Slow and steady: 2024 Privacy Act Reform Bill released

• The development of a COP Code by the Information Commissioner is a positive step towards enhancing online privacy protections for children, particularly on social media and electronic services. This initiative aims to align with international standards, such as those in the UK, and is supported by $3m in funding over three years for the OAIC.
• However, it remains uncertain if the new code will address the recommendation for entities to consider the best interests of the child when collecting, using, or disclosing information. It's surprising that this wasn't included as a requirement.
• Additionally, the Federal Government plans to ban social media use for children under a certain age, potentially up to 16 years old. This social media banning legislation will be developed in collaboration with states and territories and will include trials of age verification technology, which raises further privacy concerns.
• If you collect children’s personal information in the course of business, you should already be considering how you can put in place additional processes, procedures and technology to enhance your data governance and protection environment.

• The clarification that APP 11 includes both technical and organisational measures, such as data encryption and staff training, formalises best practices from OAIC guidance into a legal requirement.
• This aligns our legislation with the GDPR and other international standards. We anticipate the OAIC will update its guidance on APP 11 to define "reasonable steps" more clearly. Organisations should proactively secure information by implementing governance, processes, procedures, and technologies to meet these standards.

Introducing a mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs and then allowing disclosure of information to organisations in those jurisdictions. This will occur where a country or binding scheme:

• has been prescribed in regulations as protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information; and
• provides mechanisms that the individual can access to take action to enforce that protection.

• Introducing a mechanism to recognise countries and binding schemes with protections similar to the APPs is a positive step for facilitating cross-border data flows. This simplifies legal challenges for global organisations, especially those dealing with Europe (and other countries with GDPR like laws), the UK, New Zealand, and parts of the US and Canada.
• As the EU revisits its standard contractual clauses under the GDPR, we anticipate that we will eventually see a similar approach integrated into the Act. The key question is whether these will be mandatory or part of a broader framework for countries lacking adequate protections.

• This amendment, likely further inspired by the Optus cyber incident, allows the Minister to temporarily enable entities to handle personal information in ways not usually permitted under the APPs to mitigate harm from data breaches.
• It's a positive change, ensuring laws don't hinder harm minimisation. However, it requires careful balancing to avoid increasing risks to individuals through these sharing activities. There are harsh penalties for organisations who receive this information and do not handle it in accordance with the scheme — so beware! 

1. Providing a non-exhaustive list of matters that a court must take into account when determining whether an interference of privacy is serious that includes the kind of information, the sensitivity, consequences or potential consequences, number and kinds of individuals affected, repetition of the act and steps that were not taken;
2. Creating new civil penalty provisions as follows:
   1. where an entity engages in an interference with the privacy of an individual
      
      Maximum penalty of $660,000 (2000 units) for individuals or $3.3m (10000 units) for bodies corporate (section 13H).
      
      (Note: A court may determine there has been a contravention of this section where the seriousness element has not been met or there is a contravention of both)
   2. an APP entity prepares an incomplete eligible data breach statement under section 26WH or breaches the following:
      - APP 1.3: Requirement to have an APP privacy policy
      - APP 1.4: Contents of APP privacy policy
      - APP 2.1: Individuals may choose not to identify themselves in dealings with entities
      - APP 6.5: Written notice of certain uses or disclosures
      - APP 7.2(c) or 7.3(c): Simple means for individuals to opt out of direct marketing communications
      - APP 7.3(d): Requirement to draw attention to the ability to opt out of direct marketing communications
      - APP 7.7(a): Giving effect to request in a reasonable period
      - APP 7.7(b): Notification of source of information
      - APP 13.5: Dealing with requests
      - any other that becomes prescribed in legislation.
      
      Maximum penalty of $66,000 (200 units) for individuals or $330,000 (1000 units) for bodies corporate (section 13K).
3. Enabling the Information Commissioner to also to issue infringement notices in relation to B(b) above
   
   Maximum penalty of a $3,960 (12 units) penalty for individuals, $19,600 (60 units) for non-listed bodies corporate and $66,000 (200 units) for listed bodies corporate.
4. Expanding the powers of the Court in civil penalty proceedings to make any order it sees fit, provided the Court is satisfied there has been contravention of a civil penalty provision.
   1. Includes orders for compensation and to take steps to minimise further impacts to individuals impacted by the interference with privacy.
   2. Notably, such orders may be made on the Court’s own initiative during proceedings or on application by the Commissioner or an affected individual within 6 years of the contravention.
   3. It also has a retrospective application.

• This reform is a pivotal part of the current legislative changes. The introduction of a non-exhaustive list of factors for courts to consider when determining serious privacy interference provides much-needed clarity. This codification aligns with existing OAIC guidance, ensuring consistency in legal interpretation.
• The new tiered penalty system offers the regulator greater flexibility to address privacy breaches. It allows for a nuanced approach, particularly beneficial for dealing with smaller organisations. The penalties range from $660,000 for individuals to $3.3m for bodies corporate, depending on the severity and nature of the breach.
• For those smaller operators above the small business threshold, these reforms act as a significant deterrent. If the OAIC can efficiently issue infringement notices, it could lead to widespread compliance improvements across the economy. The penalties for incomplete data breach statements and breaches of specific APPs further reinforce this.
• One potential risk is that, without increased funding, the OAIC might opt for utilising simpler penalty regimes, potentially limiting the effectiveness of enforcement and the deterrence for larger organisations. The deterrent effect of massive GDPR fines has been considerable and the OAIC should not abandon that approach due to the complexity and challenges of enforcement. It will be important for the OAIC to use an appropriate mix of the enforcement measures now available to it to maximise their role in driving compliance.
• The changes to the Court's powers regarding compensation orders allow individuals to seek compensation directly when a civil penalty is applied. This could temporarily address the absence of a direct right of action. However, it still depends on the OAIC initiating and succeeding in civil penalty proceedings, but this process is now somewhat easier due to the lower threshold for new civil penalties.
• The retrospective application of expanded Court powers could significantly impact ongoing civil penalty proceedings. If civil penalties are successfully applied by the OAIC, individuals may bring direct compensation claims against these organisations under the new provisions. This aspect of the reform underscores the critical importance of compliance and highlights the potential consequences of privacy breaches. This serves as a reminder of the evolving legal landscape and the need for vigilance in adhering to privacy regulations today.
• Overall, while the reforms provide a robust framework for privacy enforcement, their success largely depends on the OAIC receiving adequate funding to carry out its expanded enforcement activities effectively and the approach that they ultimately take in utilising these new enforcement measures.

• As AI technology becomes more prevalent, privacy concerns are increasingly coming to the forefront. Issues such as those seen with Clearview AI and Facebook's public photo scraping highlight the potential risks associated with AI. This amendment aims to address these concerns by enhancing transparency around ADM processes. However, the two-year lead-in period seems lengthy for what is essentially a transparency measure. During this time, significant automated decision-making will likely occur, potentially leaving a gap in transparency.
• Originally, this amendment was paired with a right for individuals to seek further information about ADM in the Response, which has not been included in the final version. It's unclear if this right will be introduced as part of individual rights in future legislation. Given the privacy risks posed by AI, more comprehensive and immediate requirements might have been expected.
• Overall, while the amendment is a step towards greater transparency in ADM, its delayed implementation and the absence of additional rights for individuals may limit its immediate impact. The effectiveness of this measure will depend on future OAIC guidance and potential legislative enhancements.

Schedule 2 of the Draft Bill introduces a new statutory tort for serious invasions of privacy. This provision allows individuals to take legal action against others who invade their privacy, either by intruding upon their seclusion or misusing their information. Defences are available if the accused acted with lawful authority or in situations involving consent, necessity, or the defence of persons or property. If the invasion involves publishing information, defences similar to those in defamation cases may apply. Additionally, if a defendant identifies competing public interests, such as freedom of expression, the plaintiff must prove that their privacy interest outweighs these.

Exemptions are in place for intelligence agencies, those disclosing information to such agencies, and individuals under 18. Journalists and certain associated persons, as well as enforcement bodies, are also exempt in specific circumstances.

The court can grant remedies, including capped damages, and may issue interim injunctions to prevent further privacy invasions. Proceedings can be summarily dismissed under certain conditions.

• This tort extends beyond APP entities, applying to individuals and small businesses, which broadens its scope significantly. It's unclear why this was prioritised over a direct right of action, but it may be due to the extensive groundwork laid by the ALRC in developing the tort model which has not been done for a direct right of action under the Act.
• As this provision comes into effect, it's expected to trigger an initial wave of litigation, which will help establish the legal framework and set precedents for future cases.