The Privacy and Other Legislation Amendment Bill 2024 (“the Bill”) was finally introduced after a four-year review of the Privacy Act 1988 (Cth). Not all of the “agreed” or “agreed in principle” proposals from that review have been adopted in the Bill; it is only the first tranche of the reforms, and more is yet to come.
Of the many key changes in the Bill, this article focuses on three:-
Statutory tort for serious invasions of privacy
This long-awaited statutory cause of action is finally in place. Under the statutory tort, an individual has a claim against a person if:-
- The person invades the individual’s privacy by intruding upon their seclusion (for example, physically intruding into their private space) or by misusing information relating to them;
- The individual would have a reasonable expectation of privacy in the circumstances;
- The invasion of privacy was intentional or reckless; and
- The invasion of privacy was serious.
Codifying these elements makes the test for a serious invasion of privacy clearer. It also makes clear that the threshold is high: the invasion must be intentional or reckless, so mere negligence is not enough. On the other hand, the statutory tort does not require proof of damage, which is a significant departure from the common law position.
As a side note, the Bill also adds new exemptions for journalists, enforcement bodies and intelligence agencies.
Data Security
The Bill also clarifies what ‘reasonable steps’ an entity must take to protect personal information under the Australian Privacy Principles (“APP”). It expressly provides that ‘reasonable steps’ include ‘technical and organizational measures’. The Bill’s Explanatory Memorandum explains those terms as follows:-
- ‘Technical measures’ include physical measures, and software and hardware (for example, through securing access to premises, encrypting data, anti-virus software and strong passwords).
- ‘Organizational measures’ include steps, processes and actions an entity should put in place (for example, training employees on data protection, and developing standard operating procedures and policies for securing personal information).
This gives entities clearer guidance on the measures they need to have in place to protect personal information. The examples are illustrative rather than exhaustive: what is ‘reasonable’ still depends on the entity’s circumstances, including the sensitivity of the information it holds and the harm that could follow from a breach.
Data Breach
The Bill empowers the Attorney-General to make an ‘eligible data breach declaration’ where an eligible data breach (i.e. a notifiable data breach) occurs. The declaration permits limited sharing and handling of personal information, solely for the permitted purposes, where that sharing would prevent or mitigate the risk of harm to the affected individuals.
For example, where a breach exposes identity credentials, a declaration could allow the compromised details to be shared with banks and other financial institutions so that they can promptly put measures in place to stop those credentials being used to commit financial crime.
Together, these changes shift the privacy law landscape substantially. This Bill is only the first tranche of the reform of the Privacy Act 1988 (Cth); sit tight and wait for more to come to light.
Contact Rankin Business Lawyers for practical, on-point commercial legal guidance.
Ming Yip
Junior Litigation Lawyer