"Une tranche de vie" is a late 1800s theatrical saying translating to an authentic "slice of life." So, too, the Privacy and Other Legislation Amendment Bill 2024, introduced in Parliament in September, gives us a little slice of the privacy reforms truly needed in Australia.

The bill reflects 23 reforms to Australia's Privacy Act and other changes agreed to by the government last September, with the remaining 83 reforms earmarked for legislative change expected in a second tranche next year or later.

The first tranche of reforms will not see a material transformation of privacy practices for businesses covered by the Privacy Act. They are, however, a critical first step to evolve Australia's privacy laws. The reforms will better address advancements and rapid adoption of digital technologies, safeguarding Australians' privacy rights over their personal information and protections against digital harms, particularly for children.

The first tranche of reforms comes into force when the bill passes, with the requirements around automated decision-making and children's privacy taking effect two years later. Businesses should prepare to integrate each reform into their privacy programs, products and operations, raising any risks with, and obtaining any endorsements needed from, executives and the board.

1. Provide greater transparency on automated decisions that use personal information

Under the bill, businesses will need to include specific information in their privacy policies regarding the use of personal information to make a decision, or to do a thing directly related to a decision, through automated decision-making that significantly affects the rights or interests of an individual. The automated decisions must be made by computer programs, which may be a pre-programmed rule-based process, or an artificial intelligence or machine learning process, that make a computer execute a task. They include decisions made under regulation or agreement, or to access a significant service or support.

The reform includes several terms to unpack, including the unusual term "thing." The explanatory memorandum provides some definitions and examples, but further guidance is necessary. The reform provides greater transparency to individuals on covered personal information handling practices.

However, similar laws in the European Economic Area, Brazil, Indonesia, the Philippines, and the U.K. go one step further and provide an individual the right to review or contest the automated decision, with exceptions.

The government agreed to a similar reform but did not include it in the first tranche. Businesses should prepare now to ensure compliance by identifying automated decisions likely to be covered by the proposed reform, and by documenting the specific detail required in relevant privacy policies: the kinds of personal information used, and the decisions made solely by that information or by a "thing" that is substantially and directly related to decision-making.

Businesses can look to local and global privacy and AI laws, frameworks and regulatory guidance to understand the intersection between AI and privacy and interpret similar terminology where possible. Refer to guidance from the U.K. Information Commissioner's Office, Australia's new Voluntary AI Safety Standard, as well as other emerging AI standards, policies and proposals issued by the government. A privacy impact assessment may be helpful to allow for a comprehensive and methodical approach to the use of personal information in automated decisions.

2. Safeguard children's privacy online through tailored products and services

Under the new amendment, the Australian privacy commissioner must develop a Children's Online Privacy Code, specifying how the Privacy Act applies to children's privacy. It is intended to elevate protections to promote the right to privacy of a child, with specific and enforceable obligations.

Unlike a growing number of other countries' laws, the current Privacy Act does not specifically address this important issue. The code will apply to at least a social media service, electronic service or designated internet service within the meaning of the Online Safety Act 2021 and where the service is likely to be accessed by children, exempting health services. Additional categories of covered entities may also be included in the code. A child is defined as an individual who has not reached 18 years. The code requires a two-year consultation and development period.

Businesses can get a head start on safeguarding children's privacy by identifying services the proposed reform will likely cover. The explanatory memorandum provides the following factors to determine if a service is likely to be accessed by children: the nature and content of the service, and whether it has a particular appeal to children; market research, current evidence on user behavior, the user base of similar or existing services and service types; and how the service is accessed, and whether any measures put in place are effective in preventing children from accessing the service.

Also, look to local and global children's privacy and safety laws, standards and regulatory guidance, and consider adopting techniques such as age-appropriate application and verification, privacy by default, and avoiding marketing and nudge techniques aimed at children. Businesses can look to existing global frameworks and to guidance from Australia's eSafety Commissioner and the U.K.'s Children's Code. The explanatory memorandum indicates the code should align with these.

The Australian government has also announced its intention to introduce a bill to ban children from social media, but the particulars and privacy implications are yet to be disclosed.

Finally, a privacy impact assessment may be helpful here too, as a structured way to approach services that are likely to be covered.

3. Ensure adequate security technical and organizational measures are in place

Under the Privacy Act, businesses must take reasonable steps to protect personal information, with the reforms clarifying that these steps include "technical and organizational measures." The explanatory memorandum indicates such measures include undertaking staff training, developing standard operating procedures and policies for securing personal information, and protecting personal information through physical measures and through software and hardware, for example by securing access to systems and premises, encrypting data, running anti-virus software and using strong passwords.

An update to the Australian Privacy Regulator's security guidance will likely follow. The inclusion of this term is intended to minimize the risk of data breaches and harm arising from cyber incidents that can cause significant detriment to affected individuals.

Businesses should review their information security risk profile, governance and practices, and determine whether they are fit for purpose. Further insights into specific measures can be sourced from the EU General Data Protection Regulation, from which the term was copied and pasted, the associated guidance from regulators, and case law.

4. Prepare for a greater likelihood of regulatory communications and interactions

Several reforms will require businesses to react and respond, and responding effectively demands preparation. These reforms are primarily increased powers for the Australian privacy regulator and new legal avenues for individuals to address privacy harms and breaches.

Under the proposed law, Australia's privacy regulator will be better equipped to monitor and investigate privacy breaches, issue infringement notices, undertake public inquiries (including by requiring businesses to produce documents or information), make codes and, with ministerial approval, facilitate data sharing between entities where there is an eligible large-scale data breach.

Following an increase in civil penalties for privacy breaches introduced by the government in 2022, the reforms will introduce a framework to tailor civil penalties to the level of seriousness of a privacy breach.

A statutory tort will be introduced for serious invasions of privacy, whether by intentionally or recklessly intruding upon an individual's seclusion or by misusing information relating to them. The first tranche will also make doxxing a criminal offense, targeting the intentional, malicious exposure of an individual's personal information online.

Businesses should prepare for these reforms by reviewing their regulatory communication, business continuity and crisis management, disputes and litigation, and data breach response policies, playbooks and training. They should introduce a zero-tolerance policy for doxxing, and those that offer communication carriage services where doxxing may occur, such as social media platforms, should consider safety practices.

The eSafety Commissioner is an important resource that currently administers Australia's Online Safety Act 2021. The act introduced online safety expectations on online services providers and mechanisms for the eSafety Commissioner to ensure they are upheld.

5. Consider commercial advantages of updates to overseas personal information disclosure capabilities

New ministerial powers will be introduced through the reforms to authorize transborder data flows between Australia and other select countries and binding schemes. This is intended to enhance the free flow of personal information across borders and reduce the burden of assessing whether a "substantially similar law or binding scheme" is suitable for compliance under the current Privacy Act overseas data disclosures framework.

The reforms replicate the power of the European Commission to issue adequacy decisions under the GDPR. In practice, the value to businesses is questionable. The current framework is limited to disclosures, not to access or use, and there are alternative options for compliance through enforceable contracts and identifying countries with similar laws, which are becoming easier to find as other countries significantly update their laws. Binding schemes may be difficult to decide upon and may be struck down as inadequate.

This can be seen with the multiple attempts to approve an EU-U.S. framework for personal data transfers in compliance with the GDPR. Global businesses with an EU presence may be more likely to consider the value of integrating these changes into their existing cross-border transfer framework but will first have to wait for minister approval of countries and binding schemes.

Next steps

The Office of the Australian Information Commissioner welcomed the first tranche of reforms as an important first step to strengthen Australia's privacy framework but said more needs to be done, which other privacy professionals and advocates have agreed with.

The OAIC has also provided details of its initiative and approach for a Children's Online Privacy Code.

Businesses should keep track of the bill's progress through Parliament and the date it passes, noting any changes made at each stage of the legislative process.

Ilana Singer, CIPP/E, CIPM, CIPT, is a senior privacy professional at SEEK.