What Australia’s First Privacy Reforms Mean for Your Business

The Australian government has taken its first significant step toward reforming the Privacy Act 1988 (Cth) (Act) with the introduction of the Privacy and Other Legislation Amendment Bill 2024 (Bill). The proposed reforms in the Bill address key areas of concern, many substantial changes have been deferred, leaving Australian privacy law in a state of flux.

Background

In September 2023, the Government responded to the Privacy Act Review Report, agreeing (in principle or otherwise) to 116 proposals aimed at modernising Australia’s privacy framework. The Bill proposes to implement 23 of these proposals with a focus on urgent areas. However, it leaves many more significant reforms on hold, including those impacting small business exemptions and the handling of employee records.

Key changes

The key reforms in the first tranche will include:

1. Automated decision-making (ADM) Transparency Requirements

Organisations utilising ADM technologies must now disclose this in their privacy policies. The obligation applies where ADM uses personal information in order to make decisions which significantly impact an individual’s rights. Organisations are obligated to outline the types of decisions made and the data used in their privacy policies. While there is a two-year grace period for this compliance, organisations should be reviewing their ADM systems now to avoid future complications.

2. Overseas Data Flows

The reforms will simplify the process for disclosing personal information to overseas jurisdictions. If a jurisdiction is prescribed by regulation as having adequate privacy protections, organisations will no longer need to ensure that the recipient adheres to Australia’s privacy standards. This reform introduces a more streamlined mechanism for international data transfers, offering clarity to organisations that operate or outsource operations globally.

3. Security and Retention of Personal Information

The reforms clarify that organisations must take “reasonable steps” to protect personal information, which now explicitly includes both technical and organisational measures. This brings legislative certainty to what was previously only best practice guidance. This ensures that privacy compliance is not only about implementing technical security measures but also establishing robust governance structures within the organisation.

4. Increased Penalties and Expanded OAIC Powers

The reforms include the introduction of a tiered penalty regime. Organisations found in contravention of the Act now face tougher enforcement, with penalties ranging up to $62,000 for serious breaches. Additionally, the Office of the Australian Information Commissioner (OAIC) has been granted new powers to issue infringement notices for specific breaches and enforce compliance more effectively.

5. Anti-doxxing Laws

New offences have been introduced in the Federal Criminal Code, targeting individuals or entities that publish or share personal information that reasonable people would regard as being menacing or harassing towards the individual. The penalties for these offences are severe, ranging from six (6) to seven (7) years imprisonment.

6. Enhanced Data Security and Governance

The reforms clarify that organisations must implement both technical and organisational measures to secure personal information. This emphasis on governance reflects the OAIC’s focus on comprehensive privacy compliance, requiring businesses to review not only their technical safeguards but also their internal governance frameworks.

What has been deferred?

While these reforms are significant, several vital proposals have been left out of this first tranche. Most notably, reforms concerning small business exemptions, employee records, and consent mechanisms. This delay leaves businesses in uncertainty, particularly with the looming federal election in 2025. These issues will likely remain unresolved until after the election.

What actions can businesses take to stay ahead?

Given the scope of the proposed new legislation, businesses should consider the following actions:

1. Review and update privacy policies – ensure privacy policies are compliant with the new ADM disclosure requirements and reflect any changes to data-handling practices, including overseas data transfers.

2. Evaluate data security measures – both technical and organisational data security practices must be reviewed and updated to align with the new Australian Privacy Principles requirements.

3. Prepare for increased OAIC enforcement – with expanded penalties and enforcement powers, organisations must take stock of their current privacy compliance and address gaps, particularly around transparency and direct marketing practices.

4. Monitor future developments – with more reforms expected in future tranches, businesses must stay informed about ongoing legislative changes and prepare for further adjustments, especially in areas like consent, small business exemptions, and employee data.

If you would like advice or assistance in relation to commercial law matters, please contact our accredited business law specialists and Partners Justin Thornton on jthornton@marsdens.net.au and Rahul Lachman on rlachman@marsdens.net.au or otherwise by calling them on (02) 4626 5077.

The contents of this publication are for reference purposes only. This publication does not constitute legal advice and should not be relied upon as legal advice. Specific legal advice should always be sought separately before taking any action based on this publication.