One small step for privacy reform – what the Government’s new Privacy Bill does (and doesn’t) cover
The Australian Government has introduced the first tranche of its reforms to the Privacy Act 1988 (Cth) (Privacy Act) through the Privacy and Other Legislation Amendment Bill 2024 (Privacy Bill).
This Privacy Bill:
- implements 23 of the 25 legislative proposals ‘agreed’ by the Government as part of the September 2023 Response to the Privacy Act Review;
- introduces a new statutory tort for serious invasions of privacy; and
- introduces criminal offences for doxxing.
Despite these changes, the Privacy Bill leaves out a significant portion of the more substantive reform that would bring Australia's privacy and data regulatory regime into line with other jurisdictions, such as the European Union.
This gives organisations time to get ahead of the Government and take practical steps to prepare for the Privacy Act reforms. The message from Maddocks on the Privacy Act reforms has been consistent: organisations need to be taking proactive preparatory steps now, rather than waiting for the final form of the changes.
Regardless of the Privacy Act reforms, cyber attacks have become markedly more sophisticated over the last four years, with a cybercrime report received by the Australian Cyber Security Centre on average every six minutes (see the ASD Cyber Threat Report 2022-2023).
In early 2024, ASIC flagged that it would be targeting executives and boards in relation to their organisation's cyber weaknesses and privacy breaches, and also targeting organisations that fail to ensure their third-party providers adequately protect personal information. Reporting suggests that the corporate regulator will seek to make an example of boards and executives who are recklessly ill-prepared for a cyber attack. ASIC has made clear that cyber resilience must be a top priority for all boards and that the risks posed by third-party providers must be managed. In June, the OAIC and ASIC signed a memorandum of understanding that makes information sharing between the two regulators easier.
The current threat landscape and broader regulatory developments mean that organisations must be taking a robust and proactive approach to compliance, managing risks and preparing for anticipated reforms.
While the precise shape of the final Privacy Act reforms is yet to be determined, there are a number of practical steps that organisations can take now to prepare. We have set these out in the practical checklist below, with easy-to-follow steps.
What’s in the new Privacy Bill
Some may be disappointed by the limited scope of the Privacy Bill, which is confined to reforms that have been "agreed" by the Government. The privacy regulator, the OAIC, has made clear that more is to be done.
Some of the most significant proposed legislative changes in the Privacy Bill are:
- The enhanced civil penalty regime, which the OAIC has said will "add significantly to our enforcement toolkit, providing the OAIC with greater discretion and flexibility to apply a risk-based approach to enforcement that is proportionate and also supportive of a growing digital economy".
- The statutory tort, which is stated to fill a gap in the privacy landscape by giving people the ability to seek redress through the courts for serious invasions of privacy.
- Amendments to APP 11 (the security obligation) to clarify that the reasonable steps entities must take to keep personal information secure include technical and organisational measures.
The Privacy Bill also:
- clarifies the objects of the Privacy Act to promote the protection of individuals’ personal information and recognise the public interest in protecting privacy;
- increases the Information Commissioner’s powers to develop APP codes that provide clarity on the application of, or compliance with, the APPs;
- allows entities to handle personal information in ways they normally couldn't under the APPs in emergency and disaster situations;
- introduces a Children’s Online Privacy Code to enhance privacy protections for children;
- provides a mechanism to prescribe countries and binding schemes that provide substantially similar protection to the APPs, to assist organisations in assessing whether to disclose personal information to an overseas recipient;
- facilitates the sharing of personal information to reduce the risk of harm to individuals where an eligible data breach has occurred;
- introduces a tiered civil penalty structure for breaches of the Privacy Act, covering mid-tier and lower-level privacy breaches, and breaches of specific obligations in the APPs and non-compliant eligible data breach statements;
- empowers the Information Commissioner to undertake public inquiries on matters relating to privacy;
- strengthens the Information Commissioner’s enforcement powers, including through enabling the Information Commissioner to issue:
- infringement notices for civil penalties for relatively minor contraventions of the Privacy Act; and
- determinations that require organisations to take action to prevent reasonably foreseeable future loss or damage;
- requires organisations to include information in privacy policies about automated decisions that significantly affect individuals;
- introduces criminal offences for the malicious release of personal information.
What’s still to come
A number of more substantive amendments are still to come.
A number of key "agreed in principle" legislative proposals have been left out of the Privacy Bill and are foreshadowed to come in Tranche 2, including:
- expanding the definition of “personal information” to include information which ‘relates to’ an individual (instead of ‘about’ an individual), and include identifiable technical and inferred information (e.g. IP addresses and device identifiers);
- including geolocation and genomic information as a type of “sensitive information”;
- introducing a higher standard of de-identification;
- removing the small business exemption, bringing small businesses within the scope of the Privacy Act;
- introducing a distinction between controllers and processors of personal information;
- requiring that the collection, use and disclosure of personal information must be fair and reasonable;
- requiring that a Privacy Impact Assessment (PIA) is conducted prior to any activities with a high privacy risk;
- updating the definition of consent to be voluntary, informed, current, specific and unambiguous;
- recognising the right of individuals to withdraw consent for personal information to be handled;
- recognising the right of individuals to opt out of the use or disclosure of their information for direct marketing purposes;
- requiring compliance with baseline privacy outcomes aligned with the 2023-2030 Australian Cyber Security Strategy;
- requiring organisations to set minimum and maximum retention periods for the personal information they hold, and to specify these in their privacy policies;
- requiring notifications to the OAIC of an eligible data breach within 72 hours;
- requiring the implementation of practices, procedures and systems to respond to a data breach; and
- introducing an individual’s right to erase personal information held by an organisation.
Don’t wait for the Bill to progress or for Tranche 2 – this is what you should be doing now
While organisations wait to see what the Privacy Act will look like once the Government has pushed through its final reforms, there are a number of key practical steps to take to prepare now.
We have drafted a checklist you can use:
| Task | Yes | No |
|---|---|---|
| Determine if the Privacy Act applies to your organisation, or may apply in the future if the Privacy Act reforms take place. | | |
| Conduct a maturity assessment of current compliance with the Privacy Act and the APPs; this baseline understanding will be critical to responding to the reforms. | | |
| Conduct a data mapping exercise to understand and record: | | |
| Implement a data breach response plan and test that plan (be prepared to respond within shorter timeframes). | | |
| Review existing collection notices, consents and privacy policies. | | |
| Appoint staff who are responsible for privacy, such as a privacy officer, and privacy champions. | | |
| Train staff on privacy compliance. | | |
| Conduct Privacy Impact Assessments (PIAs) whenever your organisation is considering implementing a new or changed way of handling personal information. | | |
| Consider your organisation's Essential Eight maturity level under the Australian Cyber Security Centre's "Essential Eight" model. This can be linked back to the APP 11 requirement to have technical and organisational measures in place. | | |
| Invest in privacy and cyber risk management. It is critical to set aside sufficient budget and people to manage current risks as well as to deal with significant reforms. | | |
| Implement a privacy management plan. A privacy management plan is essential for tracking maturity and outlining key roles and responsibilities. Having a clear privacy management plan now will help organisations respond methodically to the reforms. Monitoring the reforms should be an action included in any privacy management plan. | | |
Key takeaways
The Privacy Bill introduces some key reforms that will have major ramifications for organisations. Strengthened penalty and enforcement provisions should come as no surprise, given the surge in cyber attacks and data breaches in recent years, and they signal a tick of approval for further regulatory action against organisations that fail to protect personal information and take cyber risks seriously. The statutory cause of action for a serious invasion of privacy may also empower individuals to hold large organisations to account for how they deal with their personal information.
Despite this, the Privacy Bill leaves out a significant portion of the more substantive reform that would bring Australia's privacy and data regulatory regime into line with other jurisdictions, such as the European Union. Those reforms are anticipated to follow in Tranche 2.
Organisations should act now to get ahead of the Government, taking practical steps to prepare for the reforms and to mitigate current threats.