New Privacy Law in Australia - will also impact AI
On 12 September 2024, the Australian government introduced the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) into Parliament in the Privacy and Other Legislation Amendment Bill 2024 (the Bill).
The Bill is the latest development in a four-year process following a review by the Attorney General’s Department, stakeholder consultation and the government’s response. If enacted, the Bill will enhance privacy protections for individuals by:
· Granting the Office of the Australian Information Commissioner (the independent national regulator for privacy and freedom of information) greater enforcement powers
· Establishing a right for individuals to sue for serious privacy breaches
· Mandating clearer disclosures about the use of personal information in automated decision-making
· Strengthening privacy safeguards for children
· Criminalizing the act of doxing to deter the malicious sharing of personal information online.
In response to polling conducted by the Information Commissioner,1 89% of Australians indicated they support reform to the Privacy Act to make it fit for the digital age, and this is a priority on the government’s legislative agenda. While the Bill introduces some added protections for consumers, this first tranche of reforms only gets us part of the way there. Many of the significant changes expected based on the government’s response to the Attorney General’s review have been excluded from this first tranche. The rest of the changes will likely be introduced in future legislative updates following more consultation with stakeholders.

We expect that the government will introduce further reforms so that Australia keeps up with privacy and data protection laws globally, but it is not yet clear when this will happen. With a federal election approaching in early 2025, the path forward for privacy reform in Australia continues to be unpredictable.

Key features of the Bill
If enacted as drafted, the Bill would introduce the following changes to the Privacy Act:
· Broader enforcement powers for the Australian Information Commissioner: This would likely mean that the Information Commissioner would have increased authority to investigate privacy breaches, enforce compliance with privacy laws and impose penalties on organizations that violate privacy regulations.
· Statutory tort for serious invasions of privacy: A statutory tort would create a new civil wrong, allowing individuals to sue for compensation if their privacy is seriously invaded without their consent. This could cover a range of actions, including unlawful surveillance, hacking or the dissemination of personal information.
· Greater transparency for automated decision-making: This change would require organizations to be more open about how they use personal information to make automated decisions. This could include decisions made by algorithms or artificial intelligence (AI), and the requirement could extend to providing individuals with explanations of how such decisions are made. In parallel, the government has introduced a policy for the responsible use of AI for federal government departments and agencies.
· Additional protection for children’s privacy: Enhanced protection for children could involve stricter rules on the collection, use and disclosure of children’s personal information, recognizing the increased vulnerability of young people in the digital environment.
· Criminal offense to outlaw doxing: Doxing is the act of publishing private or identifying information about an individual on the internet, typically with malicious intent. Making it a criminal offense would mean that individuals engaging in doxing could face criminal charges and potential imprisonment. The Bill introduces maximum penalties of up to seven years’ imprisonment for offenders where a group is targeted based on race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin.
· Simplified international data sharing: The government plans to identify countries and certification schemes that offer privacy protections comparable to Australia’s, simplifying the process for organizations to share information internationally — a critical aspect of the digital economy without borders. This move will be a relief for private sector organizations that have previously grappled with the complexity of assessing the “adequacy” of foreign privacy laws or creating contractual measures to compensate for it. However, foreign investors in Australia should be aware that the Foreign Investment Review Board’s (FIRB) data conditions are still likely to be attached to how those investors hold data about Australians, particularly sensitive data or data about defense personnel.
· Streamlined information sharing in the case of an emergency or eligible data breach: The efficient exchange of information during emergencies or eligible data breaches can reduce the consequences of significant data breach incidents. For instance, this system could alert financial institutions when identity documents are at risk, allowing them to implement increased surveillance and additional protective measures to shield clients from potential financial fraud.

What do the changes mean?
Increased compliance obligations: With broader enforcement powers for the Information Commissioner and the introduction of a statutory tort for serious invasions of privacy, organizations handling personal information will need to have robust privacy practices in place. This includes securing personal information, obtaining clear consent for its use and being transparent about data processing activities.

Enhanced transparency requirements: The requirement for greater transparency around automated decision-making means organizations handling personal information will need to disclose more about their use of algorithms and AI in processing personal information. They may need to provide individuals with explanations of decisions made automatically, which could require adjustments to their systems and processes.

Special considerations for children’s data: The additional protections for children’s privacy will necessitate stricter controls over the collection, use and sharing of data belonging to minors. This may involve implementing age verification mechanisms and obtaining parental consent where necessary.

Legal risks from doxing: The criminalization of doxing introduces a new legal risk, emphasizing the importance of safeguarding personal information to prevent unauthorized disclosure that could harm individuals.

Easier international data sharing: The mechanism to identify countries and certification schemes with privacy protections like Australia’s will streamline the process for organizations to share information internationally. This reduces the burden of assessing foreign privacy regimes’ adequacy and negotiating contractual safeguards, making compliance easier and potentially opening new markets. However, foreign investors subject to data conditions should check with the FIRB regarding how those conditions will be impacted by these proposed data sharing arrangements.

Streamlined information sharing during emergencies or eligible data breaches: This change would require organizations handling personal information to adapt to new compliance requirements. It also offers the advantage of enhanced fraud prevention measures and the potential for increased trust and reputation protection through proactive personal information protection efforts.

Actions to consider now
Organizations operating in Australia, as well as global companies with Australian customers, will need to closely monitor these developments and prepare to comply with the new requirements. In light of the reforms proposed in the Bill, affected parties should consider the following actions:
· Become compliant with the current requirements of the Privacy Act now. The Information Commissioner will have more funding and powers to investigate breaches and enforce the law.
· Undertake a privacy compliance gap assessment and seek support from a privacy subject-matter expert to recommend remediation actions and build out a roadmap towards compliance. This will include having strong privacy governance and practices in place, and practical policies and processes that support the organization in embedding compliance with the Privacy Act into business-as-usual practices.
· Pay attention to data breach response plans, data retention and third-party supplier management — these issues are common areas of struggle.
· An organization’s employees and the third parties it shares personal information with are its greatest sources of privacy risk. Put mandatory privacy training in place for all employees and create a strong vendor vetting, onboarding and management framework.
· Take special precautions when implementing new technologies or processing activities such as the use of AI. Undertaking a privacy impact assessment is good practice.
· Pay attention to international disclosures of personal information. Have appropriate terms in place with third parties to ensure personal information is protected. If you are subject to FIRB data conditions, make sure that your privacy governance framework and contracting arrangements support this compliance.
· Know that international privacy laws (such as the General Data Protection Regulation) have extraterritorial application and can affect Australian-based organizations.
· Be aware that law reform and guidance are being issued by government and regulatory authorities in relation to other key digital issues, such as cybersecurity, the use of AI, and combating the spread of mis- and disinformation online.
· Expect further changes to the Privacy Act.

What next?
· The Bill is expected to undergo Parliamentary Committee review and will likely be made into law in 2025.
· Expect a second tranche of substantial changes to be published soon.
· The second tranche is not the only piece of legislation that the government is considering; more is expected for AI and data. There may also be further legislative developments in the states, such as age verification of children on social media platforms in South Australia and AI in New South Wales.

Many thanks to Amber Cerny, Emma Maconick and Lucy Hannah for drafting this informative update.

1 “OAIC welcomes reforms critical to Australia’s privacy future,” Office of the Australian Information Commissioner (OAIC), https://www.oaic.gov.au/news/media-centre/oaic-welcomes-reforms-critical-to-australias-privacy-future#:~:text=The%20Office%20of%20the%20Australian%20Information%20Commissioner%20(OAIC)%20today%20welcomed, 28 September 2023.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organization cannot accept responsibility for loss to any person relying on this article.