Australia | Publication | December 2024
This article was co-authored with Donnacha Egan and Isabella Dudkowski.
On 29 November 2024, the first tranche of sweeping Australian privacy reforms contained in the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) passed both Houses of Parliament. The Bill received Royal Assent on 10 December 2024, and the Privacy and Other Legislation Amendment Act 2024 (Cth) (Act) is now in effect. We previously considered the Bill’s implications when it was introduced on 12 September 2024. In this update, we summarise key amendments to the Privacy Act 1988 (Cth) and other legislation, including some of the ‘eleventh hour’ additions. We also outline strategies that may assist organisations to refocus privacy practices to comply with the new law.
The Act represents the most substantial change to Australia’s privacy regime since its inception. In most cases, it requires organisations to:
This update covers key changes, including:
Most of the amending provisions of the Act came into effect on 10 December 2024, with the exception of two major changes: the tort of serious invasions of privacy will commence on a date to be proclaimed or within 6 months after commencement (ie 10 June 2025) and some provisions relating to automated decisions have a two-year grace period, ending 10 December 2026.
The amendments have introduced a statutory tort of serious invasions of privacy. This means privacy will now be a personal right; for the first time, Australians will have a personal right of action to sue another party where that party has invaded the individual’s privacy by intruding upon their seclusion or misusing information relating to them.
In summary, an individual will have a civil cause of action in tort (allowing recovery of damages and/or the obtaining of an injunction) against another party if:
The comparison between the ‘public interest in the individual’s privacy’ and ‘any countervailing public interest’ was added to the Act as an express element of the cause of action in the ‘last minute’ amendments. The Act provides some guidance around what is considered a ‘countervailing public interest’, such as freedom of expression (including political communication and artistic expression) and freedom of the media, national security, and public health and safety.
The exemptions to the new statutory tort were also broadened by amendments made by the Senate. Those exempt from liability for the tort include:
Significantly, the Act permits a court to determine, at any stage in the proceedings, whether an exemption applies in relation to the invasion of privacy.
In terms of the remedies available in successful actions, the court must not award aggravated damages but may award damages for emotional distress, and may award exemplary or punitive damages in exceptional circumstances. Further, damages for non-economic loss and exemplary or punitive damages are subject to a cap equal to the greater of $478,550 and the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under Australian law.
The Act provides the OAIC with new enforcement and investigative powers. The OAIC will adopt standard regulatory tools available under the Regulatory Powers (Standard Provisions) Act 2014 (Cth) with rights to:
The Act also introduces a new tiered civil penalty process with medium- and low-level penalties and infringement notices that can be issued by the OAIC directly. Finally, the Senate amendments also give the OAIC the power to issue compulsory ‘compliance notices’ to an entity as an alternative to seeking civil penalty orders, enforceable undertakings or issuance of infringement notices. These powers give the OAIC more flexibility and enforcement options, which is likely to lead to a significant increase in enforcement action, particularly in respect of ‘administrative’ breaches such as failing to have a compliant APP privacy policy or failing to draw an individual’s attention to the ability to opt out of direct marketing communications.
In an area which will force many organisations to review in detail their current uses of technology, the Act requires those engaging in automated decision making to provide individuals with adequate information on these decisions by updating their privacy policies to achieve transparency.
An automated decision is when a computer program uses an individual’s personal information to make a decision, or to do a thing that is substantially and directly related to the making of a decision, and the decision could reasonably be expected to significantly affect the rights or interests of the individual, whether adversely or beneficially. In essence, it is when a decision that greatly impacts an individual is made by automated means without any human involvement.
Examples of automated decisions include:
Real-world examples include a computer system deciding whether or not to grant a loan to an individual based on the individual’s personal information, or an automated system marking an exam and deciding an individual’s grade. It is important to note that automated decisions are not limited to the use of artificial intelligence tools. Many existing technologies with ‘hard coded’ decision-making logic will likely be captured.
There is a 24-month grace period from 10 December 2024 until the automated decision requirements come into effect. However, organisations should be aware that, once in effect, the requirements will apply to all automated decisions, regardless of whether:
The Act introduces a new ‘whitelist’ mechanism for disclosing personal information overseas to recipients who are in approved countries. Countries and binding schemes may be approved by the Minister if:
The approval may be subject to conditions for certain classes of entities and kinds of personal information.
This ‘whitelist’ approach has parallels with the adequacy decisions of the European Commission under the General Data Protection Regulation (GDPR) which allow for the transfer of personal data from the EU to countries whose privacy laws provide a level of protection equivalent to the GDPR, without the need for any additional safety mechanisms.
Companies should note that the whitelist mechanism applies to information disclosed after the commencement date of the new law, regardless of when it was acquired or created. The mechanism will benefit organisations by reducing their compliance burden when disclosing personal information overseas to recipients in approved countries.
APP 11 is essentially the cornerstone of all APPs under Australian privacy law, requiring organisations to take ‘such steps as are reasonable in the circumstances’ to keep personal information secure. The Act introduces APP 11.3, which requires that APP entities consider ‘technical and organisational measures’ as steps to take to meet the requirements of APP 11, modelling language used in the European Union’s GDPR.
APP 11.3 was introduced to address the common misconception that IT security is a purely technical problem, and that organisations can rely solely on IT security to protect personal information. This can leave gaps in the privacy and cyber defences of organisations by overlooking the importance of organisational measures, such as continuous training of staff on key privacy and cyber security issues, and introducing policies, standards and procedures. The expectation is now clear: APP entities must take continuing and proactive steps, including training relevant personnel. This training should be documented and reviewed on a regular basis to ensure staff are up to date with, aware of, and can respond effectively to evolving threats.
It is no longer sufficient for entities to rely solely on strong technical defences or strategies; these must now be coupled with built-in organisational measures to comply with APP 11.
In a world-leading move, the Act introduces a new criminal offence involving ‘doxxing’ by amending the Criminal Code Act 1995 (Cth) (Criminal Code). Doxxing is the targeted release of personal information in a malicious manner using a carriage service. There are two new offences relating to doxxing:
‘Personal data’ in this context has been given a more expansive definition than ‘personal information’ as defined under the Privacy Act. Personal data encompasses information about an individual or group member that enables them to be identified, contacted or located, including names, photographs or images, work or business addresses, places of education and worship.
The maximum penalty for a doxxing offence against an individual is 6 years’ imprisonment, and an offence against one or more members of a group is punishable by up to 7 years’ imprisonment. It is also immaterial whether a group is actually distinguished by any of the characteristics listed above. As the doxxing offences are contained within the Criminal Code, they are not subject to the exemptions under the Privacy Act, meaning small businesses and journalists could also be charged with, and found to have committed, a doxxing offence.
The Act enables the Minister to make a declaration to allow the sharing of information to prevent or manage a large data breach. The declaration could allow financial institutions to share information about exposed personal information (such as Tax File Numbers and passports), with government agencies as well as with other organisations such as other financial institutions or competitors. This tool is only available for specific data breaches for limited periods and purposes. It may be cumbersome to seek and obtain such a declaration from the Minister and is likely to only be suitable for large data breaches where harm mitigation requires disclosure of personal information.
The Attorney-General’s Department has indicated it will soon start consulting on the second tranche of privacy reforms to which the Government has agreed or agreed in principle. These could include the removal or reduction of both the employee records exemption and small business exemption, expanded individual rights such as the right to erasure, and the controller/processor distinction to mirror the GDPR.
Should the second tranche incorporate the remaining reforms, this may allow Australia to be re-assessed for an ‘adequacy decision’ from the EU which would facilitate the transfer of data from the EU to Australia without the need for additional safeguards.
Reviewing privacy practices and policies is a fundamental starting point to ensure they are compliant, particularly around the adequacy of the information contained in privacy policies and collection statements, as well as direct marketing and consent collection mechanisms.
Another important action item is reviewing decision-making processes to identify automated decision-making already in use or plans for procurement, and updating privacy practices and privacy policies sufficiently to achieve the required transparency regarding automated decision making. The use of AI will be particularly relevant as it is increasingly being used for some forms of decision-making.
For organisations that regularly collect or amass personal information, it is critical to consider your organisation’s conduct in light of the possible risk of serious invasions of privacy, the potential litigation threat this may pose and how new and mitigating practices could reduce that risk.
It is also important for organisations to consider introducing regular and comprehensive staff training on privacy and cyber risks, and additional organisational measures to ensure security.
A final take-away is that the law requires immediate action and a roadmap for future privacy compliance. As the Australian Privacy Commissioner Carly Kind recently stated, 2025 is going to be a big year for privacy and that is also likely to be accompanied by a big year of enforcement action.
© Norton Rose Fulbright LLP 2023