The Government has introduced a bill to amend the Privacy Act 1988.
Key takeaways:
· New penalties for mid-tier breaches of the Privacy Act
· Ability of OAIC to issue infringement notices
· New OAIC powers of investigation
· Restrictions on the use of personal information in automated decision making
· Criminal offence of doxxing
· New tort of serious invasion of privacy
· No change to small business exemption
· Organisations will have to consider the risk of non‑serious privacy breaches
Attorney General Mark Dreyfus has finally brought his delayed bill to update the Privacy Act before Parliament. The bill is, however, only the first “tranche” of reforms to the Act and falls short of delivering all the changes the Government has committed to. In particular, the proposed removal of the small business exemption is not in the bill. This would have extended the Privacy Act to cover businesses with an annual turnover of $3 million or less. Such a change is now unlikely to be delivered before the General Election.
The bill does, however, propose some significant amendments, including new powers for the Office of the Australian Information Commissioner (OAIC), civil penalties (i.e. fines) and infringement notices (on‑the‑spot penalty notices) for less serious breaches of the Privacy Act, a new tort (a basis for bringing court action) of serious invasion of privacy, criminalising “doxxing” (the malicious publication of personal data) and some other changes.
The main effect of the bill becoming law, from a business perspective, would be giving regulatory “teeth” to the Act. The new provisions will see a wider range of options for the OAIC and the courts to penalise breaches that fall short of the current high bar of “serious” breaches. This would mean corporate entities would face penalties of up to $330,000 for all sorts of APP (Australian Privacy Principle) breaches in areas such as collecting and storing personal information, inadequate privacy policies, failure to deal with complaints, failure to notify parties of data breaches, and all the other possible breaches of the Act that have long been ignored by many entities.
There will be new powers for the OAIC, including the ability to seek civil penalties from the courts, or to issue smaller infringement notices itself, for less serious breaches of privacy. This will allow the OAIC to pursue not only the most egregious breaches of the Act, but also the more minor breaches that currently go unpursued. This will be the real game changer for business.
Federal courts will be given powers to order non-pecuniary penalties, which means they will be able to make orders not just for payment of money, but also for remedies such as apologies, changes to business practices, and other more practical orders to make amends for breaches. This should also prevent entities from writing off penalties as a “cost of doing business”.
The OAIC will have expanded powers to make APP codes; something it currently rarely uses.
APP 11 will be amended to set out technical and administrative measures required to protect information. These will include data encryption, specific security requirements, and training.
Exceptions will be introduced to lift restrictions on sharing personal information when it is necessary to prevent harm following significant data breaches. For example, this might permit sharing of PI with banks to prevent or minimise the risk of the misuse of data stolen in a breach.
The bill also introduces protections on the use of personal information in “automated decision making”. This is clearly aimed at AI-driven decisions in particular, although the bill itself does not mention AI directly and applies to automated decision making generally.
The promised direct right of action to seek remedies under the Act is not in the current bill, but a statutory tort of serious invasion of privacy will be introduced.
The creation of new doxxing offences is a significant development, but as it concerns the menacing or harassing publication of personal data, it is not likely to have a direct effect on business (though of course it is worth checking that workplace policies can deal with any instances should they arise).
The bill will no doubt disappoint many privacy advocates, but it will introduce changes that motivate organisations to start taking their privacy obligations seriously. Although Australia will still lag behind Europe and elsewhere, this is at least a step in the right direction.
Organisations should reassess any relevant existing policies and procedures, consider what operational or business decisions will require Privacy Impact Assessments, and begin a general reassessment of all data handling practices.