Second reading speech – Privacy and Other Legislation Amendment Bill 2024
Check Against Delivery
Introduction
The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.
The Privacy Act 1988 represented the first time that a comprehensive, integrated set of legal rules protecting interests in privacy existed in Australia. On introducing it, Attorney-General Lionel Bowen told the Parliament that “enormous developments in technology for the processing of information are providing new and, in some respects, undesirable opportunities for the greater use of personal information.”
In that respect, little has changed. Evolutions in technology and the way people use it continue to vex those who share information online, and those charged with regulating it. It is essential that Australians are protected by a legal framework that is flexible and agile enough to adapt to changes in the world around them.
The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms – like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams.
Strong privacy laws and protections are critical to building public trust and confidence in the digital economy, and driving the investments needed to keep people’s data safe.
The right to privacy is a fundamental human right. As Sir Zelman Cowen said in his 1969 Boyer Lectures, a person without privacy is a person without dignity. We must be vigilant in ensuring that evolving technology does not erode our ability to protect information about who we are, what we do and what we believe from being misused.
The Privacy and Other Legislation Amendment Bill 2024 is a significant step forward for Australian privacy law. It begins the much-needed work of updating our privacy laws to be fit-for-purpose in the digital age.
With this Bill, the Australian Government is taking the next step to ensure Australians’ privacy is respected and protected. It implements a first tranche of agreed recommendations of the Privacy Act Review, ahead of consultation on a second tranche of reforms.
It also delivers on a commitment made by the Albanese Government following the National Cabinet held in May to address gender-based violence, by outlawing the practice of “doxxing”, or the malicious release of personal data online.
Schedule 1 of the Bill will amend the Privacy Act to enhance its effectiveness, strengthen the enforcement tools available to the privacy regulator and better facilitate safe overseas data flows. It will require the development of a Children’s Online Privacy Code, streamline information-sharing in emergencies and following eligible data breaches, and increase transparency when entities are automating significant decisions which use personal information.
Schedule 2 of the Bill will introduce a new statutory tort to provide redress for serious invasions of privacy.
Schedule 3 of the Bill will amend the Criminal Code Act 1995 to introduce new criminal offences to target the harmful practice of doxxing.
Schedule 1 – Privacy Act amendments
Schedule 1 begins the work of bringing Australia’s privacy protection framework into the digital age. The amendments re-affirm the Government’s view that entities have a responsibility to protect Australians’ personal information and not treat it merely as a commercial asset.
Children’s privacy
While all Australians face privacy risks in the online environment, children are particularly vulnerable. For many Australian children, social media has been part of their lives from the time they were born. They have never lived in a world without it.
It has been estimated that by the time a child turns 13, around 72 million pieces of data will be collected about them.
This Bill will require the development of a Children’s Online Privacy Code which will apply to social media and other internet services which are likely to be accessed by children. The Children’s Online Privacy Code will specify how these entities must comply with privacy obligations in relation to children. The Code will align to the extent possible with similar codes in like-minded countries, such as the United Kingdom.
The Code will be developed by the Office of the Australian Information Commissioner, which will be provided with $3 million in funding over three years to do this important work.
Information-sharing declarations after data breaches and emergencies
Cyber incidents are growing in number, speed and sophistication. Data breaches are exposing millions of Australians to risk of fraud, identity theft and scams. This Bill will promote the importance of implementing technical and organisational controls - such as encrypting data and training staff on data protection - to address information security risks.
It will also support more effective responses to data breaches by introducing eligible data breach declarations. A declaration will permit the sharing of personal information following a notifiable data breach for the purpose of preventing or reducing the risk of harm to individuals.
Sharing information under these circumstances will enable entities such as banks to act quickly to prevent the misuse of compromised credentials. Safeguards are included to ensure that a declaration can only be made for a purpose that is related to preventing or reducing a risk of harm to individuals arising from a misuse of personal information from the eligible data breach.
An eligible data breach declaration can be issued quickly and will make clear the kinds of personal information that may be shared, and with whom they may be shared, which may include state and territory agencies.
Similarly, emergency declarations made under the Act permit personal information sharing following disasters or emergencies to support response efforts, including to assist affected individuals. The Bill will require emergency declarations to specify the kinds of personal information, types of entities permitted to share information and the purposes for which it may be shared. These changes will ensure that individuals’ privacy is protected while also addressing their broader interests, and will support enhanced coordination with states and territories in emergencies and disasters.
Overseas data flows
The flow of information across national borders is critical for international trade and services in a globalised world. To support the free flow of information with appropriate protections, the Bill provides for countries with substantially similar data privacy laws to Australia to be prescribed. Businesses and individuals will be able to have greater confidence that personal information will be kept safe. This will also reduce costs for business when entering into contracts and agreements with overseas entities.
Enforcement
Effective enforcement of the Privacy Act is essential to protect Australians’ interests. This Bill expands the suite of regulatory powers available to the Information Commissioner to effectively enforce the Act and provides a broader range of enforcement options available to do so. This will include new civil penalties and infringement notices for less serious privacy breaches.
To investigate potential privacy breaches in an increasingly complex digital landscape, the Information Commissioner requires modern investigative powers. This Bill provides the Information Commissioner with additional powers, including for search and seizure, which may be exercised under warrant when investigating breaches of the Act, and scalable enforcement options.
The Bill will empower a court to make appropriate orders where it has determined that an entity has breached a civil penalty provision, which may include compensation for loss or damage suffered.
Effective privacy protection requires proactive regulatory action. This Bill also strengthens the Information Commissioner’s capacity by expanding monitoring and assessment functions. The Bill also introduces new public inquiry powers which will enable the Information Commissioner to inquire into specified matters as directed or approved. This will enable the Information Commissioner to keep closer oversight of threats to privacy, including issues of a systemic nature, as they emerge.
Automated decision making
The safe and responsible development and deployment of automated decision making presents significant opportunities. These systems have the potential to increase the efficiency, accuracy and consistency of decisions, and they present opportunities for improved outcomes in health, environment, defence and national security.
The Bill will provide individuals with transparency about the use of their personal information in automated decisions which significantly affect their interests. Entities will need to specify the kinds of personal information used in these sorts of decisions in their privacy policies.
Importantly these requirements will apply to decisions that are wholly or substantially automated, ensuring that the new requirements cannot be avoided by ‘tokenistic’ human involvement in a decision-making process.
Schedule 2 – statutory tort for serious invasions of privacy
A statutory tort applying to breaches of privacy has been talked about in Australia for a long, long time – as early as 1969, when Sir Zelman Cowen, then Vice-Chancellor of the University of New England, endorsed legislation to create an actionable right to seek redress for breaches of privacy.
There is currently no tortious right of action for invasion of privacy under the Act or any other Commonwealth, state or territory statute. The creation of a statutory tort was recommended by the Australian Law Reform Commission in its 2014 Report “Serious Invasions of Privacy in the Digital Era”, which I commissioned in 2013. It has been recommended by many other inquiries before and since.
In its 2014 report, the Commission stated the creation of a statutory tort would “fill an increasingly conspicuous gap in Australian law, helping to protect the privacy of Australians, while respecting and reinforcing other fundamental rights and values, including freedom of expression”.
Schedule 2 to the Bill will provide a new statutory cause of action, or tort, for individuals who have suffered a serious invasion of their privacy. This will include an intrusion on a person’s physical privacy, so the tort will complement the Privacy Act, which focusses on the narrower concept of information privacy.
There are parts of our lives that we reasonably expect to be able to keep to ourselves. The freedom to enjoy a private and family life, and express ourselves and our beliefs in safety, is critical to our wellbeing and dignity.
Ensuring that individuals have a clear right to seek a legal remedy against people or entities who seriously invade their privacy is a key part of ensuring that our privacy laws keep pace with community expectations and advances in technology.
Schedule 2 to the Bill provides that an individual has a cause of action for serious privacy invasions, either by an intrusion upon the individual’s seclusion – for example by physically intruding into their private space – or by misuse of their information, in circumstances where the individual had a reasonable expectation of privacy.
A plaintiff will have a cause of action without having to prove that any damage arose from the invasion of privacy. The damage or harm a plaintiff suffers will be a relevant factor in assessing the seriousness of the invasion, and the remedies that may be awarded.
For a claim to succeed, the plaintiff will need to demonstrate the public interest in protecting their privacy outweighs any competing public interest raised by the defendant.
In addition to the public interest balancing test, a range of defences will apply, including where the conduct of the defendant was required or authorised by law or was necessary because of a serious threat to life, health or safety.
The Bill will provide specific exemptions from liability under the tort, including for journalism, enforcement bodies and intelligence agencies. These exemptions are important to protect press freedom and ensure that legitimate activities of government can be delivered effectively.
The journalism exemption provides that invasions of privacy which occur in the course of the collection, preparation or publication of journalistic material, by a journalist, their employer, or someone assisting them, would not be liable under the tort. The Bill requires that to be considered a ‘journalist’, the person must work in that professional capacity and be subject to applicable standards of professional conduct or a code of practice.
The journalism exemption also operates in addition to the requirement that a court balance the public interest in the plaintiff’s privacy with other public interests. This may involve consideration of the public interest in freedom of the media, or freedom of expression.
A court will have the flexibility to choose the remedy or remedies that are most appropriate in the circumstances. This may include compensation for non-economic loss or an order requiring the defendant to apologise to the plaintiff.
Schedule 3 – doxxing criminal offences
Schedule 3 of the Bill will amend the Criminal Code 1995 to create new criminal offences targeting the release of personal data in a manner that is menacing or harassing—a practice known as ‘doxxing’.
The prevalence of social media and online platforms has rapidly increased the capacity of malicious individuals to obtain personal data, and to release that online—either to the public at large on social media platforms, or to their associates on forum and messaging platforms.
Doxxing exposes victims to significant and enduring harm, including public embarrassment, humiliation, shaming, discrimination, stalking and identify theft and financial fraud. It can lead to threats to a victim’s life and safety, and the lives and safety of their families and friends. It can inflict significant and lasting psychological harm.
Doxxing is a damaging form of abuse that can affect all Australians but is often used against women in the context of domestic and family violence.
The creation of this offence also responds to a recent, shocking incident of a group who were targeted with doxxing on the basis of their religion.
The Bill creates a new offence that applies where a person:
- uses a carriage service to make available, publish or otherwise distribute the personal data of one or more individuals; and
- the person does so in a way that reasonable persons would regard as being menacing or harassing towards those individuals.
The new offence will carry a maximum penalty of 6 years’ imprisonment.
The Bill also introduces a further offence, with a more serious maximum penalty of 7 years’ imprisonment, where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
The Government recognises that there are circumstances in which people legitimately publish and distribute personal data, including individuals’ names, contact details and movements.
The new offences will apply only where a reasonable person would consider the conduct to be, in all the circumstances, menacing or harassing, to ensure that legitimate conduct is not inappropriately criminalised.
‘Personal data’, in the context of these new offences, means information about an individual that enables them to be identified, contacted or located. This includes their name, photograph, telephone number, email address, online account, residential or work address, and place of education or worship. This definition recognises that doxxing can occur in a number of different ways.
The Albanese Government is committed to the protection of Australians from online harm, and these new offences will ensure that perpetrators of doxxing are held to account.
These new offences will complement work that is underway across government, to strengthen online safety for all Australians. This includes the takedown powers of the eSafety Commissioner, the Cyberbullying Scheme and the Adult Cyber Abuse Scheme under the Online Safety Act 2021.
Conclusion
This Bill is an important first step in the Government’s privacy reform agenda, but it will not be the last. Over the coming months, the Attorney-General’s Department will develop the next tranche of privacy reform for targeted consultation, including draft provisions. The Government is approaching this important reform work carefully, to ensure increased privacy protections are balanced alongside other impacts, and that we deliver the fairest outcome for all Australians.
After many years of inaction, this Labor Government is committed to genuine privacy reform. The Australian people expect no less – for themselves and their children.