Key Privacy Reforms – Guidance on ‘serious interference with privacy’ and the new orders available to the Court in civil penalty proceedings

In this the fourth (of five) of our deeper dives into the key areas of the reforms to the Privacy Act in the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill), we examine for organisations (a) the guidance for the Court on the “factors” to be considered to determine if a ‘serious interference with privacy’ has occurred and (b) the expanded orders available to the Court by its own motion or on the application of affected individuals to address relevant ‘contraventions’ of the Privacy Act/APPs in civil penalty cases.

Our original general overview of the key aspects of the Bill can be found here, our first deeper dive on the statutory right of action for serious invasions of privacy can be found here, our second deeper dive on automatic decision making and offshore disclosures can be found here and our third deeper dive on the increased security requirements, the new APP 11.3 and TOMs can be found here.

What is it?

The Bill seeks to strengthen an individual’s right to privacy by giving the OAIC/Privacy Commissioner (PC) and the Court enhanced powers to address a range of privacy contraventions more effectively. Key elements of this are the guidance on what is a ‘serious interference with privacy’ and new orders available to the Court, along with the addition of both a ‘mid tier’ civil penalty for interferences with privacy (i.e. those that do not meet the ‘serious’ threshold) and an administrative style (or ‘low-tier’) ‘infringement notice’ civil penalty for failure to meet certain specific requirements (e.g. not having a privacy policy or not having everything in it that is required to be in a privacy policy), creating a three tired penalty regime. The new mid tier and infringement notice civil penalties will be discussed in the next (i.e. the fifth) of our deeper dives coming soon. 

Factors indicating a ‘serious interference with privacy’

The Court may consider any of the following (non exhaustive) list of factors (Factors) to determine if the interference with privacy is ‘serious’, as regards imposing the high tier civil penalty:

1. the particular kind or kinds of information involved in the interference with privacy;
2. the sensitivity of the personal information of the individual;
3. the consequences, or potential consequences, of the interference with privacy for the individual;
4. the number of individuals affected by the interference with privacy;
5. whether the individual affected by the interference with privacy is a child or person experiencing vulnerability;
6. whether the act was done, or the practice engaged in, repeatedly or continuously;
7. whether the contravening organisation (in our case) failed to take steps to implement practices, procedures and systems to comply with their obligations in relation to privacy in a way that contributed to the interference with privacy; and
8. any other relevant matter.

As a reminder, since mid December 2022 the increased (‘high tier’) civil penalty for serious interferences with privacy (the “or repeated” inferences being removed in the Bill) is up to the greater of:

• $50 million;
• three times the value of the benefit obtained during the contravention; and
• 30% of “adjusted turnover” (i.e. effectively revenue) during the greater of the period of contravention and 12 months.

The Factors will assist the Court with its determination of which, if any, civil penalty is to be imposed. While the Bill removes the “or repeated” interferences from the s 13G Privacy Act, ‘repeated or continuous interferences with privacy’ are still a Factor to be considered (see Factor (f) above) when determining whether or not an interference with privacy is serious. 

The new range of orders

The Bill also enhances the enforcement of privacy protections by expanding the range of orders available to the Federal Court of Australia and the Federal Circuit and Family Court of Australia (collectively Court). These are in addition to and irrespective of any civil penalty imposed by the court and are for relevant privacy ‘contraventions’ that arise for consideration in relation to the action seeking to impose a civil penalty.

If the Court finds that an organisation has contravened any civil penalty related provision of the Privacy Act (contravention), whether or not the Court ultimately imposes a civil penalty, the Court may on its own motion, at the request of the PC or on the application of any affected individual also make any one or more of the following orders (Orders), directing the organisation to:

1. perform any reasonable act, or carry out any reasonable course of conduct, to address the loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention;
2. pay damages to any individual by way of compensation for any loss or damage suffered or likely to be suffered by an individual as a result of the contravention; 
3. engage, or not engage, in any act or practice to avoid repeating or continuing the contravention; and/or
4. publish, or otherwise communicate, a statement about the contravention. 

The contraventions which are within scope for the Orders are any “interference with the privacy of an individual”, which includes any:

1. breach of an APP or a binding registered APP Code in relation to personal information;
2. breach of the Tax File Number Rules in relation to tax file number information that relates to an individual;
3. unauthorised request for a TFN (i.e. tax file number information) of an individual; and
4. breach of any of the assessment of an eligible data breach, preparation of a statement or notification obligations as regards an eligible data breach under the Notifiable Data Breach Scheme in the Privacy Act.

How will this impact you?

Factors indicating a serious interference with privacy

In addition to assisting the Court to determine whether a serious interference with privacy has occurred, the Factors will likely also guide the PC as to when she should seek the high tier civil penalty for a serious interference with the privacy of an individual. For organisations and their advisors the Factors, in particular (6) and (7) above, should also guide them as to what ‘to do’/‘not do’ in practice to avoid (or, at least, minimise) the risk of the high tier civil penalty being considered by the PC and imposed by the Court. Organisations should use the relevant Factors as a ‘roadmap’ to help navigate what needs to be done to ensure their general privacy compliance, compliance with APP 1.2 and to minimise the likelihood of a high tier civil penalty being sought and imposed.

Factors (6) and (7) above are part of a recurring theme throughout the reforms, both those introduced in the Bill and the other announced reforms agreed to/agreed in principle by the Government. Factor (7) links back to APP 1.2 and other announced changes agreed (or agreed in principle) by the Government, of which the Bill is the first part (or ‘tranche’). This Factor reinforces the existing organisation wide accountability requirement that measures necessary to ‘ensure’ the organisation’s privacy compliance are implemented (or, at least, are sought to be implemented). Failure to take any steps at all to implement practices, procedures and systems to comply with the organisation’s privacy obligations (i.e. in accordance with APP 1.2), which failure then contributes (as is likely) to the interference with privacy arising from such failure, will put the organisation squarely within scope for the high tier civil penalty for a serious interference with privacy. 

Factor (6), whether the act or omission in question is done or practice engaged in repeatedly or continuously, will also feed into this consideration. The continuous or repeated nature of any contravention, in itself, suggests a lack of appropriate oversight and that organisational accountability is not in place, in breach of APP 1.2. A key organisational accountability measure is to have a process in place to discover and learn from previous contraventions and to implement measures to eliminate or, at least, significantly reduce the risk of these occurring again. 

The new range of orders

The Orders provide the Court with significant and flexible tools to promote the rights of affected individuals and minimise the impacts of contraventions, even where a civil penalty is not imposed by the Court. For example, organisations that have any contraventions (in particular those that have not even attempted to implement the necessary measures to ensure compliance with the APPs or the Notifiable Data Breach Scheme) should consider what they can and should now be doing to reduce the risk of a significant civil penalty or any of the relevant Orders (e.g. for compensation) being imposed on them.

Perhaps more significant (at least for the first six (6) years after commencement of this change), the new ss 80UA(4) and (5) Privacy Act, once effective as currently drafted, provide that the Court may make such Orders on the application of affected individual(s), on the Court’s own motion or at the PC’s request within six (6) years of the relevant contravention. While s 80UA Privacy Act and the Orders only apply to proceedings instituted after the commencement of s 80UA Privacy Act, such proceedings/applications can reach back and apply to contraventions which occurred up to six (6) years prior to the date those proceedings were instituted. That is, while there is no retrospective effect on proceedings instituted before the commencement of s 80UA Privacy Act, for civil penalty proceedings commenced after commencement of s 80UA Privacy Act the Orders can (at least for the first six years of operation) reach back to contraventions that occurred prior to the commencement of that provision. 

Given that s 80UA Privacy Act will ‘commence’ once the Bill is passed on Royal Assent (i.e. almost immediately the Bill is passed) and that this is likely to be by mid 2025, this should be of significant concern to all organisations who may potentially be subject to a determination that they had interfered with the privacy of an individual (i.e. contravened any of the civil penalty provisions of the Privacy Act/APPs) up to six (6) years prior to the commencement of s 80UA Privacy Act (e.g. from mid 2019 if an action commenced immediately after this provision is effective). 

What you can do to prepare

Given the expectation that the Bill will be passed and these provisions will be effective from mid 2025, there is no transition period, there is no time to waste. 

Our Cyber Advisory and Digital Law teams can assist you to quickly determine whether or not your organisation has practices, procedures, systems and frameworks in place in compliance with Factors (6) and (7) and APP 1.2 and, if so, if these are appropriate. Having these practices, procedures, systems and frameworks in place at an organisational level (even if they are not 100% effective) will significantly minimise the risk of the high tier level of civil penalty being in play (that is, of there being a serious interference with the privacy of an individual). If not, we can advise on (and assist with implementation of) the steps that should be taken now to minimise the risk of an interference (serious or otherwise) with privacy. For any notifiable data breach, our Incident Response and Digital Law teams can assist you to consider how best to address likely contraventions potentially subject to the potential Orders. This will enable any contraventions ‘discovered’ as part of a data breach to be appropriately dealt with to minimise the risk of such Orders being made in any future civil penalty actions instituted by the PC.

Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated market leading privacy and cyber incident response practice across Australia and New Zealand. All of this ensures your “readiness, response and recovery” is in good hands. We provide end to end risk management solutions for clients including in relation to advice, strategy, transactions, innovations, cyber and privacy pre incident readiness, incident response and post incident remediation and recovery, regulatory investigations, dispute resolution, recovery of damages and third-party claims. We offer market leading practical solutions, focussed pragmatic assistance and advice.