Setting the Foundations For Significant Privacy Law Reform in Australia

  • Market Insight, 13 September 2024
  • Asia Pacific
  • Regulatory risk

On Thursday the 12th of September, the Attorney-General introduced the Privacy and Other Legislation Amendment Bill 2024 (Privacy Amendment Bill) to Parliament. It is not the complete ‘house of reform’ and realignment to the GDPR which was anticipated from the Privacy Act Review and Government Response process. However, the Privacy Amendment Bill has 11 key building blocks of the previously announced significant privacy reforms with the ‘promise’ of the remainder of the reforms to be introduced in 2025.

The building blocks included in the Privacy Amendment Bill are:

  • amending and adding to the ‘Objects’ of the Privacy Act to clarify that they include (a) promoting the protection of individuals’ personal information and (b) recognising the public interest in protecting privacy (to aid interpretation by the Courts);
  • an expansion and strengthening of the powers of the Australian Information Commissioner (IC), including allowing the IC to issue determinations ordering organisations to “perform any reasonable act or course of conduct” to prevent future breaches;
  • greater enforcement measures with a three-tiered civil penalty regime and clarification as to what constitutes a ‘serious’ interference with privacy;
  • clarification on what “reasonable steps” to secure personal information includes;
  • the development and introduction of a new Children’s Online Privacy Code;
  • empowering the Government to make targeted emergency declarations;
  • giving the Attorney-General information sharing abilities during a data breach;
  • introducing a mechanism to better facilitate the flow of information overseas;
  • a new statutory tort for serious privacy infringements;
  • declaring the types of personal information used in automated decision making; and
  • outlawing the malicious release of personal information online (‘doxxing’).

The next stage of reforms, likely throughout 2025, will address the potential removal of the small business and employee records exceptions and introduce revised definitions of personal and sensitive information, a right of erasure, a “fair and reasonable” test and a “controller” and “processor” regime similar to that of the GDPR.

While each of the changes will have an impact on organisations, the biggest impact of the Stage 1 reforms is that, except for the automated decision-making requirements, they have no transition periods. That is, once the Bill is passed and receives Royal Assent, they will have immediate effect.

Key immediate impacts on organisations

Tiered Penalty System

The most impactful single change in the Stage 1 reforms is the introduction of a three-tiered penalty system (i.e. two additional levels to what we have now). While there was much fanfare over the twenty-five fold increase in the maximum penalty available for ‘serious or repeated invasions of privacy’ up to $50 million (or 30% of revenue over the breach period) back in December 2022, the cost and complexity of commencing these large civil penalty proceedings means that they are rarely pursued. However, the Bill empowers the IC to issue infringement notices for a list of specified ‘minor’ breaches of the APPs. This represents a significant new risk for organisations. If you do not comply with any of the following specified requirements under the APPs (plus some others), you may receive an infringement notice and fine (for each ‘failure’) of up to $330,000 for companies:

  • Have a clear, up-to-date and easily accessible privacy policy
  • Clearly detail in your privacy policy the types of personal information you collect, how you collect it and the purposes for which you collect, hold, use and disclose that information
  • Provide an option for individuals not to identify themselves when dealing with the organisation
  • Have an effective, simple and prominent means by which individuals may opt out of receiving direct marketing
  • Deal with an individual’s access or correction request within 30 days.

This enhanced power is designed to encourage enforcement of obligations by the IC and will lead to a much more active regulatory environment.

Notifiable Data Breaches

Both the mid-tier (interference with privacy) and low-tier (infringement notices) penalties also apply to the notification of eligible data breaches to individuals. The failure to notify individuals of a notifiable data breach within a reasonable time will fall within the new mid-tier penalty of up to $3,300,000 for companies. Even where notification is given, if it does not contain the prescribed detail (a description of the breach, the kinds of information affected, and recommendations or steps to take), this could result in an infringement notice with a fine of up to $330,000 for companies.

It is therefore imperative that organisations are fully prepared to respond to a data breach or cyber incident, including ensuring that appropriate response and communications plans are in place to meet their obligations and mitigate any potential exposure to these fines.

What you need to do now

Given the changes in the Privacy Amendment Bill have no transition periods and that there are more reforms to come in 2025, now is the time to assess the status of your privacy and cyber security compliance and what you need to do to uplift these to avoid being the subject of these new powers and fines.

Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand. All of this ensures your “readiness, response and recovery” is in good hands. We provide end-to-end risk management solutions for clients, from advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation and recovery to regulatory investigations, dispute resolution, recovery of damages and third-party claims. We offer market leading, practical, solutions-focussed assistance and advice.
