On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) was introduced into the House of Representatives. Based on the proposals made by the Attorney-General Department’s Privacy Act Review Report 2022 (Privacy Act Review), the Bill’s first tranche of proposed legislative reforms is expected to kickstart an overhaul of Australia’s current privacy protection framework. This includes notable amendments to the Privacy Act 1988 (Cth) (Privacy Act) and the Criminal Code Act 1995 (Cth) (Criminal Code).
The Bill’s Explanatory Memorandum prefaces the proposed changes with the following observations:
The rapidly evolving digital landscape presents opportunities for innovation, advances in productivity and efficiency, and a range of other benefits for all Australians. However, the Privacy Act has not kept pace with Australians’ widespread adoption and reliance on digital technologies, which increases the risks that personal data will be subject to misuse or mishandling, including through data breaches, fraud and identity theft, unauthorised surveillance and other significant online harms.
Although the Bill has not yet received royal assent, the impending new privacy rights, obligations and penalties are significant changes which individuals and businesses should be aware of and prepared for.
After years of debate and discussion, the Bill will introduce a Schedule 2 to the Privacy Act setting out a new cause of action - a statutory tort for serious invasions of privacy. The design and objects of this new tort date back to the Australian Law Reform Commission's (ALRC) Serious Invasions of Privacy in the Digital Era (ALRC Report 123) (Report). In its Report, the ALRC proposed a tort for serious invasions of privacy, based on nine guiding priciples. These principles included privacy being a fundamental value worthy of legal protection, the public interest in protecting privacy and the need for Australian privacy laws to meet international standards. The spirit of the Report is concern for the privacy of natural persons, not artificial entities, with frequent reference to privacy being a fundamental human right under international law. At paragraph 2.6 of the Report, the ALRC states:
Privacy is important to enable individuals to live a dignified, fulfilling, safe and autonomous life. It is fundamental to our understanding and appreciation of personal identity and freedom.
Consequently, it is only natural persons, not artificial entities, who will be able to pursue a cause of action for a serious invasion of their privacy. The elements of the new tort under clause 7 of Schedule 2 are proposed as follows:
The new tort will not require proof of damage but will be actionable per se. Without the obvious signpost of damage, businesses may presently and unknowingly be engaged in practices that would constitute a serious invasion of privacy under the new tort. Businesses should therefore review their privacy policies and practices against the Bill’s proposed Schedule 2 and the clause 7 elements. This means businesses asking themselves:
If you or your business believes it satisfies these questions, partially or completely, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team.
Further to the new tort in its protection of individuals, the Bill introduces a specific focus on protecting the privacy of children. Schedule 1, Part 4 of the Bill will require the Office of the Australian Information Commissioner (OAIC) to develop a Children’s Online Privacy Code (Children’s Code) in consultation with children and relevant stakeholder bodies. The Children’s Code will specify how social media and other internet platforms likely to be accessed by children must comply with the OAIC’s Australian Privacy Principles. An APP entity, that is, an agency or organisation bound by the Australian Privacy Principles, will be further bound by the Children’s Code if, under the Bill’s proposed subsection 26GC(5) of the Privacy Act:
Before registering the Children’s Code, the OAIC must make the draft Children’s Code available for public submissions and consider those submissions. If your business is an APP entity and satisfies any of the criteria set out at subsection 26GC(5)(a), you may wish to be alert to the release of the draft Children’s Code and consider making submissions as a stakeholder to the OAIC.
In February 2024, a private group chat between Jewish creatives which included group members encouraging the targeting of pro-Palestinian public figures was leaked online. The 600 group members had their names and contact details made public in the leak and were consequently subjected to online harassment and death threats. In the wake of the leak, the Albanese government requested Attorney-General Mark Dreyfus to “bring forward” legislation addressing malicious publication of private information online, commonly referred to as doxxing.6 The Bill’s Explanatory Memorandum states:
Doxxing can expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physically safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud.
The Bill proposes two new doxxing offences to be added to the Criminal Code. Proposed section 474.17C targets doxxing directed at individuals in a menacing or harassing way, while proposed section 474.17D targets doxxing directed at individuals for reason of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
Section 474.17C reads as follows:
The maximum penalty for breaching section 474.17C is proposed to be 6 years imprisonment.
Section 474.17D reads as follows:
The Australian Human Rights Commission (AHRC) has expressed its concern for potential consequences of the new doxxing offences’ effort to protect the privacy of individuals, to threaten freedom of expression. The AHRC has noted:7
The key issue is ensuring any offence is carefully tailored to meet the strict tests of necessity and proportionality and to avoid capturing reasonable online discourse about a person.
There are also concerns that doxxing laws may unreasonably capture public interest whistleblowing and journalism. Including a provision in the Bill which expressly protects the release of information for legitimate public interest purposes would help to further strengthen the protection of freedom of expression while still effectively addressing the harms caused by doxxing.
Only when these new doxxing offences are enforced will we be able to see whether they have struck the balance between protection of privacy and freedom of expression.
What constitutes “interference with the privacy of an individual” is currently and comprehensively set out at sections 13 to 13F of the Privacy Act. With respect to such interferences, the Bill is set to lower the threshold on existing civil penalty provisions and introduce new civil penalty provisions. As such, individuals and businesses should refresh themselves on sections 13 to 13F ahead of the amendments being implemented.
Subsection 13G(1) of the Privacy Act presently provides a civil penalty for an APP entity engaged in “serious” or “repeated” interferences with the privacy of an individual. The Bill will amend section 13G(1) by removing the reference to repeated interferences and confining the civil penalty provision to serious interferences of privacy as follows:
Repeated interferences with privacy will instead be included as a matter the court may have regard to in determining whether an interference with privacy is serious, under the Bill’s proposed subsection 13G(1B). Other matters the court may consider under subsection 13G(1B) include the sensitivity of the personal information which has been interfered, the potential or actual consequences of the interference with privacy for the individual and the number of individuals affected by the interference with privacy.
It is not only “serious” interferences with privacy which individuals and businesses should be alert to. Under the Bill’s proposed section 13H of the Privacy Act, a person found to have done an act, or engaged in a practice, that is an interference with the privacy of an individual, but does not reach the section 13(G)(1) threshold of seriousness, will be liable for a civil penalty. A maximum of 2,000 penalty units (currently $660,000) will be payable by an individual. While a maximum of 10,000 penalty units (currently $3.3 million) will be payable by a body corporate.
Some businesses may presently be engaged in practices that breach one or more of the Australian Privacy Principles, such as disclosing personal information about an individual for the purpose of direct marketing, for commercial gain or competitive advantage. The Bill has made clear with the significant civil penalties that such non-serious interferences with privacy of individuals should not be seen be seen as merely the price of doing business.
The Bill makes clear the federal government is cracking down on breaches of individuals’ privacy. The changes expected to be implemented by the Bill are not insignificant and individuals and businesses should be aware of how their current privacy policies and practices stand up against the incoming reforms.
If you have any queries arising from this update, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team.
Thank you to Freya Surma-Litchfield, Solicitor, for her valuable research and assistance with this article.