of changes that enable more flexible and effective enforcement of the Privacy Act:
A civil penalty provision for interference with privacy of individuals (not just ‘serious’ interference).
Separately, the civil penalty for serious interference with privacy of individuals is retained, with better elaboration of factors that may be considered in determining if the interference is serious.
The Commissioner may seek civil penalty orders and issue infringement notices for breaches of certain Privacy Act provisions and certain Australian Privacy Principles (APPs).
Additional monitoring and investigation powers.
One of the biggest issues with compliance and enforcement of the Privacy Act has been the relative lack of flexibility with the existing law, where there is a (recently strengthened) civil penalty provision for ‘serious and repeated interferences with privacy’. OAIC enforcement actions have been few and far between, typically reserved for ‘high profile’ cases such as Meta (Facebook), Medibank, and Australian Clinical Labs.
These changes to the Privacy Act, especially in relation to civil penalty orders and infringement notices, provide the OAIC with a bigger ‘toolkit’ to enforce breaches of the Privacy Act and the APPs.
Privacy Commissioner Carly Kind, in a Privacy Awareness Week Sydney event earlier this year, spoke of the ‘exciting opportunity for the OAIC to become a more enforcement-based regulator’. During the Q&A, she noted that for the first time in a decade there are three dedicated commissioners, and that they would be thinking a lot more about how to conduct proactive and proportionate enforcement.
This was confirmed by the OAIC’s Corporate plan 2024-25, which commits the OAIC to a ‘risk-based, education and enforcement-focused’ posture.
The true effectiveness of the regulator will depend on the extent to which it is sufficiently resourced. We have been advocating for greater funding for the OAIC for over a decade in speeches, forums and submissions. We eagerly await the next budget to see whether the government will put its money where its mouth is and whether it is indeed serious about ‘ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age’.
Nevertheless, the Bill and the OAIC’s recently publicised posture demonstrate a clear intent and capability for the regulator to conduct more enforcement. Organisations should take note.
3. Keep sticking to the basics
The Privacy Act Review was flagged five years ago, as part of the ACCC’s 2019 Digital platforms inquiry. In the meantime, organisations are facing an increasingly challenging environment:
Cyber security incidents (including data breaches and the sophistication of bad actors) continue to increase in size and scale.
The growing data economy and technologies like AI heighten business pressures to collect and use personal information, while exposing organisations to greater data governance risks.
Australians care more than ever about privacy – according to the OAIC’s Australian Community Attitudes to Privacy Survey 2023, 82% of respondents care enough about protecting their PI to do something about it, and 84% want more control and choice over the collection and use of their PI.
It has been a slow and winding journey to reach the first tranche of changes to the Privacy Act.
Our key takeaway is not to get over-excited, nor complacent. Not over-excited, because in many ways these are modest changes that will take time to realise their full effects. Not complacent, because the Bill heralds a new era of enforcement for the OAIC, including compliance with the existing Privacy Act and its APPs.
Instead, we think it is best to keep calm and stick to the basics. This means:
1. Assess your privacy practices against the existing APPs, with a focus on PI collection and handling practices, and ensure you are taking ‘reasonable steps’ (including technical and organisational measures) to secure and protect personal information. [1]
2. Know what PI (including sensitive information) you have now, where it is, whether you should still have it and the ways in which you are using it.
3. Assess cyber security risks and controls and consider certification against relevant standards.
4. Establish an improvement and remediation plan based on the findings of points 1, 2 and 3.
Putting the foundations in place now will give you a simpler path to compliance and good practice for both the current legislative requirements and the new requirements to come, including whatever Tranche Two will bring.
IIS can help
IIS and our subsidiary TrustWorks 360 can help you:
Navigate the complexity of the privacy, cyber security, and digital regulatory landscape.
Get the basics right and help you comply with current and incoming requirements, to satisfy customer expectations and to avoid regulator scrutiny and enforcement.
Move beyond compliance to performance and resilience that builds trust and achieves business objectives in a fast-changing world.
Why? Because as we have said at IIS for two decades, “It is just good business.”
Please contact us if you have any questions about the Privacy Act reforms and how they may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.
[1] In a separate interview, Commissioner Kind discussed the OAIC’s enforcement action against Medibank, for activities leading up to the data breach. The OAIC is making the case that Medibank didn’t take ‘reasonable steps’ to protect the personal information they collected and held. Reasonable steps are described as:
State of the art security
Good governance
Organisational responsibilities.