The first tranche of Australian privacy law reform has been passed by the Australian government and will come into effect within days. This reform further increases the range and type of penalties that Australia can enforce for non-compliance with local privacy law and introduces changes which businesses will need to action before the end of 2024.
If you are a business operating in Australia:
- The new requirement to publish disclosures regarding automated decision-making within Australian privacy policies is a mandatory action item that needs to be addressed now by way of updates to your privacy policy
- The expanded penalty regime and impending invasion of privacy tort exposes you to greater risk for non-compliance, incentivising you to review your privacy compliance as a whole and upskill to mitigate a higher risk environment down under
Now is the time for businesses to consider their Australian privacy compliance framework. As we head into 2025, you should:
- Revisit your Australian privacy policy and ensure it complies with local requirements
- Assess your privacy practices and confirm whether they are adequate and appropriate for the standards imposed by Australian privacy law
- Ensure your data breach response plan meets the expectations of the Australian notifiable data breach scheme, and train your employees on complying with this policy in the event of a data breach
- If you operate a business that provides online services to children, ensure you stay up to date as Australia develops and implements the proposed “Children’s Online Privacy Code”.
On 29 November 2024, the Privacy and Other Legislation Amendment Bill 2024 (Bill) passed both Houses of Parliament. The Bill contains significant reforms to the Privacy Act 1988 (Cth) (the Privacy Act) to enhance the protection of personal information, including by introducing a tort for invasion of privacy, the creation of a Children’s Online Privacy Code and providing greater clarity on the permissibility of overseas data disclosures. For further information regarding key changes introduced by the Bill, please refer to our previous article on this reform.
The Bill was passed with certain amendments, notably in relation to the enforcement of the Privacy Act and the statutory tort for invasion of privacy. Some of the major amendments include:
Compliance Notice – A new compliance notice regime, which can be issued prior to receiving an infringement notice. The Office of the Australian Information Commissioner will have the power to issue compliance notices in respect of certain breaches of the Privacy Act. Compliance notices will require an entity to either take steps, or refrain from certain conduct to address the relevant privacy breach, or ensure the breach is not repeated or continued. Failure to comply can result in a civil penalty of up to AU$330,000 for corporations.
Exemptions and Defences to the Statutory Tort – The Bill clarifies and broadens some of the exemptions to the statutory tort, including exemptions for:
- Journalistic materials prepared for publication by a journalist or editorial content relating to news, current affairs or a documentary
- State and Territory agencies and authorities, where the invasion of privacy is in the performance or exercise of the agency or authority’s function or power
Most of the provisions of the Bill come into effect immediately after the Bill receives Royal Assent – which is expected to occur within the next week, and certainly before the end of 2024. Australian businesses may have more time to prepare for a privacy landscape which contains a statutory tort for invasion of privacy, with that aspect of the law commencing at a date to be fixed by proclamation, but no later than six months after Royal Assent, meaning the statutory tort will be in place by mid-2025 at the latest.
Data privacy continues to be an important issue in the Australian legislature. While the Bill was passed with amendments, those amendments were minor in context, and further reform of the Privacy Act remains on the agenda. Critically, numerous recommendations from the Privacy Act Review Report remain expected in future changes, although the timeline and certainty of those changes are unclear.
In particular, this reform did not change the small-business or employee record exemptions. These exemptions are fundamental structures of Australian privacy law, carving out privacy compliance obligations for Australian small businesses entirely and relieving all businesses of privacy obligation in respect of their employees. These exemptions are sometimes criticized internationally for not requiring privacy compliance for large portions of the Australian commercial sector and are the key factor behind Australia being considered “not adequate” for the purposes of cross-border disclosure out of the EU pursuant to the EU General Data Protection Regulation (GDPR). As a result, while disclosures out of Australia to Europe are anticipated to be streamlined under the new “whitelisting” framework, disclosures from Europe to Australia will likely continue to require contractual agreements to implement.