Even With The Proposed Privacy Act Changes, We Are Not There Yet
After nearly five years of discussion, the much-anticipated Privacy Act changes were introduced into Parliament to the disappointment of most privacy experts who had been expecting a little more.
What’s included:
- a new statutory tort for serious privacy breaches,
- ability to prescribe countries with substantially similar laws (for overseas data flows),
- confirming that reasonable security includes organisational and technical measures,
- transparency requirements for automated decisions,
- more teeth for privacy watchdogs, and
- new powers for the government when responding to data breaches.
It will also introduce a new Children’s Online Privacy Code, with the OAIC to get an extra $3 million over three years for this work. And doxing will be outlawed …
What’s not included:
- Expanded definition of ‘personal information’ to include location data and inferred data,
- Ending the carve-out for small businesses and employee records held by privacy entities,
- A right to erasure,
- Stronger consent models,
- The much hoped-for new “fair and reasonable” test for information handling.
In fact, the proposed amendments leave out most of the fundamental reforms that most privacy professionals, academics, civil society and other commentators regard as necessary to make Australia’s privacy laws fit for the digital era.
What’s New: Privacy Act Proposed Changes
Taking a deeper look at what will be included:
Statutory tort for serious invasions of privacy
Finally, we are getting a statutory tort – giving Australians the right to sue for breach of privacy. This is not a new idea: it was recommended in 2008 and 2014.
But the right will be limited. It will only apply where there is either:
- an intrusion into seclusion (for example, being filmed in a private place) or
- misuse of information relating to a person, where they had a reasonable expectation of privacy.
In addition, the right to sue will only be available if the invasion is “serious” and committed intentionally or recklessly. This imposes a very high bar to any action.
Serious harms caused by an organisation’s negligence would not be enough. This means that the tort is unlikely to be helpful, for example, in most data breach cases (where to date it has been difficult to even establish negligence, let alone intentional harm or recklessness).
A range of defences to the tortious claim will apply, including where the conduct of the defendant was required or authorised by law or was necessary because of a serious threat to life, health or safety. There are also specific exemptions from liability, including for journalism, enforcement bodies and intelligence agencies.
On the positive side, you can have a cause of action without having to prove that any damage arose from the invasion of privacy, although the damage or harm a plaintiff suffers will be a relevant factor in assessing the seriousness of the invasion and the remedies that may be awarded.
It’s also worth noting that the statutory tort will automatically cover simple breaches of the Australian Privacy Principles. If you want to complain about a breach, you must first pursue your complaint or issue with the organisation concerned. Then, if you’re unhappy with the outcome, you can submit a complaint to the OAIC, which then decides whether it will make any investigation or determination… Quite a lengthy process.
Automated decision making
The government is keen to support the safe and responsible development and deployment of automated decision making, stating that it presents significant opportunities – such as increasing the efficiency, accuracy and consistency of decisions, and presenting opportunities for improved outcomes in health, environment, defence and national security.
The Bill will provide individuals with transparency about the use of their personal information in automated decisions which significantly affect their interests. Entities will need to specify the kinds of personal information used in these sorts of decisions in their privacy policies.
Importantly these requirements will apply to decisions that are wholly or substantially automated, ensuring that the new requirements cannot be avoided by ‘tokenistic’ human involvement in a decision-making process.
Fortunately, there are other things happening in the AI space (which often involves automated decision-making) which might provide more protections for Australians. See our post on AI decision making guard rails in Australia here.
Increased OAIC enforcement powers
The OAIC’s investigative powers are extended. The additional powers include search and seizure, which may be exercised under warrant when investigating breaches of the Act, and scalable enforcement options.
Courts will be empowered to make appropriate orders where a court has determined that an entity has breached a civil penalty provision, which may include compensation for loss or damage suffered.
This Bill also strengthens the OAIC’s capacity by expanding monitoring and assessment functions and introduces new public inquiry powers which will enable the Information Commissioner to inquire into specified matters as directed or approved. This will enable the Information Commissioner to keep closer oversight of threats to privacy, including issues of a systemic nature, as they emerge.
Greater powers for the privacy regulator is generally a good thing. However, for many years the OAIC has been constrained by lack of resources – something that many of the most influential respondents to the various discussion papers and reviews have raised over and over again.
Bestowing more powers without the ability to exercise them in practice is unlikely to achieve the desired aim. The Explanatory Memorandum states that: “Effective privacy protection requires proactive regulatory action” – which requires appropriate financial support and resourcing.
Outlawing doxing
The reforms will criminalise doxing – which is defined as the malicious release of personal data online.
Doxing will incur a maximum prison term of six years, with up to seven years in place if a person or group is targeted based on attributes like race, religion, gender, or sexual orientation.
This amendment was not part of the Privacy Act review, but was introduced in response to an incident earlier this year when the personal details of hundreds of Jewish members of an online support group were published without their consent.
The introduction of a doxing offence will not broadly improve the way organisations treat our personal data. Most privacy harms are not caused by the publication of personal details in a manner that is “menacing or harassing” under criminal law.
What happens next
This bill is likely to be referred to a parliamentary committee for review. This means it isn’t likely to be passed until 2025, further delaying the limited amendments that have been proposed.
Further Privacy Act reform
And what about the rest of the amendments that were agreed or agreed-in-principle?
Although these amendments are referred to as a “first tranche” of reform, there’s no timeline for further reform. It’s likely they will not be introduced until after the next election, at the earliest, meaning that the privacy reform process will have been going on for more than five years (having started in 2019 …). And Australians will continue to wait for our privacy laws to be brought into alignment with those of most other developed countries.
In his speech supporting the bill, A-G Dreyfus said: ‘Strong privacy laws and protections are critical to building public trust and confidence in the digital economy, and driving the investments needed to keep people’s data safe.’
However, as it stands, the current limited reform bill is unlikely to fundamentally change the way organisations treat Australians’ personal information or to re-set the rapidly eroding trust Australians have in the digital economy. Another opportunity lost for Australians.
Further References:
- Privacy and Other Legislation Amendment Bill 2024 – Parliament of Australia (aph.gov.au)
- Explanatory Memorandum: ParlInfo – Privacy and Other Legislation Amendment Bill 2024 (aph.gov.au)
- Second reading speech – Privacy and Other Legislation Amendment Bill 2024 | Our ministers – Attorney-General’s portfolio (ag.gov.au)
- Long-overdue Australian privacy law reform is here – and it’s still not fit for the digital era (theconversation.com)
- Media release: Privacy Reform – Digital Rights Watch