First Tranche of Australia's Much Anticipated Privacy Law Reforms Revealed
In Short
The Situation: The first wave of Australia's expansive privacy law reforms has been introduced into Federal Parliament in the Privacy and Other Legislation Amendment Bill 2024 (Cth) ("Bill").
The Result: The Bill seeks to implement several legislative proposals to which the government "agreed" in its Response to the Attorney-General's Privacy Act Review Report ("Privacy Act Review Report"). If passed, it will introduce a range of new enforcement tools for the Office of the Australian Information Commissioner ("OAIC"), and a significant new statutory cause of action: the tort of serious invasion of privacy.
Looking Ahead: The long-awaited reforms to Australia's privacy laws are now underway. The Bill is expected to pass in the coming months and the government is also expected to introduce a further bill to implement the remaining "agreed" proposals from the Privacy Act Review Report in due course. Companies need to act now to begin preparing for significantly heightened privacy obligations and increased risk of regulatory enforcement and litigation, particularly class actions relying on the new tort of serious invasion of privacy.
Background
Following extensive review and consultation in relation to the Privacy Act 1988 (Cth) ("Privacy Act"), the federal government announced in September 2023 that it "agreed" or "agreed in principle" with 106 of the 116 recommendations to reform the Privacy Act from the Privacy Act Review Report.
A year later, the first legislation to implement some of those recommendations has arrived. The Bill introduced into Federal Parliament on 12 September 2024 seeks to implement 23 legislative proposals to which the government "agreed", although many "agreed" recommendations are not yet included. For example, the Bill does not introduce a direct cause of action for contraventions of the Privacy Act, remove the employee records exemption or introduce a right of erasure for individuals. The Bill has been progressing through Federal Parliament and is at the second reading stage.
The Attorney-General's Department will begin to prepare a draft amendment bill for the second tranche of reforms over the next few months. The government will continue to consult with industry and other stakeholders to "strike the right balance between protecting people's personal information and allowing it to be used and shared in ways that benefit individuals, society and the economy". For example, the Australian Privacy Commissioner has signalled that the second tranche of reforms will include a new positive obligation that the handling of personal information be fair and reasonable.
Statutory Tort for Serious Invasion of Privacy
Elements. The Bill introduces the new statutory tort of "serious invasion of privacy," which will consist of four elements:
- The defendant must invade the plaintiff's privacy by either intruding upon the plaintiff's seclusion (i.e., physical intrusion on private space), or misusing information that relates to the plaintiff;
- A person in the position of the plaintiff would have had a reasonable expectation of privacy in the circumstances;
- The invasion of privacy was intentional or reckless; and
- The invasion of privacy was serious.
Given the requirement that the defendant must invade the plaintiff's "seclusion" or misuse information relating to the plaintiff, the tort protects both spatial and informational privacy. The Explanatory Memorandum to the Bill cites the rise of surveillance technologies as a reason for the recognition of spatial privacy.
The Bill expressly provides that the tort is actionable without proof of actual tangible loss or damage. This is because it is intended to protect intangible interests and the dignity of the plaintiff. This contrasts with the direct right of action for breaches of the Privacy Act that may be introduced in the next tranche of reforms, which may require proof of damage but may not require proof of recklessness or intent.
The fault element of "recklessness" for this new tort requires awareness of a substantial risk that circumstances exist (or will exist), or that a result will occur, and that it is unjustifiable to take that risk having regard to the circumstances known to the relevant person. The Privacy Act Review Report detailed that this would capture circumstances in which the "risk of invasion is known or foreseen". It will be critical to see how the courts apply this test in relation to data breach and cybersecurity incidents.
The concept of "misusing information" is intended to be interpreted broadly, and includes collecting, using, or disclosing information about an individual. The Explanatory Memorandum expressly mentions "storing" being a way information could be misused. It is plausible that, in the context of a data breach, information could be "misused" by means of a reckless deficiency of security controls when storing data.
The requirement that the invasion of privacy be "serious" means that trivial invasions of privacy will not be actionable. With regard to whether the invasion was "serious", the Bill provides that a court may consider the degree of any offence, distress or harm to dignity that the invasion would likely cause a person of ordinary sensibilities in the position of the plaintiff.
Defences. The Bill provides for several defences to the tort, including:
- Authorisation by law or by a court or tribunal;
- Express or implied consent;
- That the invasion of privacy was reasonably believed by the defendant to be necessary to prevent or lessen a serious threat to the health or safety of a person;
- That the invasion of privacy was reasonable and proportionate to the incidental exercise of a lawful right of defence of persons or property; and
- Related defences from defamation law, particularly absolute privilege, publication of public documents and fair reporting of proceedings of public concern.
The Bill also provides for various exemptions applicable to enforcement bodies, intelligence bodies and for journalistic materials.
Remedies. As for remedies, the Bill empowers a court to order damages including for emotional distress (although not aggravated damages), injunctions, declarations and an apology. The remedies that may be granted in addition to or instead of damages are non-exhaustive. The maximum value of damages for non-economic loss and exemplary or punitive damages that can be awarded is fixed at $478,550.
In assessing damages, courts may draw principles from analogous torts which purport to protect dignitary interests, such as false imprisonment. This may mean that the award of damages has a “vindicatory” purpose in connection with the violation of the plaintiff’s rights. Consistent with the recommendations of the Australian Law Reform Commission, the Bill does not provide a monetary range of damages, but it does provide that, in determining the amount of damages, a court may consider, for example:
- Whether the defendant apologised to the plaintiff;
- If the defendant invaded the plaintiff's privacy by publishing information that relates to the plaintiff, whether the defendant published a correction;
- Whether the plaintiff received or agreed to receive compensation;
- Whether the plaintiff or the defendant took reasonable steps to settle the dispute; and
- Whether the defendant engaged in conduct after the invasion of privacy that was unreasonable and subjected the plaintiff to particular or additional embarrassment, harm, distress or humiliation.
Questions remain as to how damages will be assessed, including how losses arising from compromises of personal information (particularly in the context of data breaches or cyberattacks that are claimed to constitute an actionable serious invasion of privacy) will be quantified where an individual has been affected by a data incident but has not had, or has not yet had, their identity stolen or their data otherwise misappropriated.
The new tort will take effect six months after the day of Royal Assent of the Bill (or on an earlier day fixed by proclamation).
Other Reforms. The Bill also proposes the following other reforms aimed at increasing transparency and certainty in the handling of personal information:
- To amend the Criminal Code Act 1995 (Cth) ("Commonwealth Criminal Code") to make "doxxing" a criminal offence, introducing two separate doxxing offences punishable by imprisonment: using a carriage service to make available, publish or otherwise distribute information which could render someone identifiable in a menacing or harassing manner; and targeting a person or group by doxxing due to a belief that the group is distinguished by their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
- The Explanatory Memorandum says that "making available", "publishing" and "otherwise distributing" are intended to be interpreted broadly, and that "making available" can include making information "available to be downloaded, accessed or disclosed on request, rather than publishing the information directly". Further, the ordinary principles of accessorial liability under the Commonwealth Criminal Code will apply, in that intentionally or recklessly aiding or abetting, counselling or procuring the commission of the offence may render a corporation (as a "person") liable.
- To introduce a new civil penalty provision, s 13H (maximum $660,000 for individuals or $3.3 million for bodies corporate), for interferences with privacy that are not a "serious" interference (for example, where an APP entity fails to notify individuals of an eligible data breach as soon as practicable). This penalty applies per contravention, so the maximum penalty could be multiplied by the number of individual contraventions. The OAIC is empowered to apply to the court for a civil penalty order.
- To enable the OAIC to issue infringement notices (up to $66,000 for individuals and $330,000 for bodies corporate) in relation to certain Australian Privacy Principles ("APP"), such as APP 1.3 (requirement to have a privacy policy) and APP 1.4 (requirements as to the contents of the policy).
- To amend APP 11 to clarify that the obligation to take reasonable steps to protect information includes "technical and organisational measures".
- To introduce “eligible data breach declarations”, pursuant to which the Minister may make declarations to permit the sharing of personal information following an eligible data breach. The objective is to reduce the risk of harm to individuals following such a breach.
- To require APP entities to disclose in their privacy policy circumstances in which computer programs make a decision that could significantly affect the rights or interests of an individual when personal information about that individual is used in making that decision.
- To introduce a "white list" of countries simplifying the exceptions in APP 8 for sending data to recipients in countries with "substantially similar" privacy regimes to Australia.
- To introduce a Children's Online Privacy Code to be developed by the OAIC.
Anticipated Increases in Regulatory Enforcement and Litigation in Relation to Privacy in Australia
The Bill will substantially increase the enforcement options available to the OAIC in an environment in which new Privacy Commissioner Carly Kind has stated that the OAIC is taking an “enforcement approach” and wants to get those who seriously violate the Privacy Act “in the courts”.
Since 2014, the OAIC has had the ability to pursue “serious” or “repeated” violations of privacy by way of a civil penalty in the courts, but only a handful of civil penalty proceedings have been pursued to date. The Attorney-General’s Review Report commented that the lack of any civil penalty provision for interferences with privacy which are not serious or repeated has been a “gap in the regulatory framework”.
The introduction of the new s 13H and the ability to issue infringement notices for non-compliance with certain APPs will give the OAIC additional flexibility in enforcing the Privacy Act, making it easier for the regulator to pursue moderate or less significant contraventions and to obtain penalties.
In addition to the anticipated increase in enforcement activity by the OAIC, the new statutory tort for serious invasions of privacy may further assist plaintiffs in pursuing claims in connection with data and privacy incidents, particularly class actions on behalf of persons affected by data breaches.
Many examples of serious invasions of privacy will be individual and not suitable for a class action. However, there may also be situations where several, or indeed many, persons are subject to serious invasions of privacy.
There are currently several data breach class actions before the courts. These are considered test cases; none have yet proceeded to trial and there remain many obstacles for claimants in successfully pursuing the actions. These obstacles include uncertainty as to the application or availability of certain causes of action in connection with data breaches, including the tort of invasion of privacy at common law, and critically, the assessment of damages or loss. We previously wrote about the likely rise of data breach class actions and the obstacles to claimants successfully pursuing them in our White Paper, Data Breach Class Actions in Australia.
We expect that claimants in class actions will seek to rely on the new statutory tort of serious invasion of privacy amongst the range of causes of action on which these cases are founded. Depending on how the courts approach the measurement of damages for this new tort, claimants that can establish the cause of action may be able to address the difficulty that they may otherwise face in establishing loss or damage in these cases. But establishing the tort in the context of data breaches, particularly those involving malicious threat actors, may be difficult given the standard of recklessness required. Moreover, the defences and exceptions discussed above will carve out some claims.
Three Key Takeaways
- The stage is set for a continued increase in enforcement and litigation relating to privacy and data incidents: A new statutory cause of action, and broader powers for the OAIC (which is already shifting its approach to enforcement), will drive a further uptick in regulatory enforcement and claims on behalf of individuals impacted by privacy and data incidents, particularly class actions in an already active market.
- Reconsider data collection and handling processes and data breach response protocols: In light of the OAIC’s new enforcement powers, it is imperative that APP entities review their compliance with the APPs (including their privacy policies for Australia) and their data breach response procedures, and consider now how they will respond to potential regulatory investigations and claims in the event of an incident.
- The wait goes on … and on …: While the Bill will implement many of the key agreed recommendations, there is a prospect that the balance of the agreed recommendations for reforms to Australia’s privacy laws will continue to be in limbo for some time, particularly given the looming federal election.