The first tranche of the Federal Government’s privacy reforms has passed Parliament, with automated decision-making, overseas data flows and “anti-doxxing” measures among the new laws.
The landmark Privacy and other Legislation Amendment Bill 2024 also addresses children’s privacy and introduces a new statutory tort for serious invasions of privacy.
The Bill was introduced on September 12 following an extensive consultation process after a two-year review of the Privacy Act, and was passed by Parliament on November 29.
Among the most significant changes in this tranche are:
- Overseas data flows. The Bill aims to provide greater certainty about when personal information can be disclosed overseas, and expands the mechanisms that facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.
- Automated decision-making. Entities would be required to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
- New penalties. The Bill introduces new civil penalties for breaches of the Privacy Act. For interferences with privacy that are not serious, such as when an entity fails to notify individuals of an eligible data breach as soon as practicable, the maximum penalty would be $660,000 for an individual or $3.3 million for a body corporate.
- Statutory tort for serious invasions of privacy. This would provide individuals with the ability to better protect themselves and seek compensation for a broader range of serious invasions of privacy, including physical privacy, as well as misuse of information.
- Anti-doxxing. The Bill proposes to criminalise “doxxing” (the intentional malicious exposure of an individual’s personal data online), with a penalty of up to six years in jail (or seven years in jail where the conduct is targeting a protected group distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, national or ethnic origin).
- Children’s privacy. To strengthen and protect the privacy of children online, the Information Commissioner would also be required to develop and register a Children’s Online Privacy Code (COP Code) within two years of commencement of the relevant provisions.
The provisions of the Act will apply as follows:
- APP codes, children’s privacy, overseas data flows, penalties and doxxing offences (the day after the Act receives Royal Assent)
- Statutory tort for serious invasions of privacy (a date fixed by proclamation or within six months of Royal Assent)
- Provisions relating to automated decisions (two years after Royal Assent)
Cass Wright, CCIWA Legal Director Commercial Law, says legislation for the second tranche of changes is expected in 2025 covering, amongst other things, exemption of employee records and small business.
She says it is important that businesses understand what personal information is being collected and how, and are prepared now to adapt to the pending changes. Organisations using a computer program to automate decision-making that is reasonably expected to significantly affect the rights or interests of an individual will also need to document this in a privacy policy.
Wright says while the threshold for the statutory tort provisions “requires recklessness or intent to invade an individual’s seclusion or misuse of their information, the civil liability for serious invasion represents a significant shift in providing individuals with rights and remedies where their privacy has been invaded, absent any requirement of proof of damage”.
“Businesses can stay ahead by obtaining a well-written privacy policy that is understandable, concise and aligned to business practices for collecting and storing personal information, as well as establishing minimum and maximum retention periods for the different types of personal information held by the business,” she says.