On 28 November 2024, the Australian government passed the Privacy and Other Legislation Amendment Bill 2024 (Cth), putting a major point in the column of Australian privacy rights. The Bill was signed into law just days after the Australian Senate approved another landmark piece of privacy legislation, the Cyber Security Act 2024 (Cth). Both received Royal Assent on 29 November 2024 and are now Acts of Parliament.
Australia’s Privacy Bill Overview
The Bill includes the following measures:
- A statutory tort for major privacy infractions, giving Australian citizens formal recourse for privacy harms via the court system.
- Increased powers of enforcement and investigation for the Office of the Australian Information Commissioner (OAIC). This includes the ability to issue infringement notices and the addition of new layers of civil penalties.
- A Children’s Online Privacy Code, which will be created by the OAIC through a $3 million fund given over a period of three years. The Code seeks to protect children against online threats and will encompass not only social media sites but any online services likely to be accessed by children.
- The creation of a ‘whitelist’ of countries and methodologies using strong enough data security measures to facilitate safe cross-border data transfers.
- Provisions for the streamlined sharing of vital information in the event of an emergency data breach. These same provisions must ensure that the information shared is also adequately protected.
- Provisions for ‘technical and organizational’ measures to be made as part of the ‘reasonable steps’ mandated by the Bill to protect the personal information of Australian citizens.
- A rule requiring privacy policies to state details about substantially automated decisions that can impact personal privacy rights and interests in a significant way. This information must include, among other things, the type of information being used and the decisions that are being made therewith.
- New criminal offenses for doxxing, or the publishing of private and identifiable information online with the intent to injure a person or their reputation. Doxxing has become a form of abuse commonly used against Australian women, specifically in cases of domestic and family violence.
The Privacy Amendment Bill is considered the “first tranche” of at least two tranches of proposed reforms to the Privacy Act 1988 (Cth). There is no date currently known for the release of the second tranche.
In February 2023, the Privacy Act Report Review concluded that “comprehensive reform [was] required to ensure the Privacy Act is fit for purpose and capable of addressing the heightened data risks of the digital age,” as noted on the Bill home page. The Australian government responded six months later, agreeing to 25 of 89 proposals, agreeing in-principle to 56, and noting eight.
New Penalties for Privacy Infractions
Prior to the Bill, the Information Commissioner could only punish ‘serious and repeated’ privacy breaches. Now, Part 8 amends the Privacy Act, allowing it to:
- Enact civil punishments even if ‘serious’ privacy interferences are not also ‘repeated’.
- More clearly define what is meant by a ‘serious’ privacy interference.
- Make non-serious privacy interferences still punishable by law.
- Introduce specific penalties for specific privacy-related crimes.
When determining whether a privacy interference is ‘serious’, courts can take into account factors like:
- What kind of information was involved.
- How sensitive the information was.
- The consequences of an interference of privacy for the affected individual.
- How many are involved in and affected by the privacy breach.
Courts can also weigh other factors, including whether the victim of the privacy breach was a child and whether the infraction was repeated.
New Monitoring and Investigation Measures
Under current Privacy Act law, the Information Commissioner has a range of powers used for monitoring, investigation, and assessment. This includes the right to enter and inspect any documents relevant to the Commissioner’s duties under the Act.
The new amendments in the Bill update these provisions to include the standard monitoring and investigative powers already contained in the Regulatory Powers (Standard Provisions) Act 2014 (Cth). They include not only entry, but search and seizure (as necessary and reasonable) to allow the OAIC to enforce the provisions of the Bill.
New Rules on Public Inquiries
Under the new Bill, the Information Commissioner now has the authority to conduct public inquiries on privacy infringements. This must be done with the approval of or under the direction of the Minister.
Under the umbrella of this new ability, the Information Commissioner will be able to:
- Investigate systemic privacy abuses.
- Require that documents or information be protected.
- Leverage a wider array of evidence than is usually permissible in a standard legal setting.
Additionally, the Information Commissioner will now be able to issue a determination (a binding judgment) following privacy investigations which will mandate a certain course of action in order to prevent the possibility of future privacy infractions.
Expanded Powers of the Federal Court
Currently, the Federal Court, Federal Circuit, and Family Court are only allowed to levy pecuniary penalties (fines and fees) in response to privacy infractions. The new Bill expands the powers of those judicial bodies when punishing violators of the Privacy Act (in its amended form).
Now, the Court can implement any civil penalty it sees fit in response to Privacy Act infringements, including:
- Ordering the perpetrator(s) to perform any reasonable act of restitution.
- Ordering the perpetrator(s) to pay the victim damages and compensation for injuries caused.
- Ordering the entity to perform, or not perform, any acts that would prevent the Privacy Act from being trespassed on in the future.
- Ordering the entity involved to publish a statement regarding the incident violating the Privacy Act.
Why the Australian Privacy Bill is So Important
The passing of this Bill marks a major step forward in Australian privacy law reform and highlights the desire of the Albanese Government to give its citizens greater control of their personal information. “The reforms are an important first step,” noted Australian Privacy Commissioner Carly Kind. “[They] come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information.”
This comes at an opportune time, as Australians have endured their fair share of privacy debacles, some widespread and public. Between 2018 and 2021 (right on the heels of the Cambridge Analytica scandal), a popular Australian home improvement store chain was found guilty of breaching citizens’ privacy en masse when their CCTV cameras were discovered to be using facial recognition technology. Described by Commissioner Kind as “one of the most ethically challenging new technologies in recent years,” this technology and the debate it caused is just one of the examples of a need for overarching, modernized privacy reform suited for a rapidly advancing digital era.
As noted on the Australian Attorney-General's Department site, “Australians want their privacy respected. When they are asked to hand over their personal data Australians expect it will be protected.” To that end, the Government is retrofitting the Privacy Act one tranche at a time to future-proof it for the modern age. This move reflects a broader trend of countries, organizations, and international regulatory bodies implementing updated privacy laws that can keep pace with emerging threats, changing environments, and the bespoke technical parameters of our time.