Explanatory Memorandum
(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)
STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Privacy and Other Legislation Amendment Bill 2024
1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
Measures to enhance the privacy of individuals with respect to their personal information
2. Schedule 1 of the Bill contains a range of measures to enhance the privacy of individuals with respect to the protection of their personal information, including amendments to:
- a. clarify the objects of the Privacy Act (Part 1),
- b. enhance the Information Commissioner's code-making powers (Part 2),
- c. enhance the sharing of personal information in emergency situations to assist individuals involved in or affected by emergencies or disasters (Part 3),
- d. require the development and registration of a COP Code to enhance privacy protections for children (Part 4),
- e. clarify the steps entities are required to take to keep personal information secure (Part 5),
- f. provide greater certainty about when personal information can be disclosed overseas, and increase mechanisms to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected (Part 6),
- g. facilitate information sharing where there has been an eligible data breach of an entity to prevent or reduce the risk of harm arising from misuse of personal information (Part 7),
- h. introduce new civil penalties for breaches of the Privacy Act (Parts 8 and 9),
- i. enable the Information Commissioner to undertake public inquiries on matters relating to privacy (Parts 10 and 11),
- j. strengthen the Information Commissioner's enforcement powers (Parts 13 and 14), and
- k. increase transparency about automated decisions that significantly affect the interests of an individual (Part 15).
Statutory cause of action for serious invasions of privacy
3. Schedule 2 of the Bill provides individuals with a statutory cause of action in tort for serious invasions of privacy. This would implement the recommendation in ALRC Report 108. The model of the statutory tort set out in this Bill is informed by ALRC Report 123.
4. The statutory tort provides a flexible framework to address current and emerging privacy risks and provide individuals with the ability to better protect themselves and seek compensation for a broader range of invasions of privacy than existing laws.
5. Under the tort, individuals would have a cause of action for a serious invasion of privacy if they suffer an invasion of their privacy, either by an intrusion into their seclusion or by misuse of information, when a person in their position would have had a reasonable expectation of privacy in all the circumstances; the invasion of privacy was intentional or reckless; and the invasion of privacy was serious. Where a competing public interest is identified, the plaintiff must also satisfy the court that the public interest in protecting their privacy outweighs those public interests.
6. The statutory tort provides for a range of defences and exemptions for legitimate activities, including activities of law enforcement and intelligence agencies, and journalism.
7. The statutory tort also provides for a range of remedies including compensation, and specifies some modifications of the ordinary operation of courts, including a cap on damages, ensuring that summary judgment can be issued in all jurisdictions, and a role for the Information Commissioner to intervene with the leave of the court, or to assist as amicus curiae.
Criminal offences
8. Schedule 3 of this Bill will amend Part 10.6 of the Criminal Code by introducing two new offences to specifically criminalise the malicious release of personal data using a carriage service.
9. The first offence will apply where a person uses a carriage service to make available, publish or otherwise distribute personal data and the person does so in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards the individual.
10. The second offence will apply where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
11. In these offences, 'personal data' of an individual means information about the individual that enables the individual to be identified, contacted or located. This could include the name of the individual, their photograph or other image of them, telephone number, email address, online account, residential address, work or business address, a place of education or place of worship. It is becoming increasingly common for individuals to intentionally expose this type of information online to maliciously target a specific person, or one or more members of certain groups.
12. Current Commonwealth criminal law does not specifically address doxxing conduct. Part 10.6 of the Criminal Code covers generic carriage services offences and provisions such as section 474.17 - using a carriage service to menace, harass or cause offence, which may cover certain doxxing scenarios. These specific criminal offences targeting doxxing make clear to those looking to engage in this conduct that it is harmful, serious and subject to significant criminal penalties.
Human rights implications
13. This Bill engages the following rights:
- a. the right to privacy in Article 17 of the International Covenant on Civil and Political Rights (ICCPR),
- b. the right to freedom of expression in Article 19(2) of the ICCPR,
- c. the right to freedom of thought, conscience and religion in Article 18 of the ICCPR,
- d. the right to security of the person in Article 9 of the ICCPR,
- e. the right to liberty of persons and freedom from arbitrary detention in Article 9(1) of the ICCPR,
- f. the right to a fair trial in Article 14(1) of the ICCPR,
- g. the right to presumption of innocence in Article 14(2) of the ICCPR,
- h. the right to an effective remedy in Article 2(3) of the ICCPR,
- i. the right to equality and non-discrimination in Articles 2(1), 16 and 26 of the ICCPR and Article 2 of the International Covenant on Economic, Social and Cultural Rights (ICESCR),
- j. the child's right to privacy in Article 16 of the Convention on the Rights of the Child (CRC),
- k. the right to life in Article 6 of the ICCPR,
- l. the right to the highest attainable standard of physical and mental health in Article 12 of the ICESCR,
- m. the prohibition of torture, or cruel, inhuman and degrading treatment or punishment in Article 7 of the ICCPR, and
- n. the right to not be subject to retrospective criminal laws contained in Article 15(1) of the ICCPR.
(a) Right to protection against arbitrary or unlawful interference with privacy
14. The Bill would promote the right to privacy by strengthening the protection and enforcement of the law against unlawful interferences with privacy. Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy, and that everyone has the right to the protection of the law against such interference or attacks.
15. For interference with privacy not to be arbitrary, it must be lawful and in accordance with the provisions, aims and objectives of the ICCPR, and should be reasonable in the particular circumstances. Reasonableness in this context incorporates notions of proportionality to the end sought and necessity in the circumstances.
Measures to enhance the privacy of individuals with respect to their personal information
Part 1 - Objects of the Privacy Act
16. Part 1 would promote the right to privacy by amending the objects of the Privacy Act to clarify that the objects of the Act include promoting the protection of individuals' personal information, and to recognise the public interest in protecting privacy.
17. These amendments would ensure that the Privacy Act is underpinned by a comprehensive understanding of the broad public benefits of strong privacy protections, which would guide the judiciary's interpretation of the Act.
Part 2 - Code-making powers
18. Part 2 would promote the right to privacy by providing greater flexibility and efficiency to the APP code-making process by empowering the Information Commissioner to develop and register an APP code or Temporary APP code on the written direction of the Minister if the Minister is satisfied that it is in the public interest to develop the code, and for the Information Commissioner to develop the code.
19. APP codes provide greater clarity and specificity about how the principles-based Australian Privacy Principles (APPs) are to be applied and complied with. The Bill enhances the right to privacy by promoting greater compliance and providing confidence to members of the community that their personal information will be handled appropriately. This is particularly important given the growing calls for APP codes to be developed in response to the privacy risks arising from new and emerging technologies.
Part 3 - Emergency declarations
20. Part 3 would amend the Privacy Act's emergency declaration provisions, which previously allowed for the wide sharing of personal information in a declared emergency or disaster. These amendments enable emergency declarations to be more targeted by requiring that the declaration specify the kinds of personal information that may be handled, the entities which may handle the personal information, the entities to which the personal information may be disclosed, and the permitted purpose of the collection, use or disclosure of the personal information.
21. By requiring the scope of personal information handling under emergency declarations to be defined, these amendments would strike a better balance between protecting individuals' privacy, and enabling effective and coordinated responses to an emergency or disaster. This balance would ensure that the limits placed on the right to privacy by emergency declarations are reasonable and proportionate.
22. Part 3 would allow both agencies and organisations to disclose personal information to state and territory authorities. Expanding the circumstances in which personal information can be shared in an emergency or disaster may limit the right to privacy. As a safeguard, a criminal offence exists to deter unauthorised secondary disclosures of personal information received under a declaration. These limitations are reasonable, proportionate and necessary to achieve a legitimate objective - to prevent the loss of life and other serious harms and assist individuals who may be involved in an emergency or disaster.
Part 5 - Security, retention and destruction of personal information
23. Part 5 would promote the right to privacy by clarifying the expected scope of measures that entities should consider when determining how they should protect the personal information. The reform would promote the importance of implementing technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks. These controls would help minimise the risk of data breaches and harm arising from cyber incidents, which can cause significant detriment to affected individuals.
Part 6 - Overseas disclosures of personal information
24. Part 6 would promote the right to privacy by introducing a mechanism to prescribe countries and binding schemes that provide substantially similar privacy protections to the APPs. This measure would enhance the free flow of information across national borders while ensuring the privacy of individuals is respected by providing greater certainty to disclosing entities about the standard of privacy protections in countries in which overseas recipients of personal information are located.
Part 7 - Eligible data breach declarations
25. Part 7 would empower the Minister to make a declaration enabling entities to handle personal information in a manner that would otherwise not be permitted under the APPs or certain secrecy provisions in order to prevent or reduce the risk of harm to individuals in the event of an eligible data breach. Individuals affected by a data breach are exposed to risk of serious harms including identity fraud, reputational damage and blackmail. Unauthorised access or disclosure of personal information in a data breach can cause significant financial loss, emotional distress and have serious, ongoing consequences for individuals.
26. This would involve disapplying the privacy protections that would otherwise apply to collection, use or disclosure of personal information. However, this would only occur in situations where it is necessary to prevent or reduce the risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.
27. Safeguards are included to minimise potential adverse privacy impacts, including:
- a. a declaration can only be made if an entity has experienced an 'eligible data breach',
- b. the Minister must be satisfied that making the declaration is necessary or appropriate to prevent or reduce a risk of harm,
- c. a declaration may only authorise the collection, use or disclosure of personal information for a permitted purpose that is directly related to preventing or reducing a risk of harm arising from a misuse of personal information about one or more individuals following an eligible data breach,
- d. an entity may only collect, use or disclose personal information if they have a reasonable belief that an individual is at risk from an eligible data breach,
- e. collection, use or disclosure is only authorised in accordance with the declaration, and a criminal offence exists to deter unauthorised secondary disclosures of personal information received under a declaration,
- f. declarations are also only able to operate for a limited time (a maximum of 12 months),
- g. the Minister may consult with the Information Commissioner to inform the making of a declaration, including its effect on privacy protections, and
- h. the security and destruction requirements apply to APP entities that hold personal information received under a declaration.
28. The limitations imposed on the right to privacy through increased information sharing in the aftermath of a data breach are reasonable, proportionate and necessary to achieve the legitimate objective of preventing and reducing a risk of harm to individuals.
Parts 8-11 - Civil penalties and enforcement powers
29. The Bill would promote the right to privacy by strengthening the protection of the law against unlawful interferences with privacy.
30. Part 8 would introduce new civil penalties and enhance the enforcement mechanisms available to the Information Commissioner and the powers available to the FCA or the FCFCOA to order remedies for unlawful interference with privacy.
31. Part 8 would promote the right to privacy by clarifying what constitutes a 'serious' interference with privacy. This amendment would clarify that an interference with privacy may be serious if certain factors apply, including whether an act or practice is repeated or continuous.
32. New civil penalties would apply commensurate with the seriousness of the interference with privacy. These amendments would provide more enforcement options to the Information Commissioner to deter non-compliance and ensure penalties are appropriately tailored to the seriousness of the contravention. They would address a gap in enforcement where the Information Commissioner was previously only able to seek civil penalties for the most serious or egregious interferences with privacy.
33. The Information Commissioner would be able to issue infringement notices for civil penalties for relatively minor contraventions of the Privacy Act. This would promote the right to privacy by giving the Information Commissioner the option to penalise entities that are not meeting their privacy obligations without the need to engage in protracted litigation, and would allow the Information Commissioner to resolve matters more efficiently.
34. Part 9 would enable the FCA or the FCFCOA to issue any order it sees fit, if the Court is satisfied there has been a contravention of a civil penalty provision. This measure would promote the right to privacy by expanding the jurisdiction of the FCA and FCFCOA to make orders other than civil penalties, such as orders for compensation. This measure would also give sufficient flexibility to the FCA and FCFCOA to make other appropriate orders, including orders to take steps to minimise further impacts on individuals affected by the interference with privacy.
35. Part 10 would promote the right to privacy by enabling the Information Commissioner to conduct public inquiries into specified matters as directed by the Minister or with Ministerial approval. Public inquiries would enable the Information Commissioner to examine acts and practices that may illustrate systemic or industry-wide issues relevant to individuals' privacy. These provisions would support the Information Commissioner's privacy functions, including by indicating where further education and guidance may assist entities to comply with requirements in the Privacy Act or where to target regulatory efforts.
36. Part 11 would promote the right to privacy by allowing the Information Commissioner to issue a determination requiring a respondent to a privacy matter to perform any reasonable act or course of conduct to prevent or reduce reasonably foreseeable future loss or damage. For example, if an entity was found to have breached APP 11 (security of personal information) and this led to identity credentials being exposed, such as drivers' licences, the Information Commissioner would have the power to make a declaration requiring the entity to assist affected individuals in replacing compromised credentials, or to engage service providers such as identity theft and cyber support providers to give support to affected individuals for a certain time period after the incident. This would enhance privacy protections as it would enable the Information Commissioner to require a respondent to be more proactive following a privacy breach, including identifying reasonably foreseeable consequences and taking reasonable steps to mitigate these consequences.
Part 14 - Monitoring and investigation powers
37. Part 14 would engage the right to privacy by triggering the powers in Part 2 and Part 3 of the Regulatory Powers Act. The provisions specify which matters and provisions trigger the standard monitoring and investigation powers. These would replace bespoke entry and inspection provisions in the Privacy Act to ensure the OAIC has a robust and consistent regulatory framework to monitor compliance and enforce protections in the Privacy Act and other Acts under which the Information Commissioner has responsibility, including (but not limited to) the Crimes Act 1914 (Spent Convictions Scheme), the Competition and Consumer Act 2010 (Consumer Data Right (CDR) privacy safeguards), the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Program Act), the Digital ID Act 2024, the Healthcare Identifiers Act 2010, the My Health Records Act 2012 and National Health Act 1953. They are constrained in various ways as set out below, ensuring that their use is not arbitrary.
38. The powers cannot be exercised without consent being given to the entry into the premises, or prior judicial authorisation in the form of a warrant. Where entry is based on the consent of the occupier, consent must be informed and voluntary and the occupier of the premises can restrict entry by authorised persons to a particular period.
39. The Regulatory Powers Act also provides conditions on the issuing of a monitoring or investigation warrant. For example, in the case of an investigation warrant, an issuing officer may issue the warrant only when satisfied, by oath or affirmation, that there are reasonable grounds for suspecting that there is, or may be within the next 72 hours, evidential material on the premises. An issuing officer must not issue a warrant unless the issuing officer has been provided, either orally or by affidavit, with such further information as they require concerning the grounds on which the issue of the warrant is being sought. These conditions ensure there are adequate safeguards against arbitrary limitations on the right to privacy in the issuing of warrants.
40. An authorised person cannot enter premises under a warrant unless their identity card is shown to the occupier of the premises. If entry is authorised by a warrant, the authorised person must provide a copy of the warrant to the occupier of the premises. This provides for the transparent utilisation of the powers, and mitigates arbitrariness and risk of abuse.
41. Further, the standard powers can only be exercised in specific circumstances set out in the triggered provisions. For example, under section 52 of the Regulatory Powers Act, the power to seize evidence of a kind not specified in the warrant may only be exercised where:
- a. an authorised person finds the thing in the course of searching for material of the kind specified in an investigation warrant, and
- b. the authorised person believes on reasonable grounds that the thing is evidential material of another kind, and
- c. the authorised person believes on reasonable grounds that it is necessary to seize the thing in order to prevent its loss, concealment or destruction.
42. These constraints on the exercise of the powers also limit their susceptibility to arbitrary use and ensure that their use is reasonable and proportionate in the circumstances.
43. New section 80TC and subsection 80TE(1) provide that, in executing a warrant, an authorised person is permitted to use such force against things as is necessary and reasonable in the circumstances. These amendments preserve current arrangements under the Privacy Act, which would be repealed by Part 14 of this Bill.
44. It is necessary to include this power, as it would enable authorised persons executing a monitoring warrant to gain access to the premises if the occupier is not in attendance or is non-compliant, including if access to further secure locations within the premises is prevented, for example by locked doors. It may also be needed by an authorised person to open locked cabinets, or to remove physically secured computers from their locks if they are required to be taken off-premises for further forensic examination, where the authorised person reasonably suspects these contain things or information that would provide evidence that provisions or matters subject to monitoring have not been, or are not being, complied with, or that information subject to monitoring is incorrect.
45. Similarly, an authorised person executing an investigation warrant may need to open locked doors, cabinets, drawers and other similar objects that the authorised person reasonably suspects contain evidential material that would demonstrate that an offence provision or civil penalty provision has been contravened.
46. The use of force power can only be exercised under a monitoring or investigation warrant, which must be issued by a judicial officer. Further, the power may only be used as is necessary and reasonable in the circumstances, which means that any ensuing damage to property would be restricted to the minimum required to obtain the documents and things during the execution of the warrant. As this power does not extend to the use of force against persons, it does not engage the right to security of person in Article 9, nor the right to life in Article 6, of the ICCPR.
47. Accordingly, the monitoring and investigation powers are necessary, proportionate and reasonable for OAIC to enforce privacy protections and improve successful regulatory outcomes.
Part 15 - Automated decision making
48. Part 15 would enhance the right to privacy by introducing requirements that entities must include information in privacy policies about the kinds of personal information used in, and types of decisions made by, computer programs that use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual.
49. Automated decision making (ADM) systems can be used to assist or replace the judgement of human decision makers. ADM systems pose privacy risks as they can use personal information about individuals in ways which may have significant impact, with little transparency.
50. The right of an individual to ascertain what personal information about them is held or used by other persons, and how this is done, is an aspect of the protection of that individual from unlawful or arbitrary interferences with privacy. Providing individuals with greater transparency allows them to understand how an entity handles their personal information and for what purposes, and allows them to take further action if there has been a breach of their personal privacy.
Statutory cause of action for serious invasions of privacy
51. Schedule 2 of the Bill would promote the right to privacy by providing a new cause of action for serious invasions of privacy. The Privacy Act currently regulates the handling of personal information by most Australian Government agencies and private sector organisations with an annual turnover of more than $3 million (as well as some smaller organisations which handle sensitive information, such as health service providers, or which opt in). However, the Privacy Act does not apply to individuals acting in a personal capacity, nor to a range of exempted entities, and it only regulates information privacy.
52. This schedule would provide protection against a broader range of interferences with privacy, in line with Australia's international obligations, and would enable individuals to seek a range of remedies, including injunctions for serious invasions of privacy and damages.
Criminal offences
53. Schedule 3 of the Bill would protect and promote the right to protection against arbitrary and unlawful interferences with privacy, both by directly criminalising the release of personal data and indirectly by protecting people against the consequential harms to their privacy that often flow from doxxing. The exposure of personal data violates a person's privacy and can compromise their safety, wellbeing and reputation.
54. The offences in the Bill are fundamentally directed towards protecting an individual's privacy and reputation by prohibiting the release of personal data that would enable a person to be identified, located or contacted online in a manner which is menacing or harassing towards the individual.
(b) Right to freedom of expression
55. Article 19(2) of the ICCPR provides that everyone shall have the right to freedom of expression, including freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of their choice.
56. Article 19(3) of the ICCPR provides that the exercise of the rights provided for in Article 19(2) carries with it special duties and responsibilities. Any permissible limitation on the right to freedom of expression must be reasonable, necessary, and proportionate for the pursuit of a legitimate objective and for the respect of the rights or reputations of others or for the protection of national security, public order, or public health or morals.
Statutory cause of action for serious invasions of privacy
57. Schedule 2 of the Bill would limit the right to freedom of expression by providing a new cause of action for serious invasions of privacy. The limitation on the right to freedom of expression is necessary to achieve the Bill's objective in promoting the right to privacy.
58. Recent developments in technology have impacted the right to privacy, including through a proliferation of 'smart' surveillance devices, image-based abuse and doxxing, and these represent a pressing and substantial concern that requires action.
59. The limitation of the right to freedom of expression is proportionate to the objective of protecting the right to privacy as there are numerous safeguards built into the mechanism of the statutory tort to ensure an appropriate balance between these interests:
- a. the cause of action only applies to serious invasions of privacy where the plaintiff would have a reasonable expectation of privacy and the defendant's conduct was reckless or intentional, so the limitation of the right to freedom of expression only arises when there is a substantial interest in protecting the right to privacy,
- b. the cause of action contains a public interest balancing test where a court must be satisfied that the public interest in protecting the plaintiff's privacy outweighs any public interest in the invasion of privacy for which the defendant can adduce evidence,
- c. there are defences for absolute privilege, publication of public documents, and fair report of proceedings of public concern,
- d. the courts would have powers to deal efficiently with matters that do not meet the requirements of the cause of action, including through summary judgment, and
- e. there is an exemption from liability for journalism to reflect the particular importance of a free press in the right to freedom of expression.
Criminal offences
60. Schedule 3 of the Bill engages the right to freedom of expression as it restricts the ability for people to use a carriage service to make available, publish or otherwise distribute an individual's personal data online in a manner that would be menacing or harassing towards that individual.
61. The offences include a 'reasonable persons' test which allows community standards and common sense to be imported into a decision on whether the conduct is, in fact, menacing or harassing towards those individuals. This objective standard recognises that there are a range of contexts in which people publish, make available or otherwise distribute information, including information about other individuals' identity, contact details and movements, that are not menacing or harassing in nature.
62. Such a threshold also ensures that it does not limit an individual's right to freedom of expression inappropriately or disproportionately. For example, media reporting, political commentary and public debate identifying key figures are not typically done in a manner that reasonable persons would regard as being menacing or harassing, and therefore would not be captured under the offences.
63. The Bill directly targets the release of personal data that is menacing or harassing towards an individual, and indirectly targets the harms that are associated with such damaging conduct. To the extent that the Bill engages the right to freedom of expression, these restrictions are reasonable, necessary and proportionate to prevent online abuse and protect individuals from the harms outlined in this statement.
(c) Right to freedom of thought, conscience and religion
64. Article 18 of the ICCPR provides that everyone shall have the right to freedom of thought, conscience and religion. This includes the freedom to have or to adopt a religion or belief, and freedom, either individually or in community with others and in public or private, to manifest religion or belief in worship, observance, practice and teaching.
Statutory cause of action for serious invasions of privacy
65. The statutory tort for serious invasions of privacy (Schedule 2) would promote the right to freedom of thought, conscience and religion by supporting individuals to hold and manifest their religion and beliefs in private without fear of public exposure, and harms such as discrimination and vilification.
(d) Right to security of the person
66. The right to security of the person in Article 9 of the ICCPR places a positive obligation on States to provide reasonable and appropriate measures to protect a person's physical security.
Statutory cause of action for serious invasions of privacy
67. Schedule 2 of this Bill would promote the right to security by deterring serious invasions of privacy that might involve intrusions onto a person's property, unauthorised surveillance, or sharing information that enables a person to be identified or located. By deterring this conduct, the Bill would protect individuals from harm, including physical harm.
(e) Right to liberty of persons and freedom from arbitrary detention
68. Article 9(1) of the ICCPR states that everyone has the right to liberty and security of person and that no one shall be subjected to arbitrary arrest or detention.
69. Limitations on the right to liberty are permitted to the extent that they are 'in accordance with such procedures as are established by law', provided that the law and the enforcement of it is not arbitrary, and where they are reasonable, necessary and proportionate to achieve a legitimate objective.
Criminal offences
70. Schedule 3 of this Bill limits the right to liberty of a person and freedom from arbitrary arrest and detention by imposing maximum penalties for the malicious release of personal data, for which a court may lawfully prescribe a period of imprisonment for a person found guilty of the offence.
71. The Bill applies a maximum penalty of 6 years' imprisonment for the new offence targeting the release of personal data online in a manner that would be menacing or harassing towards the individual. This penalty is proportionate, reflects the potential damaging behaviour of the conduct, particularly on an individual's safety and wellbeing, and recognises the substantial and enduring infringement this behaviour has on an individual's rights and privacy.
72. The Bill also applies a higher maximum penalty of 7 years' imprisonment where a person or group is targeted based on protected characteristics, such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin. While both offences seek to protect all Australians, the introduction of a higher penalty in this offence recognises that victims may be targeted based on one or more of these protected attributes and that, in these scenarios, doxxing can serve as a method of silencing their voices or embarrassing and humiliating them, and can expose them to particular risks of harm from third parties who may seek to target the victim or victims, based on prejudice against people with the protected characteristic in question. It also recognises that the act of doxxing members of a group distinguished by a protected attribute is likely to have a larger societal impact as it may result in trauma or fear for other people who share that attribute.
73. Penalties involving a period of imprisonment are reasonable for these criminal offences given that they will only be applied by a court if a person is convicted of such an offence as a result of a fair trial in accordance with the procedures as established by law. Maximum penalties are set to adequately deter and punish a worst-case offence, while supporting judicial discretion and independence. The penalty will only be applied by a court if the prosecution has proved the elements of the offence beyond reasonable doubt. In this regard, the application of the penalties is not arbitrary or disproportionate. Further, the penalty will apply only to offences committed at or after the commencement of the amendments.
74. On this basis, the limitation imposed on the right to liberty and freedom from arbitrary detention is reasonable, necessary and proportionate to achieving the legitimate objective of strengthening laws to protect Australians from online harms.
(f) Right to a fair trial
75. Article 14 of the ICCPR guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has indicated that the right to a fair trial under Article 14 may extend to acts that are 'criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity' (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v. Austria, at para 9.2).
Measures to enhance the privacy of individuals with respect to their personal information
Part 7 - Eligible data breach declarations
76. Part 7 of the Bill engages this right by creating an offence for unauthorised secondary disclosures of personal information that are not in accordance with an eligible data breach declaration. The offence has a criminal penalty of 60 penalty units, or imprisonment for 1 year, or both.
77. This is subject to safeguards, including that the offence would not apply to certain disclosures, being disclosures that are:
- a. for APP entities - permitted under an APP, a registered APP code that binds the person or a rule issued under section 17,
- b. for the purposes of carrying out a State's constitutional functions, powers or duties,
- c. for the purposes of obtaining or providing legal advice on the operation of Part 7,
- d. authorised by the declaration,
- e. made with the consent of the individual to whom the personal information relates or made to the individual to whom the personal information relates,
- f. to a court, and
- g. as prescribed by the regulations.
78. As a declaration can authorise information handling that would otherwise not be permitted under the APPs or certain secrecy provisions in order to prevent or reduce the risk of harm, including disclosures to persons who are not regulated by the Privacy Act, the level of criminal penalties is a reasonable and proportionate response and a necessary deterrent to prevent further unauthorised secondary disclosures.
Part 8 - Civil penalties
79. Part 8 of the Bill engages this right by introducing new civil penalties under the Privacy Act and clarifying the application of existing civil penalties. Civil penalties are aimed at deterrence of conduct that is detrimental to the privacy of individuals, and therefore may carry a substantial penalty depending on the severity and seriousness of the conduct, and have wide application to entities (including individuals) regulated by the Privacy Act.
80. The Bill is not considered to limit this right because it provides for appropriate safeguards relating to civil penalty processes including independent court processes. The civil penalty amounts are also considered reasonable and proportionate to deter non-compliance under the Privacy Act, which are discussed further below.
81. Under current section 13G, the maximum civil penalty for serious or repeated interferences with privacy is $2.5 million for a person other than a body corporate. For bodies corporate, the maximum penalty is an amount not exceeding the greater of $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of their adjusted turnover in the relevant period. This maximum penalty was introduced through the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which implemented the recommendation in the July 2019 report of the Australian Competition and Consumer Commission's Digital Platforms Inquiry to ensure penalties sufficiently deterred breaches of privacy, particularly for large digital platforms, and that individuals are adequately protected. The high maximum penalty for bodies corporate is consistent with contemporary penalties for similar contraventions by bodies corporate in Commonwealth legislation, such as breaches of the privacy safeguards under the CDR Scheme (see section 56EV of the Competition and Consumer Act 2010).
82. The Bill would retain the maximum civil penalty amount and provide more clarity on what conduct meets the threshold of serious interferences with privacy. Specifying factors in legislation would support the Information Commissioner in determining when it is appropriate to enforce this penalty and give greater certainty to entities, the courts and the public on which breaches may attract the highest maximum penalty under the Privacy Act.
83. The Bill would also introduce a new civil penalty in section 13H for interferences with privacy that are not a serious interference. For example, this may cover instances where an APP entity fails to notify individuals of an eligible data breach as soon as practicable in accordance with subsection 26WL(3). The maximum penalty for a person would be 2,000 penalty units - which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $660,000 for persons. In accordance with subsection 82(5) of the Regulatory Powers Act, the maximum penalty amount for bodies corporate is 10,000 penalty units - which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $3.3 million for bodies corporate.
84. The maximum penalty amount for section 13H would ensure deterrence against privacy breaches and meet increasing community expectations for stronger and more meaningful protections. The amount accounts for potential commercial gains that entities may obtain as a result of an interference with privacy, and ensures these entities are not able to absorb civil penalties as a cost of doing business. For example, an APP entity may obtain a commercial gain, or achieve a competitive advantage, by using or disclosing personal information for an unrelated secondary purpose not covered by APP 6.2 without having obtained the necessary consent from individuals.
85. There are existing safeguards in the Privacy Act that trigger codified civil penalty processes through the Regulatory Powers Act to protect the rights expressed in Article 14 of the ICCPR. Consistent with Article 14(1), an independent, impartial court will preside over all civil penalty proceedings under this Act. Such proceedings will be subject to established Australian court processes and procedures that protect the right to a fair trial, including requirements relating to procedural fairness, evidence and sentencing.
86. Part 4 of the Regulatory Powers Act provides that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. The penalty amounts are maximum amounts and it would be open to the courts to impose lesser amounts in appropriate circumstances. Where conduct contravenes more than one civil penalty provision, proceedings may be commenced in relation to each contravention; however, the entity (or person) cannot be liable for more than one penalty in relation to that conduct.
87. For these reasons, the existing penalty amount under section 13G and new civil penalty amount under section 13H are a reasonable and proportionate response to the behaviours the penalties are intended to deter and penalise.
88. The Bill introduces new civil penalty provisions for breaches of specific privacy obligations of the APPs and non-compliant eligible data breach statements, which would be subject to infringement notices. The maximum penalty for a person would be 200 penalty units - which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $66,000 for persons. In accordance with subsection 82(5) of the Regulatory Powers Act, the maximum penalty amount for bodies corporate is 1,000 penalty units - which, on the penalty unit value at the time of introduction of this Bill, leads to a maximum penalty of $330,000 for bodies corporate.
89. These civil penalties have a lower maximum penalty amount than section 13H and target specific obligations that are administrative in nature and where a contravention can be easily established, such as an APP entity failing to include the requisite information in a privacy policy.
90. Prior to the commencement of this Bill, the Information Commissioner could only issue an infringement notice in relation to the civil penalty provision in subsection 66(1) for failure to give information where required to do so. The Bill engages the right to a fair and public hearing by introducing additional powers for the Information Commissioner to issue infringement notices for alleged contraventions of civil penalties under section 13K which, as noted above, can be determined through straightforward, factual circumstances. This enhanced power would encourage enforcement of obligations by the Information Commissioner and compliance by entities with their obligations, without the additional time, cost and resources involved in litigation of civil penalty proceedings.
91. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice would be 12 penalty units for a person, and 60 penalty units for bodies corporate - which, on the current penalty unit value, is $3,960 for a person and $19,800 for bodies corporate. This amount is increased to 200 penalty units for listed corporations - which, on the current penalty unit value, is $66,000 for listed corporations. An increased infringement notice amount for publicly listed companies is included to ensure that infringement notices are an effective enforcement measure against large entities.
92. The Privacy Act triggers codified processes for infringement notices in Part 5 of the Regulatory Powers Act, which provides the following safeguards to ensure the right to fair trial is not inappropriately limited:
- a. an infringement notice must be issued within 12 months of when the contravention is alleged to have taken place and must outline the consequences of a failure to pay the amount payable under the infringement notice. The infringement notice must also state that payment of the infringement is not an admission or finding of guilt or liability, and
- b. the right to a fair and public hearing by a competent, independent and impartial tribunal is preserved and a person can elect to have the matter heard by the court rather than pay the amount specified in the infringement notice. This right will be stated on an infringement notice, ensuring that a person issued with an infringement notice is aware of their right to have the matter heard by the court.
Part 10 - Public inquiries
93. Part 10 of this Bill would give the Information Commissioner the power to conduct public inquiries into specified matters relating to privacy as directed by or subject to Ministerial approval. This would enable the Information Commissioner to investigate systemic industry-wide acts and practices. The Information Commissioner would have the power to require the production of documents or information, and would not be bound by the rules of evidence when conducting public inquiries.
94. This does not engage the right to a fair trial because public inquiries are intended to be informative and may make recommendations in relation to broader or systemic issues, and are not formal investigations into specific contraventions of the Privacy Act. It is appropriate that the Commissioner has flexible fact-finding procedures and is not subject to the technical rules of evidence required of the courts.
Part 14 - Monitoring and investigation powers
95. Part 14 of this Bill engages the right to fair trial by triggering the monitoring and investigation powers in Parts 2 and 3 of the Regulatory Powers Act, due to offences in sections 24 and 54 of that Act applying in relation to monitoring and investigation.
96. Under subsection 24(3) of the Regulatory Powers Act, where entry is authorised by a monitoring warrant, the authorised person may require any person on the premises to answer questions or produce documents relating to information or provisions subject to monitoring. If the person fails to do so, this is an offence under subsection 24(5) of the Regulatory Powers Act. The penalty is 30 penalty units. Similarly, under subsection 54(3) of the Regulatory Powers Act an authorised person who enters premises under an investigation warrant may require persons on the premises to answer questions or produce documents relating to evidential material of the kind specified in the warrant. If the person fails to do so, this is an offence under subsection 54(5) of the Regulatory Powers Act. The penalty is 30 penalty units.
97. These offence provisions do not limit the person's access to a fair trial or limit the other criminal process rights in any way. Sections 17 and 47 of the Regulatory Powers Act make it clear that the privilege against self-incrimination and legal professional privilege have not been abrogated by the monitoring and investigation powers provisions, including the offence provisions. These protections guarantee the criminal process rights protected in paragraphs 14(3)(d) and (g) of the ICCPR. The usual guarantees and criminal process rights will apply to these offences and are not abrogated by any provisions in the Bill or triggered provisions of the Regulatory Powers Act.
98. Accordingly, sections 24 and 54 of the Regulatory Powers Act, as applied in the Privacy Act by Part 14 of this Bill, are compatible with human rights.
(g) Right to presumption of innocence
99. Article 14(2) of the ICCPR provides that everyone charged with a criminal offence shall have the right to be presumed innocent until proven guilty according to law.
100. The presumption of innocence imposes on the prosecution the burden of proving the charge and guarantees that no guilt can be presumed until the charge has been proved beyond reasonable doubt.
Criminal offences
101. Schedule 3 engages this right by applying the presumption set out in section 475.1B of the Criminal Code to the new offences. The presumption in section 475.1B provides that if a physical element of the offence consists of a person using a carriage service to engage in particular conduct, and the prosecution proves beyond reasonable doubt that the person engaged in the relevant criminal conduct, then it is presumed, unless the person proves to the contrary, that the person used a carriage service to engage in that conduct.
102. The purpose of this presumption is to address problems encountered by law enforcement agencies in proving beyond reasonable doubt that a carriage service was used to engage in the relevant criminal conduct.
103. The requirement that the relevant criminal conduct be engaged in using a carriage service is a jurisdictional requirement. A jurisdictional element of the offence is an element that does not relate to the substance of the offence, or the defendant's culpability, but marks a jurisdictional boundary between matters that fall within the legislative power of the Commonwealth and those that do not.
104. Given its purpose, this presumption is proportionate in that it only applies to the jurisdictional element of the offence and not the offences as a whole. In this respect, the prosecution will still be required to prove, beyond a reasonable doubt, all other elements of the offence including fault elements of intention, knowledge or recklessness.
(h) Right to an effective remedy
105. Article 2(3) of the ICCPR provides the right to an effective remedy for any violation of rights or freedoms recognised by the ICCPR.
Measures to enhance the privacy of individuals with respect to their personal information
Part 9 - Federal court orders
106. Schedule 1 of the Bill would promote this right by enhancing the availability of effective remedies. Part 9 provides the FCA and FCFCOA with the power to issue any order it sees fit if the Court is satisfied there has been contravention of a civil penalty provision. This would include an order that an entity pay a person damages by way of compensation or that an entity perform any reasonable act or carry out any reasonable course of conduct to redress the loss or damage suffered by a person as a result of the entity's contravention of a civil penalty provision.
107. The Bill would promote the right to an effective remedy for violations of rights and freedoms recognised by the ICCPR by providing an avenue for plaintiffs to take civil action in state, territory or federal courts. Schedule 2 of the Bill would empower competent judicial authorities to provide a wide range of remedies to address the specific circumstances of the violation.
(i) Right to equality and non-discrimination
108. Articles 2(1), 16 and 26 of the ICCPR and Article 2(2) of the ICESCR guarantee the rights enshrined in the Covenants to all people without discrimination. Additionally, in this respect, the law shall prohibit any discrimination and guarantee to all persons equal and effective protection against discrimination on any ground such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Measures to enhance the privacy of individuals with respect to their personal information
Part 15 - Automated decision making
109. Unfair treatment and discrimination can occur when ADM systems are 'trained' using historical data that is affected by prejudice, such as through the under-representation of minorities in data sets. ADM can also pose risks to individuals when systems are not designed to take into account the unique circumstances of an individual or decisions are made which are based on incorrect information.
110. Part 15 of the Bill promotes the right to equality and non-discrimination by increasing transparency about computer programs that use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual.
111. This may reduce the risk of discrimination by allowing individuals to request entities correct information held or to take further action if there has been an interference with their privacy or unlawful discrimination.
Criminal offences
112. Schedule 3 of the Bill would apply a higher penalty for the offence where one or more members of a group are targeted in whole or in part because of the offender's belief that the group is distinguished by their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
113. This Bill positively engages Article 26 as it provides direct protection to members of a group who share one or more protected attributes. Doxxing persons because of a belief that they are part of a protected group is particularly serious in nature and is likely to instil fear in these groups that have faced historic or ongoing persecution, prejudice or discrimination, and cause additional trauma. Additionally, the doxxing of members of a protected group where the offender is motivated by these particular characteristics is likely to expose them to further harm from individuals with a prejudice against that group. It can also result in trauma or fear for other people who share that attribute.
114. Given that doxxing conduct can be targeted to silence or humiliate certain groups of individuals, the Bill provides robust protections for all persons from experiencing discrimination, hatred, violence, and racism.
(j) Children's right to privacy
115. Article 16 of the CRC provides that no child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.
Measures to enhance the privacy of individuals with respect to their personal information
Part 4 - Children's privacy
116. Part 4 promotes the right to privacy for children by requiring the Information Commissioner to develop and register a COP Code. The COP Code would be an enforceable APP code that sets out how one or more of the APPs are to be applied or complied with in relation to the privacy of children.
117. To date, details about how privacy protections under the Privacy Act should apply to children have been set out in guidance material from the Information Commissioner. Elevating protections into an enforceable APP code promotes the right to privacy of a child by imposing more specific, enforceable obligations with respect to privacy in the handling of children's personal information than would otherwise exist under prevailing law.
(k) Right to life
118. The right to life in Article 6 of the ICCPR places a positive obligation on governments to take appropriate measures to protect the right to life of those within its jurisdiction.
Measures to enhance the privacy of individuals with respect to their personal information
Part 3 - Emergency declarations
119. Part 3 promotes the right to life by seeking to prevent and mitigate harm caused by emergencies or disasters by facilitating enhanced information sharing when an emergency declaration is in place.
(l) Right to health
120. Article 12 of the ICESCR provides that all people have the right to the highest attainable standard of physical and mental health. The UN Committee on Economic, Social and Cultural Rights has stated that the right to health is closely related to, and dependent upon, the realisation of other human rights, including the right to privacy.
121. Providing individuals with control over when, how and for what purpose their personal information is handled by others is key to ensuring human dignity, safety, health and wellbeing. Interferences with privacy, such as through a data breach, can cause serious interferences with the right to health through financial loss, identity theft or fraud, emotional distress, reputational damage, physical harm, coercion and/or discrimination.
Measures to enhance the privacy of individuals with respect to their personal information
Part 3 - Emergency declarations
122. Part 3 promotes the right to the enjoyment of the highest attainable standard of physical and mental health by seeking to prevent and mitigate harm caused by emergencies and disasters by facilitating information sharing when an emergency declaration is in place. These provisions allow both agencies and organisations to disclose personal information to state and territory authorities. The COVID-19 pandemic demonstrated the vital importance of information sharing with state and territory authorities for contact tracing purposes.
Part 7 - Eligible data breach declarations
123. Part 7 promotes the right to health by seeking to prevent and mitigate harm caused by eligible data breaches. These provisions allow agencies and organisations to disclose specified kinds of personal information to specified entities or classes of entities for responding to a cyber security incident and the consequences of a cyber security incident, including emotional and psychological harm, family violence and physical harm or intimidation.
(m) Prohibition of torture, or cruel, inhuman and degrading treatment or punishment
124. Article 7 of the ICCPR states that no one shall be subjected to torture or to cruel, inhuman or degrading treatment or punishment.
Criminal offences
125. Schedule 3 engages the prohibition by providing for penalties of imprisonment. Penalties of imprisonment may amount to cruel, inhuman or degrading treatment where their application is disproportionate to the offence committed.
126. The maximum penalties of imprisonment in the Bill have been set at a level that is proportionate and adequate to deter and punish the damaging behaviour of doxxing. This reflects the wide-ranging serious harms and impact on individuals, which can be physical, psychological and financial in nature. The base criminal offence applies a serious penalty of a maximum period of imprisonment of 6 years.
127. Doxxing can have significant impacts on an individual's wellbeing, has the ability to expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physical safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud. Doxxing can also cause psychological harms, both directly and as a result of the occurrence, or the fear of the occurrence, of the previously-mentioned harms.
128. The Bill also imposes the possibility of higher penalties of imprisonment (a maximum period of imprisonment of 7 years) where the conduct is targeted towards protected groups. This recognises that the discrimination against persons on the basis of protected attributes is particularly serious in nature. The act of doxxing members of a group distinguished by a protected attribute is likely to have a larger societal impact as it may result in trauma or fear for other people who share that attribute.
129. On this basis, the penalties of imprisonment in the Bill are proportionate and appropriate to the wide-ranging, serious and enduring harms that doxxing can cause. Responsibility for determining criminal guilt and imposing an appropriate sentence rests with the courts in their exercise of judicial power. The court will have discretion to implement an appropriate penalty based on all of the circumstances of the case.
(n) Protection from retrospective criminal laws
130. Article 15 of the ICCPR is a non-derogable provision which provides that no one shall be held guilty of any criminal offence on account of any act or omission which did not constitute a criminal offence, under national or international law, at the time it was committed. It also prohibits the imposition of a heavier penalty than the one that was applicable at the time when the criminal offence was committed.
Measures to enhance the privacy of individuals with respect to their personal information
Part 9 - Federal court orders
131. Part 9 of the Bill retrospectively provides the Court with the power to make orders it considers appropriate in proceedings instituted after the commencement of this Part, where the Court determines that a contravention of a civil penalty provision has occurred, including where the act or practice relevant to the contravention occurred before commencement of the Bill.
132. This however does not engage the right in Article 15 as the Court's discretion to make orders that are appropriate and proportionate in the circumstances will mean these orders are not punitive in character or considered to be a criminal penalty.
Conclusion
133. The Bill is compatible with human rights because it promotes the protection of human rights, particularly the right to privacy in Article 17 of the ICCPR. Any interference with human rights occasioned in this Bill is in pursuit of a legitimate objective. To the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate to achieve the legitimate aims of the Bill.