By Gill Collins ,
Head of Cyber Incident Management and Cyber Advisory, Marsh Pacific
20/09/2024
In 2022, in the wake of the fallout for customers affected by the major cyber data breaches of Optus and Medibank, we described how Australia’s Privacy Act underwent significant reforms.
Two years later, and after extensive consultation and the release of the Privacy Act Review Report, in September 2024 the Australian Government is introducing further amendments to the Act, in the form of the Privacy and Other Legislation Amendment Bill 2024. This Bill includes 23 of the 25 reforms that were agreed under the 2022 review.
Businesses have been anticipating not only the nature and extent of the reforms, but also their implications.
On the one hand, the Bill is a laudable step forward in enhancing the enforcement of rights of individuals whose privacy or personal information has been breached. It is also likely to result in increased privacy litigation, potential class actions and greater enforcement actions by the Office of the Australian Information Commissioner (OAIC), including fines and penalties.
But on the other hand, it falls short in addressing other major outstanding issues surrounding Australia’s privacy regime, as well as changes which would bring the Australian Privacy regime in line with international standards. Among the issues yet to be resolved are the small company exemption, the employee records exception, direct marketing and targeting, fairness, data retention, privacy impact assessments, compliance records, and updated definitions of personal and sensitive information.
To assist you with navigating this first tranche of changes and what they mean for your operations, we have summarised each of the potential key reform areas. In addition, we’ll explore what Australian businesses can do to prepare for compliance with this impending heightened regulatory regime and protect against the risk of fines.
The key amendments:
1. Statutory Tort for Serious Invasions of Personal Privacy
2. Reforms impacting automated decision making
3. Clarification of steps to take in securing and retaining Personal Information
4. A new three-tiered penalty regime and greater enforcement powers for the OAIC
5. Protection of children’s privacy
6. Anti-doxxing offences and criminal penalties
7. Clarity around overseas disclosure of personal information.
The proposed change:
The Bill introduces amendments which would entitle individuals to bring legal proceedings where there is a “serious” invasion of personal privacy and where this invasion is intentional or reckless. It specifies a right which has been mooted for some time. Previously, individuals have been hard-pressed to enforce actions against another party in scenarios where they have suffered a personal impact on their right to privacy.
There appears to be no requirement upon the individual to prove damages to bring this action. However, in cases where the defendant alleges that there was a public interest in disclosing the information, the court will determine whether the public interest in protecting the individual’s privacy outweighs the public interest in disclosing it.
This tort will come into effect six months after the Bill is passed, if it is passed, and becomes legislation.
Our view:
Businesses may face significant penalties and litigation due to these increased personal rights. There will be a greater risk of class actions for breach or privacy. This means that organisations need to rethink and review their data management practices to ensure that the rights of the individual are paramount in the way they with personal information.
The proposed change:
The Bill requires organisations to update their privacy policies whenever a computer program uses an individual’s personal information to make a decision that could “reasonably be expected to significantly affect the rights or interests” of that individual. For example, it would require organisations to disclose the use of AI to process or use personal information for decision-making.
Our view:
Ensure that your organisation’s privacy policy is clearly defined, easily accessible and regularly reviewed. The policy should include provisions for the appropriate handling of personal and private information. In particular, reviews should take into account whether computer programs are used to make decisions that are wholly or partially automated. They should also consider compliance with all aspects of the Privacy Act due to the new increased penalties for administrative breaches and less serious interferences with privacy.
The proposed change:
The Bill proposes amendments aimed at providing greater transparency regarding what organisations should do to protect personal information. In addition to technical data security protection, this can include governance structures and organisational frameworks around retention and management of personal data.
It is likely to extend beyond cybersecurity controls around data use, and also include encryption of data, data management procedures and policies as well as heightened governance obligations in relation to the method of use and implementation of those policies.
Our view:
This amendment’s increased potential for scrutiny of how your organisation handles personal information means that its more critical than ever to have detailed transparency around your business’s processes. This includes updating and reviewing data management frameworks and all organisational procedures around how you manage and process data, as well as practices around collecting, accessing, using, storing and cleansing of data. All data management frameworks must now include not only technical security guidelines and measures but also outline clearly the governance requirements of data management.
This amendment also impacts an organisation’s cyber incident response plans and data breach playbooks. These should be analysed to ensure they take into consideration the new notification and compliance obligations. We would recommend that organisations also develop updated communication plans so that they include the applicable requirements to notify regulators and individuals in any instance where personal information has been breached.
The proposed change:
One of the most significant proposed amendments is the introduction of a tiered system of penalties within the Privacy Act. The Bill proposes a 3-tiered approach to penalties with a new exposure for breaches identified as low-tier and mid-tier, in addition to the penalties for “serious breaches” which were amended legislatively in the 2022. Both mid-tier (interference of privacy) and low tier (less serious administrative breaches) will heighten the obligations on organisations and increase exposure to litigation and, potentially, class actions.
The OAIC has greater powers to seek penalties under the Act by utilising this tiered penalty approach and is no longer restricted to only bringing actions when there is a “serious” or “repeated” interference with an individual’s privacy. As a result of these greater enforcement powers, the Courts may make orders to pay damages, orders to redress the loss or damage suffered by an individual or make orders requiring the publication of a statement. Orders can be made even if the individual has not evidenced the suffering of damage.
Our view:
Businesses do need to prepare themselves for these changes and protect against risk of fines Review risk and compliance procedures of all business practices with reference to the Privacy Act legislation. The new “tiered” civil penalties mean that organisations are more exposed to fines and penalties for interference with privacy and infringement notices for other lesser breaches. Any compliance gaps should be rectified.
The proposed change:
The Bill requires OAIC to work on creating a Children’s Online Privacy Code. The Code will need to be formulated and released to the public for consultation and is to be completed within 2 years of the reforms coming into effect.
Our view:
This is one of the most important changes proposed by the legislation is the reforms aimed at protecting children's privacy and protecting them from a range of online harms. Social media organisations and internet service providers will need to keep abreast of these online privacy changes and adapt accordingly.
The proposed change:
This Bill introduces two new offences in relation to doxxing – the term given to the act of intentionally publishing or leaking of a person’s or group’s personal data – either online or via a telephone - without their consent and in a way that is threatening or menacing. The Bill creates two offences: the first relates to a doxxing action which is taken against an individual, and the second relates to doxxing which targets one or more members of a particular group (such as based on race, sexuality or religion).
These offences will form part of the Criminal Code and penalties for breach can include jail time. There will be no “small company exemption” to these offences.
The proposed change:
As it now stands, where personal information is disclosed overseas by an organisation, that organisation has to take reasonable steps to ensure that the personal information is dealt with appropriately and in accordance with the Australian Privacy Principles. An exemption to this responsibility is if an organisation believes that the recipient of the information is subject to substantially similar data protection regimes. The proposed amendments in the Bill will clarify which regimes are “substantially similar” or adequate as a starting point for compliance with this obligation.
Our view:
Prioritise ensuring that your organisation has a clear, defined, easily accessible and regularly reviewed privacy policy. If disclosure of personal information overseas is part of your operations or services, ensure that you stay up to date with the relevant data protection regimes in the regions where you exchange information.
This document and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. LCPA 24/501