The Australian Government has today published a draft Bill outlining the next steps in Australia’s Privacy Act Review process. 

The changes to be implemented by the Privacy and Other Legislation Amendment Bill 2024 include the introduction of:

  • A statutory tort for serious invasions of privacy, which has previously been referred to as filling an “increasingly conspicuous gap” in Australian law regarding the rights and remedies available to individuals following a breach of their privacy.  The cause of action will be based on a misuse of information in circumstances where the individual has a reasonable expectation of privacy, the invasion of privacy was serious and the invasion of privacy was intentional or reckless.  Claimants won’t need to prove that losses arose from the invasion of privacy, but will need to demonstrate that the public interest in protecting their privacy outweighs any competing public interest raised by the defendant.  The remedies will include recovery of non-economic losses, however damages will be capped at AUD 478,550.  This is a significant development that will materially change the risk profile for entities processing personal information in Australia.  In the last few years we’ve seen a rapid rise in the number of class actions following data breaches and other privacy incidents, and the introduction of a statutory tort will add  further fuel to the fire;
  • An online Children’s Online Privacy Code, to be developed by the Information Commissioner, which will apply to social media and other internet services which are likely to be accessed by children;
  • Tiered sanctions for less serious privacy breaches.  The power to seek civil penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover for serious interferences with the privacy of individuals will not be impacted.  However, a lower civil penalty of up to AUD 3.3 million (using current penalty units) will apply for non-serious interferences with privacy, and infringement notices and penalties of up to AUD 330,000 may be issued for certain more technical breaches, including deficient privacy policies;
  • A requirement to include details of the use of personal information for “automated decision making” in privacy policies, with “automated decision making” including decisions which are wholly or substantially automated;
  • Eligible data breach declarations, to allow the sharing of personal information following notifiable data breaches for the purpose of preventing or reducing the risk of harm to individuals.  This would allow, for example, details of individuals impacted by an eligible data breach to be shared with banks so that the necessary protective measures could be applied to their accounts;
  • A mechanism to allow for declarations of equivalency to be issued, for the purpose of overseas transfers of personal information.  Currently, the law recognises that personal information can be shared with recipients which are subject to an equivalent law or binding scheme, however no formal declarations of equivalency have been made by the regulator to date; and 
  • A criminal offence of doxxing, which will sit under the Criminal Code 1995 rather than privacy law. 

The Bill follows the Privacy Act Review Report issued by the Attorney-General’s Department in February 2023, which identified 89 proposals directed at legislative change.  In its response in September 2023, the Australian Government accepted the majority of these recommendations.  However, its response differentiated between changes which could be accepted with minimal consultation, and those areas where more extensive engagement was required.

This Bill introduces 23 out of 25 of these expected changes, with the Attorney-General stating that “It begins the much-needed work of updating our privacy laws to be fit-for-purpose for the digital age… It implements a first tranche of agreed recommendations of the Privacy Act Review, ahead of consultation on a second tranche of reforms“.  The Government has committed to developing the next tranche of reforms for targeted consolation over “the coming months“, to ensure “genuine privacy reform in Australia“.