On 12 September 2024, the Attorney-General introduced the Privacy and Other Legislation Amendment Bill 2024 (Bill) to Parliament. The Bill seeks to enact:

• a first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) to implement 23 of the 25 legislative proposals that were previously agreed to by Government in the Government Response to the Privacy Act Review;

• a new statutory tort for serious invasions of privacy; and

• criminal offences for the malicious publication of personal information online, known as doxxing.

Notably, the Bill does not seek to enact any legislative proposals that were only agreed-in-principle in the Government Response to the Privacy Act Review, which will be subject to further consultation.

Highlights of the Bill

A few of the key reforms in the Bill will:

• include a requirement for the Privacy Commissioner to develop an Australian Privacy Principle (APP) Code about online privacy for children;

• provide a further exception to the requirements of APP 8 (which deals with overseas data flows) for countries that are prescribed as having laws or binding schemes that have the effect of protecting personal information in at least a substantially similar way in which the APPs protect the information; and there are mechanisms the individual can take action to enforce that protection;

• provide powers for the Attorney-General to make declarations authorising the sharing of personal information in certain circumstances, including where it was directly related to the preventing or reducing a risk of harm associated with a cyber incident;

• include various new enforcement powers for the Privacy Commissioner, including new civil penalties and infringement notices for less serious privacy breaches;

• include amendments to section 13G of the Privacy Act to remove the reference to “and repeated” from the existing heading. This proposal is intended to more clearly express that breaches affecting a large number of individuals without affecting any one individual seriously are covered;

• include a requirement for entities to update privacy policies to include certain details about automated decisions they make involving personal information;

• provide individuals with a cause of action in tort for serious invasions of privacy. This would implement the Australian Law Reform Commission’s recommendation in its 2008 report For Your Information: Australian Privacy Law and Practice; and

• amend the Criminal Code Act 1995 (Cth) to introduce new offences targeting the release of personal data using a carriage service in a manner that would be menacing or harassing.

If your agency or organisation needs assistance with understanding how any of the legislative proposals may impact you, please reach out to our information law experts James Pratt (james.pratt@adaptbl.com.au or 0423 368 823) or Geoff Adams (geoff.adams@adaptbl.com.au or 0404 608 231) to discuss.