New Privacy Act
On 29 November 2024, Federal Parliament passed the Privacy and Other Legislation Amendment Bill 2024. The Bill sets out the first tranche of reforms to introduce a range of measures to protect the privacy of individuals with respect to their personal information.
The Bill progresses 23 proposals from the Government Response to the Privacy Act Review Report. Tranche 1 of the Bill includes expanding the scope of the Privacy Act and increasing the enforcement powers of regulatory bodies.
The reforms will see amendments to the Privacy Act 1988 and seven other Acts including the Criminal Code Act 1995.
Key amendments include:
- Statutory tort (Privacy Act 1988) to provide redress for serious invasions of privacy – individuals are entitled to bring legal proceedings where there is a “serious” invasion of personal privacy and where this invasion is intentional or reckless.
- Expansion of the Information Commissioner’s enforcement powers.
- New three-tiered civil penalties regime – there is a new exposure for breaches identified as low-tier (less serious administrative breaches) and mid-tier (interference with privacy), in addition to the penalties for “serious breaches” which were amended legislatively in 2022.
- Clarification regarding security and retention of personal information – tightens up what it means to protect personal information under APP 11; in addition to technical data security protection, measures relate to governance structures and organisational frameworks around retention and management of personal data.
- Anti-doxxing offences and criminal penalties including imprisonment (Criminal Code Act 1995) – there are two new offences in relation to doxxing (intentionally publishing or leaking a person’s or group’s personal data without their consent and in a way that is threatening or menacing): general doxxing (where an individual’s personal information is shared to cause them harm), and doxxing based on attributes (doxxing which targets one or more members of a particular group such as based on race, sexuality or religion).
- Reforms impacting automated decision-making – organisations are required to update their privacy policies whenever a computer program uses an individual’s personal information to make a decision that could “reasonably be expected to significantly affect the rights or interests” of that individual.
- Development of a Children’s Online Privacy Code.
- Protections for overseas disclosures of personal information – the amendment to APP 8 means that organisations that disclose client data to overseas recipients may no longer need to ensure the recipient complies with Australian privacy standards, provided the recipient is located in a country with privacy laws deemed “substantially similar” to Australia’s.
Our view
The Privacy Bill reforms have expanded the compliance landscape for businesses – and with that come implications that could affect operations, reputation and the bottom line if a business does not get its privacy practices in order.
Talk to your EBM Account Manager about the liability risks that your business may face with the introduction of the new privacy laws and the role of insurance in protecting against those risks.