“The Privacy and Other Legislation Amendment Bill 2024 is a significant step forward for Australian privacy law. It begins the much-needed work of updating our privacy laws to be fit-for-purpose in the digital age.” The Hon Mark Dreyfus KC MP, Second Reading Speech, 12 September 2024
There is no question that Australia’s Privacy Act is out-of-date and out-of-step with international standards for data protection and information security.
Following more than three years of review, public consultation and strong advocacy, the long-awaited Privacy and Other Legislation Amendment Bill 2024 (Cth) (Reform Bill) was introduced on 12 September 2024 as the first step in making Australia’s privacy laws fit for purpose.
While not the “big bang” of significant reforms that most had hoped for, the Reform Bill seeks to implement the first tranche of recommended reforms to the Privacy Act.
This includes some of the key reforms agreed by the Government in response to the Privacy Act Review, such as increased protection for children’s privacy, and enhanced regulatory powers. It also includes, for the first time in Australia, a statutory tort of privacy and the criminalisation of “doxxing” (malicious release of personal information online).
Most notable, however, is what was not included in this first round of reforms.
This includes a number of fundamental reforms to the Privacy Act that are key to ensuring Australia’s privacy laws align with international benchmarks, provide regulatory certainty for businesses, and provide the protections and rights for individuals to ensure privacy is protected into the future.
The Government has committed to developing the next tranche of reforms over the coming months, with targeted consultation. In his second reading speech of the Reform Bill, Attorney-General Mark Dreyfus said these reforms “begin the work of bringing Australia’s privacy protection framework into the digital age [and] re-affirm the Government’s view that entities have a responsibility to protect Australians’ personal information and not treat it merely as a commercial asset.”
What reforms to the Privacy Act are included in Round 1?
Data security and data breaches
- Clarification that “reasonable steps” under APP 11 (data security and data retention) includes technical and organisational controls.
- Introduction of “eligible data breaches declarations” to facilitate information sharing after an eligible data breach or emergency. The safeguards that apply include that sharing of information must only be for the purpose of preventing or reducing the risk of harm to individuals.
Children’s privacy
- New definition of “child” – person under the age of 18.
- OAIC to develop a Children’s Online Privacy Code (funded). This reform is consistent with the UK approach to children’s online privacy and recommendations in the Privacy Act Review.
Further enhanced regulatory powers and civil penalties
- New civil penalty tier (for non-serious invasions of privacy)
- Expanded infringement notices, with penalties
- Enhanced enforcement powers for the OAIC
Transparency for automated decision making
- Privacy Policies to disclose use of personal information in automated decision making which significantly affects individuals’ interests.
- Within 2 years of reforms coming into effect.
White-list for overseas data transfers
- Power for Minister to prescribe countries that have data protection and privacy protections necessary for an APP entity to rely on the exceptions to the accountability regime in APP 8 and s16C of the Privacy Act. Comparable to a “adequacy decision” in the EU context, this is a welcomed practical reform and will provide regulatory certainty for APP entities disclosing personal information to overseas recipients.
- The Reform Bill does not include any of the other measures “agreed-in-principle” to be introduced to facilitate overseas data transfers, including model clauses or “standard contractual clauses” (SCCs), similar to the mechanism in the EU, UK and New Zealand. It may be that these are included in the next tranche.
There are other key reforms included in Round 1 that are important, which we’ll address in a separate article.
What’s to come in Round 2?
There are some key anticipated reforms to the Privacy Act that were not included in Round 1, including those previously agreed by the Government in response to the Privacy Act Review.
It is anticipated that a number of the remaining reforms that were “agreed” or “agreed in principle” by the Government will be included in Round 2. These reforms, if introduced, would impactfully update the Privacy Act and make it fit for purpose of the digital economy, including:
Expanded scope of ‘personal information’
This had been anticipated to be included as it was a recommend reform with which the Government “agreed” and would address some of the key issues fundamental to the application of the Privacy Act in the digital economy, including “individuation”.
Introduction of an overarching “fair and reasonable” test
One of the most potentially significant and important proposed reforms to Australia’s Privacy Act is to introduce a new overarching principle of “fair and reasonable” handling of personal information. The Government “agreed in principle” with this proposed reform, which would apply irrespective of whether consent has been obtained, as well as the proposed list of matters to be taken into account when making an assessment (such as the type of information, risk of harm, and whether the impact on an individual’s privacy is proportionate to be benefit achieved through the handling of that information).
Expanded individual rights, including the recommended “right to be forgotten”
The Government “agreed in principle” with the proposal to introduce a right for an individual to request deletion of their personal information held by an entity. The introduction of this right has potentially significant operational and compliance implications for regulated entities.
The small business, and employee records, exemption remains – for now
The removal of these exemptions would be a significant change to the privacy landscape in Australia. For small businesses across Australia, removal of the exemption would likely require a major uplift to practices and require significant Government support and education. We suspect any removal (or partial removal) of the small business exemption will be part of the further targeted consultation.
What do organisations need to do now?
There is no proposed ‘grace period’ or transitional arrangement for the majority of the reforms in Round 1. Once the Bill is passed and receives Royal Assent, the reforms in Round 1 will commence the following day, with the exception of the transparency obligations around automated decision-making (which has a 2-year transition period).
Organisations should take the following steps:
1. Data security and retention.
Review what “reasonable steps” the organisation takes with respect to data security and data retention, and ensure these include technical and organisation measures. See our article here for more information.
2. Data breach response
Review data breach response plans and playbooks to understand how an information sharing declaration may impact the organisation’s response to a significant cyber incident or other “eligible data breach”.
3. Children’s Online Services Code
In anticipation of the OAIC developing a binding code, organisations that provide an online service that is likely to be accessed by children under the age of 18 (and is not a health service), should engage in consultation on the code and review information handling practices against overseas children’s online privacy regulation, such as the UK Children’s Online Safety Code, which is likely to inform the Australian code.
4. Privacy Management Plan and risk registers
Given the enhanced penalty regime, investigative and other enforcement powers, together with the statutory tort of privacy, organisations should revisit their overall privacy management plan, level of compliance, and how it assesses and mitigates privacy risk across the organisation. Organisations must ensure they have practices, procedures and systems in place to ensure they comply with their obligations under the Australian Privacy Principles and the Privacy Act more broadly. The risk profile of privacy in Australia has significantly changed over the past couple of years, and organisations should update their risk assessments and measures, and resourcing of privacy, accordingly.
5. Automated decision-making
In order to comply with the transparency obligation, organisations will need to understand their use of personal information in automated decision making and then assess whether such uses significantly affect individuals’ interests. While there is some time before this reform takes effect, work should start now on this internal review and procurement and in-house development projects should be kept under review.
While the detail of the next tranche of reforms is not yet known, we do know that the Government intends for further privacy law reform over the remaining months of 2024 and into 2025. Organisations can (and should) start to prepare now.
Not sure what these changes mean for your organisation, or need help to prepare? Reach out to Sophie Bradshaw or David Tulacz.
This post was created in collaboration with Nicole Stephensen from Ground Up Privacy.