On 12th September 2024, the Privacy and Other Legislation Amendment Bill (the Bill) was introduced in Australia’s House of Representatives, proposing changes to the existing federal Privacy Act 1998 (Privacy Act) to make it more relevant in the digital age. The Bill strives to advance privacy reforms in Australia through provisions for children’s online privacy, automated decision-making, better information sharing after data breaches and emergencies, and the introduction of a criminal offence for doxing. The Bill also establishes a statutory tort for serious invasions of privacy. The Australian government is presenting the Bill as the “first tranche” of its proposed reforms to the broader Privacy Act.

Here are some of the amendments the Bill tackles: 

  • A new system of civil penalties for interferences with privacy: Courts can impose a civil penalty (maximum of 10,000 penalty units for a company or 2,000 penalty units for an individual) for any interference with an individual’s privacy.
  • A statutory tort for serious invasion of privacy: This will allow individuals to seek a legal remedy against people or entities who intrude upon the individual’s seclusion (by physically intruding into their private space) or who misuse their information in circumstances where the individual had a reasonable expectation of privacy.
  • Automated decision-making processes: The Bill aims to provide individuals with greater transparency about how their information is being handled by entities and for what purposes their data is used. 
  • Overseas data flows: A process to prescribe ‘white-listed’ countries suitable for personal data transfers, to ensure the level of protection granted to personal data is substantially similar to that granted by the Australian Privacy Principles.
  • APP Codes: The Information Commissioner will have enhanced powers to make Australian Privacy Principles (APPs) Codes which clarify the application of the APPs and how to comply with them.  
  • Investigative powers: The Bill grants the Office of the Australian Information Commissioner (OAIC) several new powers to assist in its investigative and enforcement functions, particularly for issues of a systematic nature.
  • Children’s Online Privacy Code: A draft Code will be released for consultation and the Code must be implemented within 2 years of the commencement of the amendment.  
  • Criminalisation of offences such as doxing: Doxing (the release of someone’s personal data online without their consent in a manner that is menacing or harassing) will be included as a criminal offence in the Criminal Code 1995. This comes with a maximum penalty of 6 years of imprisonment, or 7 years of imprisonment where the targeting is because of race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

Organisations can work with their global data protection officer to ensure they comply with these proposed measures once they come into force. Steps to take include, but are not limited to:

  • Undertaking privacy gap assessments to mitigate compliance lapses.
  • Focusing on data-breach response plans and international disclosures of personal data to ensure they comply with the Bill.
  • Training employees and third parties to ensure a privacy-first culture is embedded throughout the organisation.

As a global Data Protection Officer, HewardMills can support your team to ensure your processes align with the ever-evolving global regulatory landscape, including helping to ensure compliance with the new Australian privacy Bill or any other data protection legislation as it becomes enforced.

 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.