Privacy reforms in Australia!
The Privacy and Other Legislation Amendment Act 2024 (Cth) contains ‘significant measures’ to reform Australia’s privacy laws and the Criminal Code. These reforms include:
- the introduction of a statutory tort for serious invasions of privacy, for individuals to seek redress for privacy harms in the courts – to be implemented on 10 June 2025 or a date to be proclaimed.
  - The elements of the statutory tort are:
    - an invasion of privacy in circumstances where the plaintiff had a reasonable expectation of privacy
    - the invasion of privacy was intentional or reckless and serious
    - the public interest in the plaintiff’s privacy outweighed any countervailing public interest
  - There is no requirement for proof of damage to the plaintiff, and remedies can include damages, injunctions, an apology, a declaration and the destruction or delivery up of material.
  - Defences will apply, including where: (a) the invasion of privacy was required or authorised by or under an Australian law or court/tribunal order; or (b) the plaintiff, or a person having lawful authority to do so for the plaintiff, expressly or impliedly consented to the invasion of privacy; or (c) the defendant reasonably believed that the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person; or (d) the invasion of privacy was: (i) incidental to the exercise of a lawful right of defence of persons or property; and (ii) proportionate, necessary and reasonable.
  - Exemptions will apply in relation to intelligence agencies and law enforcement bodies, persons disclosing information to such agencies or bodies, persons using information disclosed by such agencies or bodies, and persons under 18 years of age. Journalists and certain other persons are also exempt in certain circumstances.
- the expansion of the OAIC’s enforcement and investigation powers, including higher civil penalties and the power to issue infringement notices – in effect from 11 December 2024
- the OAIC to develop a Children's Online Privacy Code, covering not only social media platforms but any online services likely to be accessed by children – to be developed and registered by 10 December 2026
- a new mechanism to facilitate cross-border data transfers through the development of a 'white list' of countries and binding schemes with adequate privacy protections, to be approved by the Minister if:
  - they provide the same, or at least substantially similar, level of protection as the Australian Privacy Principles would provide; and
  - there are mechanisms the individual can access to enforce the protections
- Ministerial power for eligible data breach declarations and information sharing on a limited basis after an eligible data breach, where to do so would otherwise breach the Privacy Act
- APP entity privacy policies to contain information about substantially automated decisions which significantly affect individuals’ rights or interests, including the kinds of decisions and kinds of personal information used – to be implemented on 11 December 2026
- a new Australian Privacy Principle which requires APP entities to ensure that both ‘technical and organisational measures’ are taken to meet the requirements of APP 11, that is, to keep personal information secure. The new principle is modelled on Article 32 of the European Union’s General Data Protection Regulation (GDPR) and came into effect from 11 December 2024. The Explanatory Memorandum stated that:
  - technical measures include protecting personal information through physical measures, and software and hardware – for example through securing access to premises, encrypting data, anti-virus software and strong passwords
  - organisational measures include steps, processes and actions an entity should put in place – for example, training employees on data protection, and developing standard operating procedures and policies for securing personal information
- a new criminal offence known as “doxxing”, introduced by an amendment to the Criminal Code Act 1995 (Cth) with effect from 11 December 2024. “Doxxing” is the release of personal data that is menacing or harassing towards an individual (penalty up to 6 years’ imprisonment) or towards one or more members of a group based on that person’s belief that the group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin (penalty up to 7 years’ imprisonment)
Further reforms will follow!
Further reforms (a second tranche) are anticipated in 2025. The Attorney General stated that the first tranche is “an important first step in the government's privacy reform agenda, but it will not be the last.”
Assistance and training
Professional assistance with these reforms, including training, is available and should be sought as appropriate.
Dr Nigel Wilson, Director, Australis Chambers
Dr Nigel Wilson is an Australian lawyer and privacy, cybersecurity and technology regulatory specialist with over thirty years’ experience.
He is the author of the international, award-winning Teaching Professionals – Revised AI Edition! and is also a professional workplace trainer and educator for corporations, legal practices, governments, critical infrastructures and not-for-profits. He was a finalist in 3 categories in the Australian AI Awards 2024 (AI Leader of the Year – SME, AI Consultant of the Year – SME and AI Academic / Researcher of the Year).
Dr Nigel Wilson, Australis Chambers
LLB (Hons), BEc, BCL Oxford, Cybersecurity Harvard, PhD
wilson@australischambers.com www.australischambers.com 0413 807 585
Liability limited by a scheme approved under the Professional Standards Legislation