Modernising Australia’s Privacy Framework

December 2024

On 29 November 2024, the Privacy and Other Legislation Amendment Act 2024 (the amendments) passed through the Australian Parliament and subsequently received Royal Assent on 10 December 2024. The amendments mark the first wave of much-needed reforms designed to enhance Australia’s privacy framework for the digital age and to better align it with privacy laws internationally. This includes notable reforms to the Privacy Act 1988 (Cth) (Privacy Act).

Key reforms include:

  • new transparency requirements surrounding the use of automated decision-making systems
  • a new children’s online privacy code and, more generally, enhanced code-making powers for the Information Commissioner
  • a statutory tort for serious invasions of privacy
  • criminalisation of the malicious release of personal data (doxxing), and
  • enhanced investigative and monitoring powers for the Office of the Australian Information Commissioner (OAIC).

The devil, as always, will be in the detail, particularly in how the children’s online privacy code and the statutory tort are applied in practice.

Background

In February 2023, the Attorney-General released the landmark Privacy Act Review (the Review), which proposed 116 changes to Australia’s privacy framework to strengthen personal information protection and privacy practices in Australia. The Review exposed critical gaps in the Privacy Act, including in its fundamental architecture, with many elements being described as not reflecting contemporary privacy risks or community expectations.

In September 2023, the Government indicated that it either ‘agreed’ or ‘agreed in principle’ to 106 of the Review’s proposals. The response also outlined the Government’s commitment to modernise the Privacy Act, uplift existing protections, increase clarity and simplicity, improve control and transparency for individuals and strengthen enforcement.

While many of the 106 proposals are not addressed in the privacy amendments, the amendments nonetheless mark the first phase of these critical reforms.

The review of the Privacy Act has coincided with broader discussions around child safety online and the uptake of artificial intelligence (AI) to drive Automated Decision-Making (ADM) systems, which have culminated in additional reforms being incorporated into the Privacy Act.

Transparency requirements on the use of ADM systems

Commencement date of reform: 11 December 2026

The new transparency obligations will require APP entities (that is, organisations covered by the Privacy Act) to disclose when ADM systems use personal information to make decisions that could significantly affect individuals’ rights and interests. This applies when:

  • an entity uses a computer program to make decisions or perform tasks directly related to decision-making
  • the decision could reasonably be expected to significantly affect an individual’s rights or interests, or
  • personal information about the individual is used in the operation of the computer program.

APP entities have a two-year grace period to review their ADM systems and comply with the new transparency requirements. This would involve APP entities disclosing in their privacy policies details about:

  • the kind of personal information used
  • the kind of decisions made solely by ADM systems, and
  • the kind of decisions for which an ADM system does a thing that is substantially and directly related to the making of a decision.

These reforms should be of particular interest to businesses looking to incorporate AI-driven ADM systems. To stay ahead of the curve, businesses should review and update their privacy framework and ADM systems as required to ensure compliance with the upcoming requirements.

New Code-Making Powers and the Children’s Online Privacy Code

Commencement date of reform: Code to be registered by 10 December 2026

Significantly, the privacy amendments grant the Information Commissioner the power to create enforceable codes and, with them, the ability to provide greater clarity and specificity on what is required to comply with the Australian Privacy Principles (APPs). These codes, directed by the Minister, can be either temporary or permanent.

The amendments also mandate the development of the Children’s Online Privacy Code (COPC) within two years of the incorporation of the new provisions into the Privacy Act. The code applies to entities that provide social media services likely to be accessed by children and that do not provide a health service. Notably, however, because Parliament recently passed social media minimum age legislation, children under 16 will be prohibited from accessing social media platforms regardless.

The intention is to protect children by enhancing privacy protections through the COPC and aligning these protections with the UK’s Age Appropriate Design Code. Impacted businesses will be well served to review the UK Code as development of the COPC progresses.

Tort for serious invasions of privacy

Commencement date of reform: A date to be fixed by proclamation, but must commence by 11 June 2025

The privacy amendments introduce Australia’s first statutory right for individuals to sue businesses directly for serious invasions of privacy. To rely on the statutory right, a plaintiff must establish three key elements:

  • there was an invasion of the plaintiff’s privacy by intrusion upon seclusion or a misuse of information
  • that a reasonable person would have had an expectation of privacy, and
  • the invasion was serious and intentional or reckless.

Success in the claim may also depend on demonstrating that protecting the plaintiff’s privacy serves a public interest that outweighs any competing public interests raised in defence.

This statutory right will empower individuals to seek redress directly against relevant businesses for serious privacy invasions, which in turn is likely to lead to increased litigation. In this respect, it will be important that appropriate measures are put in place to limit frivolous or vexatious claims under the new right, so that legitimate claims receive the attention intended.

Organisations should be regularly reviewing their compliance with the Privacy Act and their security posture, including data retention arrangements, to the extent they are not already.

The New Offences of ‘Doxxing’

Commencement date of reform: 11 December 2024

The amendments introduce two new criminal offences targeting ‘doxxing’ – the malicious sharing of an individual’s identifying, contact or location information with the intent of harming or harassing.

The first offence carries a maximum six-year prison sentence and makes it a crime to share someone’s personal data if they:

  • use a carriage service, such as the internet or phone, to make available or otherwise distribute the personal information of one or more individuals, and
  • the person engages in the conduct in a way that a reasonable person would regard as menacing or harassing towards those individuals.

The second offence is effectively an aggravated version of the first offence, which carries a longer seven-year maximum prison sentence. The offence applies when someone shares private information to target people based on certain characteristics such as race, religion, or disability.

Enhanced OAIC investigative and monitoring powers

Commencement date of reform: 11 December 2024

The privacy amendments also bolster the OAIC’s investigative and enforcement powers and broaden the sanctions available to the court through:

  • the introduction of civil penalties that match the severity of the breach
  • expanded court powers to order penalties beyond monetary penalties
  • expanded OAIC powers to investigate and monitor, and
  • empowering the Information Commissioner to conduct public inquiries.

The new powers will be welcomed by the OAIC, as they provide alternative means of enforcing compliance with the Privacy Act beyond seeking court-imposed fines and penalties for repeated or serious interferences with privacy.

Who will be affected?

The amendments to the Privacy Act will primarily fall on APP entities. Exempt businesses, such as small businesses below the AUD$3,000,000 turnover threshold, will continue to be exempt.

Key Impacts on Organisations

  • APP entities may face a greater risk of prosecution or investigation for non-compliance with the Privacy Act
  • APP entities will need to comply with additional transparency requirements on the use of ADM systems
  • Social media services providers whose platforms are likely to be accessed by children will need to comply with additional privacy obligations aimed at protecting children by limiting access, and
  • all organisations will need to have very careful regard to their privacy and cyber security frameworks, particularly in data breach scenarios, to limit their exposure to the new statutory tort and the broader OAIC enforcement powers.

Recommended preparations

In preparation for the Privacy Act amendments, entities should:

  • proactively identify and address any compliance gaps and ensure their compliance measures are well documented
  • consider whether they use, or are in the process of implementing, ADM systems for decision-making
  • ensure that they are prepared to detail the use of ADM systems in their privacy policy
  • consider whether they are likely to be captured by the COPC
  • if so, review the relevant UK Code in preparation for the development of the COPC, and
  • review their data governance policies and procedures to minimise the likelihood of a privacy tort claim.

How should businesses respond?

The Privacy Act amendments represent an initial step towards a long overdue reform of Australia’s privacy framework. This first wave of reforms includes enhanced enforcement, greater transparency around ADM, enforceable codes, stronger protections for children online, and new consequences for serious invasions of privacy and the doxxing of individuals.

Businesses should proactively assess the impact of these changes on their operations and ensure their compliance strategies are robust and up-to-date. Now is the time to prepare for the evolving privacy landscape and safeguard your organisation against potential risks.

This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be, nor should it be relied upon as, legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.


© Gilchrist Connell 2026
