Tell me in a minute
A privacy reform Bill has been introduced to parliament. If enacted, the Bill will implement significant changes to the Privacy Act, including introducing broader enforcement powers for the Australian Information Commissioner, a statutory tort for serious invasions of privacy, greater transparency for individuals regarding use of personal information for automated decision-making, and additional protections for children’s privacy. A new criminal offence to outlaw doxxing (in short, publishing private information without consent for a menacing or harassing purpose) will also be introduced.
However, other more substantive changes that had been widely anticipated, based on the Government’s response to previous reform proposals, have been omitted. These may still feature in subsequent tranches of legislation, after further consultation. However, with a federal election looming in early 2025 the future of privacy reform in this country remains as uncertain as ever.
Looking beyond this Bill to the future reforms that still lie ahead, businesses should be thinking now about how they will comply with the new privacy landscape – experience from the introduction of the GDPR in Europe shows that major privacy compliance programs are complex and time consuming. Wherever possible, businesses should be acting now to design systems that will enable them to comply not only with the current law but with the anticipated future state.
In this alert, we will:
- give a brief background to the changes
- run through an overview of the reforms contained in the Bill
- flag some of the most important ‘missing’ elements that we may expect (or hope) to see in a subsequent tranche of reforms
- look at the potential implications of deferring further changes
A long-awaited step forward
The current phase of privacy law reform in Australia is already a long running affair, with its origins tracing back to the final report in the ACCC’s Digital Platforms Inquiry in July 2019. An issues paper formally commencing a review of the Privacy Act was issued in October 2020. Several rounds of consultation followed, with the consistent theme throughout this process being that the Act in its current form is outdated and not fit for the digital age. Almost four years later, the Privacy and Other Legislation Amendment Bill 2024 was today introduced into Parliament, notionally to help address these concerns.
The Bill is a significant step and, if passed, would enact some important reforms. However, the scope of the Bill is not as sweeping as many privacy advocates would have hoped. Of the 116 proposed reforms put forward by the Attorney General’s Department in 2022, the vast majority of which were notionally agreed or agreed-in-principle by the Government in February 2023, only a relative minority feature in the Bill. Those proposals that have been addressed may be considered to be low hanging fruit – reforms that are relatively uncontroversial in nature. More substantive (and politically challenging) proposals have been held over for subsequent tranches of reform, possibly following additional stakeholder consultation.
As the current Government is now counting the months remaining in its term, with a federal election due by May 2025, possibly sooner, time for further comprehensive privacy law reform in this term of office is running desperately short. If successful at the election, a second term Albanese Government may continue down the current reform path. However, the election of a Dutton Government may create more uncertainty, especially given the relative lack of progress made in this area by the previous Coalition Government. The struggle to make meaningful strides forward in this area reflects the difficulty of charting a path that everyone can support – all stakeholders (consumers, businesses, government, civil society, academia) hold strong views on privacy and balancing competing interests is a highly complex matter. By seeking to pass a select group of less controversial changes, the Government has recognised that some progress is better than none, but it is still hard not to feel that the Bill that has been introduced is somewhat anticlimactic.
The difficult path towards reform
The tortuous path these reforms have followed, and the long wait for the Bill to be introduced, reflects the complexity of the issues raised along with the wide range of highly engaged stakeholders. For example, the Government received approximately 500 written submissions on the Privacy Act Review Report, which were considered in formulating the Government’s response. A subsequent narrow consultation on reforms to address the practice of doxxing (shorthand for publishing private information or documents on the internet for a malicious purpose) in itself generated 99 written submissions. This level of engagement reflects the broad impact that comprehensive privacy reforms will have, and is reflected in the practical and political challenges the current Government (like its predecessors) has faced in progressing these reforms.
'There have been murmurings that despite the lengthy process, some industry groups feel that the level of consultation has been inadequate and that given the potential administrative burden on businesses the Government should consult on specific changes in greater detail before pushing ahead. This seems to be reflected in the limited scope of the Bill that the Government has put forward.' KWM Partner Michael Swinson
Australia’s Privacy Commissioner Carly Kind and former Information Commissioner Angelene Falk spoke with KWM partner Michael Swinson on the key privacy challenges as part of the KWM Digital Future Summit. Read the takeaways and watch their discussion of the ‘perfect storm’ of risks emerging here: When innovation meets regulation: The KWM Digital Future Summit 2024 - KWM
Key reforms featured in the Bill
While not as comprehensive as originally anticipated, there is still a lot in the Bill introduced today. We will provide more detailed analysis in subsequent alerts. However, from our first read, here are some key features worth highlighting:
- a new statutory tort to address serious invasions of privacy, based on a model first proposed in a report by the Australian Law Reform Commission in 2014 (in itself a sign of just how long we have been talking about these issues - debates trace back to the 1960s, as Attorney-General Mark Dreyfus noted in his second reading speech!) – the tort will address broader notions of privacy than apply under the Privacy Act, which is focussed on information privacy. With the decision not to introduce a direct right of action under the Privacy Act (at least not yet), we now expect this tort will receive more serious consideration from plaintiffs (and litigation funders) seeking access to courts and compensation than originally anticipated. For more on the background to the proposed tort, see our previous alert here.
- a requirement for the Australian Information Commissioner to develop and register a Children’s Online Privacy Code within 24 months of the Bill taking effect to better protect children from a range of online privacy risks. The objective of the Code would be to set out how relevant Australian Privacy Principles would apply to the privacy of children online. For example, this could extend to ways of providing notice or seeking consent from children, using graphical as well as textual elements. The Code would apply to services that are likely to be accessed by children, with social media services being the obvious target, though a wide range of other online services (including messaging services, gaming services and even general websites) would technically be within scope. The OAIC will receive additional funding of $3 million over 3 years to assist with the development of the Code. The Explanatory Memorandum and the Attorney-General’s second reading speech make clear that the objective will be to align where possible with similar regulatory instruments in other jurisdictions (e.g. the Age Appropriate Design Code in the UK).
- measures requiring greater transparency to be provided when using personal information to make automated decisions that may significantly affect the rights or interests of an individual. Examples given include decisions to grant or refuse a benefit (such as a right to enter the country or to receive a housing benefit), decisions affecting contractual rights (such as under an insurance policy), and decisions that affect access to a significant service or support (such as access to healthcare). The transparency requirements will apply where automated means are used substantially and directly to make a relevant decision and so cannot be avoided simply by including some incidental involvement of a human in the decision-making process. It is unsurprising that this is one reform that the Government would seek to push through, given it is broadly aligned with the Voluntary AI Safety Standard and the draft Mandatory Guardrails for AI in High-Risk Settings released in the last week, both of which prominently feature requirements around transparency of AI-enabled decision making.
- streamlined information sharing in the case of an emergency or eligible data breach, to help mitigate the impact of major data breaches. For example, this framework could enable banks to be alerted where identity documents have been compromised, so that they can apply enhanced monitoring and other safeguards to protect customers against risk of financial fraud.
- stronger enforcement powers for the Australian Information Commissioner, including the introduction of new mid-tier and low-tier civil penalty provisions for breaches that do not meet the ‘serious’ or ‘repeated’ threshold that applies under existing civil penalty provisions (which will itself be reduced to a single ‘serious’ breach threshold, with repetition being one factor to be considered in assessing the seriousness of a breach, along with a number of other factors outlined in the Bill). The maximum penalty for mid-tier breaches will be 2,000 penalty units ($3.3 million for companies, based on current unit rates). The Commissioner will also gain powers to issue infringement notices of up to 200 penalty units ($330,000 for companies based on current rates) for certain prescribed types of ‘administrative’ breach (such as having a deficient privacy policy, failing to provide opt-out controls for direct marketing communications, not properly dealing with information correction requests, or providing a deficient data breach notice) without having to go to court. This power could possibly be a game-changer for the Commissioner for whom the cost and risk associated with litigation has always been a significant barrier to more active enforcement.
- mechanisms for Government to prescribe countries and certification schemes that provide substantially similar privacy protections to Australia, with the objective of making it easier for organisations to share information outside Australia (an essential feature of an increasingly borderless digital economy). This will be a welcome relief for private sector organisations who have long struggled with the complexity of having to make their own decisions about the ‘adequacy’ of foreign privacy regimes or otherwise designing contractual safeguards to serve as a proxy.
In addition, prompted by the controversial leaking earlier this year of private details from a WhatsApp discussion group for members of the Australian Jewish community, the Bill will also introduce new anti-doxxing offences into the Commonwealth Criminal Code. An offence will be committed where a person uses a carriage service to make available, publish or otherwise distribute personal data about a person or group (e.g. names, photographs, contact details, details of a place of business, education or worship, etc.) in a way that a reasonable person would regard as being menacing or harassing. There will be a maximum penalty of 6 years’ imprisonment, or 7 years’ imprisonment where a group is targeted based on race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
Key reforms that were expected but are missing from the Bill
Perhaps even more noteworthy than what the Bill does cover is what it does not. This includes many of the more substantive reforms proposed by the Attorney General’s Department in 2022, including those that had been ‘agreed-in-principle’ by the Government in its response in 2023. Indeed, apart from a minor clarification to the effect that information security protections required under APP 11 may include both technical and organisational measures, the additional transparency requirements around automated decision-making and the new mechanism to facilitate overseas data disclosures, the Australian Privacy Principles are not amended at all by the Bill.
Key reform proposals that were recommended but not taken up in this round include:
- the introduction of a new general obligation to ensure all handling of personal information is ‘fair and reasonable’ – this was one of the marquee reform proposals, with recently appointed Australian Information Commissioner Elizabeth Tydd stating as recently as September 5 - the week before the Bill's introduction - in an address at the RIMPA Live 2024 conference that she would like to see it become a ‘keystone of the Australian privacy framework’.
- an expansion of the definition of ‘personal information’ to cover online identifiers and other information that can be used to target individuals even without revealing their underlying legal identity;
- new individual rights, such as rights to ask for information to be deleted and for online search engine results to be de-indexed;
- the removal or narrowing of current exemptions for small businesses (of which there are approximately 2.5 million currently in Australia) and for employers dealing with employee records (a significant issue for some major employers concerned by the potential cost of having to implement new information handling practices in relation to information about their workers);
- changes to rules around use of personal information for direct marketing and targeted advertising, including stronger opt-out rights;
- clarification of the extra-territorial operation of the Privacy Act, with previous changes having significantly (and perhaps unintentionally) expanded the operation of the Act to potentially cover information about individuals with no clear connection with Australia; and
- rights for individuals to take direct action in court in response to breaches of the Privacy Act (something that would have further increased the prospects of seeing a more litigious privacy landscape in future).
Attorney-General Mark Dreyfus has indicated that the Government will continue targeted consultations with industry, consumer groups and other stakeholders on further reforms.
‘The Australian people expect greater protections, transparency and control over their personal information and this legislation begins the process of delivering on those expectations.’ Attorney-General Mark Dreyfus, announcing the Bill
Almost four years since the reform process was formally kicked off, it is somewhat dispiriting to hear that we are still only at the beginning.
What does this mean from an enforcement perspective?
The reforms proposed by the Attorney-General’s Department were built around five key themes:
- bringing the Privacy Act into the digital age,
- uplifting privacy protections,
- increasing clarity and simplicity for entities and individuals,
- improving transparency and control, and
- strengthening enforcement.
In practice, the reforms featured in the Bill have largely focussed on the last theme of strengthening enforcement. Changes in other areas will have to wait for a later date.
In the meantime, we are left with a Privacy Act in limbo. Despite this, there is greater potential than ever before for the limits of the Act, and privacy rights more broadly, to be tested in Court. Indeed, the OAIC has consistently indicated that it intends to be more active in enforcing the Act in future. In the OAIC’s most recent annual corporate plan, the Commissioner’s foreword clearly signalled that we may expect to see a slightly more aggressive stance from the OAIC going forward, noting a strategic review had recommended that the OAIC ‘accelerate our shift to a more risk-based and education and enforcement-focused posture.’
‘We are focused on identifying the unseen harms that curtail privacy rights in the digital environment. This means implementing a program of targeted, proactive investigations that will not only uncover latent harms and provide avenues for remediation, but will also set the standard for industry practice. Even ahead of reforms, the regulated community should be alert that the OAIC will ensure compliance with the law, and where there are egregious privacy breaches, we will hold organisations to account.’ Australian Information Commissioner Elizabeth Tydd
To date, there have been few chances for the Courts to consider the Privacy Act in a meaningful way. However, given the recent fighting talk from the OAIC, it seems that may soon change. In some ways, with legislators finding themselves bogged down, we may see the baton of reform effectively passed to the Courts, with greater impact coming from the clarification of the current law in practice rather than from mooted changes in the law that may never see the light of day.
Certainly, businesses operating in Australia should not be complacent about the lack of progress in Parliament, as the changes that are being made will give the current law more teeth and it may bite even in areas where the OAIC has historically been reluctant to intervene. For example, in June this year the OAIC indicated that it would not continue an investigation into TikTok’s use of online tracking technology in Australia, because of the current uncertainty in the state of the law:
'Unless and until the government introduces [privacy law reforms], there’s no clear route for me as Privacy Commissioner to take action against TikTok for its use of pixels. A regulator like the OAIC must always direct its attention – and its resources – to where they will have the greatest impact. This case raises issues that are sadly not unique to TikTok, and any litigation or investigation by the OAIC would be on uncertain legal footing.'
This may have been understandable when the expectation was that law reforms would imminently clarify how the use of this type of technology (which is relatively widespread and by no means limited to any one company) is to be regulated. However, if the path to reform becomes more drawn out, it is not hard to imagine the OAIC revisiting this decision and choosing to chance its hand on more novel or edge-case matters in order either to show that this type of conduct is covered by the existing legal framework or else put greater pressure on the Government of the day to speed up the pace of reform.
What is clear is that in its initial response to the Bill, the OAIC was keen to emphasise that the reform work is only partly complete, with Privacy Commissioner Carly Kind saying ‘We are eagerly awaiting the second tranche of privacy reforms … Further reform of the Privacy Act is urgent, to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.’
Stay tuned for more detailed analysis
If passed, most changes in the Bill will take effect immediately. Given they are largely not substantive, and should not require significant operational changes, this should not be a major concern for businesses. There are two exceptions to this:
- the enhanced transparency requirements for automated decisions, which will not take effect for 24 months (likely reflecting the greater operational effort that may be required to comply with this requirement), and
- the statutory tort, which will not take effect for 6 months.
In the meantime, stay tuned for much more to come from KWM on this topic, including deep-dives on some of the key reforms that we think will have the greatest impact. We have a large team of privacy experts ready and eager to discuss what these reforms mean for your business, so please reach out with any queries you may have.
As a reminder, you can always stay on top of the latest regulatory developments through the KWM Tech Regulation Tracker.