Publications

The developing privacy landscape: proposed changes to Commonwealth privacy legislation are afoot!

Published on September 25, 2024 by Selwyn Black, Patricia Monemvasitis, Yue Lucy Han and Samuel ChuSelwyn Black, Patricia Monemvasitis, Yue Lucy Han and Samuel Chu

Your business, educational institution, charity or other community organisation should be aware of proposed changes to Commonwealth privacy legislation that were introduced into the Commonwealth Parliament in September 2024. If these proposed changes are implemented by the Commonwealth Parliament, they could affect how your organisation should manage privacy risks that it may face on a day-to-day basis.

It is important for you to take action now to prepare your organisation (especially if you are using artificial intelligence solutions), to proactively address the developing privacy obligations.

On 12 September 2024, the Commonwealth Government introduced the Privacy and Other Legislation Amendment Bill 2024 into the Commonwealth Parliament. Relevantly, this Bill proposes a number of key changes to Commonwealth privacy legislation (that is, the Privacy Act 1988 (Cth)) – including:

• to clarify the objects of the Act to focus on information privacy by amending the object to promote the protection of the privacy of individuals with respect to their personal information;
• a new stand-alone statutory tort for individuals to bring claims for serious invasions of privacy;
• introducing new civil penalty provisions for the interference with the privacy of individuals and for breaching specific Australian Privacy Principles;
• requiring the Office of the Australian Information Commissioner to develop a Children’s Online Privacy Code within 2 years from when the provisions become law;
• a new criminal offence targeting the release of personal data using a carriage service in a manner that would be menacing (in other words, this new criminal offence would make ‘doxxing’ a crime);
• provisions to let entities easily handle information, where it would be necessary to help individuals in emergencies and following significant data breaches;
• requiring additional information in privacy policies if the entities use personal information in automated decisions and failure to do so will be a breach of the new civil penalty provisions;
• clarifying that requirements in APP 11 for entities to covered by the Australian Privacy Principles to “take reasonable steps” to protect the security of personal information must be satisfied by entities taking both technical and organisational steps.

Our Firm has been monitoring the changing Commonwealth privacy law landscape for some time. This is because the Commonwealth privacy law regulatory framework has been subject to two years’ worth of law reform efforts from the Commonwealth Attorney-General’s Department (in co-operation with the Commonwealth Government). The Department (in late 2022) completed a broad review of the Privacy Act, and the Commonwealth Government (in late 2023) responded to – and agreed (or agreed-in-principle) to implement nearly all of – the recommendations arising from the Department’s review of the Privacy Act.

Accordingly, this Bill is the first of (what is likely to be) a number of tranches of reforms that the Commonwealth Government will introduce to Commonwealth privacy legislation. We expect that later tranches of reforms may propose a number of key changes that are directly relevant to businesses and charities, including:

• removing the “small business exemption” in the Privacy Act. If the “small business exemption” is removed, many small entities, being entities with an annual turnover of $3,000,000 or less, will then need to comply with the Privacy Act (including the Australian Privacy Principles) – and will accordingly be required, under APP 1.3, to adopt and maintain a clearly expressed and up-to-date privacy policy;
• amending the Privacy Act to clarify that the collection, use and disclosure of personal information must be “fair and reasonable in the circumstances”;
• amending the definition of “collection” for Privacy Act purposes to expressly cover information obtained from any source and by any means, including inferred or generated information;
• introducing an express requirement in APP 5 that notices of the collection of personal information that entities provide must be clear, up-to-date, concise and understandable;
• giving individuals additional rights to help them manage personal information that entities hold about them, and to (more broadly) exercise their rights under the Privacy Act (including the Australian Privacy Principles); and
• clarifying the scope of permitted direct marketing for the purposes of the Privacy Act (with a view to limiting the circumstances in which an entity may engage in direct marketing towards children and other individuals).

In today’s rapidly evolving privacy landscape, developing your organisation’s approach to privacy is not just a legal obligation but a cornerstone of trust and integrity with your stakeholders.

As your dedicated partner in navigating the complexities of privacy law, we invite you to take proactive steps to protect your organisation and those you serve by:

1. scheduling a comprehensive privacy audit with our expert team to identify and mitigate potential risks.
2. investing in ongoing privacy training for your staff to ensure compliance and foster a culture of vigilance; and
3. staying ahead of regulatory changes by subscribing to our privacy law updates and insights, empowering your organisation to adapt swiftly and confidently.

If your business, educational institution, charity or other community organisation needs advice or assistance to manage privacy risks affecting its activities, please contact Selwyn Black, Patricia Monemvasitis, Yue Lucy Han or Samuel Chu.

Please note that this article does not constitute legal advice. If you are seeking professional advice on any legal matters, you can contact Carroll & O’Dea Lawyers on 1800 059 278 or via our Contact Page and one of our lawyers will be able to assist you.