The Privacy and Other Legislation Amendment Bill 2024 (the POLA Bill) is currently before the Australian Parliament. It has been described by the government as the ‘first tranche’ in the long running project to reform the Privacy Act 1988.
The more significant, impactful proposals to reform the Privacy Act – such as the ‘fair and reasonable’ test long flagged as its policy intent by the Government and expected by industry – have been left out of this Bill, with the suggestion being that they will be in a ‘second tranche’ Bill sometime after the next election.
But overlook the first tranche reforms and you might be in for a rude shock.
Tranche 1 reforms
Much of the initial commentary on the POLA Bill focused on novel aspects such as the introduction of a statutory tort for serious privacy infringements, a Children’s Online Privacy Code, and the addition of a new ‘doxxing’ crime to the Criminal Code to cover the malicious release of personal information online.
However, for regulated entities seeking to understand the most immediate and likely impacts on their business activities, the effect of the POLA Bill’s amendments to the Australian Privacy Principles (APPs) should not be overlooked – particularly when considered in combination with the changes to the civil penalty regime, and the limited lead time before these amendments will take effect.
The APPs form the backbone of the obligations placed on regulated entities when collecting and handling personal information. The 13 APPs set out requirements and prohibitions for personal information handling across the whole information lifecycle: collection, storage, use, disclosure and disposal.
While the POLA Bill does not introduce any wholesale reforms to the APPs, it does include amendments in three key areas:
- APP 1 – the Accountability principle: introducing greater transparency requirements for entities using automated decision making
- APP 8 – the Transborder Disclosure principle: the introduction of a mechanism to ‘whitelist’ countries considered to have a substantially similar privacy regime, thus streamlining legal review processes for companies trading with partners in those whitelisted countries, and
- APP 11 – the Data Security principle: clarifying that data security is not purely a technical concern.
Address your data security weak spots, pronto
The POLA Bill clarifies that the data security obligations on organisations, outlined in APP 11, are not limited to ‘technical’ controls such as role-based access controls, encryption or penetration testing. The amendment will legislate that the ‘reasonable steps’ expected of organisations to protect personal information from loss, misuse and unauthorised access or disclosure also include non-technical ‘organisational’ measures.
Examples of organisational measures to protect data security include robust governance, a comprehensive policy suite, procedures to operationalise those policies, and mandatory privacy compliance training for all staff.
Regulated entities which do not have policies setting out data retention periods, or which do not operationalise those policies, could now be found in breach of APP 11. Likewise, a failure to adequately train staff in their personal information handling obligations could be seen as a breach of APP 11.
This change to APP 11 will have immediate effect once the Bill becomes law; there is no proposed transition period.
New civil penalty regime makes enforcement more likely
In the wake of the Optus and Medibank data breaches, the Government moved quickly to significantly increase the maximum civil penalties applicable for breaches of the APPs. In 2022 the maximum civil penalty for a ‘serious or repeated’ breach by a body corporate was increased to whichever is the greater of: $50 million; 30% of turnover; or three times the benefit obtained from the breach. For individuals (e.g. sole traders), partnerships and other unincorporated entities, the maximum penalty is $2.5 million.
However, those penalties only apply to ‘serious’ or ‘repeated’ breaches, and the regulator, the Office of the Australian Information Commissioner (OAIC), must apply to the Federal Court to request such penalties. To date, no penalties have been issued.
The POLA Bill will remove the ‘repeated’ element in relation to the top tier penalties.
The POLA Bill also seeks to address the inflexibility of the existing regime, with two additional tiers of penalties:
- a mid-tier civil penalty of up to $3.3M (or $660,000 for individuals) for interferences with privacy which lack the ‘serious’ element required for the top tier fines, and
- a low-tier penalty for specified breaches, for which the OAIC can issue infringement notices.
Infringement notices for up to $330,000 (or $66,000 for individuals) can be issued by the OAIC for certain breaches of the APPs or the notifiable data breach scheme under the Privacy Act, including:
- Not having a clear, up-to-date and easily accessible Privacy Policy
- Poorly drafted notices to individuals about a notifiable data breach
- Not having a simple mechanism by which people can opt out of receiving direct marketing, or
- Failing to deal with an access or correction request within 30 days.
Note: These proposed new civil penalties are set with reference to the value of penalty units at the time. While the expectation is that the value of a civil penalty unit will have increased from $313 to $330 by the time of commencement of the POLA Bill, as at the date of writing this change had not yet come into effect.
This new tiered penalty regime will have immediate effect once the Bill becomes law; there is no proposed transition period.
A trip hazard to watch out for: non-compliant Privacy Policies
It is already the law that every regulated entity must have a “clearly expressed and up to date” Privacy Policy, made publicly available. APP 1.4 sets out what a Privacy Policy must include.
Given that not having a Privacy Policy – or having a poorly expressed, out-of-date or inadequate Privacy Policy – could lead to an infringement notice of up to $330,000 from the OAIC as soon as the POLA Bill receives royal assent, regulated entities should be checking their current practices, and their current Privacy Policy, immediately.
Tip: if your Privacy Policy mentions the National Privacy Principles, you know it is at least 10 years out of date! You may be surprised how often we still see the old NPPs mentioned in privacy policies.
Checking an entity’s website for a compliant Privacy Policy will take minimal effort from the regulator and requires no co-operation or input from the regulated entity. This could be seen as a ‘low hanging fruit’ for the OAIC, keen to flex their new infringement notice muscle.
Heightened rules if using automated decision making
The POLA Bill also proposes to increase the transparency requirements on regulated entities using automated decision making. It does so by adding to the list in APP 1.4 of matters that must be included in a privacy policy.
For organisations using computer programs to make decisions (or assist in making decisions) that “significantly affect the rights or interests of an individual” – such as decisions impacting rights under a contract, access to a significant service or support, or the granting or refusal of a benefit – the Privacy Policy will also need to explain:
- what personal information is used by the automated decision-making system
- the types of decisions made, and
- whether the decisions are made by the computer program ‘solely’.
These rules apply regardless of whether the decision is beneficial or adverse to the individual.
This is one of only two components of the Bill with a delayed commencement date (the other being the introduction of a statutory tort, for which up to six months is allowed). This new requirement to add specific details about automated decision making to an entity’s Privacy Policy will not commence for two years – by which stage we hope to see more significant Tranche 2 reforms come into effect as well.
Acknowledgement: Part of this blog was based on an earlier article published in LSJ Online.