Introduction
In the aftermath of large-scale cyber hacks in recent years, the government has moved to develop legislation to keep up with the evolving digital landscape. The recent data breaches have exposed millions of Australians’ most sensitive personal information to criminals, some of which have been published on the dark web.
The Privacy and Other Legislation Amendment Bill 2024 (Cth) (the ‘Privacy Amendment Bill’)[1] proposes amendments to the Privacy Act 1988 (Cth). The proposals are still some way from the more stringent privacy and data governance controls in other parts of the world, but they are a significant step forward, and there is more that businesses can do on their own initiative to protect the personal data of their customers.
Individuals would also do well to be more aware of how to protect their own personal data, although that can be hard with numerous businesses requesting their personal data, and often individuals have no clear idea what these businesses would do with the data. Individuals should note they are under no obligation to give their real personal data to some businesses.[2]
Why the Amendments?
With increasing digitalisation not only is it easier and faster to get personal information out there, but the harm and distress to an individual whose personal information has gone to those who have no right to know has also exponentially increased. Today, individuals find themselves continuously transferring personal information to government, vendors, websites, social groups, or social media platforms, oftentimes legitimately, but sometimes without consent or knowledge. Even if you did know, what choice do you have if you want to use that platform or app?
Someone once said there was no such thing as a free lunch; the same could be said of apps. There is no such thing as a free app – the app was paid for with your personal data. Even without an individual being aware of it, each click of the mouse or scan of a rewards card is transferring personal information. Ever wondered why pop-up ads seem to know your browsing or shopping history? Your personal information was collected and sent to third parties.
The human right to a private life may be hard, and it has historically been hard. “For what do we live, but to make sport for our neighbours, and laugh at them in our turn?” asks Mr. Bennet in Jane Austen’s Pride and Prejudice, published in 19th century England. (Note to reader: Your neighbours acting in their own capacity are currently not covered by the Privacy Act, although it is as yet unknown how the tort of privacy may evolve.)[3]
The right to privacy is about the human right to choose what to share, who to share it with and how the shared information should be protected. Australians have a right to have their privacy respected, and when they are asked to hand over their personal data they have a right to expect it will be protected.
Recommendations from Privacy Amendment Bill
The Privacy Amendment Bill was introduced to parliament on 12 September 2024. It implements an initial tranche of agreed recommendations from the Privacy Act Review report published on 16 February 2023,[4] including:
- greater transparency provided to individuals regarding automated decisions that affect them;
- streamlined information sharing in the case of an emergency or eligible data breach, while ensuring that information is appropriately protected; and
- stronger enforcement powers for the Australian Information Commissioner.
Here we will examine three other proposed legislative changes in the Privacy Amendment Bill:
1. Children’s Online Privacy Code
The Privacy Amendment Bill proposes that the Office of the Australian Information Commissioner (‘OAIC’) be supported with an additional $3 million over three years to develop a Children’s Online Privacy Code (‘the Code’) to help protect children from a range of online harms.
The OAIC has stated that as code developer, their ultimate objective is not to prevent children from engaging in the digital world, but rather to protect them within it.[5]
The Code will apply to social media and a wide range of other internet services children may access, including apps, websites, and messaging platforms. The Code’s strengthened privacy measures for these services in the handling of children’s personal information will be consistent with the Australian Privacy Principles, the privacy protection framework in the Privacy Act 1988 (Cth).
2. Criminal Offence of Doxxing
The Privacy Amendment Bill introduces new criminal offences to outlaw doxxing. Doxxing concerns the malicious release of personal data online, such that victims are exposed to physical threats, public embarrassment, humiliation or shaming, discrimination, identity theft and financial fraud, and other serious harms, including the dangers from the release of personal information involving women and children in the context of domestic and family violence.
The Privacy Amendment Bill provides a maximum penalty of 6 years’ imprisonment for the malicious release online of personal data, and a more serious penalty of 7 years’ imprisonment, where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
3. Tort of Privacy
A statutory tort or cause of action for breaches of privacy is not a new concept. As early as 1969, Sir Zelman Cowen, then Vice-Chancellor of the University of New England, advocated for a legislative right to seek redress for breaches of privacy.[6]
Currently, Australia does not have a tortious right of action for invasion of privacy under the Privacy Act 1988 (Cth) (‘Privacy Act’) or any other Commonwealth, state or territory statute. The creation of a statutory tort was recommended by the Australian Law Reform Commission’s 2014 Report, “Serious Invasions of Privacy in the Digital Era” (‘ALRC Report’).[7]
In the ALRC Report, the Commission said creating the tort would ‘fill an increasingly conspicuous gap in Australian law, helping to protect the privacy of Australians, while respecting and reinforcing other fundamental rights and values, including freedom of expression.’
While the concept of a tort of privacy is not new (note: a good background to the legal possibilities of the tort in Australia can be found in the 2005 Melbourne University Law Review article by Des Butler, titled, ‘A Tort of Invasion of Privacy in Australia?’),[8] this tort will become a reality once the Privacy Amendment Bill passes through parliament.
Things to Note from the Tort of Privacy
Schedule 2 to the Privacy Amendment Bill sets out the tort of privacy based on recommendations from the ALRC Report. Subject to limitations, Schedule 2 provides a statutory cause of action, or tort, for individuals who have suffered a serious invasion of their privacy, in circumstances where the individual had a reasonable expectation of privacy.
Some aspects of the tort in its application are:
- Only individuals will have a cause of action, not companies.
- There must have been an invasion of privacy either physically upon the individual’s private space or a misuse of information relating to the individual, which may be digital.
- The invasion of privacy must be serious.
- The invasion of privacy must be intentional or reckless, not merely negligent.
- The individual must have a reasonable expectation of privacy in the circumstances.
- The public interest in protecting the individual’s privacy outweighs any other countervailing public interest the other party has.
- The individual who is harmed does not need to prove suffering.
Remedies include injunctions, declarations, ordered apologies, and monetary compensation.
Defences and Exemptions to the Tort of Privacy
The Privacy Amendment Bill sets out several defences common to the law of torts and defamation. There are also exemptions for journalists in their collection of information, preparation for publication or publication of journalistic materials, working in their professional capacity under their professional code of conduct.
Journalistic material is deemed to be such where it:
- has the character of news, current affairs, or a documentary; or
- consists of commentary or opinion on, or analysis of, news, current affairs, or a documentary.[9]
This exemption extends to employers of journalists and persons assisting journalists in their professional capacity. There are similar exemptions for enforcement bodies, intelligence agencies, and persons under the age of 18.
Conclusion
If the Privacy Amendment Bill is passed by parliament, it would introduce significant changes to the legal landscape by strengthening protection of the individual’s human right to privacy, which is something to be applauded. It will be interesting to watch how the tort of privacy unfolds in the courts, what body of legal principles future cases establish, and what the implications are for society and the nature of social interactions.
Vocare Law is well equipped to assist our Information Technology and Software clients with a wealth of collective knowledge and experience providing insight and advice in this area. If you have any questions regarding the changes proposed in the new Privacy and Other Legislation Amendment Bill 2024 (Cth) and forthcoming Act, please don’t hesitate to contact our office on 1300-VOC-LAW / 1300-862-529 or email: enquiry@vocarelaw.com.au
The information contained herein does not, and is not intended to, constitute legal advice and is for general informational purposes only.
Footnotes
[1] https://www.aph.gov.au/Parliamentary_Business/Bills_LEGislation/Bills_Search_Results/Result?bId=r7249
[2] See Australian Privacy Principle 2 – anonymity and pseudonymity, subclause 2.1.
[3] https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities
[4] https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
[5] https://www.oaic.gov.au/news/blog/better-privacy-protections-for-children-are-coming
[6] https://ministers.ag.gov.au/media-centre/speeches/second-reading-speech-privacy-and-other-legislation-amendment-bill-2024-12-09-2024
[7] https://www.alrc.gov.au/publication/serious-invasions-of-privacy-in-the-digital-era-alrc-report-123/
[8] https://classic.austlii.edu.au/au/journals/MelbULawRw/2005/11.html
[9] https://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r7249_first-reps/toc_pdf/24115b01.pdf;fileType=application%2Fpdf