Enhanced enforcement and litigation risk – stage one of the Privacy Act reforms
The Federal Government has released the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill), a potential turning point in Australian privacy law and the next major step following the Review report of the Privacy Act 1988 (Cth) (Privacy Act), which we discussed in a previous insight.
The Bill, if enacted without amendment, would implement 23 of the legislative proposals that were specifically agreed in the Federal Government response to the Privacy Act Review report last year, along with a number that were previously agreed in-principle only.
The Attorney-General’s media release indicates that this is only the first stage of the reform process, and it remains to be seen whether other key proposals, including the ‘fair and reasonable’ test, and the removal of the employee records and small business exemptions, will proceed.
In this article, we focus on the key aspects of the Bill for corporations and cyber insurers. We note that the Bill also includes proposed reforms regarding doxing and children’s online privacy, which this article does not cover.
Enhanced enforcement
A key aspect of the Bill is vastly enhanced enforcement mechanisms available to the Office of the Australian Information Commissioner (OAIC).
While the OAIC already has power to seek substantial civil penalties under section 13G of the Privacy Act, that power is only available in respect of ‘serious’ or ‘repeated’ interferences with privacy. If the interference is neither serious nor repeated, the OAIC is limited to lower-level determinations, including that the entity:
- take steps to not repeat or continue an act or practice;
- publish a statement about the conduct; or
- pay compensation or other redress for impacted individuals.
In practice, unless an interference is serious or repeated (thresholds that no Australian court has yet considered), the remedies available to the OAIC have to date been considerably more limited than what the Bill proposes.
The Bill seeks to consolidate the existing ‘serious or repeated’ threshold into a single category of a ‘serious’ interference with the privacy of individuals. This would be supported by a non-exhaustive list of factors that a court may consider in making such a finding, with repetition being one factor. Other factors include the sensitivity of the information involved, the number of affected individuals, and whether the entity’s practices, procedures or systems contributed to the interference.
The Bill also seeks to introduce new enforcement powers in relation to interferences with the privacy of individuals by organisations or agencies covered by the Privacy Act (APP entities) that are not deemed ‘serious’ under the new threshold. In particular, this includes a proposed:
- section 13H, empowering a court to find that an APP entity has interfered with the privacy of an individual in a way that is not serious, attracting a civil penalty of up to 2,000 penalty units (according to the Explanatory Memorandum, the intended maximum for APP entities that are bodies corporate, which attract five times the individual maximum, would be $3.3 million); and
- section 13K, allowing the OAIC to issue infringement notices to APP entities of up to 200 penalty units (according to the Explanatory Memorandum, the intended maximum for APP entities that are bodies corporate would be $330,000).
Taken together, these proposed amendments would both clarify the operation of, and greatly expand on, existing enforcement mechanisms to address alleged privacy infringements. While the higher bar of ‘serious or repeated’ may have discouraged the OAIC from taking legal action in the past, these amendments may encourage the OAIC to take a more active enforcement stance going forward.
We expect that businesses and cyber insurers alike will need to be on high alert for these developing risks.
Statutory tort for serious invasions of privacy
Arguably, the headline change in the Bill is the introduction of a statutory tort for serious invasions of privacy, which is proposed to be introduced under a new schedule 2 to the Privacy Act.
Although such a tort has been recommended by three separate privacy law reform initiatives over the past two decades, individuals have to date had few direct avenues to seek remedies against those who have allegedly interfered with their privacy.
The proposed amendments would permit an individual to bring court proceedings against a person if:
- the person invaded their privacy;
- the individual had a reasonable expectation of privacy in all of the circumstances;
- the invasion of privacy was intentional or reckless;
- the invasion of privacy was serious; and
- the public interest in protecting the individual’s privacy outweighs other public interests.
If the invasion is proven, a court may make orders for a wide range of remedies, including injunctions and awards of damages (currently up to $478,550). Journalists, enforcement bodies, intelligence agencies, and minors are exempt.
Of note, the proposed cause of action appears to be actionable without proof of damage, which would create a low barrier to entry for any affected individual to commence litigation. While there are clearly thresholds for would-be plaintiffs to overcome, the absence of a damage requirement may limit the opportunities for businesses to have claims with poor prospects dismissed at an early stage.
We expect that these changes will result in an increase in litigation following data breaches, including increased class action risks.
Amendments to the Australian Privacy Principles
APP 1: Open and transparent management of personal information
Proposed APPs 1.7, 1.8, and 1.9 would collectively impose an obligation on APP entities to disclose if they are using computer programs to make decisions based on personal information about an individual.
The Explanatory Memorandum indicates that these changes are intended to require APP entities to disclose their use of AI and other automated processes in their privacy policies, as part of explaining the purposes for which they collect, use and disclose personal information. The obligation falls on the entity that uses the personal information, so it would capture every organisation that incorporates AI into its decision-making, not only the developers of the relevant software.
With the increasing use of such automated processes across all areas of Australian business, privacy policies are likely to require widespread amendments to ensure APP compliance.
APP 8: Cross‑border disclosure of personal information
Currently, APP 8 provides that an entity that discloses personal information overseas must take reasonable steps to ensure that the overseas recipient does not breach the APPs. However, there is an exemption from the ‘reasonable steps’ requirement where the entity reasonably believes the recipient is subject to a law or binding scheme that protects the information in a way that is ‘at least substantially similar’ to the APPs.
To clarify which schemes meet the exemption, the Bill proposes introducing APP 8.2(aa) and 8.3, under which regulations may prescribe countries and binding schemes as providing substantially similar protection, rather than requiring each entity to make that assessment itself. This would greatly assist multinationals and others in assessing their privacy obligations across multiple jurisdictions and reduce regulatory risk.
APP 11: Security of personal information
The proposed APP 11.3 would clarify that reasonable steps to protect personal information include implementing technical and organisational measures. The Explanatory Memorandum appears to indicate that this amendment is intended to set de facto minimum cybersecurity standards, such as encrypting data, installing anti-virus software, and maintaining policies and procedures for securing personal information.
OAIC guidance and decisions indicate that APP entities were already subject to these expectations. However, specifically outlining these factors may provide additional guidance to businesses, and assist them in ensuring their continued compliance with APP 11.
Eligible data breach declarations
For data breaches of critical importance, the Minister would have the ability to make an ‘eligible data breach declaration’. Among other things, this would permit an APP entity to collect, use or disclose personal information in ways that would otherwise breach an APP, where doing so would prevent or reduce the risk of harm to affected individuals.
We expect that these declarations may be used to help affected entities become more comfortable with sharing information with government investigative bodies, or in circumstances where an entity may become insolvent as a result of a cyber incident. Currently, entities face risks when sharing information with external government stakeholders, as doing so may waive legal professional privilege or otherwise expose information that could be used to justify third-party claims or regulatory action.
Public inquiries
Under the proposed new Division 3B of the Privacy Act, the Minister may direct the OAIC to conduct a public inquiry into a matter relating to privacy. The direction would need to specify the acts or practices, and the types of personal information, to which the inquiry relates, and may specify whether particular APP entities or a class of APP entities are to be the subject of the inquiry.
The OAIC would not be bound by the rules of evidence and would also be able to compel individuals to produce documents and give evidence under oath, with associated penalties for non-compliance.
While evidence given in these inquiries could not be used as the basis for a penalty under another Commonwealth law, the inquiries nonetheless carry risks of reputational harm and of resulting third-party civil claims.
Across the amendments discussed in this article, the key takeaway is the enhanced enforcement and litigation risk that would arise should the proposals become law. We expect a spike in OAIC enforcement actions and associated fines and penalties; responding to and defending such investigations typically involves businesses and insurers incurring at least legal and forensic costs. An increase in litigation likewise poses financial and reputational risks for businesses and insurers, and we expect an increase in class actions should the statutory tort be enacted.
We will continue to monitor this important reform process and keep you updated if there are further developments.
If you have any questions, please get in touch with Hall & Wilcox’s market-leading cyber and privacy teams to discuss how these changes are likely to impact you or your business.