New Privacy Tort, Doxxing Offence And More – What To Expect From The Privacy and Other Legislation Amendment Bill 2024

On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) was introduced into the House of Representatives.  Based on the proposals made by the Attorney-General Department’s Privacy Act Review Report 2022 (Privacy Act Review), the Bill’s first tranche of proposed legislative reforms is expected to kickstart an overhaul of Australia’s current privacy protection framework.  This includes notable amendments to the Privacy Act 1988 (Cth) (Privacy Act) and the Criminal Code Act 1995 (Cth) (Criminal Code).  

The Bill’s Explanatory Memorandum prefaces the proposed changes with the following observations:

The rapidly evolving digital landscape presents opportunities for innovation, advances in productivity and efficiency, and a range of other benefits for all Australians.  However, the Privacy Act has not kept pace with Australians’ widespread adoption and reliance on digital technologies, which increases the risks that personal data will be subject to misuse or mishandling, including through data breaches, fraud and identity theft, unauthorised surveillance and other significant online harms.

Although the Bill has not yet received royal assent, the impending new privacy rights, obligations and penalties are significant changes which individuals and businesses should be aware of and prepared for.

Tort for serious invasion of privacy

After years of debate and discussion, the Bill will introduce a Schedule 2 to the Privacy Act setting out a new cause of action - a statutory tort for serious invasions of privacy.  The design and objects of this new tort date back to the Australian Law Reform Commission's (ALRC) Serious Invasions of Privacy in the Digital Era (ALRC Report 123) (Report).  In its Report, the ALRC proposed a tort for serious invasions of privacy, based on nine guiding priciples.  These principles included privacy being a fundamental value worthy of legal protection, the public interest in protecting privacy and the need for Australian privacy laws to meet international standards.  The spirit of the Report is concern for the privacy of natural persons, not artificial entities, with frequent reference to privacy being a fundamental human right under international law.  At paragraph 2.6 of the Report, the ALRC states:

Privacy is important to enable individuals to live a dignified, fulfilling, safe and autonomous life. It is fundamental to our understanding and appreciation of personal identity and freedom.

Consequently, it is only natural persons, not artificial entities, who will be able to pursue a cause of action for a serious invasion of their privacy.  The elements of the new tort under clause 7 of Schedule 2 are proposed as follows:

  1. An individual (the plaintiff) has a cause of action in tort against another person (the defendant) if:
  • the defendant invaded the plaintiff’s privacy by doing one or both of the following:
    • intruding upon the plaintiff’s seclusion;
    • misusing information that relates to the plaintiff; and
  • a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances; and
  • the invasion of privacy was intentional or reckless; and
  • the invasion of privacy was serious.

The new tort will not require proof of damage but will be actionable per se.  Without the obvious signpost of damage, businesses may presently and unknowingly be engaged in practices that would constitute a serious invasion of privacy under the new tort.  Businesses should therefore review their privacy policies and practices against the Bill’s proposed Schedule 2 and the clause 7 elements.  This means businesses asking themselves:

  1. Do our policies permit, or are we engaged in, watching, listening to or recording an individual’s private activities or private affairs?1
  2. Do our policies permit, or are we engaged in, collecting, using or disclosing an individual’s personal information?2
  3. If answered yes to any of the above questions, would these individuals have a reasonable expectation of privacy in all of the circumstances?3
  4. If answered yes to any of the above questions, could the potential invasion of privacy be described as intentional or reckless as defined by the Criminal Code?4
  5. If answered yes to any of the above questions, could the court consider the invasion of privacy as serious?5

If you or your business believes it satisfies these questions, partially or completely, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team.

Children's Code

Further to the new tort in its protection of individuals, the Bill introduces a specific focus on protecting the privacy of children.  Schedule 1, Part 4 of the Bill will require the Office of the Australian Information Commissioner (OAIC) to develop a Children’s Online Privacy Code (Children’s Code) in consultation with children and relevant stakeholder bodies.  The Children’s Code will specify how social media and other internet platforms likely to be accessed by children must comply with the OAIC’s Australian Privacy Principles.  An APP entity, that is, an agency or organisation bound by the Australian Privacy Principles, will be further bound by the Children’s Code if, under the Bill’s proposed subsection 26GC(5) of the Privacy Act:

  1. all of the following apply:
    • the entity is a provider of a social media service, relevant electronic service or designated internet service (all within the meaning of the Online Safety Act 2021);
    • the service is likely to be accessed by children;
    • the entity is not providing a health service; or
  2. the entity is an APP entity, or an APP entity in a class of entities, specified in the code for the purposes of this paragraph.

Before registering the Children’s Code, the OAIC must make the draft Children’s Code available for public submissions and consider those submissions.  If your business is an APP entity and satisfies any of the criteria set out at subsection 26GC(5)(a), you may wish to be alert to the release of the draft Children’s Code and consider making submissions as a stakeholder to the OAIC.

Doxxing

In February 2024, a private group chat between Jewish creatives which included group members encouraging the targeting of pro-Palestinian public figures was leaked online.  The 600 group members had their names and contact details made public in the leak and were consequently subjected to online harassment and death threats.  In the wake of the leak, the Albanese government requested Attorney-General Mark Dreyfus to “bring forward” legislation addressing malicious publication of private information online, commonly referred to as doxxing.6 The Bill’s Explanatory Memorandum states:

Doxxing can expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physically safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud.

The Bill proposes two new doxxing offences to be added to the Criminal Code.  Proposed section 474.17C targets doxxing directed at individuals in a menacing or harassing way, while proposed section 474.17D targets doxxing directed at individuals for reason of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin. 

Section 474.17C reads as follows:

  1. A person commits an offence if:
  • the person uses a carriage service to make available, publish or otherwise distribute information; and
  • the information is personal data of one or more individuals; and
  • the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those individuals.

The maximum penalty for breaching section 474.17C is proposed to be 6 years imprisonment.

Section 474.17D reads as follows:

  1. A person commits an offence if:
  • the person uses a carriage service to make available, publish or otherwise distribute information; and
  • the information is personal data of one or more members of a group; and
  • the person engages in the conduct in whole or in part because of the person's belief that the group is distinguished by race, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin; and
  • the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those members.

The Australian Human Rights Commission (AHRC) has expressed its concern for potential consequences of the new doxxing offences’ effort to protect the privacy of individuals, to threaten freedom of expression.  The AHRC has noted:7

The key issue is ensuring any offence is carefully tailored to meet the strict tests of necessity and proportionality and to avoid capturing reasonable online discourse about a person.

There are also concerns that doxxing laws may unreasonably capture public interest whistleblowing and journalism. Including a provision in the Bill which expressly protects the release of information for legitimate public interest purposes would help to further strengthen the protection of freedom of expression while still effectively addressing the harms caused by doxxing.

Only when these new doxxing offences are enforced will we be able to see whether they have struck the balance between protection of privacy and freedom of expression.

Civil penalty provisions

What constitutes “interference with the privacy of an individual” is currently and comprehensively set out at sections 13 to 13F of the Privacy Act.  With respect to such interferences, the Bill is set to lower the threshold on existing civil penalty provisions and introduce new civil penalty provisions.  As such, individuals and businesses should refresh themselves on sections 13 to 13F ahead of the amendments being implemented.

Subsection 13G(1) of the Privacy Act presently provides a civil penalty for an APP entity engaged in “serious” or “repeated” interferences with the privacy of an individual.  The Bill will amend section 13G(1) by removing the reference to repeated interferences and confining the civil penalty provision to serious interferences of privacy as follows:

  1. An entity contravenes this subsection if:
  • the entity does an act, or engages in a practice, that is an interference with the privacy of an individual; and
  • the interference with privacy is serious.

Repeated interferences with privacy will instead be included as a matter the court may have regard to in determining whether an interference with privacy is serious, under the Bill’s proposed subsection 13G(1B).  Other matters the court may consider under subsection 13G(1B) include the sensitivity of the personal information which has been interfered, the potential or actual consequences of the interference with privacy for the individual and the number of individuals affected by the interference with privacy.

It is not only “serious” interferences with privacy which individuals and businesses should be alert to.  Under the Bill’s proposed section 13H of the Privacy Act, a person found to have done an act, or engaged in a practice, that is an interference with the privacy of an individual, but does not reach the section 13(G)(1) threshold of seriousness, will be liable for a civil penalty.  A maximum of 2,000 penalty units (currently $660,000) will be payable by an individual.  While a maximum of 10,000 penalty units (currently $3.3 million) will be payable by a body corporate. 

Some businesses may presently be engaged in practices that breach one or more of the Australian Privacy Principles, such as disclosing personal information about an individual for the purpose of direct marketing, for commercial gain or competitive advantage.  The Bill has made clear with the significant civil penalties that such non-serious interferences with privacy of individuals should not be seen be seen as merely the price of doing business.

Lavan comment

The Bill makes clear the federal government is cracking down on breaches of individuals’ privacy.  The changes expected to be implemented by the Bill are not insignificant and individuals and businesses should be aware of how their current privacy policies and practices stand up against the incoming reforms.

If you have any queries arising from this update, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team.

 

Thank you to Freya Surma-Litchfield, Solicitor, for her valuable research and assistance with this article.   

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
AUTHOR
Iain Freeman
Partner
SERVICES
Cyber & Data Protection


FOOTNOTES
  1.  Privacy and Other Legislation Amendment Bill 2024 (Cth) (“Privacy Bill”) sch 2 cl 6 (meaning of “intruding upon the seclusion”).
  2. Ibid (meaning of “misusing information”).
  3. Ibid cl 7(5).
  4. Criminal Code Act 1995 (Cth) ss 5.2 and 5.4.
  5. Privacy Bill (n 1) sch 2 cl 7(6).
  6. Daniel Hurst and Josh Taylor, “Albanese government to propose legislation to crack down on doxing”, The Guardian (Web Page, 12 February 2024) <https://www.theguardian.com/australia-news/2024/feb/12/albanese-government-to-propose-legislation-to-crack-down-on-doxing>.
  7. “Privacy and Doxxing Reform Bill”, Australian Human Rights Commission (Web Page, 11 October 2024) .