Australian Privacy Act – reforms

On 12 September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 to the House of Representatives, marking the first phase of the much-anticipated reforms to the Privacy Act 1988 (Cth).

The Driving Forces Behind the Reforms:

The rising number of data breaches in Australia, such as the high-profile attacks on Optus and Medibank, has amplified the urgency of reforming the Privacy Act. These incidents have underscored the need for stronger protections and clearer obligations for organisations managing personal data, as well as more robust consequences for breaches.

The reform aims to bring Australian privacy laws closer to international standards, such as the European Union’s GDPR, ensuring that Australian businesses can operate smoothly in the global digital economy while maintaining strong protections for citizens’ data.

These changes are expected to have a significant impact on businesses, particularly those that manage large volumes of personal information, making compliance and proactive data protection strategies more critical than ever.

Key Proposed Changes to the Privacy Act:

New Monitoring and Investigative Powers: The Commissioner and the Commissioner's staff will be given enhanced monitoring and investigative powers, including the authority to monitor specific information and matters through entry and inspection powers, which may be exercised with consent or with judicial authorisation via a warrant. Additionally, the Commissioner will be empowered to investigate suspected contraventions of civil penalty provisions, including by exercising powers of entry, search and seizure, again with either consent or judicial authorisation.

Guidance on Serious Privacy Interference: The Bill provides clear guidance on the factors that may be considered when determining whether an interference with privacy is ‘serious.’ This guidance is intended to assist the Commissioner in applying civil penalty provisions for serious interferences with privacy.

Removal of Civil Penalty for Repeated Interferences: The Bill proposes the removal of the existing civil penalty for repeated interferences with privacy. In its place, civil penalties for individual instances of privacy interference will be introduced, reflecting a shift towards penalising each violation separately rather than focusing on repeated misconduct.

New Civil Penalty for Privacy Interference: The Bill introduces a new civil penalty applicable for any interference with an individual’s privacy, regardless of the seriousness of the interference. The maximum penalty for such interferences will be capped at 2,000 penalty units.

Civil Penalties for Specific Breaches: The Bill expands civil penalties to include breaches of certain Australian Privacy Principles (APPs) and the preparation of non-compliant eligible data breach statements. Penalties for these violations will be capped at 200 penalty units, and the Commissioner will be empowered to issue infringement notices for such breaches.

Court-Ordered Penalties for Privacy Interference: The Bill enables courts, in proceedings concerning serious interferences with privacy, to impose civil penalties where an entity has interfered with an individual’s privacy, even if the court is not satisfied that the interference meets the threshold for being ‘serious.’

Redress and Compensation: Courts will be empowered to order entities found to have contravened a civil penalty provision under the Privacy Act to provide redress or pay compensatory damages for loss or damage suffered, or likely to be suffered, by affected individuals. Individuals will have six years from the date of the contravention to seek such orders from the court, and amounts awarded may be recovered as a debt.

Expanded Investigative Powers of the Commissioner: The Commissioner will be granted the authority to conduct public inquiries into privacy-related matters at the direction of the Minister. Following investigations, the Commissioner may issue determinations requiring entities to take reasonable steps to mitigate foreseeable future loss or damage that may arise from their conduct.

Amendment to the Definition of ‘Privacy Matters’: The Bill amends the definition of ‘privacy matters’ that must be included in the Commissioner’s annual report. This amendment will limit the scope of performance reporting to privacy-related functions for the relevant year. It will also require the report to include details of complaints made to the Commissioner, the grounds for decisions not to investigate certain complaints, and information on how those decisions were reached.

External Dispute Resolution and Complaint Handling: The Commissioner will be empowered to decline investigating complaints that have already been addressed by a recognised external dispute resolution scheme, streamlining the complaint handling process and avoiding duplication.

For further information, see https://www.oaic.gov.au/news/media-centre/oaic-welcomes-first-step-in-privacy-reforms

Our cyber security experts are here to help

We work with businesses of all sizes to help them identify and then manage their cyber security risks.