Explanatory Memorandum
(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)
GENERAL OUTLINE
1. The Privacy and Other Legislation Amendment Bill 2024 (the Bill) would enact a first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) to implement a number of the legislative proposals that were agreed by the Government in its September 2023 Response to the Privacy Act Review. The Bill would also introduce a new statutory tort for serious invasions of privacy, and targeted criminal offences to respond to doxxing.
2. The rapidly evolving digital landscape presents opportunities for innovation, advances in productivity and efficiency, and a range of other benefits for all Australians. However, the Privacy Act has not kept pace with Australians' widespread adoption and reliance on digital technologies, which increases the risks that personal data will be subject to misuse or mishandling, including through data breaches, fraud and identity theft, unauthorised surveillance and other significant online harms.
3. These digital technologies can also facilitate doxxing, which exposes victims to physical threats, public embarrassment, humiliation or shaming, discrimination, identity theft and financial fraud, and other serious harms. These risks are magnified where the release of personal information involves women and children in the context of domestic and family violence.
4. The Privacy Act Review Report, released in February 2023, concluded that comprehensive reform is required to ensure the Privacy Act is fit for purpose and capable of addressing the heightened data risks of the digital age. The Government's response, released in September 2023, sets out its commitment to substantial reform to better protect Australians' privacy. Of the 89 proposals in the Report directed at legislative change, the Government Response agreed to 25 proposals, agreed in-principle to 56 and noted eight.
5. In addition to amendments to the Privacy Act, this Bill would introduce a new statutory tort for serious invasions of privacy, and targeted criminal offences to address doxxing. In doing so, this Bill constitutes an important first step in ensuring Australians' privacy is properly respected and protected.
Measures to enhance the privacy of individuals with respect to their personal information
6. The Bill would implement 23 of the 25 legislative proposals that were agreed in the Government Response to the Privacy Act Review.
7. The Bill would continue to recognise, in the objects of the Privacy Act, that the protection of the privacy of individuals must be balanced with the interests of entities in carrying out their functions or activities. However, the objects would also explicitly recognise that there is a public interest in protecting privacy.
8. The Office of the Australian Information Commissioner (OAIC), Australia's national privacy regulator, would have access to a broader range of enforcement options, as well as new functions and capabilities. These include two new provisions to ensure civil penalties can be tailored appropriately to the level of seriousness of the privacy breach. This would address the gap in the current law under which the Australian Information Commissioner (Information Commissioner) can only seek civil penalties for the most serious or egregious interferences with privacy.
9. The Bill also enhances the enforcement of privacy protections by:
- a. expanding the powers of the Federal Court of Australia (FCA) and the Federal Circuit and Family Court of Australia (FCFCOA) in civil penalty proceedings beyond pecuniary penalties, to enable the courts to make any order in relation to the contravention,
- b. empowering the OAIC to use the general investigation and monitoring powers under Parts 2 and 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) to improve successful regulatory outcomes, and
- c. empowering the Information Commissioner to conduct public inquiries into matters relating to privacy on the direction or approval of the Minister.
10. Additionally, the Information Commissioner would have enhanced code-making powers to provide greater clarity and specificity about the application of, or compliance with, the Australian Privacy Principles (APPs). This includes developing and registering an APP code on the direction of the Attorney-General where it is in the public interest to do so, and to make temporary APP codes to respond to urgent situations. To strengthen and protect the privacy of children online, the Information Commissioner would also be required to develop and register a Children's Online Privacy Code (COP Code) within two years of commencement of the relevant provisions.
11. This Bill provides that entities may handle personal information in a manner that would otherwise not be permitted under the APPs when it is necessary to assist individuals in emergencies and following significant data breaches. Emergency declarations made in relation to an emergency or disaster will be more flexible and targeted to assist with the Commonwealth's response in these situations, and give entities confidence about when they are permitted to take actions (such as sharing personal information) without contravening the Act. The Minister would also have the power to issue a declaration that would enable the sharing of personal information with appropriate entities where it is necessary or appropriate to prevent or reduce the risk of harm to individuals in the event of an eligible data breach.
12. The Bill introduces a series of measures to increase transparency and certainty regarding the handling of personal information for individuals and entities by:
- a. clarifying that reasonable steps to protect information in APP 11 include technical and organisational measures,
- b. introducing a mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs, to assist entities to assess whether to disclose personal information to an overseas recipient, and
- c. requiring entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
Statutory cause of action for serious invasions of privacy
13. The Bill would provide individuals with a cause of action in tort for serious invasions of privacy. This would implement the Australian Law Reform Commission's (ALRC's) recommendation in its 2008 report For Your Information: Australian Privacy Law and Practice (ALRC Report 108). The model of the statutory tort set out in this Bill is informed by the ALRC's 2014 report Serious Invasions of Privacy in the Digital Era (ALRC Report 123).
14. Australia has a range of laws at the Commonwealth, state and territory levels (including the common law, criminal law and privacy legislation) that address invasions of privacy. However, these laws are not nationally uniform. They vary between jurisdictions in the circumstances in which they apply, the fora through which they are pursued, and the remedies they can provide.
15. The statutory tort for serious invasions of privacy would provide a flexible framework to address current and emerging privacy risks and provide individuals with the ability to better protect themselves and seek compensation for a broader range of serious invasions of privacy, including physical privacy, as well as misuse of information.
16. Individuals would have a cause of action if they suffer an invasion of their privacy, either by an intrusion into their seclusion or by misuse of information, when: a person in their position would have had a reasonable expectation of privacy in all the circumstances; the invasion of privacy was intentional or reckless; and the invasion of privacy was serious. Where one or more competing public interests are identified by a defendant (for example, the public interest in freedom of expression), the plaintiff must also satisfy the court that the public interest in protecting their privacy outweighs those competing public interests.
17. The statutory tort would include a range of defences and exemptions for legitimate activities that are essential in a free, safe and democratic society. This is intended to protect the vital public interest in press freedom, including the role of journalists in fostering informed public debate, to promote accountability and transparency, and serve as a platform for diverse opinions and voices. The defences and exemptions also recognise that legitimate activities of government may be privacy intrusive but are necessary and justifiable to ensure the proper administration of government (including law enforcement) and keep the community safe and secure.
18. The statutory tort provides for a range of remedies including compensation. It also specifies some other modifications for the purposes of the tort, including a cap on damages, ensuring that summary judgment can be issued in all jurisdictions, and a role for the Information Commissioner to intervene with the leave of the court, or to assist as amicus curiae.
Criminal offences
19. The Bill amends the Criminal Code Act 1995 (Cth) (Criminal Code) to introduce new offences targeting the release of personal data using a carriage service in a manner that would be menacing or harassing - a practice which is colloquially known as 'doxxing'.
20. Doxxing is the intentional malicious exposure of an individual's personal data online. Doxxing can expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physical safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud. The risks of these harms can be enduring, once a person's personal data has been released online. Victims of doxxing may be required to take significant steps, and incur significant cost and hardship, to mitigate the risk of harm. Doxxing can also cause psychological harms, both directly and as a result of the occurrence, or the fear of the occurrence, of the previously-mentioned harms.
21. The prevalence of social media and online platforms has rapidly increased the capacity of individuals to access or gain another's personal data, and easily release that information maliciously online. If such malicious conduct is not criminalised, it can reduce individuals' and the broader community's confidence in engaging substantially online, including in public and political debate, undermining the benefits of such engagement to the individual and community.
22. The Bill amends Part 10.6 of the Criminal Code to:
- a. introduce a new offence for using a carriage service to make available, publish or distribute personal data, where the person engages in the conduct in a way that reasonable persons would regard as being menacing or harassing, and
- b. introduce a further offence where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
FINANCIAL IMPACT
23. The Government will provide funding to the Office of the Australian Information Commissioner to develop the COP Code.