How Organisations Should Prepare For The Proposed Privacy Law Reforms
On Thursday 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (Bill) was introduced into parliament, marking the first tranche of reforms to the Privacy Act 1988 (Cth). This is the Australian Government’s first legislative response to the long-awaited reforms to Australia’s privacy framework. We’ve discussed the initial tranche of reforms here. In this article, we’ll break down the practical implications of the Bill and what organisations should do to prepare.
Key reforms and actions for organisations
The Bill implements 23 legislative proposals that were agreed upon by the Government in its response to the 116 proposals set out in the Privacy Act Review Report. Notably, it introduces a new statutory tort for serious invasions of privacy, a tiered penalty regime, new transparency requirements and a new Children’s Online Privacy Code. Below, we outline these reforms and the concrete steps your organisation should consider.
New statutory tort to address serious invasions of privacy
The Bill introduces a new statutory tort for serious invasions of privacy. The tort covers two kinds of invasion: intrusion upon seclusion (physical privacy, such as watching, listening to or recording a person's private activities) and misuse of information relating to the individual. To succeed, a plaintiff must establish each of the following elements:
- The individual had a reasonable expectation of privacy in all of the circumstances
- The invasion was intentional or reckless (negligence is not enough)
- The invasion was serious
- The public interest in protecting the individual's privacy outweighs any countervailing public interest, such as freedom of expression
Action steps
- Review and update internal policies and procedures so they address not only data breaches but also broader privacy concerns, including physical privacy (surveillance, monitoring and recording of individuals)
- Train staff on what constitutes an intentional or reckless invasion of privacy and on how to minimise those risks in day-to-day work
- Conduct privacy impact assessments as a matter of routine, particularly when launching new projects or systems that collect or use personal information
Children’s Online Privacy Code
The Bill requires the Information Commissioner to develop and register a Children's Online Privacy Code within 24 months of the relevant provisions commencing. The Code will set out how the Australian Privacy Principles apply to online services that children are likely to access.
Action steps
- If your organisation handles children's personal information (i.e., information about an individual who has not reached 18 years), start preparing now by reviewing your data handling processes and identifying which products and services are likely to be accessed by children
- Ensure your privacy policies and procedures are ready to adapt to the new Code once it is registered, and assess whether your consent and age-assurance mechanisms for children need updating
Ministerial power for emergency information sharing
The Bill allows the Minister to make a declaration that permits personal information to be collected, used and disclosed under streamlined rules for the purpose of responding to an emergency or an eligible data breach, where this is necessary to prevent or reduce harm to affected individuals. A declaration is time-limited and may specify the entities, information and purposes it covers.
Action steps
- Update your incident response plans to account for the Ministerial power. This should include a protocol for confirming that a declaration is in force and what it permits, and for how and with whom personal information may be shared while it applies
- Train staff on these updated processes and ensure decision-makers understand that sharing under a declaration is limited to the purposes, entities and period the declaration specifies, and that the usual APP obligations otherwise continue to apply
Stronger enforcement powers for OAIC
The Bill strengthens the enforcement powers of the Office of the Australian Information Commissioner (OAIC), introducing a three-tier civil penalty regime for interferences with privacy:
1. Serious interferences with the privacy of an individual remain subject to the highest level of civil penalties – for a body corporate, this is the greater of $50m, three times the value of any benefit obtained from the interference, or 30% of annual turnover for the body corporate over a 12-month period. The OAIC must still apply to the Federal Court to impose this penalty.
When determining whether an interference is 'serious', the Bill sets out a non-exhaustive list of factors the court may have regard to:
- The kind of information involved
- The sensitivity of the information
- Consequences of interference for an individual
- Number of individuals affected
- Whether the individual is a child or person experiencing vulnerability
- Whether the act or practice was repeated or continuous
- Whether the contravention resulted from the organisation failing to take steps to implement practices, procedures and systems to comply with its obligations
2. Mid-tier penalties for interferences with privacy that are not serious, up to approximately $3.13m for a body corporate (10,000 penalty units at the current rate of $313 per unit). Again, the OAIC must still apply to the Federal Court to impose this penalty.
3. Lower-tier penalties, up to $313,000 for a body corporate (1,000 penalty units), for administrative breaches of the Australian Privacy Principles (APPs) such as having a deficient privacy policy, failing to provide opt-out controls for direct marketing, not properly dealing with correction requests, or providing non-compliant eligible data breach statements.
For the lower tier, the OAIC can also issue infringement notices directly, without going to court, for a fixed amount that is lower than the court-ordered maximum. Paying the notice discharges the matter. An organisation that disputes a notice can decline to pay it, in which case the alleged contravention falls to be determined by the Federal Court in proceedings brought by the Commissioner, with the associated cost and publicity.
Action steps
- Establish a robust privacy program. This should include clear policies, a tested data breach notification procedure, and regular audits to confirm compliance with the APPs, including the administrative requirements (privacy policy content, direct marketing opt-outs, correction requests) that the new infringement notice power targets
- Ensure your privacy practices are fully documented, and that you are actively monitoring for and remediating compliance gaps
- Prioritise data governance. If your organisation has not yet embedded strong data governance and privacy compliance frameworks, now is the time to act. Because a failure to implement compliant practices, procedures and systems is itself a factor in assessing seriousness, organisations without effective systems in place face a greater risk of the highest penalty tier.
Increased transparency for automated decision making
The Bill introduces transparency requirements for organisations that use personal information in computer programs to make, or substantially assist in making, decisions that could reasonably be expected to significantly affect an individual's rights or interests. These requirements apply 24 months after the Bill receives Royal Assent, to give organisations time to prepare. Organisations must:
- Disclose in their privacy policies the kinds of personal information used in these automated decision-making programs
- Explain the kinds of decisions these programs make, or substantially contribute to, that could significantly affect individuals' rights or interests, such as granting or refusing benefits or services
Action Steps
- Inventory the systems in your organisation that make or substantially assist decisions about individuals, then review your privacy policy and update it to reflect them. Ensure it is clear about the kinds of decisions made, the personal information used, and how these decisions might affect individuals
- Consider adding a review mechanism that allows individuals to request human review of, or contest, an automated decision that affects them, even though the Bill does not mandate one
Key Takeaways
The proposed changes to privacy law signal that now, more than ever, privacy compliance should be a top priority for organisations. Here are the key takeaways:
- Conduct an enterprise-wide baseline privacy assessment: evaluate your organisation's current processes, especially around data governance, privacy policies and the handling of personal information.
- Update internal policies: prepare for the new tiered penalties and transparency requirements by ensuring your data handling and breach notification practices are up to date.
- Train staff and build awareness: regular training on privacy obligations and breach response protocols is essential. Ensure all employees, particularly those in data management and decision-making roles, are well prepared.
- Prepare for future reforms: the Bill is just the first tranche of reforms. Keep an eye on future changes and ensure you’re well prepared to adapt.
By taking proactive steps now, organisations can mitigate risks, avoid penalties and ensure compliance with Australia’s evolving privacy laws.