First tranche of Privacy Reforms Released – advertising-specific reforms not included
The Privacy and Other Legislation Amendment Bill 2024 has today been introduced into the Parliament. More analysis to follow, but below is a brief summary of what it contains:
- A statutory tort for serious invasions of privacy
The statutory tort is informed by the ALRC’s proposed version of the tort in its 2014 report on serious invasions of privacy.
It is intended to cover both:
- intrusion from seclusion (e.g. intrusions on physical privacy), as well as
- the misuse of information when there is a reasonable expectation of privacy.
The requirements are:
- The complainant must have a reasonable expectation of privacy in the circumstances.
- The invasion of privacy would need to be intentional or reckless (not negligent).
- It would need to be ‘serious’.
Balancing factors, defences and exemptions that apply:
- If there are competing public interests (such as freedom of the media, open justice, national security or the prevention or detection of crime and fraud) it would need to be proven that the public interest in protecting privacy outweighs those other interests.
- Defences available include if the invasion was required or authorised by law; and if the complainant expressly or impliedly consented to the invasion of privacy (amongst others).
- There is an exemption from liability for journalism (journalistic content) to reflect the importance of the right to freedom of expression.
Remedies available include:
- an injunction,
- a correction order,
- damages,
- a declaration that the defendant has seriously invaded the complainant’s privacy,
- an order requiring an apology,
- an order for destruction of the relevant material.
- Automated decision-making transparency
A new requirement to include information in privacy policies about the kinds of personal information (PI) used in, and the types of decisions made (‘solely’) by, computer programs that use PI to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual.
- Additional enforcement powers for the OAIC
A range of additional enforcement powers, including creation of a tiered penalty structure so that the OAIC has greater ability to impose penalties for breaches that are not ‘serious’.
- Children’s Online Privacy Code provisions
A requirement to develop and register a Children’s Online Privacy Code within two years of commencement of the legislation.
- Information sharing in emergency situations and around data breaches
The ability for entities to handle PI in a manner that otherwise wouldn’t be permitted under the APPs, when it is necessary to assist individuals in emergencies and following significant data breaches.
- Disclosure to overseas recipients
A mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs, to assist entities to assess whether to disclose personal information to an overseas recipient.
- Criminal offences for doxing
The Bill also amends the Criminal Code Act 1995 to introduce new offences targeting the release of personal information in a way that is menacing or harassing – with maximum penalties up to 7 years depending on the offence.
The Bill does not include advertising-specific provisions like targeting, trading, the fair and reasonable requirement, or some of the other amendments that would impact data management that were canvassed in the Government’s reform process. These will be in tranche 2 of the reforms.
We will provide more detailed analysis as we go through the legislation, as well as more information on timing of tranche 2 as it comes to light.