13/09/2024
Today the long-awaited first tranche of amendments to the Privacy Act 1988 (Cth) (Privacy Act) entered parliament. The Privacy and Other Legislation Amendment Bill 2024 (Bill) was introduced and read for a first time today in the House of Representatives.
In the Explanatory Memorandum to the Bill, the Attorney-General conceded that to date, the Privacy Act has not kept pace with the widespread adoption of and reliance on digital technologies here in Australia, acknowledging that this has led to significant online harms including data breaches, fraud, identity theft, unwanted surveillance and even doxxing.
The Bill will implement 23 of the 25 legislative proposals that were agreed in the Government Response to the Privacy Act Review released almost a year ago.
Among these 23 reforms are:
- Enhanced enforcement powers of the Office of the Information Commissioner (OAIC) including powers of investigation and public inquiry, power to develop APP Codes at the direction of the Minister and powers to tailor civil penalties to the seriousness of a privacy breach
- Requirement for OAIC to develop a Children’s Online Privacy Code within the first two years of the Bill’s commencement
- Statutory cause of action (tort) for serious invasions of privacy
- Amendments to the Criminal Code Act 1995 (Cth) to introduce new offences targeting the release of personal data using a carriage service in a manner that would be menacing or harassing – a practice known as ‘doxxing’
- Creation of a civil penalty provision for “serious” interferences with privacy and a list of factors to determine seriousness which include the sensitivity of the information involved, consequences, vulnerability of the affected individuals, whether it was a repeated interference and the number of individuals affected.
However, one of the biggest changes to the Privacy Act which has made its way into this first suite of reforms is an update to APP 1 – Open and transparent management of personal information, regarding automated decision making. The Bill introduces a new requirement for APP entities to include information in their Privacy Policy which addresses:
- the kinds of personal information used in the operation of computer programs and
- the kinds of decisions or parts that inform a decision made solely by the operation of a computer program
In practical terms, this means that if you use AI or other automated tools to process information and make decisions that affect your customers, you need to be transparent about it.
OAIC have released a statement saying they “welcome” the Bill as a “first step” in privacy reforms. Australian Privacy Commissioner Carly Kind has said the Bill contains “important initiatives that will have benefits for the Australian community” but noted “much more needed to be done”.
Please get in touch with our experienced privacy team to discuss what these reforms mean for you and your agency or business.