The Government has introduced the Privacy and Other Legislation Amendment Bill 2024 into the House of Representatives.
If passed, the Bill will implement a first tranche of changes that were agreed by the Government in its September 2023 Response to the Privacy Act Review. Consultation will take place on a second tranche of reform.
New penalties
The Office of the Australian Information Commissioner (OAIC), Australia’s national privacy regulator, would have access to a broader range of enforcement options, as well as new functions and capabilities. These include two new civil penalty provisions in addition to the current penalty for serious or repeated interferences with privacy:
- a new civil penalty for interference with privacy that is not a serious interference. For example, this may cover instances where an APP entity fails to notify individuals of an eligible data breach as soon as practicable.
- new civil penalty provisions for breaches of specific privacy obligations of the APPs and non-compliant eligible data breach statements, which would be subject to infringement notices.
Use of personal information in the event of an eligible data breach
Part 7 would empower the Minister to make a declaration enabling entities to share personal information in a manner that would otherwise not be permitted under the APPs or certain secrecy provisions in order to prevent or reduce the risk of harm to individuals in the event of an eligible data breach.
Automated decision-making
The Bill introduces a series of measures to increase transparency and certainty regarding the handling of personal information for individuals and entities in automated decision-making by:
a. clarifying that reasonable steps to protect information in APP 11 include technical and organisational measures,
b. introducing a mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs, to assist entities to assess whether to disclose personal information to an overseas recipient, and
c. requiring entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
Overseas recipients
A new APP 8.3 will be inserted which applies in relation to the disclosure of personal information about an individual by an APP entity to an overseas recipient if they are in a country that has been declared to protect the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and there are mechanisms that the individual can access to take action to enforce that protection.
Children’s privacy
The Bill requires the Australian Information Commissioner to develop and register a Children’s Online Privacy Code to protect children from a range of online privacy risks.
Invasions of privacy
The Bill would also introduce a new statutory tort for serious invasions of privacy, and amend the Criminal Code Act 1995 (Cth) to introduce a new offence of the intentional malicious exposure of an individual’s personal data online in a manner that would be menacing or harassing – a practice which is colloquially known as ‘doxxing’.
It introduces a further offence where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
What’s not changing (at this time)
The right to ask for information to be deleted has not been included.
The consent requirements for direct marketing and targeted advertising have not increased.
A new general obligation to ensure all handling of personal information is ‘fair and reasonable’ has not been included.
The small business exemption has not been removed or reduced.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.