Australia’s Privacy Act Reforms: 8 important changes
Posted: November 18, 2024
Australia’s Privacy and Other Legislation Amendment Bill 2024 promises long-overdue reforms to the Privacy Act 1988 and other related laws – strengthening privacy protection, enhancing the powers of the Information Commissioner, and clarifying obligations around data breaches and privacy investigations.
Here’s a look at eight ways in which the Privacy and Other Legislation Amendment Bill 2024 will transform privacy compliance for Australian businesses.
1. New objectives of the Act
The Bill amends the “objects” clause of the Privacy Act 1988 to explicitly recognize the public interest in protecting privacy. This subtle but important change embeds privacy as a fundamental right for everyone in Australia.
2. New rules on developing APP codes
The Bill introduces provisions that allow the Minister to direct the Information Commissioner to develop new Australian Privacy Principle (APP) codes. The Minister can use this power when:
- Developing a code is in the public interest, or
- A code needs to be developed urgently.
This gives the Australian government greater influence over the development of privacy standards.
The Bill also includes provisions for temporary APP codes, which can be implemented quickly for a maximum of 12 months. A temporary code can address urgent privacy concerns while a more comprehensive code is developed.
3. Revised emergency declarations framework
The Bill revises the framework for emergency declarations under the Privacy Act 1988.
Emergency declarations allow for the collection, use and disclosure of personal information in response to emergencies and disasters. The Bill would require emergency declarations to specify:
- The types of personal information covered by the declaration
- The entities authorized to collect, use, or disclose the information
- The permitted purposes for handling the personal information
The amendments also explicitly exclude media organizations from being recipients of personal information under emergency declarations. This provision is intended to safeguard the freedom of the press as it would prevent the government from using emergency powers to control or monitor media activities.
4. Big changes to children’s privacy
The Bill includes provisions focusing on protecting children’s privacy online.
The Information Commissioner is mandated to develop a Children’s Online Privacy Code within two years. The code will apply to providers of social media services, relevant electronic services and designated internet services that are likely to be accessed by children.
This part of the Bill could allow the Office of the Australian Information Commissioner (OAIC) to develop a code similar to the Children’s Code, adopted by the UK’s Information Commissioner’s Office (ICO) in 2021.
The Commissioner’s Children’s Code should address how the Australian Privacy Principles apply to children’s data and can provide specific requirements tailored to their needs.
When developing the Code, the Commissioner would be obliged to consult with children, children’s charities, and the eSafety and National Children’s Commissioners.
5. New government powers over data breach reporting
The Bill significantly expands the powers of the government to respond to “eligible data breaches”. The Minister would receive new powers to issue an “eligible data breach declaration” if there is a risk of harm arising from the misuse of personal information following a data breach.
An eligible data breach declaration would authorize specified entities to collect, use, and disclose personal information to prevent or reduce the risk of harm. This coordinated response could involve various state and territory authorities.
6. New penalties for ‘interference with privacy’
The Bill introduces a new civil penalty provision for serious interferences with privacy, creating a two-tiered system of penalties:
- A higher penalty for “serious” interference with privacy.
- A lower penalty for interference with privacy that is not considered “serious”.
The Bill also outlines factors that courts may consider when determining the seriousness of an interference, such as the sensitivity of the information, the consequences for the individual, and whether the individual is a child or experiencing vulnerability.
7. Federal court orders
Under the Bill, the Federal Court would gain additional powers to issue orders in response to privacy contraventions. The court can order an entity to:
- Pay compensation for any loss or damage suffered by an individual.
- Engage in or refrain from certain acts to prevent further breaches.
- Publish a statement about the contravention.
These additional powers give the court more flexibility to provide remedies for privacy violations and deter future misconduct.
8. New public inquiry powers
The Bill empowers the Information Commissioner to conduct public inquiries into privacy matters. The Minister can direct or approve these inquiries, which can examine specific acts or practices related to privacy.
The Commissioner has broad powers to gather information and conduct these inquiries, and they are not bound by the rules of evidence.
The Commissioner must report their findings to the Minister, who then tables the report in Parliament. The report cannot make findings or recommendations about specific acts or practices being an interference with privacy.
Preparing for change
Many of the changes proposed under the Privacy and Other Legislation Amendment Bill 2024 are procedural, giving new powers to the OAIC and the government.
However, the Bill signals Australia’s willingness to bring its decades-old privacy law up to modern standards. The reforms reflect a stronger focus on protecting privacy – particularly children’s privacy – especially in the online environment and in the context of data breaches.
As such, these legal changes will impact businesses – particularly those whose privacy and data protection standards are not up to scratch.