Australia's first tranche of privacy reforms – a deep dive and why they matter

What you need to know

• A bill to launch a generational shift to Australia's privacy law was introduced to Parliament on 12 September 2024, the first of two tranches of reforms.
• The first tranche of reforms focus on some “quick wins” such as regulatory powers and transparency of automated decisions, with the more expansive reforms still expected in tranche 2. 
• The Privacy Commissioner's message has been clear: "businesses - don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach in the interim."
• In this article, we explore "what good looks like" in building a risk-informed response to more agile, risk- and harms-focused privacy regulation. We'll then dig deeper into the key tranche 1 reforms, explaining what they are, and why they matter.

What you need to look out for

What you need to do

• Review your privacy risk management framework – Are your practices, procedures and systems managed and operating effectively? With a tougher enforcement environment, and further changes on the way, uplift projects that focus on practices, procedures and systems are a no regrets investment.
• Ensure appropriate consultation and collaboration – Are your legal, privacy, compliance and cyber teams working together to ensure an aligned process?
• Prepare your legal and compliance teams – How prepared are you to respond to a motivated regulator, with broader information-gathering powers, tiered penalties and infringement notices, as well as a risk of individual claims for serious invasions of privacy. 
• Set the direction and understand what good looks like for you – Ensure leadership and boards have the information needed to set a direction and vision for good privacy risk management. Understand the "go-to" state that the regulator expects of an organisation in your position, your risk appetite, and the risk profile you face.

An important first step in privacy reforms

"This bill is an important first step in the government's privacy reform agenda, but it will not be the last."

Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)

Tranche 1 of the reforms was introduced to Parliament on 12 September 2024. The bill has already been referred for a Senate Committee inquiry, due to report back on 14 November 2024. Submissions closed on 11 October, and public hearings will be held on 22 October. 

With an election likely to be called in the first half of 2025 and many of the tranche 2 reforms subject to consultation and circulation of draft provisions, the likelihood that we will see tranche 2 before the election is quickly diminishing. However, with a comparatively small set of changes in tranche 1, it remains far more likely that some or all of the tranche 1 reforms will be pushed through prior before an election in 2025. Consultations are expected to commence before the end of 2024.

For a helicopter view of the reforms, see Australian Privacy Reforms: A generational change inches closer. 

What reforms are in tranche 1?

The proposed reforms address 23 proposals that were "agreed" in the Government Response to the Privacy Act Review Report, out of a total of 116 proposals. Key areas covered by the reforms are enhanced regulatory powers, automated decision transparency, cybersecurity uplifts, code-making powers (beginning with a new Children's Online Privacy Code), simpler international data transfers, a new statutory tort for serious invasions of privacy, and criminal offences for doxxing (exposing data in a way that is menacing or harassing).

Most reforms will commence shortly after the bill is passed – with a 6-month delay for the new statutory tort, and a 24-month delay for automated decision-making transparency requirements.

What reforms are still to come?

This is only the first part in a broader privacy reform agenda. Tranche 2 will likely cover a much broader spectrum of issues including a new “fair and reasonable” requirement, consent reforms, individual rights, small businesses and employee exemptions, and assessing the privacy impact of high-risk activities.

Read more about the full suite of 116 recommendations from the Privacy Act Review Report in our earlier publication Australia's blueprint for privacy reform– what you need to do today. 

Why do these changes matter? The regulator’s view

The changes seem modest at first blush, but they set up a number of significant themes, signalling a change in the enforcement landscape, the first steps of automated decision-making and artificial intelligence rules, and deliberate signals that ‘reasonable steps’ to meet cybersecurity requirements will be scrutinised. 

Privacy Commissioner, Carly Kind, has called out that even before the reforms arrive, the expectations of the Office of Australian Information Commissioner (OAIC) are higher, and the office will be much more enforcement-focused:

“... don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms.”

Privacy Commissioner, Carly Kind

Combining a more “risk-based and enforcement and education-focused posture” from the OAIC, with a new set of regulator powers, and new avenues for individuals to bring claims, expectations for organisations will only continue to increase as the reform journey continues.

A risk-informed response to agile, risk-focused regulation

Practices, procedures and systems: a sword or a shield

Tranche 1 of the reforms appears to shift the regulatory emphasis – looking to change market behaviours by ensuring appropriate practices, procedures and systems are in place. This is focused on preventing harm to the individual, and can be contrasted with the traditional approach of reactive enforcement after harm (like a data breach) occurs.

Australian Privacy Principle 1.2 requires entities to take reasonable steps to implement practices, procedures and systems to comply with privacy obligations. Failure to do so can be considered a breach of the Australian Privacy Principles in its own right and may lead to a Commissioner-initiated investigation by the OAIC. 

The obligations requiring practices, procedures and systems commenced over a decade ago – on 12 March 2014. Entities and agencies covered by the Privacy Act are assumed to have established their practices, procedures and systems over the past decade. The expectation of the regulator will be that you already have demonstrable, defensible, effective and efficient practices, processes and systems are in place. 

If designed and implemented properly your practices, procedures, and systems can provide you with a shield from your risks:

1. a clear understanding of your privacy related risks and controls;
2. a demonstratable and defensible decision-making process that will stand up to regulatory action, public scrutiny, and claims under the new statutory tort; and
3. a strong basis to meet new obligations, like AI and ADM, or to meet existing obligations, like cybersecurity and destruction of personal information.

If you do not have adequate practices, procedures, and systems, they can become a sword to be used against you. In addition to a possible breach of APP 1.2, as discussed above, companies may face additional regulatory problems meeting other Australian Privacy Principles.

What does good look like?

There's no single defined answer. Your design needs to reflect:

1. the nature of the entity (including size, maturity, and resources which should be invested in privacy risk);
2. the amount and type of information you collect, store, and use;
3. how sensitive that information is; and
4. the impact of any misuse or unauthorised access of information you are responsible for.

Practices, procedures and systems need to be designed, reviewed, and updated regularly to keep pace with the risk environment, laws, and the nature of the activities you undertake. 

The simplest question to ask is how ready are you to respond to a regulator or a class action on privacy today? If you are not ready you need to uplift your practices, procedures, and systems to make sure you are ready.

Enhanced regulatory toolkit

"To investigate potential privacy breaches in an increasingly complex digital landscape, the Information Commissioner requires modern investigative powers."

Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)

As one of the key changes in the tranche 1 reforms, the OAIC's regulatory toolkit will be expanded, including by adopting a number of the standard regulatory tools available under the Regulatory Powers (Standard Provisions) Act 2014. 

The OAIC's new toolkit will include:

• Broader monitoring and investigation powers
• Conduct of public inquiries
• Expanded scope of OAIC determinations
• Clarified scope of court orders the OAIC may seek
• Enhanced code-making powers
• More infringement notice and civil penalty options

The broader regulatory toolkit allows the regulator to fulfil its ambition as a pro-active and risk-focused regulator – it will look to prosecute matters that are going to change practices and set a general deterrence effect across the economy and across markets.

Outside of the new penalty options (discussed below), these new changes include enhancements to existing tools (such as monitoring and investigation, determinations and court orders), as well as adding significant new tools such as regulator-driven code-making powers and the ability to conduct public inquiries into matters relating to privacy, at the direction of the Attorney-General.

The expansion of code-making powers signals a shift to a regulator-driven regime where the OAIC will be able to identify areas of concern and develop a code at the direction of the Attorney-General, potentially requiring entities to comply with additional privacy obligations outside of the legislative process. New provisions for the development of a Childrens Online Privacy Code have also been included. The development of this code will likely operate as a test for the OAIC’s new powers as the Government has promised specific funding for the development of the code.

What it means for you

• Know your biggest risks – The OAIC has said it will strive to take a risk-based and harm-focused approach to regulation, to head this off, assess where your greatest risks lie and what the OAIC’s enforcement priorities are.
• Action your findings – Action your backlog of identified concerns and build robust monitoring and review processes.
• Learn from experience with other regulators – While the broader toolkit is new to the OAIC, many of the tools are standard practice for other regulators. Leverage your learnings and processes from dealing with other regulators to adjust your regulatory engagement processes and strategies for the OAIC.

A new ‘tiered penalty' process and administrative failures

The OAIC currently has limited enforcement options – it can seek a large civil penalty for a serious or repeated interference with privacy (introduced in the 2022 privacy reforms), or smaller penalties and infringement notices for failures to provide information to the OAIC. 

The OAIC can also undertake an investigation and give a determination if it identifies a breach of the Australian Privacy Principles. While entities may agree to pay an amount set out in a determination, if they do not, the OAIC must seek enforcement in the Federal Court.

The tranche 1 reforms will enhance the existing penalty regime and introduce new medium-level and lower-level penalties, as well as infringement notices that may be issued by the OAIC directly, without going to court (although entities will have the option to challenge a penalty notice in the Federal Court). This new penalty framework gives the OAIC significantly more options and brings a greater likelihood of smaller and moderate breaches seeing enforcement action.

For bodies corporate, the revised maximum penalties look like this:

_{* The figures reflect an increase to the value of a Commonwealth penalty unit (to $330) under the Crimes and Other Legislation Amendment (Omnibus No. 1) Bill 2024, which is currently awaiting assent.}

The OAIC can bring court proceedings for civil penalties, and the changes include an adjustment to the “serious interference” threshold, to consolidate the test into a single principle (instead of “serious or repeated”), that takes into account various factors. If the “serious interference” threshold is not met, a new mid-range “interference” penalty remains available.

For the civil penalty provisions, whether or not penalties will be multiplied (for example in a data breach scenario) will rely on existing legal principles, depending on application of the court’s discretion in the context. However, for infringement notices, an express provision allows multiplication of the maximum penalty amount.

Infringement notices for administrative failures

Infringement notices may be issued by the OAIC without going to court, for minor ‘administrative’ failures where failure to meet the requirement can be easily established. 

These notices are intended to allow the OAIC to seek penalties against entities for minor contraventions, without the need to engage in litigation. Infringement notices can be issued for up to $66,000 for publicly listed companies (based on the proposed $330 Commonwealth Penalty Unit), but multiple failures may ‘stack’ on top of one another. 

Examples of issues that might be dealt with by an infringement notice include:

• inadequate privacy policies (APP 1.3, 1.4)
• failure to provide ability to interact anonymously or using a pseudonym (where practicable) (APP 2.1)
• inadequate record keeping of enforcement-related disclosures (APP 6.5)
• direct marketing – eg inadequate opt-out information or process, failure to provide information on source of direct marketing data when requested (APP 7.2(c), 7.3(c)-(d), 7.7(a)-(b))
• failure to correct personal when requested (APP 13.5)
• inadequate notifiable data breach statement (Section 26WK(3))
• further APPs prescribed by the regulations

What it means for you

• A regulator more ready to take enforcement action – The ability to pursue penalties or infringement notices for intermediate or lesser breaches will significantly change how the OAIC assesses what to investigate, what regulatory action to take.
• Infringement notices shift the burden to entities – Infringement notices allow a resource-constrained OAIC to take more enforcement action, but also shift the decision to litigate from the OAIC to recipients – do your regulatory engagement strategies allow you to quickly and strategically decide whether to challenge an infringement notice or accept the regulator's position? Even if the value of an infringement notice is comparatively small, being subject to regulatory action can carry significant reputational risk and can disrupt business practices and operational processes.
• Be ready with practices, procedures and systems – The right practices, procedures and systems (including monitoring and evaluation) can support compliance, provide an early warning system for likely areas of regulatory action, and provide the ability to engage productively with the regulator. 

Automated decisions and artificial intelligence

"The bill will provide individuals with transparency about the use of their personal information in automated decisions which significantly affect their interests."

Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)

Under the new transparency requirement, organisations will need to identify decisions that significantly affect the rights or interests of an individual, and set out in their privacy policies:

• the kinds of decisions made solely by a computer operation;
• the kinds of decisions where computer operation is substantially and directly related to making the decision; and
• the kinds of personal information used to make that decision.

The Privacy Commissioner has specifically called this requirement out: by pairing the automated decision-making requirement with the infringement notice power for administrative failures (which include content of the privacy policy), the OAIC may be able to bring quick action.

Acknowledging the complexity of introducing this level of transparency, the bill proposes a delay of 24 months before these new obligations commence. 

The framework proposed in the Privacy Act Review Report referred to “substantially automated decisions which have a legal or similarly significant effect on an individual’s rights”, a construct similar to the European GDPR. 

The term substantially automated was used to address the risk of "tokenistic" human involvement. While similar, the new approach requires a computer program to be both substantially and directly related to the decision-making process, but also expands the potential effect to rights and interests of the individual, instead of using the “legal or similarly significant effect” formulation.

This new language is closer to the approach explored for use of computer-assisted decisions in the public sector, such as the Canadian Directive on Automated Decision-Making, which extends to systems that support human decision-makers, for example by providing assessments, scores or summaries.

What about artificial intelligence?

Automated decision rules capture artificial intelligence that uses personal information, as well as other computer assisted decisions. However, the proposed changes can be seen as one of the first cabs off the rank for broader artificial intelligence regulation.

The Privacy Commissioner had flagged that the OAIC will be releasing guidance on the use of artificial intelligence, use of personal information in commercial off-the-shelf artificial intelligence products, and the use of personal information to train AI models. 

What it means for you

• Long lead-time but existing processes are in scope – Although the provision is not proposed to take effect for two years, all computer programs, personal information and processes are in scope. There is no carve-out for existing processes, and entities will be required to assess their existing systems as well as new proposals. 
• Most businesses in Australia rely on lots of automation – Meaning a lot of business processes need to be risk assessed. Overseas regimes, including the GDPR, focus on legal (or similar significant) impacts on individuals. With a broader focus on “rights or interests” in Australia's proposed regime, more decisions may be in scope. Controversial areas overseas include "gig economy" platforms, fraud probability scores, credit scores, and automated screening of job applications.
• Complex processes mean multiple systems may be relevant – Many decisions are made using derived or calculated data, including data sourced from supply chains and third parties – like credit scores or capability assessments. Standardised business processes can apply to both high impact and low impact use cases cases (for example, standard processes might apply for children or people experiencing vulnerability, or might apply to advertising for essential services as well as non-essential services). 

Cybersecurity uplifts

"… we are moving into a new era in which our expectations of entities are higher ..."

Privacy Commissioner, Carly Kind (Notifiable Data Breaches Report: January to June 2024)

The bill clarifies that reasonable steps under Australian Privacy Principles 11.1 and 11.2 (relating to security and the destruction or de-identification of personal information) include both technical and organisational measures – an uncontroversial position adopting language also used in the GDPR. However, the impact underscores the Government’s increasing expectations that organisations have sufficient practices, procedures and systems in place to ensure cybersecurity and protect against data breaches. 

Additional cyber security measures covered by the bill include an eligible data breach declaration regime, allowing the Attorney-General to make a declaration permitting information sharing to assist in data breach response (for example, sharing information between financial institutions to reduce fraud risks). This new mechanism is similar to a regime under the Telecommunications Regulations 2021, introduced in 2022 in the wake of major cyber incidents.

What it means for you

• Security measures are not one-size-fits-all – Your "go-to" state depends on the type, sensitivity and volume of data you are handling, what might go wrong, your size, resources, and business activities – and is heavily informed by your current and desired maturity and capabilities.
• Keep up to date with regulatory expectations and meet them – Expect further guidance from the OAIC, but also keep across industry engagement from other bodies. Practical insights can be found in the OAIC's regular notifiable data breach reports, and APRA insights on common cyber control weaknesses, not to mention the extensive resources available from cyber.gov.au. Read more about regulator expectations in our recent article Redefining cyber readiness – Three ways to outpace Australia's new cyber laws.
• Get your governance right – The Australian Institute of Company Directors, the Cyber Security Cooperative Research Centre and Ashurst published world-first guidance on Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors, which includes important guidance on organisational measures required for a cyber-resilient organisation (including helpful "red flags" to look out for).
• Data destruction and de-identification is critical – High profile cyber security incidents have driven home the importance of identifying and destroying legacy data – have you made robust data destruction and de-identification part of business-as-usual processes, and not a one-off project?

Cross-border data flows

“This will … reduce costs for business when entering into contracts and agreements with overseas entities.”

Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)

If an overseas recipient is subject to laws or binding scheme prescribed by regulations, then the Australian entity:

1. does not need to do its own assessment of foreign law, or obtain specific consent for disclosure
2. does not need to take reasonable steps to ensure overseas recipient doesn't breach Australian privacy laws
3. is not accountable for overseas acts or practices (because the overseas entity will be able to provide recourse instead)

Under the Privacy Act, an Australian entity needs to take reasonable steps to ensure an overseas recipient of data complies with Australia's Privacy Principles and can be held accountable for the overseas acts or practices of that overseas recipient.

There are exceptions to these requirements – for example, where specific informed consent is obtained, or where the Australian entity reasonably believes the laws of a foreign country or binding scheme are equivalent to the Australian Privacy Principles.

Under the new bill, the regulations may prescribe a "whitelist" of such countries or binding schemes. Australian entities will no longer need to make their own assessments or carry the risk that their belief is not considered "reasonable", so long as the recipient is bound by a listed law or scheme, and the disclosure meets any relevant conditions. Those conditions could apply to particular entities or types of entities, or to types of information.

For countries or binding schemes not on the "whitelist", the existing regime will apply, and entities will still be able to use existing mechanisms (by making their own assessment, obtaining consents, or being accountable for compliance overseas).

What it means for you

• What will be on the whitelist? In deciding which countries or schemes will be included on the "whitelist", the overall level of protection is important. The European GDPR has a similar “adequacy” regime that other countries benefit from (such as Japan and New Zealand). Importantly, regimes with higher levels of protection such as the European Union or United Kingdom may meet the standard, but others such as the United States may not.
• Due diligence still required – While the "whitelist" will be a welcome simplification, entities will still need to be comfortable that recipients are in fact subject to those laws or schemes, and that any prescribed conditions are satisfied – and will need to monitor for any changes in business operations or foreign laws and schemes (such as exemptions) over time. Existing measures for offshoring will still apply for non-"whitelisted" countries.

Statutory tort – individual action for serious invasions of privacy 

“… providing people with the ability to seek redress through the courts for serious invasions of privacy without being limited to the scope of the Act.”

Office of the Australian Information Commissioner

Misuse of information includes any collection, use or disclosure about an individual, and intrusions on seclusion will extend, for example, to physically entering private space, or listening to or recording private activities. 

The Privacy Commissioner has expressed support for the statutory tort as a “different route” for individuals that does not rely on the complaints process (which requires significant resources from the OAIC). This gives the OAIC the opportunity to decide to leave certain matters to an individual bringing a serious invasion claim – selectively using its new powers in the bill to intervene in proceedings or assist the court as amicus curiae. 

What it means for you

• New avenue for class actions – The new right overcomes some challenges for plaintiffs in potential privacy and data breach class actions, but also presents new challenges. The new right may be attractive because there is no requirement to prove damage for an action to be brought. However, the high barriers to liability (both serious and intentional or reckless conduct) may be difficult to establish.
• A new risk for employee records – While employee records are (for now) excluded from many Privacy Act obligations, the statutory tort is not limited to Privacy Act compliance. Both employee data breaches and authorised and unauthorised uses of employee information might be subject to the new tort.
• Need to manage big risks and small – We will likely see exploratory use of the statutory tort for high-stakes litigation (including potentially activist litigation), but we may also see unresolved privacy complaints escalated to claims – potentially speculative and made by unrepresented litigants. Privacy and legal teams will need to consider how they can reduce the additional complexity and risk of managing these claims.

Other changes of note

Some of the other changes that are included in the bill include the following:

• Criminal penalties for doxxing – The bill also includes a criminal offence for the practice of doxxing, referring to the publication or distribution of personal data about an individual in a way that is menacing or harassing. The “personal data” definition is distinct from personal information under the Privacy Act and includes information that enables the individual to be identified, contacted or located.
• Emergency declarations – Similar to the eligible data breach declaration mechanism described above, the bill amends existing emergency declaration powers will permit the Attorney-General to make a declaration to permit sharing or use of information in response to an emergency or disaster, including to allow for sharing with State or Territory authorities where a declaration has been made. 
• Changing nature of privacy – The objectives of the Privacy Act will also be revised to address both protection of privacy of individual and the public interest of privacy, part of a shift towards seeing privacy as a fundamental human right, a shift in perspective we will see more of in tranche 2 reforms.

Authors: Geoff McGrath, Partner; Leon Franklin, Director - Consulting, Risk Advisory; Andrew Hilton, Expertise Counsel; Michael Turner, Executive, Risk Advisory; Thomas Suters, Graduate and Michelle Lee, Paralegal.