Amendments to Privacy Act passed with changes made by the Senate
Yesterday, the Privacy and Other Legislation Amendment Legislation Amendment Bill 2024 was passed with some changes made by the Senate.
On 12 September 2024, the Bill was introduced to Parliament and proposed a landmark suite of reforms to the Privacy Act 1988 (Cth) which included the introduction of anti-doxxing measures, a statutory tort for serious invasions of privacy, greater transparency obligations in respect of automated decision-making, an obligation for the Information Commissioner to develop a Children’s Online Privacy Code, enhanced information-sharing and enforcement powers for the Information Commissioner and enhancements to APP 8. We have previously written about these measures here.
The Bill has been passed, but not in its original form. The Senate has agreed a number of amendments to the Bill, including:
- The Minister is required to cause an independent review of the anti-doxxing measures put in place within 24 months of the commencement of those measures.
- A compliance notice regime has been added to the reforms, which will allow the Information Commissioner to give an APP entity a notice if they reasonably believe that the entity has contravened certain APPs (including the requirements to have an APP privacy policy which meets the content requirements prescribed in APP 1.4 and obligations relating to direct marketing prescribed in APP 7); and for preparing a statement in relation to a notifiable data breach which does not comply with section 26WK(3) of the Privacy Act. Failure to comply with a compliance notice is a civil penalty. By complying with the notice, the APP entity is taken to have admitted to the relevant contravention and is found to have contravened that section.
- Some amendments have been made in relation to the statutory tort for serious invasion of privacy:
-
- The notion of public interest has been replaced with a more limited concept of “countervailing public interest”, which prescribes specific matters which may constitute a countervailing public interest, including national security, public health and safety and the prevention and detection of crime and fraud.
- Specifying that the court may, at any stage or proceedings, determine whether the exemptions for journalist, law enforcement bodies (under the original Bill, this exemption related to “enforcement bodies”), intelligence agencies or minors specified in Part 3 of Schedule 2 of the Bill, would apply. The Senate’s amendments make it clear that the court can make a determination relating to these exemptions on its own volition, or at the application of a party to the proceedings. An exemption for agencies and State and Territory authorities and their staff members has also been introduced as a separate exemption from law enforcement bodies.
The amendments largely came into effect once the Bill receives Royal Assent, but it may be another six months before the statutory tort for serious invasion of privacy commences, and APP entities will have 24 months to prepare for the commencement of the automated decisions measures.