The first tranche of the Federal Government’s privacy reforms is before Parliament, with automated decision-making, overseas data flows and new “anti-doxxing” measures among the proposed changes.
The landmark Privacy and other Legislation Amendment Bill 2024 also addresses children’s privacy and introduces a new statutory tort for serious invasions of privacy.
The Bill was introduced on September 12 following an extensive consultation process after a two-year review of the Privacy Act.
The Senate referred the Bill to the Legal and Constitutional Affairs Committee, which is expected to report by the end of November.
Among the most significant changes in this tranche are:
- Overseas data flows. The Bill aims to provide greater certainty about when personal information can be disclosed overseas, and increases mechanisms to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.
- Automated decision-making. Entities would be required to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
- New penalties. The Bill introduces new civil penalties for breaches of the Privacy Act. For interferences with privacy that are not serious, such as when an entity fails to notify individuals of an eligible data breach as soon as practicable, the maximum penalty would be $660,000 for an individual or $3.3 million for a body corporate.
- Statutory tort for serious invasions of privacy. This would provide individuals with the ability to better protect themselves and seek compensation for a broader range of serious invasions of privacy, including physical privacy, as well as misuse of information.
- Anti-doxxing. The Bill proposes to criminalise “doxxing” (the intentional malicious exposure of an individual’s personal data online), with a penalty of up to six years in jail (or seven years in jail where the conduct is targeting a protected group distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, national or ethnic origin).
- Children’s privacy. To strengthen and protect the privacy of children online, the Information Commissioner would also be required to develop and register a Children’s Online Privacy Code (COP Code) within two years of commencement of the relevant provisions.
Cass Wright, CCIWA Legal Director Commercial Law, says the proposed changes in this Bill are only the start, with the more contentious proposals in the Privacy Act review still to come.
She says it is important that businesses understand what personal information is being collected and how, and are prepared now to adapt to the pending changes.
“Businesses can stay ahead by obtaining a well-written privacy policy that is understandable, concise and aligned to business practices for collecting and storing personal information, as well as establishing minimum and maximum retention periods for the different types of personal information held by the business,” she says.
Want advice on this or other commercial legal matters? Get in touch on (08) 9365 7560 or via [email protected].