Privacy Act reforms enter parliament without boldest changes


Brandon How
Reporter

Long-awaited Privacy Act reforms to be unveiled on Thursday will not deliver on the most ambitious recommendations of a 2022 review but will pave the way for more legal action for serious breaches and beef up privacy and information regulators.

The remaining reforms, including ending a carve-out for small businesses, a right to erasure, stronger consent models and a new “fair and reasonable” test for information handling, now won’t come until after the next election, taking the reform process beyond five years.

Thursday’s bill does include a new statutory tort for serious privacy breaches, transparency requirements for automated decisions, more teeth for privacy watchdogs and new powers for the government when responding to data breaches.

It will also introduce a new Children’s Online Privacy Code, with the OAIC to get an extra $3 million over three years for this work.

The government is implementing the reforms proposed in the Attorney-General’s Department’s two-year review, completed in 2022, in tranches, effectively split on whether the recommendations received full or in-principle support. Tranche two is not expected to reach parliament before the 2025 federal election.

Ambitious review recommendations like a new right for individuals to ask companies to delete their personal information, a removal of the current carve-out from privacy law for small businesses, and a shift away from using ‘implied consent’ to collect data have been left out of the first tranche.

However, a new statutory tort – an unlawful act that gives victims a right to sue – for serious privacy breaches will be introduced. The Privacy Act review flagged that a serious invasion of privacy must be either by “intrusion into seclusion, or misuse of private information”.

Also included in the bill is the proposal to expand the power of the Information Commissioner. This will allow the regulator to make an Australian Privacy Principle code or temporary code if directed or approved by the Attorney-General.

Greater enforcement measures also include a new tiered civil penalty regime, enabling the Office of the Australian Information Commissioner (OAIC) to tailor penalties relative to the seriousness of the privacy breach, and extra powers for the federal court.

The OAIC’s monitoring and investigation powers will be expanded alongside the addition of new powers for it to conduct public inquiries.

Organisations will also be required to set out the types of personal information used in substantially automated decisions, and legislation will be clearer on what constitutes reasonable steps to secure personal information.

In the event of a data breach covered by the notifiable data breach scheme, the reforms would also empower the Attorney-General to permit information sharing with appropriate entities to reduce the risk of harm.

The Prime Minister’s or Attorney-General’s power to make emergency declarations will become more targeted, able to be made in relation to ongoing emergencies and apply to states and territories.

“The Australian people expect greater protections, transparency and control over their personal information and this legislation begins the process of delivering on those expectations,” Attorney-General Mark Dreyfus said in a statement.

As previously reported, the reforms will outlaw doxxing – the malicious release of personal data online.

The malicious use of personal data will incur a maximum prison term of six years, with up to seven years in place if a person or group is targeted based on attributes like race, religion, gender, or sexual orientation.
