"Much ado about nothing": The small yet significant steps in Australian privacy reform

Summary of the Privacy Reforms

The Bill covers a number of different areas, some substantive and others apparently administrative. Highlights include:

1. Expansion of the civil penalty regime: in addition to significant civil penalties for “serious” interference with privacy (maximum of which is the greatest of AUD50,000,000, three times the value of benefit obtained; or 30% of the adjusted turnover), there are now greater powers for the Information Commissioner to propose penalties for less serious or administrative breaches:

• Mid-tier civil penalties for interference with privacy (with a maximum of 2,000 penalty units, i.e., AU$3,330,000 for body corporates and AUD$660,000 for individuals); and
• Low-level civil penalties for “administrative” breaches of certain Australian Privacy Principles (APPs) and data breach requirements (with a maximum of 200 penalty units, i.e., AUD330,000 for body corporates and AUD66,000 for individuals);

2. Creation and expansion of enforcement powers:

• Monitoring and investigation powers, including powers of entry under an investigation warrant;
• An “eligible data breach declaration” power intended to enable emergency authorisation to share personal information for purposes such as fraud prevention after a data breach; and
• The power to require, in a declaration, an APP entity to prevent or reduce any reasonably foreseeable loss or damages that is likely to be suffered;

3. Enhanced disclosure requirements relating to automated decision-making;

4. A mechanism for prescribing countries and cross-border transfer schemes as “substantially similar” to facilitate data transfers;

5. A statutory obligation for the Information Commissioner to develop a Children’s Online Privacy Code; and

6. Specification that reasonable security measures includes both technical and organisational measures.

New Statutory Tort for Serious Invasions of Privacy

Widely anticipated, the Bill introduces a new statutory tort for serious invasions of privacy. The elements of the statutory tort are:

• Invasion of privacy by intrusion into seclusion or misuse of private information;
• Reasonable expectation of privacy by the plaintiff in all the circumstances;
• Most of the amendments in the Bill will take effect when it receives the Royal Assent, which we expect will take place in the first quarter of 2025.
• Intention or recklessness; and
• The invasion of privacy is serious.

The tort is actionable without proof of damage. While the Bill contains several specific defences, it further provides that if the defendant provides evidence of public interest in the invasion of privacy, the plaintiff will have the burden of proof that the public interest in the invasion of privacy was outweighed by the public interest in protecting the plaintiff’s privacy. This public interest test is crucial in balancing the key rights of freedom of expression and privacy. The court may award:

• An interim injunction restraining the defendant;
• Damages for emotional distress;
• Exemplary or punitive damages in exceptional circumstances; and/or
• Any order that the court thinks most appropriate in the circumstances, which can include an order requiring the defendant to apologise to the plaintiff.

New Doxxing Offences

The Bill also introduces doxxing offences which will be included in the Criminal Code. We analysed doxxing and approaches to doxxing in different jurisdictions in our earlier article.Under the Bill, personal data in respect of the doxxing offences includes name, photograph or other image, telephone number, email address, online account, residential address, work or business address, place of education, or place of worship of the individual.

A person commits an offence and may face imprisonment for six years if he or she makes available, publishes or otherwise distributes personal data of one or more individuals using a “carriage service” (e.g., online) and engages in the conduct in a way that reasonable persons would regard as being menacing or harassing towards those individuals. An aggravated offence applies, and the term of imprisonment is extended to seven years, if the defendant acts in any part due to his or her belief that the group (of which the affected individual(s) is a member) is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

Expected Timeframe

Most of the amendments in the Bill will take effect when it receives the Royal Assent, which we expect will take place in the first quarter of 2025.

However, there are two notable exceptions. For the statutory tort for serious invasions of privacy, the commencement will be six months after the Royal Assent or earlier as proclaimed. For disclosure of automated decision-making in privacy notices, APP entities will have two years after the Royal Assent to comply.

Next Steps

The Bill contains many of the less controversial proposals compared to the other proposed reforms that have been agreed or agreed-in-principle to. It is expected that those additional reforms will be introduced in further tranches, but likely only after additional consultation given significant concern in the business community about the proposals and their effect on Australian businesses.

With the Cybersecurity Bill and amendments to the Security of Critical Infrastructure Act expected in October this year, it continues to be an ever-evolving situation for companies operating digitally in Australia.

In the following days, we will take a deep dive into the key amendments brought by the Bill and explain in detail how they could affect how you or your organisation should handle personal information and the steps you should be taking ahead of the reforms coming into force.