Australian Privacy Law Reform – The Wait is (Almost!) Over
By: Cameron Abbott, Stephanie Mayhew, and Rob Pulham
The long-awaited privacy reform has finally been introduced into the Australian Parliament today with the introduction of the Privacy and Other Legislation Amendment Bill 2024. Described as ‘Tranche 1’ of the reforms, the Bill introduces significant uplifts to several aspects of Australia’s privacy laws.
The proposed changes include:
- The long-touted statutory tort for serious invasions of privacy;
- As we predicted, new ‘tiered’ penalty provisions which will apply as soon as the law comes into force, allowing the Commissioner to issue infringement notices of up to AU$66,000 for specific breaches of the Australian Privacy Principles (APPs), including:
- Not having a privacy policy, or not having a fully compliant privacy policy;
- Not allowing individuals to remain anonymous or use a pseudonym (unless it is impracticable to do so);
- Not keeping written records of certain disclosures;
- Not complying with the direct marketing provisions in APP 7;
- Not dealing with correction requests; and
- Not providing compliant notifications about data breaches.
- Introduction of an ‘adequacy’ recognition mechanism into APP 8, to make it easier for organisations to disclose personal information to third parties outside Australia – specific permitted countries or binding schemes will be specified for these purposes in the regulations, and disclosures to third parties in those countries or subject to those binding schemes will be permitted without the disclosing organisation being required to take additional steps to ensure the recipient complies with the APPs in relation to that information;
- Additional notice requirements in entities’ privacy policies regarding use of automated decision-making (the transitional provisions allow for a period of 24 months before this takes effect);
- Additional protections for minors, by paving the way for the introduction of a Children’s Online Privacy Code, which must be developed and registered by the Commissioner within 24 months of the law coming into force;
- A new criminal offence for malicious release of personal data online, known as ‘doxxing’, with jail terms for publishing private details with the intent of causing harm, including up to 7 years’ imprisonment if the person or group is targeted on the basis of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin;
- Additional entry, search and seizure powers to the Commissioner; and
- Additional orders which may be made by the Federal Court for contraventions of the Privacy Act.
Although the changes are yet to be passed, now is most certainly the time to ensure your organisation has at least the most basic (and visible) privacy compliance measures in place, and to start considering the make-up of your organisation’s privacy reform project team.