The first portion of privacy law reform was presented to the Parliament of Australia last week.
According to an explanatory memorandum by Australian Attorney-General Mark Dreyfus, the Privacy and Other Legislation Amendment Bill 2024 "would enact a first tranche of reforms" to the Privacy Act 1988 to implement legislative proposals agreed on in the government's September 2023 Response to the Privacy Act Review.
The bill would "introduce a new statutory tort for serious invasions of privacy, and targeted criminal offences to respond to doxxing," and would grant the Office of the Australian Information Commissioner "access to a broader range of enforcement options, as well as new functions and capabilities." This includes provisions to tailor civil penalties to the seriousness of a privacy breach.
"This would address the gap in the current law under which the Australian Information Commissioner (Information Commissioner) can only seek civil penalties for the most serious or egregious interferences with privacy," the memorandum states.
The statutory tort would "provide a flexible framework to address current and emerging privacy risks and provide individuals with the ability to better protect themselves and seek compensation for a broader range of serious invasions of privacy, including physical privacy, as well as misuse of information," the memorandum states.
"Individuals would have a cause of action if they suffer an invasion of their privacy, either by an intrusion into their seclusion or by misuse of information, when: a person in their position would have had a reasonable expectation of privacy in all the circumstances; the invasion of privacy was intentional or reckless; and the invasion of privacy was serious."
It notes the bill enhances enforcement of privacy protections by expanding Federal Court of Australia and Federal Circuit and Family Court of Australia powers in civil penalty proceedings, empowering the OAIC to use "general investigation and monitoring powers" to "improve successful regulatory outcomes," and enabling the Information Commissioner to conduct public inquiries into privacy issues.
The bill would also grant the Information Commissioner the ability to create code to clarify or specify compliance with the Australian Privacy Principles and require the commissioner to develop a Children's Online Privacy Code.
The memorandum says the bill "introduces a series of measures to increase transparency and certainty regarding the handling of personal information for individuals and entities," including requiring entities to notify of automated decisions significantly impacting individuals' rights or interests within privacy policies.
While many in the privacy community were hoping for a broader bill to include many of the proposals agreed to in principle by the government in September, this first step opens the path toward ongoing privacy law reform and demonstrates the government is serious about updating the Privacy Act to address the unique challenges of the digital age — providing better protections for Australian's personal information and privacy.
We at the IAPP can't wait to welcome the ANZ and global privacy community to Melbourne 26 and 27 Nov. for the IAPP ANZ Summit 2024, where this development will be keenly discussed and debated during a number of expert panels. Both Australian Privacy Commissioner Carly Kind and New Zealand Privacy Commissioner Michael Webster will be delivering keynote addresses and we look forward to these and other exceptional sessions.
Adam Ford is the managing director, Australia, New Zealand, for the IAPP.