Where Are We With The Privacy Act Reforms? A November 2024 Update

If you’re curious about the status of the first tranche of Privacy Act reforms, here’s a quick update. The Privacy and Other Legislation Amendment Bill (Bill), introduced in Parliament on 12 September 2024, marks the first step in turning the Government’s 2023 privacy reform proposals into law. 

Privacy 108 weighed in with its submissions in early October, and as of 14 November 2024, the Senate Legal and Constitutional Affairs Legislation Committee has published its report on the Bill (the Report).

The takeaway? The Committee recommends the Senate pass the Bill but has thrown in 10 recommendations for good measure. Details on the recommendations can be found further below.

Then on 21 November 2024, Greens Senator David Shoebridge tabled amendments to the Bill, proposing three key amendments:

  • Fair and reasonable test: the amendments propose that collection, use or disclosure must be ‘fair and reasonable’.
  • Definition of consent: a new definition of ‘consent’ requires it to meet the standard of being express – voluntary, specific, informed, and given at or near the time of collection, use or disclosure.
  • Revised definition of ‘personal information’: the definition would clarify that an individual is ‘reasonably identifiable’ if they can be distinguished from other individuals, even if the identity of the individual is not known.

What’s next?

Further consultation is planned ahead of the second tranche of privacy reforms. As for amendments to the current Bill, we expect progress soon, given the limited parliamentary sitting days before a potential federal election and the caretaker period.

We’ll stay on top of updates as they unfold. Stay tuned!

Senate Legal and Constitutional Affairs Legislation Committee’s Report on the Bill

In its report on the Bill (the Report), the Committee recommended that the Bill be passed but made 10 recommendations.

The recommendations

  • Children’s Online Privacy Code: Two recommendations in relation to developing the Children’s Online Privacy Code.
  • Statutory privacy tort: Four recommendations focus on refining the proposed tort for serious invasions of privacy. 
  • Transparency on AI systems: A recommendation clarifying that privacy policies are not expected to compromise commercial-in-confidence information about automated decision-making systems. 
  • Compliance flexibility: The Information Commissioner should be able to issue discretionary ‘warnings’ before issuing infringement notices under the new infringement notice provisions. 
  • Media exemptions: A recommendation to clarify emergency information sharing powers to make it clear they are not intended to extend to national broadcasters (other media are already excluded).
  • Journalism exemption: A recommendation that the Bill be amended to ensure that the journalism exemption applies to a person involved in the publication, re-publication or distribution of journalistic material.

What Did It Miss? 

The Report acknowledged our concerns but didn’t fully address some issues we raised: 

  • Definition of ‘children’: The Bill defines children as anyone under 18. We submitted that there should be consistency across laws, especially amid ongoing debates about appropriate age restrictions for social media. 
  • Negligence in privacy breaches: The statutory tort for serious invasions of privacy ignores negligence, focusing only on intentional acts. 
  • AI oversight: While transparency in use of automated decision making in privacy policies is a start, we pushed for stronger individual rights, like requiring human intervention in automated decisions and enabling reviews by a specialist regulator to ensure fairness. 
  • Confusing terminology: The introduction of ‘personal data’ in the Criminal Code alongside ‘personal information’ in the Privacy Act creates unnecessary confusion. We called for harmonising these terms and modernising the Privacy Act’s language.

Other Highlights 

Other submissions proposed privacy reforms outside of the Bill. For instance, Privacy Commissioner Carly Kind urged prioritising changes to the definition of ‘personal information’ and introducing a ‘fair and reasonable’ test. These proposals have been extensively discussed during earlier consultations and remain crucial for future reform. 

Siska is a data privacy, IT and corporate and commercial counsel with an extensive background working at the intersection of business strategy, technology, law and data across a range of industries. She is also an Assistant Professor at Bond University’s School of Law. Prior to joining Privacy 108, Siska was the Global Head of Data Privacy Advisory & Engagement at a global med-tech company.