Explanatory Memorandum
(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)
ABBREVIATIONS USED IN THE EXPLANATORY MEMORANDUM
| Abbreviation | Meaning |
| --- | --- |
| ACIC | Australian Criminal Intelligence Commission |
| ADM | Automated decision making |
| ALRC | Australian Law Reform Commission |
| ALRC Report 108 | ALRC Report For Your Information: Australian Privacy Law and Practice (2008) |
| ALRC Report 123 | ALRC Report Serious Invasions of Privacy in the Digital Era (2014) |
| APP | Australian Privacy Principle |
| CDR | Consumer Data Right |
| COP Code | Children's Online Privacy Code |
| CRC | Convention on the Rights of the Child |
| Criminal Code | Criminal Code Act 1995 (Cth) |
| Data-matching Program Act | Data-matching Program (Assistance and Tax) Act 1990 (Cth) |
| FCA | Federal Court of Australia |
| FCFCOA | Federal Circuit and Family Court of Australia |
| ICCPR | International Covenant on Civil and Political Rights |
| ICESCR | International Covenant on Economic, Social and Cultural Rights |
| OAIC | Office of the Australian Information Commissioner |
| OPC | Office of Parliamentary Counsel |
| Privacy Act | Privacy Act 1988 (Cth) |
| Regulatory Powers Act | Regulatory Powers (Standard Provisions) Act 2014 (Cth) |
GENERAL OUTLINE
1. The Privacy and Other Legislation Amendment Bill 2024 (the Bill) would enact a first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) to implement a number of the legislative proposals that were agreed by the Government in its September 2023 Response to the Privacy Act Review. The Bill would also introduce a new statutory tort for serious invasions of privacy, and targeted criminal offences to respond to doxxing.
2. The rapidly evolving digital landscape presents opportunities for innovation, advances in productivity and efficiency, and a range of other benefits for all Australians. However, the Privacy Act has not kept pace with Australians' widespread adoption and reliance on digital technologies, which increases the risks that personal data will be subject to misuse or mishandling, including through data breaches, fraud and identity theft, unauthorised surveillance and other significant online harms.
3. These digital technologies can also facilitate doxxing, which exposes victims to physical threats, public embarrassment, humiliation or shaming, discrimination, identity theft and financial fraud, and other serious harms. These risks are magnified where the release of personal information involves women and children in the context of domestic and family violence.
4. The Privacy Act Review Report, released in February 2023, concluded that comprehensive reform is required to ensure the Privacy Act is fit for purpose and capable of addressing the heightened data risks of the digital age. The Government's response, released in September 2023, sets out its commitment to substantial reform to better protect Australians' privacy. Of the 89 proposals in the Report directed at legislative change, the Government Response agreed to 25 proposals, agreed in-principle to 56 and noted eight.
5. In addition to amendments to the Privacy Act, this Bill would introduce a new statutory tort for serious invasions of privacy, and targeted criminal offences to address doxxing. In doing so, this Bill constitutes an important first step in ensuring Australians' privacy is properly respected and protected.
Measures to enhance the privacy of individuals with respect to their personal information
6. The Bill would implement 23 of the 25 legislative proposals that were agreed in the Government Response to the Privacy Act Review.
7. The Bill would continue to recognise, in the objects of the Privacy Act, that the protection of the privacy of individuals must be balanced with the interests of entities in carrying out their functions or activities. However, the objects would also explicitly recognise that there is also a public interest in protecting privacy.
8. The Office of the Australian Information Commissioner (OAIC), Australia's national privacy regulator, would have access to a broader range of enforcement options, as well as new functions and capabilities. These include two new provisions to ensure civil penalties can be tailored appropriately to the level of seriousness of the privacy breach. This would address the gap in the current law under which the Australian Information Commissioner (Information Commissioner) can only seek civil penalties for the most serious or egregious interferences with privacy.
9. The Bill also enhances the enforcement of privacy protections by:
- a. expanding the powers of the Federal Court of Australia (FCA) and the Federal Circuit and Family Court of Australia (FCFCOA) in civil penalty proceedings beyond pecuniary penalties, to enable the courts to make any order in relation to the contravention,
- b. empowering the OAIC to use the general investigation and monitoring powers under Parts 2 and 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) to improve successful regulatory outcomes, and
- c. empowering the Information Commissioner to conduct public inquiries into matters relating to privacy on the direction or approval of the Minister.
10. Additionally, the Information Commissioner would have enhanced code-making powers to provide greater clarity and specificity about the application of, or compliance with, the Australian Privacy Principles (APPs). This includes developing and registering an APP code on the direction of the Attorney-General where it is in the public interest to do so, and to make temporary APP codes to respond to urgent situations. To strengthen and protect the privacy of children online, the Information Commissioner would also be required to develop and register a Children's Online Privacy Code (COP Code) within two years of commencement of the relevant provisions.
11. This Bill provides that entities may handle personal information in a manner that would otherwise not be permitted under the APPs when it is necessary to assist individuals in emergencies and following significant data breaches. Emergency declarations made in relation to an emergency or disaster will be more flexible and targeted to assist with the Commonwealth's response in these situations, and give entities confidence about when they are permitted to take actions (such as sharing personal information) without contravening the Act. The Minister would also have the power to issue a declaration that would enable the sharing of personal information with appropriate entities where it is necessary or appropriate to prevent or reduce the risk of harm to individuals in the event of an eligible data breach.
12. The Bill introduces a series of measures to increase transparency and certainty regarding the handling of personal information for individuals and entities by:
- a. clarifying that reasonable steps to protect information in APP 11 includes technical and organisational measures,
- b. introducing a mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs, to assist entities to assess whether to disclose personal information to an overseas recipient, and
- c. requiring entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
Statutory cause of action for serious invasions of privacy
13. The Bill would provide individuals with a cause of action in tort for serious invasions of privacy. This would implement the Australian Law Reform Commission's (ALRC's) recommendation in its 2008 report For Your Information: Australian Privacy Law and Practice (ALRC Report 108). The model of the statutory tort set out in this Bill is informed by the ALRC's 2014 report Serious Invasions of Privacy in the Digital Era (ALRC Report 123).
14. Australia has a range of laws at the Commonwealth, state and territory levels (including the common law, criminal law and privacy legislation) that address invasions of privacy. However, these laws are not nationally uniform. They vary between jurisdictions in the circumstances in which they apply, the fora through which they are pursued, and the remedies they can provide.
15. The statutory tort for serious invasions of privacy would provide a flexible framework to address current and emerging privacy risks and provide individuals with the ability to better protect themselves and seek compensation for a broader range of serious invasions of privacy, including physical privacy, as well as misuse of information.
16. Individuals would have a cause of action if they suffer an invasion of their privacy, either by an intrusion into their seclusion or by misuse of information, when: a person in their position would have had a reasonable expectation of privacy in all the circumstances; the invasion of privacy was intentional or reckless; and the invasion of privacy was serious. Where one or more competing public interests are identified by a defendant (for example, the public interest in freedom of expression), the plaintiff must also satisfy the court that the public interest in protecting their privacy outweighs those competing public interests.
17. The statutory tort would include a range of defences and exemptions for legitimate activities that are essential in a free, safe and democratic society. This is intended to protect the vital public interest in press freedom, including the role of journalists in fostering informed public debate, to promote accountability and transparency, and serve as a platform for diverse opinions and voices. The defences and exemptions also recognise that legitimate activities of government may be privacy intrusive but are necessary and justifiable to ensure the proper administration of government, (including law enforcement) and keep the community safe and secure.
18. The statutory tort provides for a range of remedies including compensation. It also specifies some other modifications for the purposes of the tort, including a cap on damages, ensuring that summary judgment can be issued in all jurisdictions, and a role for the Information Commissioner to intervene with the leave of the court, or to assist as amicus curiae.
Criminal offences
19. The Bill amends the Criminal Code Act 1995 (Cth) (Criminal Code) to introduce new offences targeting the release of personal data using a carriage service in a manner that would be menacing or harassing - a practice which is colloquially known as 'doxxing'.
20. Doxxing is the intentional malicious exposure of an individual's personal data online. Doxxing can expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physical safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud. The risks of these harms can be enduring, once a person's personal data has been released online. Victims of doxxing may be required to take significant steps, and incur significant cost and hardship, to mitigate the risk of harm. Doxxing can also cause psychological harms, both directly and as a result of the occurrence, or the fear of the occurrence, of the previously-mentioned harms.
21. The prevalence of social media and online platforms has rapidly increased the capacity of individuals to access or gain another's personal data, and easily release that information maliciously online. If such malicious conduct is not criminalised, it can reduce individuals and the broader community's confidence in engaging substantially online, including in public and political debate, undermining the benefits of such engagement to the individual and community.
22. The Bill amends Part 10.6 of the Criminal Code to:
- a. introduce a new offence for using a carriage service to make available, publish or distribute personal data, where the person engages in the conduct in a way that reasonable persons would regard as being menacing or harassing, and
- b. introduce a further offence where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
FINANCIAL IMPACT
23. The Government will provide funding to the Office of the Australian Information Commissioner to develop the COP Code.
STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Privacy and Other Legislation Amendment Bill 2024
1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
Measures to enhance the privacy of individuals with respect to their personal information
2. Schedule 1 of the Bill contains a range of measures to enhance the privacy of individuals with respect to the protection of their personal information, including amendments to:
- a. clarify the objects of the Privacy Act (Part 1),
- b. enhance the Information Commissioner's code-making powers (Part 2),
- c. enhance the sharing of personal information in emergency situations to assist individuals involved in or affected by emergencies or disasters (Part 3),
- d. require the development and registration of a COP Code to enhance privacy protections for children (Part 4),
- e. clarify the steps entities are required to take to keep personal information secure (Part 5),
- f. provide greater certainty about when personal information can be disclosed overseas, and increase mechanisms to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected (Part 6),
- g. facilitate information sharing where there has been an eligible data breach of an entity to prevent or reduce the risk of harm arising from misuse of personal information (Part 7),
- h. introduce new civil penalties for breaches of the Privacy Act (Parts 8 and 9),
- i. enable the Information Commissioner to undertake public inquiries on matters relating to privacy (Parts 10 and 11),
- j. strengthen the Information Commissioner's enforcement powers (Parts 13 and 14), and
- k. increase transparency about automated decisions that significantly affect the interests of an individual (Part 15).
Statutory cause of action for serious invasions of privacy
3. Schedule 2 of the Bill provides individuals with a statutory cause of action in tort for serious invasions of privacy. This would implement the recommendation in ALRC Report 108. The model of the statutory tort set out in this Bill is informed by ALRC Report 123.
4. The statutory tort provides a flexible framework to address current and emerging privacy risks and provide individuals with the ability to better protect themselves and seek compensation for a broader range of invasions of privacy than existing laws.
5. Under the tort, individuals would have a cause of action for a serious invasion of privacy if they suffer an invasion of their privacy, either by an intrusion into their seclusion or by misuse of information, when a person in their position would have had a reasonable expectation of privacy in all the circumstances; the invasion of privacy was intentional or reckless; and the invasion of privacy was serious. Where a competing public interest is identified, the plaintiff must also satisfy the court that the public interest in protecting their privacy outweighs those public interests.
6. The statutory tort provides for a range of defences and exemptions for legitimate activities, including activities of law enforcement and intelligence agencies, and journalism.
7. The statutory tort also provides for a range of remedies including compensation, and specifies some modifications of the ordinary operation of courts, including a cap on damages, ensuring that summary judgment can be issued in all jurisdictions, and a role for the Information Commissioner to intervene with the leave of the court, or to assist as amicus curiae.
Criminal offences
8. Schedule 3 of this Bill will amend Part 10.6 of the Criminal Code by introducing two new offences to specifically criminalise the malicious release of personal data using a carriage service.
9. The first offence will apply where a person uses a carriage service to make available, publish or otherwise distribute personal data and the person does so in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards the individual.
10. The second offence will apply where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
11. In these offences, 'personal data' of an individual means information about the individual that enables the individual to be identified, contacted or located. This could include the name of the individual, their photograph or other image of them, telephone number, email address, online account, residential address, work or business address, a place of education or place of worship. It is becoming increasingly common for individuals to intentionally expose this type of information online to maliciously target a specific person, or one or more members of certain groups.
12. Current Commonwealth criminal law does not specifically address doxxing conduct. Part 10.6 of the Criminal Code covers generic carriage services offences and provisions such as section 474.17 - using a carriage service to menace, harass or cause offence, which may cover certain doxxing scenarios. These specific criminal offences targeting doxxing make clear to those looking to engage in this conduct that it is harmful, serious and subject to significant criminal penalties.
Human rights implications
13. This Bill engages the following rights:
- a. the right to privacy in Article 17 of the International Covenant on Civil and Political Rights (ICCPR),
- b. the right to freedom of expression in Article 19(2) of the ICCPR,
- c. the right to freedom of thought, conscience and religion in Article 18 of the ICCPR,
- d. the right to security of the person in Article 9 of the ICCPR,
- e. the right to liberty of persons and freedom from arbitrary detention in Article 9(1) of the ICCPR,
- f. the right to a fair trial in Article 14(1) of the ICCPR,
- g. the right to presumption of innocence in Article 14(2) of the ICCPR,
- h. the right to an effective remedy in Article 2(3) of the ICCPR,
- i. the right to equality and non-discrimination in Articles 2(1), 16 and 26 of the ICCPR and Article 2 of the International Covenant on Economic, Social and Cultural Rights (ICESCR),
- j. the child's right to privacy in Article 16 of the Convention on the Rights of the Child (CRC),
- k. the right to life in Article 6 of the ICCPR,
- l. the right to the highest attainable standard of physical and mental health in Article 12 of the ICESCR,
- m. the prohibition of torture, or cruel, inhuman and degrading treatment or punishment in Article 7 of the ICCPR, and
- n. the right to not be subject to retrospective criminal laws contained in Article 15(1) of the ICCPR.
(a) Right to protection against arbitrary or unlawful interference with privacy
14. The Bill would promote the right to privacy by strengthening the protection and enforcement of the law against unlawful interferences with privacy. Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy, and that everyone has the right to the protection of the law against such interference or attacks.
15. For interference with privacy not to be arbitrary, it must be lawful and in accordance with the provisions, aims and objective of the ICCPR and should be reasonable in the particular circumstances. Reasonableness in this context incorporates notions of proportionality to the end sought and necessity in the circumstances.
Measures to enhance the privacy of individuals with respect to their personal information
Part 1 - Objects of the Privacy Act
16. Part 1 would promote the right to privacy by amending the objects of the Privacy Act to clarify that the objects of the Act include promoting the protection of individuals' personal information, and to recognise the public interest in protecting privacy.
17. These amendments would ensure that the Privacy Act is underpinned by a comprehensive understanding of the broad public benefits of strong privacy protections, which would guide the judiciary's interpretation of the Act.
Part 2 - Code-making powers
18. Part 2 would promote the right to privacy by providing greater flexibility and efficiency to the APP code-making process by empowering the Information Commissioner to develop and register an APP code or Temporary APP code on the written direction of the Minister if the Minister is satisfied that it is in the public interest to develop the code, and for the Information Commissioner to develop the code.
19. APP codes provide greater clarity and specificity about how the principles-based Australian Privacy Principles (APPs) are to be applied and complied with. The Bill enhances the right to privacy by promoting greater compliance and providing confidence to members of the community that their personal information will be handled appropriately. This is particularly important given the growing calls for APP codes to be developed in response to the privacy risks arising from new and emerging technologies.
Part 3 - Emergency declarations
20. Part 3 would amend the Privacy Act's emergency declaration provisions, which previously allowed for the wide sharing of personal information in a declared emergency or disaster. These amendments enable emergency declarations to be more targeted by requiring that the declaration specify the kinds of personal information that may be handled, the entities which may handle the personal information, the entities to which the personal information may be disclosed, and the permitted purpose of the collection, use or disclosure of the personal information.
21. By requiring the scope of personal information handling under emergency declarations to be defined, these amendments would strike a better balance between protecting individuals' privacy, and enabling effective and coordinated responses to an emergency or disaster. This balance would ensure that the limits placed on the right to privacy by emergency declarations are reasonable and proportionate.
22. Part 3 would allow both agencies and organisations to disclose personal information to state and territory authorities. Expanding the circumstances in which personal information can be shared in an emergency or disaster may limit the right to privacy. As a safeguard, a criminal offence exists to deter unauthorised secondary disclosures of personal information received under a declaration. These limitations are reasonable, proportionate and necessary to achieve a legitimate objective - to prevent the loss of life and other serious harms and assist individuals who may be involved in an emergency or disaster.
Part 5 - Security, retention and destruction of personal information
23. Part 5 would promote the right to privacy by clarifying the expected scope of measures that entities should consider when determining how they should protect the personal information. The reform would promote the importance of implementing technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks. These controls would help minimise the risk of data breaches and harm arising from cyber incidents, which can cause significant detriment to affected individuals.
Part 6 - Overseas disclosures of personal information
24. Part 6 would promote the right to privacy by introducing a mechanism to prescribe countries and binding schemes that provide substantially similar privacy protections to the APPs. This measure would enhance the free flow of information across national borders while ensuring the privacy of individuals is respected by providing greater certainty to disclosing entities about the standard of privacy protections in countries in which overseas recipients of personal information are located.
Part 7 - Eligible data breach declarations
25. Part 7 would empower the Minister to make a declaration enabling entities to handle personal information in a manner that would otherwise not be permitted under the APPs or certain secrecy provisions in order to prevent or reduce the risk of harm to individuals in the event of an eligible data breach. Individuals affected by a data breach are exposed to risk of serious harms including identity fraud, reputational damage and blackmail. Unauthorised access or disclosure of personal information in a data breach can cause significant financial loss, emotional distress and have serious, ongoing consequences for individuals.
26. This would involve disapplying the privacy protections that would otherwise apply to collection, use or disclosure of personal information. However, this would only occur in situations where it is necessary to prevent or reduce the risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.
27. Safeguards are included to minimise potential adverse privacy impacts, including:
- a. a declaration can only be made if an entity has experienced an 'eligible data breach',
- b. the Minister must be satisfied that making the declaration is necessary or appropriate to prevent or reduce a risk of harm,
- c. a declaration may only authorise the collection, use or disclosure of personal information for a permitted purpose that is directly related to preventing or reducing a risk of harm arising from a misuse of personal information about one or more individuals following an eligible data breach,
- d. an entity may only collect, use or disclose personal information if they have a reasonable belief that an individual is at risk from an eligible data breach,
- e. collection, use or disclosure is only authorised in accordance with the declaration, and a criminal offence exists to deter unauthorised secondary disclosures of personal information received under a declaration,
- f. declarations are also only able to operate for a limited time (a maximum of 12 months),
- g. the Minister may consult with the Information Commissioner to inform the making of a declaration, including its effect on privacy protections, and
- h. the security and destruction requirements apply to APP entities that hold personal information received under a declaration.
28. The limitations imposed on the right to privacy through increased information sharing in the aftermath of a data breach are reasonable, proportionate and necessary to achieve the legitimate objective of preventing and reducing a risk of harm to individuals.
Parts 8-11 - Civil penalties and enforcement powers
29. The Bill would promote the right to privacy by strengthening the protection of the law against unlawful interferences with privacy.
30. Part 8 would introduce new civil penalties and enhance the enforcement mechanisms available to the Information Commissioner and the powers available to the FCA or the FCFCOA to order remedies for unlawful interference with privacy.
31. Part 8 would promote the right to privacy by clarifying what constitutes a 'serious' interference with privacy. This amendment would clarify that an interference with privacy may be serious if certain factors apply, including whether an act or practice is repeated or continuous.
32. New civil penalties would apply commensurate with the seriousness of the interference with privacy. These amendments would provide more enforcement options to the Information Commissioner to deter non-compliance and ensure penalties are appropriately tailored to the seriousness of the contravention. They would address a gap in enforcement where the Information Commissioner was previously only able to seek civil penalties for the most serious or egregious interferences with privacy.
33. The Information Commissioner would be able to issue infringement notices for civil penalties for relatively minor contraventions of the Privacy Act. This would promote the right to privacy by giving the Information Commissioner the option to penalise entities that are not meeting their privacy obligations without the need to engage in protracted litigation, and would allow the Information Commissioner to resolve matters more efficiently.
34. Part 9 would enable the FCA or the FCFCOA to issue any order it sees fit, if the Court is satisfied there has been contravention of a civil penalty provision. This measure would promote the right to privacy by expanding the jurisdiction of the FCA and FCFCOA to make orders other than civil penalties, such as orders for compensation. This measure would also give sufficient flexibility to the FCA and FCFCOA to make other appropriate orders, including orders to take steps to minimise further impacts to individuals impacted by the interference with privacy.
35. Part 10 would promote the right to privacy by enabling the Information Commissioner to conduct public inquiries into specified matters as directed by or subject to Ministerial approval. Public inquiries would enable the Information Commissioner to examine acts and practices that may illustrate systemic or industry-wide issues relevant to individuals' privacy. These provisions would support the Information Commissioner's privacy functions, including by indicating where further education and guidance may assist entities to comply with requirements in the Privacy Act or where to target regulatory efforts.
36. Part 11 would promote the right to privacy by allowing the Information Commissioner to issue a determination requiring a respondent to a privacy matter to perform any reasonable act or course of conduct to prevent or reduce reasonably foreseeable future loss or damage. For example, if an entity was found to have breached APP 11 (security of personal information) and this led to identity credentials being exposed, such as drivers' licenses, the Information Commissioner would have the power to make a declaration requiring the entity to assist affected individuals in replacing compromised credentials, or to engage service providers such as identity theft and cyber support providers to give support to affected individuals for a certain time period after the incident. This would enhance privacy protections as it would enable the Information Commissioner to require a respondent to be more proactive following a privacy breach, including identifying reasonably foreseeable consequences and taking reasonable steps to mitigate these consequences.
Part 14 - Monitoring and investigation powers
37. Part 14 would engage the right to privacy by triggering the powers in Part 2 and Part 3 of the Regulatory Powers Act. The provisions specify which matters and provisions trigger the standard monitoring and investigation powers. These would replace bespoke entry and inspection provisions in the Privacy Act to ensure the OAIC has a robust and consistent regulatory framework to monitor compliance and enforce protections in the Privacy Act and other Acts under which the Information Commissioner has responsibility, including (but not limited to) the Crimes Act 1914 (Spent Convictions Scheme), the Competition and Consumer Act 2010 (Consumer Data Right (CDR) privacy safeguards), the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Program Act), the Digital ID Act 2024, the Healthcare Identifiers Act 2010, the My Health Records Act 2012 and National Health Act 1953. They are constrained in various ways as set out below, ensuring that their use is not arbitrary.
38. The powers cannot be exercised without consent being given to the entry into the premises, or prior judicial authorisation in the form of a warrant. Where entry is based on the consent of the occupier, consent must be informed and voluntary and the occupier of the premises can restrict entry by authorised persons to a particular period.
39. The Regulatory Powers Act also provides conditions on the issuing of a monitoring or investigation warrant. For example, in the case of an investigation warrant, an issuing officer may issue the warrant only when satisfied, by oath or affirmation, that there are reasonable grounds for suspecting that there is, or may be within the next 72 hours, evidential material on the premises. An issuing officer must not issue a warrant unless the issuing officer has been provided, either orally or by affidavit, with such further information as they require concerning the grounds on which the issue of the warrant is being sought. These conditions ensure there are adequate safeguards against arbitrary limitations on the right to privacy in the issuing of warrants.
40. An authorised person cannot enter premises under a warrant unless their identity card is shown to the occupier of the premises. If entry is authorised by a warrant, the authorised person must provide a copy of the warrant to the occupier of the premises. This provides for the transparent utilisation of the powers, and mitigates arbitrariness and risk of abuse.
41. Further, the standard powers can only be exercised in specific circumstances set out in the triggered provisions. For example, under section 52 of the Regulatory Powers Act, the power to seize evidence of a kind not specified in the warrant may only be exercised where:
a. an authorised person finds the thing in the course of searching for material of the kind specified in an investigation warrant, and
b. the authorised person believes on reasonable grounds that the thing is evidential material of another kind, and
c. the authorised person believes on reasonable grounds that it is necessary to seize the thing in order to prevent its loss, concealment or destruction.
42. These constraints on the exercise of the powers also limit their susceptibility to arbitrary use and ensure that their use is reasonable and proportionate in the circumstances.
43. New section 80TC and subsection 80TE(1) provide that, in executing a warrant, an authorised person is permitted to use such force against things as is necessary and reasonable in the circumstances. These amendments preserve current arrangements under the Privacy Act, which would be repealed by Part 14 of this Bill.
44. It is necessary to include this power, as it would enable authorised persons executing a monitoring warrant to facilitate access onto the premises if the occupier is not in attendance or is non-compliant, including if access to further secure locations within the premises is prevented, for example by locked doors. It may also be needed by an authorised person to open locked cabinets or to remove physically secured computers from locks if they are required to be taken off-premises for further forensic examination, where the authorised person reasonably suspects these contain things or information that would provide evidence that provisions or matters subject to monitoring have not been, or are not being, complied with, or that information subject to monitoring is incorrect.
45. Similarly, an authorised person executing an investigation warrant may need to open locked doors, cabinets, drawers and other similar objects that the authorised person reasonably suspects contain evidential material that would demonstrate that an offence provision or civil penalty provision has been contravened.
46. The use of force power can only be exercised under a monitoring or investigation warrant, which must be issued by a judicial officer. Further, the power may only be used as is necessary and reasonable in the circumstances, which means that any ensuing damage to property would be restricted to the minimum required to obtain the documents and things during the execution of the search warrant. As this power does not extend to the use of force against persons, it does not engage the right to security of person in Article 9, nor the right to life in Article 6, of the ICCPR.
47. Accordingly, the monitoring and investigation powers are necessary, proportionate and reasonable for OAIC to enforce privacy protections and improve successful regulatory outcomes.
Part 15 - Automated decision making
48. Part 15 would enhance the right to privacy by introducing requirements that entities must include information in privacy policies about the kinds of personal information used in, and types of decisions made by, computer programs that use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual.
49. Automated decision making (ADM) systems can be used to assist or replace the judgement of human decision makers. ADM systems pose privacy risks as they can use personal information about individuals in ways which may have significant impact, with little transparency.
50. The right of an individual to ascertain what personal information about them is held or used by other persons, and how this is done, is an aspect of the protection of that individual from unlawful or arbitrary interferences with privacy. Providing individuals with greater transparency allows them to understand how an entity handles their personal information and for what purposes, and allows them to take further action if there has been a breach of their personal privacy.
Statutory cause of action for serious invasions of privacy
51. Schedule 2 of the Bill would promote the right to privacy by providing a new cause of action for serious invasions of privacy. The Privacy Act currently regulates the handling of personal information by most Australian Government agencies and private sector organisations with annual turnover of more than $3 million (as well as some smaller organisations which handle sensitive information, such as health services providers, or which opt in). However, the Privacy Act does not apply to individuals acting in a personal capacity, nor to a range of exempted entities, and it only regulates information privacy.
52. This schedule would provide protection against a broader range of interferences with privacy, in line with Australia's international obligations, and would enable individuals to seek a range of remedies, including injunctions for serious invasions of privacy and damages.
Criminal offences
53. Schedule 3 of the Bill would protect and promote the right to protection against arbitrary and unlawful interferences with privacy, both by directly criminalising the release of personal data and indirectly by protecting people against the consequential harms to their privacy that often flow from doxxing. The exposure of personal data violates a person's privacy and can compromise their safety, wellbeing and reputation.
54. The offences in the Bill are fundamentally directed towards protecting an individual's privacy and reputation by prohibiting the release of personal data that would enable a person to be identified, located or contacted online in a manner which is menacing or harassing towards the individual.
(b) Right to freedom of expression
55. Article 19(2) of the ICCPR provides that everyone shall have the right to freedom of expression, including freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of their choice. Any permissible limitation on the right to freedom of expression must be reasonable, necessary, and proportionate for the pursuit of a legitimate objective and for the respect of the rights or reputations of others or for the protection of national security, public order, or public health or morals.
56. Article 19(3) of the ICCPR provides that the exercise of the rights provided for in Article 19(2) carries with it special duties and responsibilities. Any permissible limitation on the right to freedom of expression must be reasonable, necessary, and proportionate for the pursuit of a legitimate objective and for the respect of the rights or reputations of others or for the protection of national security, public order, or public health or morals.
Statutory cause of action for serious invasions of privacy
57. Schedule 2 of the Bill would limit the right to freedom of expression by providing a new cause of action for serious invasions of privacy. The limitation on the right to freedom of expression is necessary to achieve the Bill's objective in promoting the right to privacy.
58. Recent developments in technology have impacted the right to privacy, including through a proliferation of 'smart' surveillance devices, image-based abuse and doxxing, and these represent a pressing and substantial concern that requires action.
59. The limitation of the right to freedom of expression is proportionate to the objective of protecting the right to privacy as there are numerous safeguards built into the mechanism of the statutory tort to ensure an appropriate balance between these interests:
a. the cause of action only applies to serious invasions of privacy where the plaintiff would have a reasonable expectation of privacy and the defendant's conduct was reckless or intentional, so the limitation of the right to freedom of expression only arises when there is a substantial interest in protecting the right to privacy,
b. the cause of action contains a public interest balancing test where a court must be satisfied that the public interest in protecting the plaintiff's privacy outweighs any public interest in the invasion of privacy for which the defendant can adduce evidence,
c. there are defences for absolute privilege, publication of public documents, and fair report of proceedings of public concern,
d. the courts would have powers to deal efficiently with matters that do not meet the requirements of the cause of action, including through summary judgment, and
e. there is an exemption from liability for journalism to reflect the particular importance of a free press in the right to freedom of expression.
Criminal offences
60. Schedule 3 of the Bill engages the right to freedom of expression as it restricts the ability for people to use a carriage service to make available, publish or otherwise distribute an individual's personal data online in a manner that would be menacing or harassing towards that individual.
61. The offences include a 'reasonable persons' test which allows community standards and common sense to be imported into a decision on whether the conduct is in fact, menacing or harassing towards those individuals. This objective standard recognises that there are a range of contexts in which people publish, make available or otherwise distribute information, including information about other individuals' identity, contact details and movements, that are not menacing or harassing in nature.
62. Such a threshold also ensures that it does not limit an individual's right to freedom of expression inappropriately or disproportionately. For example, media reporting, political commentary and public debate identifying key figures are not typically done in a manner that reasonable persons would regard as being menacing or harassing, and therefore would not be captured under the offences.
63. The Bill directly seeks to target the release of personal data that is menacing or harassing towards an individual, and indirectly targets the harms that are associated with such damaging conduct. To the extent that the Bill engages the right to freedom of expression, these restrictions are reasonable, necessary and proportionate to prevent online abuse and protect individuals from the harms outlined in this statement.
(c) Right to freedom of thought, conscience and religion
64. Article 18 of the ICCPR provides that everyone shall have the right to freedom of thought, conscience and religion. This includes the freedom to have or to adopt a religion or belief, and freedom, either individually or in community with others and in public or private, to manifest religion or belief in worship, observance, practice and teaching.
Statutory cause of action for serious invasions of privacy
65. The statutory tort for serious invasions of privacy (Schedule 2) would promote the right to freedom of thought, conscience and religion by supporting individuals to hold and manifest their religion and beliefs in private without fear of public exposure, and harms such as discrimination and vilification.
(d) Right to security of the person
66. The right to security of the person in Article 9 of the ICCPR places a positive obligation on States to provide reasonable and appropriate measures to protect a person's physical security.
Statutory cause of action for serious invasions of privacy
67. Schedule 2 of this Bill would promote the right to security by deterring serious invasions of privacy that might involve intrusions onto a person's property, unauthorised surveillance, or sharing information that enables a person to be identified or located. By deterring this conduct, the Bill would protect individuals from harm, including physical harm.
(e) Right to liberty of persons and freedom from arbitrary detention
68. Article 9(1) of the ICCPR states that everyone has the right to liberty and security of person and that no one shall be subjected to arbitrary arrest or detention.
69. Limitations on the right to liberty are permitted to the extent that they are 'in accordance with such procedures as are established by law', provided that the law and the enforcement of it is not arbitrary, and where they are reasonable, necessary and proportionate to achieve a legitimate objective.
Criminal offences
70. Schedule 3 of this Bill limits the right to liberty of a person and freedom from arbitrary arrest and detention by imposing maximum penalties for the malicious release of personal data, for which a court may lawfully prescribe a period of imprisonment for a person found guilty of the offence.
71. The Bill applies a maximum penalty of 6 years' imprisonment for the new offence targeting the release of personal data online in a manner that would be menacing or harassing towards the individual. This penalty is proportionate, reflects the potential damaging behaviour of the conduct, particularly on an individual's safety and wellbeing, and recognises the substantial and enduring infringement this behaviour has on an individual's rights and privacy.
72. The Bill also applies a higher maximum penalty of 7 years' imprisonment where a person or group is targeted based on protected characteristics, such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin. While both offences seek to protect all Australians, the introduction of a higher penalty in this offence recognises that victims may be targeted based on one or more of these protected attributes and that, in these scenarios, doxxing can serve as a method of silencing their voices or embarrassing and humiliating them, and can expose them to particular risks of harm from third parties who may seek to target the victim or victims based on prejudice against people with the protected characteristic in question. It also recognises that the act of doxxing members of a group distinguished by a protected attribute is likely to have a larger societal impact, as it may result in trauma or fear for other people who share that attribute.
73. Penalties involving a period of imprisonment are reasonable for these criminal offences given that they will only be applied by a court if a person is convicted of such an offence as a result of a fair trial in accordance with the procedures as established by law. Maximum penalties are set to adequately deter and punish a worst-case offence, while supporting judicial discretion and independence. The penalty will only be applied by a court if the prosecution has proved the elements of the offence beyond reasonable doubt. In this regard, the application of the penalties is not arbitrary or disproportionate. Further, the penalty will apply only to offences committed at or after the commencement of the amendments.
74. On this basis, the limitation imposed on the right to liberty and freedom from arbitrary detention is reasonable, necessary and proportionate to achieving the legitimate objective of strengthening laws to protect Australians from online harms.
(f) Right to a fair trial
75. Article 14 of the ICCPR guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has indicated that the right to a fair trial under Article 14 may extend to acts that are 'criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity' (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v. Austria, at para 9.2).
Measures to enhance the privacy of individuals with respect to their personal information
Part 7 - Eligible data breach declarations
76. Part 7 of the Bill engages this right by creating an offence for unauthorised secondary disclosures of personal information that are not in accordance with an eligible data breach declaration. The offence has a criminal penalty of 60 penalty units, or imprisonment for 1 year, or both.
77. This is subject to safeguards, including that the offence would not apply to certain disclosures, being disclosures that are:
a. for APP entities, permitted under an APP, a registered APP code that binds the person or a rule issued under section 17,
b. for the purposes of carrying out a State's constitutional functions, powers or duties,
c. for the purposes of obtaining or providing legal advice on the operation of Part 7,
d. authorised by the declaration,
e. made with the consent of the individual to whom the personal information relates or made to the individual to whom the personal information relates,
f. to a court, and
g. as prescribed by the regulations.
78. As a declaration can authorise information handling that would otherwise not be permitted under the APPs or certain secrecy provisions in order to prevent or reduce the risk of harm, including disclosures to persons who are not regulated by the Privacy Act, the level of criminal penalties is a reasonable and proportionate response and a necessary deterrent to prevent further unauthorised secondary disclosures.
Part 8 - Civil penalties
79. Part 8 of the Bill engages this right by introducing new civil penalties under the Privacy Act and clarifying the application of existing civil penalties. Civil penalties are aimed at deterrence of conduct that is detrimental to the privacy of individuals, and therefore may carry a substantial penalty depending on the severity and seriousness of the conduct, and have wide application to entities (including individuals) regulated by the Privacy Act.
80. The Bill is not considered to limit this right because it provides for appropriate safeguards relating to civil penalty processes, including independent court processes. The civil penalty amounts are also considered reasonable and proportionate to deter non-compliance under the Privacy Act, as discussed further below.
81. Under current section 13G, the maximum civil penalty for serious or repeated interferences with privacy is $2.5 million for a person other than a body corporate. For bodies corporate, the maximum penalty is an amount not exceeding the greater of $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of their adjusted turnover in the relevant period. This maximum penalty was introduced through the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which implemented the recommendation in the July 2019 report of the Australian Competition and Consumer Commission's Digital Platforms Inquiry to ensure penalties sufficiently deterred breaches of privacy, particularly for large digital platforms, and that individuals are adequately protected. The high maximum penalty for bodies corporate is consistent with contemporary penalties for similar contraventions by bodies corporate in Commonwealth legislation, such as breaches of the privacy safeguards under the CDR Scheme (see section 56EV of the Competition and Consumer Act 2010).
82. The Bill would retain the maximum civil penalty amount and provide more clarity on what conduct meets the threshold of serious interferences with privacy. Specifying factors in legislation would support the Information Commissioner in determining when it is appropriate to enforce this penalty and give greater certainty to entities, the courts and the public on which breaches may attract the highest maximum penalty under the Privacy Act.
83. The Bill would also introduce a new civil penalty in section 13H for interferences with privacy that are not a serious interference. For example, this may cover instances where an APP entity fails to notify individuals of an eligible data breach as soon as practicable in accordance with subsection 26WL(3). The maximum penalty for a person would be 2,000 penalty units - which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $660,000 for persons. In accordance with subsection 82(5) of the Regulatory Powers Act, the maximum penalty amount for bodies corporate is 10,000 penalty units - which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $3.3 million for bodies corporate.
84. The maximum penalty amount for section 13H would ensure deterrence against privacy breaches and meet increasing community expectations for stronger and more meaningful protections. The amount accounts for potential commercial gains that entities may obtain as a result of an interference with privacy, and ensures these entities are not able to absorb civil penalties as a cost of doing business. For example, an APP entity may obtain a commercial gain, or achieve a competitive advantage, by using or disclosing personal information for an unrelated secondary purpose not covered by APP 6.2 without having obtained the necessary consent from individuals.
85. There are existing safeguards in the Privacy Act that trigger codified civil penalty processes through the Regulatory Powers Act to protect the rights expressed in Article 14 of the ICCPR. Consistent with Article 14(1), an independent, impartial court will preside over all civil penalty proceedings under this Act. Such proceedings will be subject to established Australian court processes and procedures that protect the right to a fair trial, including requirements relating to procedural fairness, evidence and sentencing.
86. Part 4 of the Regulatory Powers Act provides that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. The penalty amounts are maximum amounts and it would be open to the courts to impose lesser amounts in appropriate circumstances. Where conduct contravenes more than one civil penalty provision, proceedings may be commenced in relation to each contravention; however, the entity (or person) cannot be liable for more than one penalty in relation to that conduct.
87. For these reasons, the existing penalty amount under section 13G and new civil penalty amount under section 13H are a reasonable and proportionate response to the behaviours the penalties are intended to deter and penalise.
88. The Bill introduces new civil penalty provisions for breaches of specific privacy obligations of the APPs and non-compliant eligible data breach statements, which would be subject to infringement notices. The maximum penalty for a person would be 200 penalty units - which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $66,000 for persons. In accordance with subsection 82(5) of the Regulatory Powers Act, the maximum penalty amount for bodies corporate is 1,000 penalty units - which, on the penalty unit value at the time of introduction of this Bill, leads to a maximum penalty of $330,000 for bodies corporate.
89. These civil penalties have a lower maximum penalty amount than section 13H and target specific obligations that are administrative in nature and where a contravention can be easily established, such as an APP entity failing to include the requisite information in a privacy policy.
90. Prior to the commencement of this Bill, the Information Commissioner could only issue an infringement notice in relation to the civil penalty provision in subsection 66(1) for failure to give information where required to do so. The Bill engages the right to a fair and public hearing by introducing additional powers for the Information Commissioner to issue infringement notices for alleged contraventions of civil penalties under section 13K which, as noted above, can be determined through straightforward, factual circumstances. This enhanced power would encourage enforcement of obligations by the Information Commissioner and compliance by entities with their obligations, without the additional time, cost and resources involved in litigation of civil penalty proceedings.
91. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice would be 12 penalty units for a person, and 60 penalty units for bodies corporate - which, on the current penalty unit value, is $3,960 for a person and $19,800 for bodies corporate. This amount is increased to 200 penalty units for listed corporations - which, on the current penalty unit value, is $66,000 for listed corporations. An increased infringement notice amount for publicly listed companies is included to ensure that infringement notices are an effective enforcement measure against large entities.
92. The Privacy Act triggers codified processes for infringement notices in Part 5 of the Regulatory Powers Act, which provides the following safeguards to ensure the right to fair trial is not inappropriately limited:
a. an infringement notice must be issued within 12 months of when the contravention is alleged to have taken place and must outline the consequences of a failure to pay the amount payable under the infringement notice. The infringement notice must also state that payment of the infringement is not an admission or finding of guilt or liability, and
b. the right to a fair and public hearing by a competent, independent and impartial tribunal is preserved and a person can elect to have the matter heard by the court rather than pay the amount specified in the infringement notice. This right will be stated on an infringement notice, ensuring that a person issued with an infringement notice is aware of their right to have the matter heard by the court.
Part 10 - Public inquiries
93. Part 10 of this Bill would give the Information Commissioner the power to conduct public inquiries into specified matters relating to privacy as directed by or subject to Ministerial approval. This would enable the Information Commissioner to investigate systemic industry-wide acts and practices. The Information Commissioner would have the power to require the production of documents or information, and would not be bound by the rules of evidence when conducting public inquiries.
94. This does not engage the right to a fair trial because public inquiries are intended to be informative and may make recommendations in relation to broader or systemic issues, and are not formal investigations into specific contraventions of the Privacy Act. It is appropriate that the Commissioner has flexible fact-finding procedures and is not subject to the technical rules of evidence required of the courts.
Part 14 - Monitoring and investigation powers
95. Part 14 of this Bill engages the right to fair trial by triggering the monitoring and investigation powers in Parts 2 and 3 of the Regulatory Powers Act, due to offences in sections 24 and 54 of that Act applying in relation to monitoring and investigation.
96. Under subsection 24(3) of the Regulatory Powers Act, where entry is authorised by a monitoring warrant, the authorised person may require any person on the premises to answer questions or produce documents relating to information or provisions subject to monitoring. If the person fails to do so, this is an offence under subsection 24(5) of the Regulatory Powers Act. The penalty is 30 penalty units. Similarly, under subsection 54(3) of the Regulatory Powers Act an authorised person who enters premises under an investigation warrant may require persons on the premises to answer questions or produce documents relating to evidential material of the kind specified in the warrant. If the person fails to do so, this is an offence under subsection 54(5) of the Regulatory Powers Act. The penalty is 30 penalty units.
97. These offence provisions do not limit the person's access to a fair trial or limit the other criminal process rights in any way. Sections 17 and 47 of the Regulatory Powers Act make it clear that the privilege against self-incrimination and legal professional privilege have not been abrogated by the monitoring and investigation powers provisions, including the offence provisions. These protections guarantee the criminal process rights protected in paragraphs 14(3)(d) and (g) of the ICCPR. The usual guarantees and criminal process rights will apply to these offences and are not abrogated by any provisions in the Bill or triggered provisions of the Regulatory Powers Act.
98. Accordingly, sections 24 and 54 of the Regulatory Powers Act, as applied in the Privacy Act by Part 14 of this Bill, are compatible with human rights.
(g) Right to presumption of innocence
99. Article 14(2) of the ICCPR provides that everyone charged with a criminal offence shall have the right to be presumed innocent until proven guilty according to law.
100. The presumption of innocence imposes on the prosecution the burden of proving the charge and guarantees that no guilt can be presumed until the charge has been proved beyond reasonable doubt.
Criminal offences
101. Schedule 3 engages this right by applying the presumption set out in section 475.1B of the Criminal Code to the new offences. The presumption in section 475.1B provides that if a physical element of the offence consists of a person using a carriage service to engage in particular conduct, and the prosecution proves beyond reasonable doubt that the person engaged in the relevant criminal conduct, then it is presumed, unless the person proves to the contrary, that the person used a carriage service to engage in that conduct.
102. The purpose of this presumption is to address problems encountered by law enforcement agencies in proving beyond reasonable doubt that a carriage service was used to engage in the relevant criminal conduct.
103. The requirement that the relevant criminal conduct be engaged in using a carriage service is a jurisdictional requirement. A jurisdictional element of the offence is an element that does not relate to the substance of the offence, or the defendant's culpability, but marks a jurisdictional boundary between matters that fall within the legislative power of the Commonwealth and those that do not.
104. Given its purpose, this presumption is proportionate in that it only applies to the jurisdictional element of the offence and not the offences as a whole. In this respect, the prosecution will still be required to prove, beyond a reasonable doubt, all other elements of the offence including fault elements of intention, knowledge or recklessness.
(h) Right to an effective remedy
105. Article 2(3) of the ICCPR provides the right to an effective remedy for any violation of rights or freedoms recognised by the ICCPR.
Measures to enhance the privacy of individuals with respect to their personal information
Part 9 - Federal court orders
106. Schedule 1 of the Bill would promote this right by enhancing the availability of effective remedies. Part 9 provides the FCA and FCFCOA with the power to issue any order it sees fit if the Court is satisfied there has been contravention of a civil penalty provision. This would include an order that an entity pay a person damages by way of compensation or that an entity perform any reasonable act or carry out any reasonable course of conduct to redress the loss or damage suffered by a person as a result of the entity's contravention of a civil penalty provision.
107. The Bill would promote the right to an effective remedy for violations of rights and freedoms recognised by the ICCPR by providing an avenue for plaintiffs to take civil action in state, territory or federal courts. Schedule 2 of the Bill would empower competent judicial authorities to provide a wide range of remedies to address the specific circumstances of the violation.
(i) Right to equality and non-discrimination
108. Articles 2(1), 16 and 26 of the ICCPR and Article 2(2) of the ICESCR guarantee the rights enshrined in the Covenants to all people without discrimination. Additionally, in this respect, the law shall prohibit any discrimination and guarantee to all persons equal and effective protection against discrimination on any ground such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Measures to enhance the privacy of individuals with respect to their personal information
Part 15 - Automated decision making
109. Unfair treatment and discrimination can occur when ADM systems are 'trained' using historical data that is affected by prejudice, such as through the under-representation of minorities in data sets. ADM can also pose risks to individuals when systems are not designed to take into account the unique circumstances of an individual or decisions are made which are based on incorrect information.
110. Part 15 of the Bill promotes the right to equality and non-discrimination by increasing transparency about computer programs that use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual.
111. This may reduce the risk of discrimination by allowing individuals to request entities correct information held or to take further action if there has been an interference with their privacy or unlawful discrimination.
Criminal offences
112. Schedule 3 of the Bill would apply a higher penalty for the offence where one or more members of a group are targeted in whole or in part because of the offender's belief that the group is distinguished by their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
113. This Bill positively engages Article 26 as it provides direct protection to members of a group who share one or more protected attributes. Doxxing persons because of a belief that they are part of a protected group is particularly serious in nature and is likely to instil fear in these groups that have faced historic or ongoing persecution, prejudice or discrimination, and cause additional trauma. Additionally, the doxxing of members of a protected group where the offender is motivated by these particular characteristics is likely to expose them to further harm from individuals with a prejudice against that group. It can also result in trauma or fear for other people who share that attribute.
114. Given that doxxing conduct can be targeted to silence or humiliate certain groups of individuals, the Bill provides robust protections for all persons from experiencing discrimination, hatred, violence, and racism.
(j) Children's right to privacy
115. Article 16 of the CRC provides that no child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.
Measures to enhance the privacy of individuals with respect to their personal information
Part 4 - Children's privacy
116. Part 4 promotes the right to privacy for children by requiring the Information Commissioner to develop and register a COP Code. The COP Code would be an enforceable APP code that sets out how one or more of the APPs are to be applied or complied with in relation to the privacy of children.
117. To date, details about how privacy protections under the Privacy Act should apply to children have been set out in guidance material from the Information Commissioner. Elevating protections into an enforceable APP code promotes the right to privacy of a child by imposing more specific, enforceable obligations with respect to the handling of children's personal information than would otherwise exist under prevailing law.
(k) Right to life
118. The right to life in Article 6 of the ICCPR places a positive obligation on governments to take appropriate measures to protect the right to life of those within its jurisdiction.
Measures to enhance the privacy of individuals with respect to their personal information
Part 3 - Emergency declarations
119. Part 3 promotes the right to life by seeking to prevent and mitigate harm caused by emergencies or disasters by facilitating enhanced information sharing when an emergency declaration is in place.
(l) Right to health
120. Article 12 of the ICESCR provides that all people have the right to the highest attainable standard of physical and mental health. The UN Committee on Economic, Social and Cultural Rights has stated that the right to health is closely related to, and dependent upon the realisation of other human rights, including the right to privacy.
121. Providing individuals with control over when, how and for what purpose their personal information is handled by others is key to ensuring human dignity, safety, health and wellbeing. Interferences with privacy, such as through a data breach, can cause serious interferences with the right to health through financial loss, identity theft or fraud, emotional distress, reputational damage, physical harm, coercion and/or discrimination.
Measures to enhance the privacy of individuals with respect to their personal information
Part 3 - Emergency declarations
122. Part 3 promotes the right to the enjoyment of the highest attainable standard of physical and mental health by seeking to prevent and mitigate harm caused by emergencies and disasters by facilitating information sharing when an emergency declaration is in place. These provisions allow both agencies and organisations to disclose personal information to state and territory authorities. The COVID-19 pandemic demonstrated the vital importance of information sharing with state and territory authorities for contact tracing purposes.
Part 7 - Eligible data breach declarations
123. Part 7 promotes the right to health by seeking to prevent and mitigate harm caused by eligible data breaches. These provisions allow agencies and organisations to disclose specified kinds of personal information to specified entities or classes of entities for the purpose of responding to a cyber security incident and the consequences of a cyber security incident, including emotional and psychological harm, family violence and physical harm or intimidation.
(m) Prohibition of torture, or cruel, inhuman and degrading treatment or punishment
124. Article 7 of the ICCPR states that no one shall be subjected to torture or to cruel, inhuman or degrading treatment or punishment.
Criminal offences
125. Schedule 3 engages the prohibition by providing for penalties of imprisonment. Penalties of imprisonment may amount to cruel, inhuman or degrading treatment where their application is disproportionate to the offence committed.
126. The maximum penalties of imprisonment in the Bill have been set at a level that is proportionate and adequate to deter and punish the damaging behaviour of doxxing. This reflects the wide-ranging serious harms and impact on individuals, which can be physical, psychological and financial in nature. The base criminal offence applies a serious penalty of a maximum period of imprisonment of 6 years.
127. Doxxing can have significant impacts on an individual's wellbeing, has the ability to expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physical safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud. Doxxing can also cause psychological harms, both directly and as a result of the occurrence, or the fear of the occurrence, of the previously-mentioned harms.
128. The Bill also imposes the possibility of higher penalties of imprisonment (a maximum period of imprisonment of 7 years) where the conduct is targeted towards protected groups. This recognises that the discrimination against persons on the basis of protected attributes is particularly serious in nature. The act of doxxing members of a group distinguished by a protected attribute is likely to have a larger societal impact as it may result in trauma or fear for other people who share that attribute.
129. On this basis, the penalties of imprisonment in the Bill are proportionate and appropriate to the wide-ranging, serious and enduring harms that doxxing can cause. Responsibility for determining criminal guilt and imposing an appropriate sentence rests with the courts in their exercise of judicial power. The court will have discretion to implement an appropriate penalty based on all of the circumstances of the case.
(n) Protection from retrospective criminal laws
130. Article 15 of the ICCPR is a non-derogable provision which provides that no one shall be held guilty of any criminal offence on account of any act or omission which did not constitute a criminal offence, under national or international law, at the time it was committed. It also prohibits the imposition of a heavier penalty than the one that was applicable at the time when the criminal offence was committed.
Measures to enhance the privacy of individuals with respect to their personal information
Part 9 - Federal court orders
131. Part 9 of the Bill retrospectively provides the Court with the power to make orders it considers appropriate in proceedings instituted after the commencement of this Part, where the Court determines that a contravention of a civil penalty provision has occurred, including where the act or practice relevant to the contravention occurred before commencement of the Bill.
132. This however does not engage the right in Article 15 as the Court's discretion to make orders that are appropriate and proportionate in the circumstances will mean these orders are not punitive in character or considered to be a criminal penalty.
Conclusion
133. The Bill is compatible with human rights because it promotes the protection of human rights, particularly the right to privacy in Article 17 of the ICCPR. Any interference with human rights occasioned in this Bill is in pursuit of a legitimate objective. To the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate to achieve the legitimate aims of the Bill.
NOTES ON CLAUSES
Preliminary
Clause 1 - Short title
1. This clause provides for the short title of the Act to be the Privacy and Other Legislation Amendment Act 2024.
Clause 2 - Commencement
2. This clause provides for the commencement of each provision in the Bill, as set out in the table.
- a. Item 1 of the table provides that sections 1 to 3, which concern the preliminary aspects of the Bill, as well as anything not elsewhere covered by the table, commence on the day on which this Act receives the Royal Assent,
- b. Item 2 of the table provides that Schedule 1, Parts 1 to 7 commence the day after this Act receives the Royal Assent,
- c. Item 3 of the table provides that Schedule 1, items 45 and 46 commence immediately after the commencement of the provisions covered by table item 5,
- d. Item 4 of the table provides that Schedule 1, item 47 commences the later of:
  - a. immediately after the commencement of the provisions covered by table item 5; and
  - b. immediately after the commencement of the Digital ID Act 2024.
- e. Item 5 of the table provides that Schedule 1, items 48 to 58 commence the day after this Act receives the Royal Assent,
- f. Item 6 of the table provides that Schedule 1, Parts 9 to 14 commence the day after this Act receives the Royal Assent,
- g. Item 7 of the table provides that Schedule 1, Part 15 commences the day after the end of the period of 24 months beginning on the day this Act receives the Royal Assent,
- h. Item 8 of the table provides that Schedule 2 commences on a single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period, and
- i. Item 9 of the table provides that Schedule 3 commences the day after this Act receives the Royal Assent.
3. Item 4 of the table reflects that at the time of introduction of this Bill, the Digital ID Act 2024 has not yet commenced, and the commencement of item 47 is contingent on the commencement of both this Bill and the Digital ID Act 2024. Item 47 makes consequential amendments to paragraphs 37(2)(b) and 38(1)(b) of the Digital ID Act 2024 to include a reference to section 13H of the Privacy Act.
Clause 3 - Schedules
4. This clause provides that each Act specified in the Schedule is amended or repealed as set out in the Schedule. Clause 3 also provides that any other item in a Schedule of the Bill has effect according to its terms.
Schedule 1 - Privacy reforms
Privacy Act 1988
Part 1 - Objects of the Act
Item 1 - Paragraph 2A(a)
5. Item 1 repeals paragraph 2A(a) and substitutes it with paragraphs 2A(a) and (aa).
6. As privacy is multifaceted, the purpose of paragraph 2A(a) is to clarify that the Act's focus is information privacy, and that it aims to promote the protection of the privacy of individuals by protecting their personal information.
7. The purpose of paragraph 2A(aa) is to recognise the public interest in protecting privacy in addition to individual interests. This acknowledges that privacy-affecting acts and practices have undesirable public policy outcomes, even if the privacy harms to any one individual, on their own, are not significant. It also reflects the broader collective public benefits of strong privacy protections for individuals, which are necessary to build trust and facilitate participation in public life - particularly in the digital world.
8. As outlined in Schedule 2, the objects section does not apply to Schedule 2.
Item 2 - Paragraph 2A(h)
9. Item 2 replaces 'obligation' with 'obligations' in the plural in paragraph 2A(h). The purpose is to reflect that Australia's obligations with respect to the right to privacy arise from multiple sources, for example the ICCPR, the International Convention on the Elimination of All Forms of Racial Discrimination and the CRC.
Part 2 - APP codes
Item 3 - Subsection 6(1)
10. Item 3 amends subsection 6(1) to include a definition of temporary APP code to reflect the insertion of section 26GB.
Item 4 - Section 26G (at the end of the heading)
11. Item 4 makes it clear that the Information Commissioner developing an APP code under section 26G following a request to an APP code developer is a separate process from the Information Commissioner developing an APP code under sections 26GA and 26GB following a direction from the Minister.
Item 5 - After section 26G
12. Item 5 inserts section 26GA and section 26GB.
Section 26GA
13. Section 26GA requires the Information Commissioner to develop an APP code on the written direction of the Minister if the Minister is satisfied that it is in the public interest to develop the code, and for the Information Commissioner to develop the code.
14. The purpose of section 26GA is to expand the circumstances when an APP code may be developed, which provides greater flexibility and efficiency to the APP code-making process.
15. Previously, an APP code could be developed by an APP code developer (as defined in subsection 6(1)) on their own initiative, or on request by the Information Commissioner. The Information Commissioner was only permitted to develop an APP code under section 26G after the Information Commissioner had requested an APP code developer to develop an APP code, and
- a. the request had not been complied with; or
- b. the request had been complied with but, under section 26H, the Information Commissioner has decided not to register the APP code that was developed as requested.
16. This process had the potential to be time consuming and inefficient in circumstances where it may be difficult or impracticable for the Information Commissioner to identify a suitable APP code developer with adequate resources and expertise to develop a code, for example if a proposed APP code is required to cover a broad range of activities or APP entities.
17. Increasing the efficiency of the APP code-making process is an important measure to preserve the flexible principles-based nature of the Act. It is expected that new or emerging technology will raise new privacy risks, and there will be a growing need for APP codes to provide certainty on privacy protections when handling specific types of personal information or handling personal information for specific purposes.
18. Subsection 26GA(1) requires that the Minister must be satisfied that it is in the public interest to develop the APP code, and for the Information Commissioner to develop the code. When meeting these requirements, the Minister may consider:
- a. whether a code would be the most effective way of resolving an identified privacy issue within a sector or industry or clarifying uncertainty regarding the application of the APPs to particular entities, or acts and practices, and
- b. whether the Information Commissioner is the appropriate code developer, having regard to how urgent it is to develop and register a code, the complexity and scope of the code requirements, and the Information Commissioner's particular privacy expertise.
19. Subsection 26GA(2) outlines that the Minister's direction may specify one or several matters that the APP code must deal with, and specify the entities or class of entities that should be bound by the code. For example, the direction may specify that the code must clarify uncertainty about how one or more APPs apply to a particular sector in relation to new or emerging technology.
20. Subsection 26GA(3) is merely declaratory of the law, and included to assist readers and clarify that a direction from the Minister is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003, as it is administrative in character. The direction itself does not set out new rules or impose obligations on APP entities. However, the APP code itself will be a legislative instrument once it has been registered on the Codes Register under section 26U (as specified by subsection 26B(2)).
21. Subsection 26GA(4) makes it clear that it is mandatory for the Information Commissioner to develop and register the APP code following a direction from the Minister.
22. Subsection 26GA(5) specifies that despite paragraph 26C(3)(b), the APP code must not cover certain acts or practices that would otherwise be exempt under the Privacy Act under subsection 7B(1), (2) or (3). For example, the code must not deal with the handling of personal information by an individual where that information is collected, held, used, disclosed or transferred for personal, family or household affairs (that is, done other than in the course of business). This mirrors subsections 26G(2) and 26E(6) and reflects that it is not appropriate for a code developed and registered by the Information Commissioner to apply to entities or acts and practices that are otherwise exempt from obligations in the Privacy Act.
23. Subsection 26GA(6) enables the Information Commissioner to consult any person the Information Commissioner considers appropriate during development of the APP code. Consultation during development will enable early identification of any issues and their resolution prior to the mandatory consultation period.
24. Subsection 26GA(7) sets out mandatory consultation requirements that the Information Commissioner must satisfy before registering the APP code under section 26H. The Information Commissioner must make a draft code publicly available, for example on the Information Commissioner's website. The Information Commissioner must also seek public submissions on the draft Code within a specified period that must run for at least 40 days, and give consideration to any submissions made within the specified period. The Information Commissioner may consider that it is necessary for the specified period to run longer than 40 days depending on, for example, the expected level of interest in the draft code, the expected number of affected stakeholders, the complexity of the draft code, or the expected impact of the provisions in the draft code on the practices or procedures of stakeholders. The Information Commissioner may also wish to bring the code to the attention of specific stakeholders, such as APP entities which will be bound by the code.
25. These mandatory consultation requirements would help to ensure that Information Commissioner-developed APP codes are fit for purpose and capable of being implemented. The minimum specified period for public consultation in subsection 26GA(7) is longer than the period of consultation required for APP codes developed by an APP code developer under subsection 26F(2). A longer consultation period recognises that industry and other affected stakeholders may require more time to meaningfully consider an Information Commissioner-developed APP code than one prepared by an APP code developer.
Section 26GB
26. Section 26GB requires the Information Commissioner to develop a temporary APP code on the written direction of the Minister if the Minister is satisfied that it is in the public interest to develop the code, for the Information Commissioner to develop the code, and for the code to be developed urgently.
27. Previously there was no ability for a temporary APP code to be made in urgent situations. Temporary APP codes address the gap where there is an identified urgent privacy issue, or a change in circumstances that creates uncertainty in complying with the APPs, and an APP code would give much needed clarity and certainty to affected entities, but the usual development process would prevent the code being developed in a timely manner. Additionally, specifying how the APPs are to be complied with through a temporary APP code would enable the community to have confidence that their personal information will be handled appropriately during changing circumstances.
28. For example, temporary APP codes could be used in the context of a pandemic to instruct APP entities on how to comply with APPs while collecting contact-tracing information, and give greater transparency to the community on how their personal information is being handled.
29. To ensure the Information Commissioner is able to develop a temporary APP code efficiently, unlike for an APP code, there are no mandatory consultation requirements. This reflects the approach to temporary public interest determinations under Division 2 of Part VI.
30. Subsection 26GB(1) requires that the Minister must be satisfied that it is in the public interest to develop the temporary APP code, and for the Information Commissioner to develop the code urgently. When meeting these requirements, the Minister may consider whether:
- a. a code would be the most effective way of resolving an identified urgent privacy issue within a sector or industry or clarifying uncertainty regarding the application of the APPs to particular entities, or acts and practices,
- b. the Information Commissioner is the appropriate code developer, considering how urgent it is to develop and register a code, the complexity and scope of the code requirements, and the Information Commissioner's particular privacy expertise, and
- c. a temporary APP code is appropriate, having regard to whether the usual timeframes for developing an APP code would hinder the timely delivery of certainty and clarity on privacy obligations, and how long it is expected a code would be required for.
31. Subsection 26GB(2) outlines that the Minister's direction may specify one or several matters that the temporary APP code must deal with, and specify the entities or class of entities that should be bound by the code. For example, the direction may specify that the code must clarify how businesses must comply with the APPs when rolling out Quick Response (QR) codes in the event of a pandemic.
32. Subsection 26GB(3) is merely declaratory of the law, and is included to assist readers and clarify that a direction from the Minister is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003, as it is administrative in character. The direction itself does not set out new rules or impose obligations on APP entities. However, the temporary APP code itself will be a legislative instrument once it has been registered on the Codes Register under section 26U (as specified by subsection 26B(2)).
33. Subsection 26GB(4) makes it clear that it is mandatory for the Information Commissioner to develop and register the temporary APP code following a direction from the Minister.
34. Subsection 26GA(5) specifies that despite paragraph 26C(3)(b), the temporary APP code must not cover certain acts or practices that would otherwise be exempt under the Privacy Act under subsection 7B(1), (2) or (3). For example, the temporary APP code must not deal with the handling of personal information by an individual where that information is collected, held, used, disclosed or transferred for personal, family or household affairs (that is, done other than in the course of business). This mirrors subsections 26G(2) and 26E(6) and reflects that it is not appropriate for a code developed and registered by the Information Commissioner to apply to entities or acts and practices that are otherwise exempt from obligations in the Privacy Act.
35. Subsection 26GB(6) outlines that in developing the temporary APP code, the Information Commissioner may consult any person the Information Commissioner considers appropriate. As it is expected that a temporary APP code is likely to be required in urgent or evolving situations, there are no mandatory consultation requirements. This will ensure the Information Commissioner is able to make a temporary APP code expediently if needed.
36. Subsection 26GB(7) requires that the temporary APP code must not be in force for a period longer than 12 months. This reflects that it is expected that a temporary APP code is required in urgent situations, and is not intended to be used for ongoing purposes. If it was proposed that the enforceable requirements within a temporary APP code would be extended beyond a 12-month period, these should be subject to the usual provisions for developing an APP code, including mandatory consultation on the code and tabling in Parliament.
37. Subsection 26GB(8) notes that the instrument is not subject to disallowance under section 42 of the Legislation Act 2003 once the code is registered. It is necessary to exempt the instrument from disallowance to ensure that decisive action can be taken in urgent situations or where circumstances are rapidly evolving. This would establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the temporary APP code. Without an exemption, entities may be discouraged from meeting temporary APP code requirements, and not set up new processes or systems or change their practices until the disallowance period has concluded.
38. Further, a temporary APP code has safeguards in the development process including:
- a. the code would be developed by the Information Commissioner, who has particular expertise in promoting and upholding privacy rights
- b. as outlined in subsection 26GB(1), the Minister must be satisfied that it is in the public interest to develop the code and that the Information Commissioner should develop the code urgently
- c. as outlined in subsection 26GB(5), a temporary APP code cannot cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3)
- d. as outlined in subsection 26GB(7), the code cannot be in force for longer than 12 months, and
- e. as outlined in paragraph 26C(3)(a), a temporary APP code can only impose additional requirements to those imposed by one or more of the APPs if those additional requirements are not contrary to, or inconsistent with, those principles.
Item 6 - Paragraph 26H(1)(b)
39. Item 6 amends paragraph 26H(1)(b) to make it clear that the Information Commissioner is able to register a code developed under section 26G, 26GA or 26GB by including it on the Codes Register.
Part 3 - Emergency declarations
40. The purpose of Part 3 of this Bill is to enable emergency declarations to authorise more targeted handling of personal information to assist individuals in emergency and disaster situations, and to ensure that declarations may be made in relation to ongoing or extended emergencies or disasters.
Item 7 - Subsection 80G(1)
41. Item 7 inserts a definition of entity into section 80G for the purposes of Part VIA.
Item 8 - Section 80H
42. This item repeals section 80H which provided the permitted purposes for which personal information could be collected, used and disclosed under a declaration. This reflects the new approach to emergency declarations specifying the permitted purposes for which information handling is authorised.
Items 9 and 11
43. These items amend subsections 80J(1) and (2) and subsection 80K(1) to specify that a declaration under those sections must be in writing.
Items 10 and 12
44. These items set out that emergency declarations made under sections 80J and 80K are legislative instruments which are not subject to disallowance under section 42 of the Legislation Act 2003. It is necessary to exempt the instruments from disallowance to ensure that decisive action can be taken during an emergency or disaster. This would establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the emergency declaration. Without an exemption, entities may be discouraged from disclosing information where this may be time critical to prevent harm or render assistance to individuals at risk of harm.
45. Further, a declaration has safeguards in the development process including:
- a. the Minister or Prime Minister must be satisfied that an emergency or disaster has occurred, that it is of such a kind that it is appropriate to make a declaration, that it is of national significance and that it has affected one or more Australian citizens or permanent residents, and
- b. the declaration cannot be in force for longer than 12 months.
Item 13 - Section 80KA
46. Item 13 inserts section 80KA. Section 80KA sets out the matters that must be specified in a declaration, and will enable the declaration to be more targeted.
47. Subsection 80KA(1) requires that the emergency declaration must specify:
- a. the kind or kinds of personal information to which the declaration applies - for example, the declaration may specify that only an individual's legal identity and identity documents may be handled
- b. the entity or class of entities that may collect, use or disclose the personal information and the entity or class of entities to which the personal information may be disclosed - for example, the declaration may specify that only health service providers may disclose personal information to entities who provide humanitarian aid, and
- c. one or more permitted purposes of the collection, use or disclosure - for example, the declaration may specify that entities may only handle personal information for the purposes of identifying individuals who are or may be injured, missing or dead, or who are at risk of being so.
48. The Note to subsection 80KA(1) makes it clear that the collection, use and disclosure of personal information will be authorised under section 80P if specified in the declaration.
49. As set out in sections 80J and 80K, prior to making a declaration the Prime Minister or Minister must be satisfied of several matters, including that the emergency or disaster is of such a kind that it is appropriate in the circumstances for Part VIA to apply. When determining the matters that must be specified in the declaration, it is expected that the Prime Minister or Minister will consider:
- a. the type of emergency or disaster
- b. what entities are likely to be involved in the Commonwealth response to the emergency or disaster
- c. the importance of the entities being able to handle personal information in a manner that would otherwise not be permitted under the APPs, and the public interest objectives in doing so, and
- d. the potential for adverse impact on the privacy interests of individuals.
50. Subsection 80KA(2) provides that a declaration may specify that the entity or class of entities to which personal information may be disclosed includes a State or Territory authority (paragraph 80KA(2)(a)), but cannot include a media organisation (paragraph 80KA(2)(b)).
51. Previously, when an emergency declaration was in force, agencies, but not organisations, were able to disclose to a State or Territory authority under a declaration. Allowing the Prime Minister or Minister to specify in the declaration that both agencies and organisations can disclose to a State or Territory authority, when considered appropriate, would better facilitate the response to an emergency or disaster, particularly where those authorities are responsible for providing or coordinating services for individuals.
52. A State or Territory authority is not an APP entity for the purposes of subsection 6(1). However, such an authority would be subject to the following safeguards:
- a. Subsection 80Q(1) contains an offence for unauthorised secondary disclosures (with exceptions). A secondary disclosure occurs when a person to whom personal information has been disclosed under Part VIA subsequently discloses that information. The penalty applying to this offence is 60 penalty units or imprisonment for one year, or both, and
- b. When determining whether the declaration should specify that disclosures can be made to a State or Territory authority, it is expected that the Prime Minister or Minister would consider whether the authority has appropriate privacy protection frameworks - for example, privacy laws or standards that require the authority to store personal information in a secure manner.
53. The declaration cannot authorise disclosures to a media organisation (as defined in subsection 6(1)). This reflects that it is not appropriate for personal information to be disclosed under a declaration for purposes such as reporting on individuals involved in an emergency or disaster. If any disclosures need to be made to a media organisation, they must be made in accordance with the normal operation of the Act.
54. Subsection 80KA(3) outlines that the permitted purpose specified in the declaration must be a purpose that directly relates to the Commonwealth's response to an emergency or disaster in respect of which an emergency declaration is in force. The purpose of this subsection is to limit the types of situations for which a declaration may authorise information handling.
55. Subsection 80KA(4) provides a non-exhaustive list of permitted purposes for which a declaration may authorise information handling. The list is intended merely as a guide and should not be interpreted to limit subsection 80KA(3).
56. Importantly, the non-exhaustive list of permitted purposes makes it clear that an emergency declaration may be made in relation to ongoing or extended emergencies. For example, a permitted purpose may be providing services to individuals at risk of being impacted (not simply those who have already been directly impacted).
57. Subsection 80KA(5) makes it clear that the declaration can impose different requirements in relation to kinds of personal information, entities or classes of entities, and purposes or kinds of purposes. The intention of this provision is to provide the flexibility necessary to ensure that a declaration can be tailored to the type of emergency or disaster. For example, a declaration may provide that only certain agencies are able to disclose sensitive information to other specified agencies for the purposes of assisting individuals to obtain financial assistance.
Item 14
58. Item 14 repeals sections 80L and 80M which previously outlined the form of a declaration and when a declaration took effect. These sections are no longer necessary as a declaration would be a legislative instrument, which would specify when the declaration commences.
Items 15, 16, 17, 18, 19 and 20
59. Items 15 to 19 are technical amendments to update and clarify terminology in section 80N to reflect that a declaration would be in force, instead of having effect. Item 20 is a technical amendment to paragraph 80N(c) to clarify the circumstances where a declaration ceases to be in force after 12 months from when it commences.
Item 21 - Paragraphs 80P(1)(b) to (e)
60. Item 21 repeals paragraphs 80P(1)(b) to (e) and substitutes new paragraphs 80P(1)(b) to (f).
61. Paragraphs 80P(1)(b) to (e) previously authorised the collection, use and disclosure of personal information for a permitted purpose set out in the Act, and the disclosure of personal information by agencies and organisations to specified entities. New paragraphs 80P(1)(b) to (f) authorise the handling of personal information in accordance with a declaration.
62. The requirement that an entity must reasonably believe that an individual may be involved in the emergency or disaster in order to collect, use or disclose personal information relating to the individual under a declaration continues to apply (paragraph 80P(1)(a)).
Items 22, 23, 24, 25 and 26
63. Items 22 to 26 update the list of designated secrecy provisions in subsection 80P(7) to include:
- a. subsection 34GE(4) and sections 34GF and 35P of the Australian Security Intelligence Organisation Act 1979,
- b. section 15LC of the Crimes Act 1914,
- c. clause 9 of Schedule 1 to the Intelligence Services Act 2001, and
- d. sections 22, 22A and 22B of the Witness Protection Act 1994.
64. Subsection 80P(2) provides that entities that use and disclose personal information as authorised under subsection 80P(1) would not be in breach of secrecy provisions, unless the provision is a secrecy provision designated under subsection 80P(7).
65. Subsection 80P(7) recognises that it would not be appropriate to override secrecy provisions relating to particular intelligence agencies, and to certain intelligence collection and analysis activities. Intelligence agencies are also exempt from the Privacy Act by virtue of paragraph 7(1)(f).
Item 27 - Subsection 80P(7) (definition of entity)
66. Item 27 repeals the definition of entity which was previously in subsection 80P(7). The same definition of entity has been moved to section 80G to ensure that the definition of entity applies to the entirety of Part VIA.
Item 28 - After paragraph 80Q(2)(a)
67. Item 28 inserts paragraphs 80Q(2)(b) and 80Q(2)(ba).
68. Paragraph 80Q(2)(b) provides that the offence in subsection 80Q(1) does not apply to a disclosure for the purposes of carrying out a State's constitutional functions, powers and duties. The relevant State privacy protections (if any) would apply to the further use and disclosure of the information by the State.
69. This ensures the offence does not prohibit States or State officers from disclosing information that is necessary for the performance of State constitutional functions, or functions that are inherently connected to the government of the State.
70. Paragraph 80Q(2)(ba) provides that the offence in subsection 80Q(1) does not apply to a disclosure for the purposes of obtaining or providing legal advice in relation to the operation of Part VIA. For example, this would allow an entity to seek legal advice on the operation of the declaration or in relation to a possible contravention of the offence in subsection 80Q(1).
Item 29 - Application of amendments
71. This item provides the arrangements for how amendments made to Part VIA are to be applied.
72. Amendments of sections 80J, 80K, 80N and 80P, the repeal of sections 80H, 80L and 80M, and the insertion of section 80KA, apply in relation to declarations made on or after the commencement of Part 3.
73. The amendments of section 80Q apply in relation to disclosure of personal information by a person on or after the commencement of the Part, whether the personal information was first disclosed to that person before or after that commencement.
Part 4 - Children's Privacy
Item 30 - Subsection 6(1)
74. Item 30 inserts the following definitions into subsection 6(1):
- a. 'child', which means an individual who has not reached 18 years.
- b. 'Children's Online Privacy Code', which has the meaning given by new section 26GC.
Item 31 - After subsection 26C(4)
75. Item 31 inserts subsection 26C(4A). This item makes it clear that an APP code may be expressed to apply differently in relation to classes of entities, classes of personal information, and classes of activities of entities. This provision is modelled on existing subsection 26N(4), which applies in relation to the credit reporting code.
76. The intention of this provision is to provide flexibility when developing the requirements of an APP code, given the range of entities who may be subject to a code.
Item 32 - Before section 26H
77. Item 32 inserts section 26GC which requires the Information Commissioner to develop a COP Code, and sets out the modifications to the APP code development and registration process.
78. Subsection 26GC(1) requires that the Information Commissioner develop an APP code, known as the COP Code, about online privacy for children. Unlike other APP codes which can be developed by an APP code developer on their own initiative, or on request by the Information Commissioner, the Information Commissioner must develop the COP Code. There is a public interest and community expectation in ensuring that a COP Code is developed and registered, and is developed by the Information Commissioner who has particular expertise in privacy. This will avoid any potential industry regulatory biases, and conflicting commercial interests.
79. Subsection 26GC(2) makes it clear that unless otherwise modified by section 26GC, Division 2 of Part IIIB, including section 26C, applies to the COP Code. This sets out compliance with registered APP codes, development and registration of APP codes, and variation and removal of registered APP codes.
80. Subsections 26GC(3) and (4) outline the matters the COP Code must set out, being how one or more of the APPs are to be applied or complied with in relation to children. The COP Code may also provide for other matters outlined in subsections 26C(3) and (4), including imposing additional requirements to those imposed by one or more of the APPs, so long as the additional requirements are not contrary to or inconsistent with those principles.
81. For example, the COP Code may set out how regulated entities must meet requirements in APPs 1 and 5 in relation to privacy policies and consent notices by ensuring that information addressed to a child is clearly expressed and understandable - such as through the use of graphics, video and audio content rather than relying solely on written communication.
82. The note to subsection 26GC(4) confirms that an APP code may provide differently for different things, as outlined in new subsection 26C(4A). For example, the COP Code may specify that particular requirements only apply to social media services that are bound by the code.
83. Subsection 26GC(4) specifies that, despite paragraph 26C(3)(b), the COP Code must not cover certain acts or practices that would otherwise be exempt under the Privacy Act under subsection 7B(1), (2) or (3). For example, the Code must not deal with the handling of personal information by an individual where that information is collected, held, used, disclosed or transferred for personal, family or household affairs (that is, other than in the course of business). This mirrors subsections 26G(2) and 26E(6) and reflects that it is not appropriate for a code developed and registered by the Information Commissioner to apply to entities or acts and practices that are otherwise exempt from obligations in the Privacy Act.
84. Subsections 26GC(5) to (7) specify the types of entities that are, and are not, bound by the COP Code. Subsection 26GC(6) provides that paragraph 26C(2)(b), which requires that an APP code must specify the APP entities bound by the code, does not apply in relation to the COP Code, as subsections 26GC(5) and (7) set this out instead.
85. The COP Code would automatically apply to an APP entity if it meets all of the conditions in paragraph 26GC(5)(a), being:
- a. the entity is a provider of a social media service, relevant electronic service or designated internet service (all within the meaning of the Online Safety Act 2021),
- b. the service is likely to be accessed by children, and
  - i. This establishes a standard and threshold that is intended to align with the UK Information Commissioner's Age Appropriate Design Code, and the Online Safety (Basic Online Safety Expectations) Determination 2022.
  - ii. In assessing whether a service is likely to be accessed by children, service providers should consider factors such as:
    - 1. the nature and content of the service, and whether it has a particular appeal to children,
    - 2. market research, current evidence on user behaviour, and the user base of similar or existing services and service types, and
    - 3. the way in which the service is accessed, and whether any measures put in place are effective in preventing children from accessing the service.
  - iii. Service providers are expected to proactively assess the likelihood that their service is accessed by children, regardless of whether the service is explicitly targeted at children.
  - iv. Subsection 26GC(11) provides that the Information Commissioner may make written guidelines to assist entities to determine whether a service is likely to be accessed by children.
- c. the entity is not providing a health service.
  - i. This establishes a standard and threshold that is intended to align with the UK Information Commissioner's Age Appropriate Design Code, and ensures the COP Code is not a barrier to providing essential services to children.
  - ii. Guidance provided by the OAIC makes it clear that 'health service' providers can include online health services such as counselling, advice and telehealth. However, more general health, fitness or wellbeing apps or services may be covered by the COP Code.
86. However, the COP Code would not apply to an APP entity that meets the conditions in paragraph 26GC(5)(a) if the entity has been specified in the COP Code for the purposes of subsection 26GC(7).
87. The COP Code would also apply to an APP entity, or an APP entity in a class of entities, specified in the COP Code for the purposes of paragraph 26GC(5)(b).
88. The intention of paragraph 26GC(5)(b) and subsection 26GC(7) is to provide flexibility, given the range of entities that the COP Code may, or should, apply to. For example, the COP Code may specify that:
- a. a provider of a designated internet service likely to be accessed by children is not bound by the COP Code, or
- b. a provider of a health service is bound by the COP Code, or
- c. an online service provider that is not a provider of a social media service, relevant electronic service or designated internet service is bound by the COP Code.
89. Subsection 26GC(8) sets out the consultation the Information Commissioner may undertake in developing the COP Code. The Information Commissioner may consult with children, relevant organisations or bodies concerned with children's welfare, the eSafety Commissioner, the National Children's Commissioner, and any other person the Information Commissioner considers appropriate. Consultation during development will enable early identification of any issues and their resolution prior to the mandatory consultation period.
90. Subsection 26GC(9) sets out mandatory consultation requirements that the Information Commissioner must satisfy before registering the COP Code under section 26H.
91. The Information Commissioner must make a draft Code publicly available, for example on the Information Commissioner's website. The Information Commissioner must also seek public submissions on the draft Code within a specified period that must run for at least 40 days, and consider any submissions made within the specified period. The Information Commissioner may consider that it is necessary for the specified period to run longer than 40 days, depending on, for example, the expected level of interest in the draft Code, the expected number of affected stakeholders, the complexity of the draft Code, or the expected impact of the provisions in the draft Code on the practices or procedures of stakeholders. The Information Commissioner may also wish to bring the Code to the attention of specific stakeholders, such as APP entities which will be bound by the Code.
92. The minimum specified period for public consultation in subsection 26GC(9) is longer than the period of consultation required for APP codes developed by an APP code developer under subsection 26F(2). A longer consultation period recognises that industry and other affected stakeholders may require more time to meaningfully consider an Information Commissioner-developed APP code than one prepared by an APP code developer.
93. The Information Commissioner must also consult with the eSafety Commissioner and National Children's Commissioner before registering the COP Code.
94. These mandatory consultation requirements help to ensure that COP Code is fit for purpose and capable of being implemented.
95. Subsection 26GC(10) provides that the COP Code must be developed and registered within 24 months of the Act receiving Royal Assent. When the Information Commissioner registers the COP Code, the Code may specify a transition period.
96. Subsections 26GC(11) to (13) set out that the Information Commissioner may make and publish written guidelines to assist entities to determine whether a service is likely to be accessed by children for the purposes of subparagraph 26GC(5)(a)(ii). This aligns with the approach of the UK Information Commissioner's Office, which has published guidance on when a service is 'likely to be accessed by a child' for the purposes of the Age Appropriate Design Code, including FAQs, a non-exhaustive list of factors, case studies and an impact assessment.
97. Subsection 26GC(13) is merely declaratory of the law, and included to assist readers and clarify that guidelines are not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003, as they are administrative in character.
Item 33 - After paragraph 26H(1)(b)
98. Item 33 amends subsection 26H(1) to make it clear that the Information Commissioner is able to register a COP Code developed under section 26GC by including it on the Codes Register.
Part 5 - Security, retention and destruction
Item 34 - At the end of clause 11 of Schedule 1
99. Item 34 inserts APP 11.3, which provides that 'reasonable steps' for the purposes of APPs 11.1 and 11.2 include technical and organisational measures. The purpose of APP 11.3 is to give further guidance and clarification to APP entities, and to avoid doubt.
100. APP 11.3 does not limit APPs 11.1 and 11.2 or any other provision of the Act. Undertaking technical and organisational measures may also be relevant to other APPs and other provisions of the Act that refer to APP entities taking reasonable steps.
101. Examples of technical measures include protecting personal information through physical measures, software and hardware - for example, securing access to premises, encrypting data, using anti-virus software and requiring strong passwords.
102. Examples of organisational measures include steps, processes and actions an entity should put in place - for example, training employees on data protection, and developing standard operating procedures and policies for securing personal information.
Item 35 - Application of amendment
103. Item 35 notes the amendment to APP 11 applies in relation to information held after the commencement of this Part, regardless of whether the information was acquired or created before or after that commencement.
Part 6 - Overseas data flows
104. APP 8 and section 16C of the Act facilitate the disclosure of personal information overseas, while ensuring the privacy of individuals is respected and providing for an accountability framework:
- a. APP 8.1 provides that before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information, and
- b. Section 16C provides that an APP entity which discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs.
105. APP 8.2 provides exceptions to this accountability framework, including APP 8.2(a), which provides that an APP entity is not required to take 'reasonable steps' (and would not contravene section 16C) if the entity reasonably believes the recipient of the information is subject to a law or binding scheme that, overall, is at least substantially similar to the APPs, and there are mechanisms that an individual can access to take action to enforce those protections.
106. Items 36 - 38 work together to create a new exception in APP 8.2(aa) and 8.3 where a country or binding scheme has been prescribed in regulations as protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information and there are mechanisms that the individual can access to take action to enforce that protection.
107. The purpose of these items is to reduce the burden on APP entities in assessing whether an overseas recipient is subject to a substantially similar framework under APP 8.2(a), and help establish Australia as a trusted trading partner and support Australian businesses to compete more effectively in international markets.
Item 36 - After subsection 100(1)
108. Item 36 inserts new subsections 100(1A) and 100(1B), which allow the Governor-General to make regulations for the purposes of the new APP 8.3.
109. Subsection 100(1A) provides that, before the Governor-General makes the regulations, the Minister must be satisfied that the country or binding scheme protects the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and that there are mechanisms that the individual can access to take action to enforce that protection.
110. 'Substantially similar' means that the law or binding scheme provides a comparable, or a higher level of privacy protection to that provided by the APPs. When determining this, the overall effect of the law or scheme is considered - each provision of the law or scheme is not required to correspond directly to an equivalent APP.
111. Subsection 100(1B) outlines that the regulations may prescribe a country or binding scheme subject to conditions in relation to a specified entity or class of entities and conditions in relation to a specified kind or kinds of personal information. For example, if a law or scheme only regulates certain types of entities, the regulations may limit disclosures to only these entities.
Item 37 - After paragraph 8.2(a) of Schedule 1
112. Item 37 inserts APP 8.2(aa) which outlines that an exception to APP 8.1 includes where APP 8.3 applies in relation to the disclosure of the information.
Item 38 - After subsection 100(1)
113. Item 38 inserts APP 8.3, which applies when an APP entity discloses personal information about an individual to an overseas recipient who is subject to a law or a participant in a binding scheme prescribed by the regulations. Where the country or binding scheme is prescribed subject to conditions as permitted by subsection 100(1B), those conditions must be satisfied.
114. The Note clarifies that before a law or binding scheme is certified, the Minister must be satisfied that the country or binding scheme protects the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information.
Item 39 - Application of amendment
115. Item 39 notes the amendments to APP 8 apply in relation to information disclosed after the commencement of this Part, regardless of whether the information was acquired or created before or after that commencement.
Part 7 - Eligible data breaches
Item 40 - Subsection 6(1)
116. Item 40 amends subsection 6(1) to include a definition of eligible data breach declaration to reflect the insertion of subsection 26X(1).
Item 41 - Section 26WA (heading)
117. Item 41 renames section 26WA 'Guide to this Part' to align with other language used throughout the Act.
Item 42 - At the end of Section 26WA
118. Item 42 amends section 26WA to note that the Part also deals with the collection, use and disclosure of personal information involved in eligible data breaches, reflecting the insertion of Division 5.
Item 43 - At the end of Part IIIC
119. Item 43 inserts Division 5. Division 5 sets up a framework where the Minister may make a declaration that permits collections, uses and disclosures of personal information that would otherwise not be permitted under the APPs in order to prevent or reduce the risk of harm to individuals in the event of an eligible data breach.
120. For example, where there has been an eligible data breach of an APP entity, a declaration may permit the APP entity to disclose personal information to financial service providers (such as banks) to enable those providers to undertake enhanced monitoring and safeguards for customers who have, or may have, been affected by the eligible data breach.
121. Subsection 26X(1) sets out when the Minister may make the declaration. The Minister may make a declaration if:
- a. there is an eligible data breach of an entity, and
  - i. Unless an exception applies, under section 26WK an entity must provide a notification statement to the Information Commissioner if it is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
  - ii. Subsection 26WE(2) outlines that an eligible data breach has occurred when there is unauthorised access to or disclosure of personal information (or information is lost in circumstances where unauthorised access or disclosure is likely to occur), and this is likely to result in serious harm to any of the individuals to whom the information relates.
- b. the Minister is satisfied that making the declaration is necessary or appropriate to prevent or reduce a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to or disclosure of that personal information from the eligible data breach of the entity.
122. The Note to subsection 26X(1) clarifies that a declaration is relevant for section 26XD, which authorises collections, uses and disclosures as specified in the declaration.
123. To ensure that a declaration is appropriately targeted to the particular circumstances of a data breach, subsection 26X(2) requires a declaration to specify:
- a. the kind or kinds of personal information to which the declaration applies - for example, the declaration may specify that only an individual's legal identity and identity documents may be handled;
- b. the entity or class of entities that may collect, use or disclose the personal information, and the entity or class of entities that the personal information may be disclosed to - for example, the declaration may specify that only the APP entity that was affected by the eligible data breach may disclose personal information to financial institutions and government agencies to use for a permitted purpose; and
- c. one or more permitted purposes of the collection, use or disclosure - for example, the declaration may specify that entities may only handle personal information for the purposes of preventing a cyber security incident (within the meaning of the Security of Critical Infrastructure Act 2018), fraud, scam activity or identity theft.
124. Subsection 26X(3) outlines that the declaration may specify that the entity or class of entities to which personal information may be disclosed includes a State or Territory authority (paragraph 26X(3)(a)), but cannot include a media organisation (paragraph 26X(3)(b)).
125. A State or Territory authority is not an APP entity for the purposes of subsection 6(1). However, such an authority will be subject to the following safeguards:
- a. Subsection 26XC(1) contains an offence for unauthorised secondary disclosures (with exceptions). A secondary disclosure occurs when a person to whom personal information has been disclosed under Division 5 subsequently discloses that information. The penalty applying to this offence is 60 penalty units or imprisonment for one year, or both.
- b. When determining whether the declaration should specify that disclosures can be made to a State or Territory authority, it is expected that the Minister will give consideration to whether the authority has appropriate privacy protection frameworks - for example, privacy laws or standards that require the authority to store personal information in a secure manner.
126. The declaration cannot authorise disclosures to a media organisation (as defined in subsection 6(1)). This mirrors the emergency declaration framework and reflects that it is not appropriate for personal information to be disclosed under a declaration for purposes such as reporting on individuals affected by an eligible data breach. If any disclosures need to be made to a media organisation, they must be made in accordance with the normal operation of the Act.
127. Subsection 26X(4) outlines that the permitted purpose specified in the declaration must be a purpose that is directly related to preventing or reducing a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.
128. Subsection 26X(5) provides a non-exhaustive list of permitted purposes. The list is intended merely as a guide of permitted purposes, and makes it clear the examples are only permitted purposes to the extent that they are directly related to preventing or reducing a risk of harm as required by subsection 26X(4).
129. The permitted purposes listed here are intended to take their ordinary meaning unless otherwise specified.
- a. The term 'cyber security incident' is defined to have the same meaning as in the Security of Critical Infrastructure Act 2018.
- b. The concept of 'fraud' is intended to be interpreted broadly and to cover acts on behalf of a person that are deceptive or deceitful in some way, in that they cause that person to receive a benefit to which they are not entitled.
- c. The concept of 'scam activity' may overlap with the concept of fraud, and is more commonly understood as a dishonest scheme or trick used to cheat someone out of something, usually money.
- d. The concept of 'identity theft' is intended to cover acquiring the personal identification information or accreditation of an individual in order to use it as an alternative identity.
130. Subsection 26X(6) makes it clear that the declaration can impose different requirements in relation to kinds of personal information, entities or classes of entities, and purposes or kinds of purposes. The intention of this provision is to provide necessary flexibility to ensure that a declaration can be tailored to the circumstances of the data breach.
131. Subsection 26X(7) notes that the declaration may specify additional conditions. For example, a declaration may specify a particular manner in which sensitive information must be transferred or stored to ensure security risks are addressed.
132. Subsection 26X(8) notes that in making the declaration, the Minister may consult any person or body, including the Information Commissioner and the Director-General of the Australian Signals Directorate.
133. Depending on the circumstances of the eligible data breach, the Minister may consult, for example:
- a. the Information Commissioner to assist the Minister with understanding:
  - i. particular privacy considerations when making a declaration, and
  - ii. the scale and seriousness of the eligible data breach, as the Information Commissioner will have been notified by an entity under section 26WK about the eligible data breach,
- b. the National Cyber Security Coordinator, who is responsible for the coordination of responses to major cyber incidents, whole of government cyber incident preparedness efforts and strengthening of Commonwealth cyber security capability, and
- c. Government agencies who have a role in facilitating the Government's response to data breaches.
134. Subsection 26X(9) ensures the Information Commissioner can disclose information to the Minister for the purposes of the Minister's consultation on the making of a declaration.
135. Subsection 26X(10) makes it clear that a declaration is a legislative instrument, and notes that the instrument is not subject to disallowance under section 42 of the Legislation Act 2003. It is necessary to exempt the instrument from disallowance to ensure that decisive action can be taken in the event of an eligible data breach. This will establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the declaration. Without an exemption, entities may be discouraged from disclosing information where this may be time critical to prevent or reduce harm to individuals at risk from the eligible data breach.
136. Further, a declaration has safeguards in the development process including:
- a. the Minister must be satisfied that the making of the declaration is necessary or appropriate to prevent or reduce harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from an eligible data breach, and
- b. the declaration cannot be in force for longer than 12 months.
137. Section 26XA provides that the declaration ceases to be in force at the earliest of either the time specified in the declaration, the time a declaration is repealed, or 12 months from the commencement of a declaration.
138. Subsection 26XB(1) authorises an entity to collect, use or disclose personal information about an individual if the entity reasonably believes that the individual may be at risk from the eligible data breach, and the collection, use or disclosure is in accordance with the declaration. Section 26WB sets out that an entity for the purposes of Part IIIC includes a person who is a file number recipient.
139. While a declaration authorises collection, use or disclosure, it is intended that the APPs otherwise govern the handling of the personal information for APP entities. For example, under APP 11 entities must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure.
140. Subsection 26XB(2) ensures that an entity is not liable for contravening a secrecy provision by using or disclosing personal information, where it is authorised to do so by subsection 26XB(1), unless the secrecy provision is a designated secrecy provision (as outlined in subsection 26XB(6)). As with emergency declarations, overriding secrecy provisions is necessary to ensure information sharing can occur in accordance with the terms of a declaration in order to prevent or reduce the risk of harm.
141. Subsection 26XB(3) ensures that an entity is not liable for contravening a duty of confidence in respect of disclosing personal information, where it is authorised to do so by subsection 26XB(1). This includes, for example, a contractual obligation of confidence arising from a contract or an equitable obligation of confidence.
142. Subsection 26XB(4) ensures that an entity does not breach an APP, a registered APP code that binds the entity or a rule issued under section 17 (rules relating to tax file number information) in respect of the collection, use or disclosure of personal information, where it is authorised to do so by subsection 26XB(1).
143. Subsection 26XB(5) ensures that collection, use or disclosure of personal information can only occur by an officer or employee of an agency who is authorised to do so.
144. Subsection 26XB(6) outlines designated secrecy provisions for the purposes of subsection 26XB(2). Entities that use and disclose personal information as authorised under subsection 26XB(1) will not be in breach of secrecy provisions, unless it is a designated secrecy provision. This recognises that it would not be appropriate to override secrecy provisions relating to particular intelligence agencies, and certain intelligence collection and analysis activities. Intelligence agencies are also exempt from the Privacy Act by virtue of paragraph 7(1)(f).
145. Paragraphs 26XB(6)(g) and (h) provide that the regulations may prescribe further Commonwealth laws that should be considered 'designated secrecy provisions'. This provides flexibility to prescribe any further Commonwealth laws, if identified, for which it would not be appropriate to remove liability for contravening a secrecy provision in respect of a use or disclosure of personal information.
146. Subsection 26XB(6) defines 'secrecy provision'. The definition is intended to be broad and include any provision of a Commonwealth law (including a provision of the Privacy Act) that prohibits or regulates the use or disclosure of personal information, whether the provision relates to the use or disclosure of personal information generally or in specified circumstances, such as in taxation records. The term should not be confined by reference to the use of the term 'secrecy provision' in other legislation or any definition of 'secrecy provision' that might apply in other legislation.
147. Section 26XC creates an offence for unauthorised secondary disclosures. A secondary disclosure occurs when a person to whom personal information has been disclosed under Division 5 of Part IIIC subsequently discloses that information. The penalty applying to this offence is 60 penalty units or one year imprisonment, or both.
148. Subsection 26XC(2) authorises secondary disclosure of personal information received under Division 5 of Part IIIC in prescribed circumstances. The offence provision therefore does not apply to those disclosures. The disclosures that are permitted are those:
- a. a disclosure made by an APP entity permitted by an APP, a registered APP code that binds the entity or a rule pertaining to tax file number information issued under section 17,
- b. a disclosure for the purposes of carrying out a State's constitutional functions, powers or duties,
  - i. This ensures the offence does not prohibit States or state officers from disclosing information that is necessary for the performance of State constitutional functions or functions that are inherently connected to the government of the State.
  - ii. The relevant State privacy protections (if any) would apply to the further use and disclosure of the information by the State.
- c. a disclosure for the purposes of obtaining or providing legal advice in relation to the operation of Division 5, Part IIIC,
  - i. For example, this would allow an entity to seek legal advice on either the operation of the declaration or in relation to a contravention of the offence in subsection 26XC(1).
- d. a disclosure authorised by the declaration under s26XB,
- e. a disclosure made with the consent of the individual to whom the information relates,
- f. a disclosure made to the person to whom the information relates,
- g. a disclosure made to a court, and
- h. a disclosure prescribed by the regulations.
149. The Note to subsection 26XC(2) makes it clear that a defendant bears the evidential burden of establishing any of the matters in subsection 26XC(2). The details of the evidential burden are contained in subsection 13.3(3) of the Criminal Code. It is appropriate for the defendant to bear the onus of proving these matters as they are matters that, by their nature, are peculiarly within the knowledge of the defendant.
150. Subsection 26XC(3) makes it clear that a disclosure of personal information covered by subsection 26XC(2) is authorised.
151. Subsection 26XC(4) is intended to ensure that, for the purposes of paragraph 26XC(2)(g), a court includes any tribunal, authority or person having power to require the production of documents or the answering of questions.
152. Section 26XD(1) ensures that Division 5 of Part IIIC has a broad operation and is not limited by any other secrecy provision in a law of the Commonwealth unless that secrecy provision expressly excludes the operation of section 26XD. The effect of subsection 26XD(1) is to avoid any possible doubt about how a secrecy provision (other than a designated secrecy provision) operates when a declaration is in force by giving priority to the provisions of Division 5 Part IIIC that authorise the collection, use or disclosure of personal information.
153. Subsection 26XD(1) also reflects that if Parliament intends to exempt a secrecy provision from the operation of Division 5 of Part IIIC, then Parliament must expressly indicate an intention to exclude the operation of section 26XD (or designate the secrecy provision under s26XB(6)).
154. Subsection 26XD(2) makes it clear that Division 5 of Part IIIC is intended only to permit, and not to compel, persons, agencies or organisations to collect, use or disclose personal information.
155. Subsection 26XD(3) defines 'secrecy provision', mirroring the definition in subsection 26XB(6).
156. Section 26XE provides the constitutional basis of Division 5 of Part IIIC. It clarifies that the Act relies on the Commonwealth's legislative powers under section 51(xxix) of the Constitution to give effect to Australia's obligations under the ICCPR.
157. In particular, the Division implements Australia's obligations under Article 17 of the ICCPR by providing legal protection against arbitrary or unlawful interferences with privacy. This is because the effect of making an eligible data breach declaration is to protect an individual from risks of harm relating directly to the misuse of their compromised personal information following an eligible data breach.
158. Section 26XF is an additional operation provision, intended to ensure that Division 5 of Part IIIC is given the widest possible operation consistent with Commonwealth constitutional legislative power.
159. Section 26XG clarifies that the additional operation provision contained in section 12B of the Act does not apply in relation to Division 5 of Part IIIC. Division 5 of Part IIIC has a wider operation than that contemplated by section 12B. Section 12B provides that the Privacy Act would have additional effect in relation to the activities of 'regulated entities', however Division 5 of Part IIIC applies more broadly to entities that are not regulated entities.
160. Section 26XH is a constitutional compensation provision (also referred to as a historic shipwrecks clause). Section 26XH provides that if the operation of Division 5 Part IIIC would result in an acquisition of property from a person otherwise than on just terms, the Commonwealth is liable to pay a reasonable amount of compensation to the person, including by the person instituting recovery proceedings in a court of competent jurisdiction. The purpose of section 26XH is to avoid contravening s 51(xxxi) of the Constitution, which provides that the Commonwealth has legislative power for the acquisition of property from any State or person only if the acquisition is on just terms. However, it is not expected that any provisions in Division 5 would result in an acquisition of property within the meaning of that expression in the Constitution.
Item 44 - Application of amendments
161. This item notes that Division 5 of Part IIIC applies in relation to eligible data breaches that happen on or after the commencement of this Part; and information collected, used or disclosed after the commencement of this Part, regardless of whether the information was acquired or created before or after that commencement.
Part 8 - Penalties for interference with privacy
Items 45, 46, 47 and 48 - consequential amendments
162. These items make consequential amendments to the Data Availability and Transparency Act 2022, Digital ID Act 2024 and Identity Verification Services Act 2023.
163. The consequential amendments in these items address references to section 13G in other Acts to also include the civil penalty in new section 13H.
- a. Items 45 and 46 make consequential amendments to sections 16F(1)(b) and 16F(3) of the Data Availability and Transparency Act 2022 to include a reference to section 13H of the Privacy Act.
- b. Item 47 makes a consequential amendment to paragraphs 37(2)(b) and 38(1)(b) of the Digital ID Act 2024 to include a reference to section 13H of the Privacy Act.
- c. Item 48 makes a consequential amendment to paragraph 10A(2)(b) of the Identity Verification Services Act 2023 to include a reference to section 13H of the Privacy Act.
164. For the avoidance of doubt, the civil penalties in section 13G and new section 13H may apply where an Act contains a provision that states a contravention is taken to be an interference with the privacy of an individual under section 13 of the Privacy Act, regardless of whether the provision explicitly refers to section 13G and new section 13H. This includes (but is not limited to) section 157 of the Personal Properties Security Act 2009 and section 35L of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
Item 49 - Section 13G (heading)
165. Item 49 repeals and replaces the heading of section 13G to state 'civil penalty provision for serious interference with privacy of an individual'. This removes the reference to 'and repeated' in the previous heading.
Item 50 - Subsection 13G(1)
166. Item 50 repeals and replaces section 13G(1). An entity contravenes subsection 13G(1) if the entity does an act, or engages in a practice, that is an interference with the privacy of an individual, and the interference with privacy is serious.
167. For the avoidance of doubt, an interference with privacy under paragraph 13G(1) is not limited to a single act or practice. It may be relevant to consider multiple acts or practices when determining if an interference with privacy is serious.
168. The Note to subsection 13G(1) outlines that the court may determine that an entity has contravened section 13H if the court is satisfied the act or practice was an interference with the privacy of one or more individuals but is not satisfied it was serious.
Item 51 - After subsection 13G(1A)
169. Item 51 inserts subsection 13G(1B) which sets out matters to which the court may have regard when determining whether an interference is serious:
- a. the particular kind or kinds of information involved in the interference with privacy (paragraph 13G(1B)(a));
- b. the sensitivity of the personal information of the individual (paragraph 13G(1B)(b)), where this may relate to 'sensitive information' as defined in section 6(1) of the Privacy Act, or other information that would be considered 'sensitive' according to the ordinary meaning of the term;
- c. the consequences, or potential consequences, of the interference with privacy for the individual (paragraph 13G(1B)(c));
- d. the number of individuals affected by the interference with privacy (paragraph 13G(1B)(d));
- e. whether the individual affected by the interference with privacy is a child or person experiencing vulnerability (paragraph 13G(1B)(e));
- f. whether the act was done, or the practice engaged in, repeatedly or continuously (paragraph 13G(1B)(f));
- g. whether the contravening entity failed to take steps to implement practices, procedures and systems to comply with their obligations in relation to privacy in a way that contributed to the interference with privacy (paragraph 13G(1B)(g)); and
- h. any other relevant matter (paragraph 13G(1B)(h)).
170. The list in section 13G(1B) is not intended to be exhaustive and other matters may be relevant to determining whether an interference with privacy is serious.
Items 52, 53, 54 and 55
171. Items 52 to 55 are minor amendments to introduce subheadings for provisions in section 13G. These amendments do not change the calculation of the maximum pecuniary penalty under section 13G.
- a. Item 52 inserts the subheading 'maximum pecuniary penalty' before subsection 13G(2).
- b. Item 53 replaces the term 'greater' with 'greatest' in subsection 13G(3).
- c. Item 54 inserts the subheading 'meaning of adjusted turnover' before subsection 13G(5).
- d. Item 55 inserts the subheading 'meaning of breach turnover period' before subsection 13G(7).
Item 56 - At the end of Division 1 of Part III
172. Item 56 introduces new sections 13H, 13J and 13K.
173. An entity would contravene subsection 13H(1) if the entity does an act, or engages in a practice, that is an interference with the privacy of an individual. Interferences with privacy are defined in section 13 of the Act. This penalty covers instances where an interference with privacy warrants enforcement action but may not meet the serious threshold contained in section 13G.
174. Subsection 13H(2) makes it clear that subsection 13H(1) is a civil penalty provision. The note outlines that section 80U of the Privacy Act deals with civil penalty provisions.
175. Subsection 13H(3) sets out the maximum penalty payable by a person for a breach of subsection 13H(1), which is 2,000 penalty units. The maximum penalty for bodies corporate is five times the amount specified for a person (see subsection 82(5) of the Regulatory Powers Act).
176. This maximum penalty amount is to deter privacy breaches and meet increasing community expectations for meaningful privacy protection. The penalty amount is intended to account for potential commercial gains that entities may obtain through acts or practices that interfere with privacy, to ensure entities are not able to absorb civil penalties as a cost of doing business. For example, an APP entity may obtain a commercial gain, or achieve a competitive advantage, by using or disclosing personal information for a secondary purpose in breach of APP 6.
177. Section 13J applies in proceedings for a contravention of section 13G where the court is satisfied there has been an interference with privacy, however is not satisfied that it was serious. It allows the courts to determine in the alternative there has been a contravention of section 13H and make appropriate orders.
178. For the avoidance of doubt, section 13J would not limit the Information Commissioner's discretion to seek a civil penalty through both section 13G and section 13H in relation to an act or practice. For example, an act or practice affecting a large group of individuals may be a contravention of section 13G in relation to one cohort of those individuals, and a contravention of section 13H in relation to a separate cohort of those individuals (because the consequences of the contravention may not be as serious).
179. Section 13K introduces new civil penalty provisions for breaches of specific obligations in the APPs and non-compliant eligible data breach statements. These would be subject to an infringement notice scheme under section 80UB. These civil penalties have a lower maximum penalty amount than section 13H and target specific obligations of an administrative nature, where a contravention can be easily established. Examples include an APP entity failing to have an APP privacy policy or not including the requisite information in an APP privacy policy.
180. An entity would contravene subsection 13K(1) if the entity breaches any of the following APPs:
- a. APP 1.3 - failure to have a clearly expressed and up-to-date APP privacy policy;
- b. APP 1.4 - failure to include the required information in an APP privacy policy;
- c. APP 2.1 - failure to provide individuals with the option to not identify themselves when dealing with the entity;
- d. APP 6.5 - failure to make a written note of a use or disclosure under APP 6.2(e);
- e. APP 7.2(c) or 7.3(c) - failure to provide a simple means by which the individual may easily opt out of marketing communications;
- f. APP 7.3(d) - failure to make a prominent statement or otherwise draw attention to an individual's ability to opt out of marketing communications;
- g. APP 7.7(a) - failure to give effect to a request to opt out of marketing communications within a reasonable period;
- h. APP 7.7(b) - failure to notify of the source of information upon request within a reasonable period;
- i. APP 13.5 - failure to deal with a request for correction under APP 13.1 or associate a statement under APP 13.4 within specified timeframes; or
- j. any other APP prescribed by the regulations.
181. The Note to subsection 13K(1) clarifies that if an APP entity's conduct contravenes one or more of the civil penalty provisions in section 13K, it would be open to the Information Commissioner to seek a civil penalty through sections 13H or 13G. This might be appropriate if the consequences of the contravention are significant. For example, where a breach of privacy obligations in APP 7 affects a large number of individuals, this contravention may instead be considered an interference with the privacy of an individual under paragraph 13(1)(a).
182. An entity will contravene subsection 13K(2) if it prepares an eligible data breach statement under section 26WK but the statement does not contain all of the information required under subsection 26WK(3). For example, the prepared statement does not include any recommendations about the steps that individuals should take in response to the eligible data breach.
183. Subsection 13K(3) makes it clear that subsections 13K(1) and (2) are civil penalty provisions. The Note outlines that section 80U of the Privacy Act deals with civil penalty provisions.
184. Subsection 13K(4) sets out the maximum penalty payable by a person for a breach of subsections 13K(1) and (2), which is 200 penalty units. The maximum penalty for bodies corporate is five times the amount specified for a person (see subsection 82(5) of the Regulatory Powers Act), which is 1,000 penalty units. This penalty amount is substantially lower than the maximum civil penalty amount for contraventions of section 13H, which reflects their intended application to less serious contraventions of the Privacy Act.
Item 57 - Subsection 80UB(1)
185. Infringement notices provide a more convenient and efficient means to address contraventions of provisions as set out in paragraphs 80UB(1)(a) and (b). They encourage enforcement of obligations, and compliance by entities with their obligations, without the additional time, cost and resources involved in litigation of civil penalty proceedings. At the time of introduction of this Bill, the Information Commissioner could only issue an infringement notice under the Privacy Act in relation to the civil penalty provision in subsection 66(1) for failure to give information.
186. Item 57 repeals and replaces subsection 80UB(1) to enable the Information Commissioner also to issue infringement notices in relation to the civil penalty provisions in subsections 13K(1) and 13K(2). It is appropriate for these provisions to be subject to an infringement notice as they deal with less serious contraventions of the Privacy Act that can be established through straightforward, factual circumstances.
187. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate.
188. Subsections 80UB(1A) and 80UB(1B) modify the calculation amount for infringement notices issued to publicly listed corporations. If an infringement notice relates to one alleged contravention of subsection 13K(1) or (2) then the amount to be stated in the infringement notice will be 200 penalty units. If the infringement notice relates to more than one alleged contravention then the amount to be stated will be 200 penalty units multiplied by the number of alleged contraventions. It is appropriate that the infringement notice amount is higher for alleged contraventions by publicly listed corporations, as the standard amount for infringement notices calculated under the Regulatory Powers Act will not be a suitable deterrence for large entities.
Item 58 - Application of amendments
189. The amendments to section 13G apply in relation to acts done, or practices engaged in, after the commencement of this item.
190. The new sections 13H, 13J and 13K, and the amendments to section 80UB apply in relation to acts done, or practices engaged in, after the commencement of this item.
Part 9 - Federal court orders
Item 59 - At the end of Division 1 of Part VIB
191. Item 59 inserts section 80UA, which provides that the Federal Courts may make any orders in civil penalty proceedings where a contravention of a civil penalty provision under the Privacy Act has been established.
192. Subsection 80UA(1) provides the FCFCOA the power to make any order it sees fit in proceedings if the Court has determined, or will determine, under the Regulatory Powers Act that an entity has contravened a civil penalty provision of the Privacy Act (other than those contained in Part IIIA).
193. Subsection 80UA(2) provides a non-exhaustive list of examples of orders that the Courts may make under subsection 80UA(1):
- a. an order directing the entity to perform any reasonable act, or carry out any reasonable course of conduct, to redress the loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention;
- b. an order directing the entity to pay damages to any individual by way of compensation for any loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention;
- c. an order directing the entity to engage, or not to engage, in any act or practice to avoid repeating or continuing the contravention; and
- d. an order directing the entity to publish, or otherwise communicate, a statement about the contravention.
194. The examples of orders in section 80UA(2) are intended to clarify that the Courts are empowered to make certain types of orders without limiting the Courts' discretion to make any orders that it considers appropriate in the circumstances of the case.
195. Subsection 80UA(3) clarifies that the Court is not required to have made a pecuniary penalty under subsection 82(3) of the Regulatory Powers Act before it may make an order under subsection 80UA(1).
196. Subsection 80UA(4) provides the circumstances where the Court may exercise its power under 80UA(1), including:
- a. on its own initiative, during proceedings before the Court; and
- b. on application, made within the period of 6 years of the contravention, by an individual who has suffered, or is likely to suffer, loss or damage as a result of the contravention, or by the Information Commissioner.
197. Subsection 80UA(5) clarifies that if the Court makes an order that the entity pay an amount to the person, the person may recover the amount as a debt due to the person.
Item 60 - Application of amendments
198. Item 60 notes the insertion of new section 80UA applies in relation to proceedings instituted after the commencement of this Part, whether the contravention to which the proceedings relate is alleged to have occurred before, on or after that commencement.
Part 10 - Commissioner to conduct public inquiries
199. Part 10 of this Bill provides the Information Commissioner with a new power to conduct public inquiries into specified matters relating to privacy on the direction or approval of the Minister.
Items 61 and 62 - Subsections 33(1) and 33(3)
200. Items 61 and 62 amend subsections 33(1) and 33(3) (Exclusion of certain matters from reports) respectively to include reports on public inquiries, to reflect the insertion of paragraph 33J(4)(b) (see Item 63).
Item 63 - After Division 3A of Part IV
201. Item 63 inserts Division 3B, which includes sections 33E to 33J.
202. Section 33E(1) provides for the Minister to give a direction or approval in writing for the Information Commissioner to conduct a public inquiry into a specified matter or specified matters relating to privacy.
203. Section 33E(2) requires the Minister to specify, in a direction or approval, the acts or practices and the types of personal information in relation to which the public inquiry is to be held. The Minister must specify both of these matters.
204. Section 33E(3) sets out additional matters that the Minister may specify in a direction or approval, including:
- a. the date by which the public inquiry is to be completed (33E(3)(a));
- b. any directions in relation to the manner in which the public inquiry is to be conducted (33E(3)(b));
- c. one or more APP entities that are to be the subject of the inquiry (33E(3)(c));
- d. one or more classes of APP entities that are to be the subject of the inquiry (33E(3)(d)); and
- e. any other matters to be taken into consideration in the public inquiry (33E(3)(e)).
205. For example, the Minister may direct the Information Commissioner to conduct a public inquiry that examines processes that APP entities have in place to ensure the appropriate handling of personal information within a specific sector or industry identified to have heightened privacy risks or vulnerabilities.
206. Subsection 33E(4) enables the Minister to vary a direction or approval. For example, the Minister may vary a direction to extend the date by which the inquiry is to be completed.
207. Subsection 33E(5) requires the Information Commissioner to conduct the public inquiry in accordance with a direction or approval from the Minister.
208. Subsection 33E(6) enables the Information Commissioner to conduct the inquiry in such manner as the Information Commissioner sees fit, subject to any directions on the conduct of inquiries that are contained within the Minister's direction or approval.
209. Subsection 33E(7) makes clear that a public inquiry is not an investigation into a specific act or practice under section 40 nor a preliminary inquiry under section 42.
210. Public inquiries will enable examination of acts or practices that may identify systemic or industry-wide issues. However, there may be circumstances where the Information Commissioner considers it appropriate to take regulatory action in relation to acts and practices examined in a public inquiry. For example, if the Information Commissioner uncovers significant issues of concern and an entity does not appear willing or capable of taking steps to address these concerns, it would be open to the Information Commissioner to commence an investigation into the entity's acts and practices under section 40.
211. Subsection 33E(8) is merely declaratory of the law, and included to assist readers and clarify that a direction or approval is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003, as it is administrative in character.
212. Section 33F provides that the Information Commissioner may invite submissions from particular individuals or organisations or the public on matters that are the subject of a public inquiry. For example, the Information Commissioner may wish to invite industry and civil society groups, experts and academics to make written submissions to a public inquiry to better understand the effectiveness or risks of certain privacy practices. The Note to section 33F makes clear that the Information Commissioner may require submissions to be in writing.
213. Section 33G provides that the Information Commissioner is not bound by the rules of evidence in the gathering of information and may inform themselves on any matter in such manner as the Information Commissioner thinks fit. It is appropriate that the Information Commissioner has flexible fact-finding procedures and is not subject to the technical rules of evidence required of the courts, as public inquiries are not formal investigations into specific contraventions of the Privacy Act.
214. Section 33H provides that the information-gathering powers available to the Information Commissioner under sections 44 and 45 apply to public inquiries in the same way as they apply to an investigation under Part V of this Act.
215. It would not be appropriate for the full suite of powers available for investigations under Part V to apply to public inquiries. To ensure the Information Commissioner's powers are appropriately limited, section 33H will enable the Information Commissioner to only use the following powers for the purposes of conducting a public inquiry:
- a. the power to require a person, through a written notice, to give information or produce a document if the Information Commissioner has reason to believe that the person has information or a document relevant to the public inquiry;
- b. the power to require a person, through a written notice, to attend before the Information Commissioner and answer questions relevant to a public inquiry if the Information Commissioner has reason to believe that a person has information relevant to a public inquiry; and
- c. the power to administer an oath or affirmation to a person required to attend before the Information Commissioner and examine that person under oath or affirmation.
216. The provisions relevant to the exercising of the above powers in subsections 44(2)-(2A) and 44(4)-(5) would also apply, including:
- a. the requirement that written notices must state the place and time at which, or period within which, the information or document must be given to the Information Commissioner;
- b. the ability for the Information Commissioner to take possession of, and make copies or take extracts from, documents it has received, and also:
  - i. retain possession of the documents for any period that is necessary for the conduct of the public inquiry, and
  - ii. permit a person who would be entitled to inspect the documents, were they not in the Information Commissioner's possession, to do so at all reasonable times;
- c. the Information Commissioner must not issue a written notice where the Attorney-General has furnished to the Information Commissioner a certificate under section 70 certifying that the giving to the Information Commissioner of information concerning a specified matter, or the production to the Information Commissioner of a specified document or other record, would be contrary to the public interest; and
- d. where a person complies with a written notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.
217. The penalties in section 65 and section 66 would apply for failure to attend before the Information Commissioner and failure to give information where required, subject to the existing safeguards in those sections. This will ensure that persons who receive a written notice from the Information Commissioner under section 44 will cooperate to provide relevant information and documents needed for a public inquiry. This will ensure that public inquiries are thorough and informed, and not limited only to information that is publicly available.
218. Note 1 to section 33H provides that other provisions in this Act may apply on their own terms to public inquiries including section 33B. Section 33B provides arrangements for the Information Commissioner to disclose information acquired by the Information Commissioner in the course of exercising powers or performing functions or duties under this Act, including conducting public inquiries, if the Information Commissioner is satisfied it is in the public interest to do so. For example, the Information Commissioner may publish submissions it has received in relation to a public inquiry. This will ensure the public is informed about matters or issues being raised by key stakeholders.
219. Further, the following provisions apply to information given to the Information Commissioner where required under this Act, including under new section 33H:
- a. section 64 (protection of the Information Commissioner or persons from liability in the exercise of powers or authority under this Act);
- b. section 47 (protection from civil liability for providing a document or information to the Information Commissioner); and
- c. section 70 (information covered by the Attorney-General's certificate not required to be disclosed to the Information Commissioner).
220. Subsection 33J(1) requires the Information Commissioner to prepare and provide a written report to the Minister after completing a public inquiry.
221. If the direction or approval by the Minister specified any APP entity to be the subject of the public inquiry, subsection 33J(2) requires the Information Commissioner to also send a copy of the written report to the specified APP entity on the day on which it gives the Minister the report. This will ensure that the APP entity is informed of any of the Information Commissioner's opinions, findings or recommendations that are attributable to the APP entity at the same time as the Minister.
222. Subsection 33J(3) provides that an inquiry report may include findings and recommendations in relation to any matter included in the report.
223. Subsection 33J(4) provides that the following matters must not be included in the inquiry report:
- a. any finding or recommendation that a specific act or practice is an interference with the privacy of an individual, or
- b. any matter which the Information Commissioner thinks it is desirable to exclude under section 33.
224. This is appropriate as the purpose of a public inquiry is not to investigate whether a specific act or practice is an interference with the privacy of an individual. A report must not include any matter the Information Commissioner considers it desirable to exclude under section 33, having regard to the needs set out in subsection 33(2), such as preventing prejudice to the security, defence or international relations of the Commonwealth or preventing the unreasonable disclosure of confidential commercial information or personal affairs of any person. In preparing the inquiry report, the Information Commissioner would be responsible for achieving the appropriate balance between excluding matters from a report to meet the need in subsection 33(2) and the desirability of ensuring that the public is sufficiently informed of the opinions, findings or recommendations of the report.
225. If the Information Commissioner excludes a matter from an inquiry report, the Information Commissioner will be required to give to the Minister a report setting out the excluded matter with reasons for their exclusion (see subsection 33(4)).
226. The Note to subsection 33J(4) clarifies that this subsection does not prevent the Information Commissioner from including in the inquiry report any previously made findings or recommendations in earlier investigations finalised by the Information Commissioner.
227. Subsection 33J(5) requires the Minister to table a copy of the report before each House of the Parliament within 15 sitting days of that House after the day on which the Minister receives the report. This would ensure there is a permanent, public record of inquiry reports by the Information Commissioner. The requirement to table the report within 15 sitting days ensures that tabling occurs in a timely manner, while also allowing sufficient time for the Minister to consider the report prior to tabling.
228. Subsection 33J(6) requires the Information Commissioner to make a copy of the inquiry report publicly available, unless otherwise directed by the Minister. For example, the report might be published on the Information Commissioner's website. The Minister may exercise their discretion to require that the report not be immediately published to allow sufficient time for the Minister to consider the report prior to it being published. Ultimately, the inquiry report will be made public as it must be tabled in Parliament (see subsection 33J(5)).
229. The Note to subsection 33J(6) clarifies in the context of reporting on public inquiries that the Information Commissioner has the power under section 33B to disclose information acquired by the Information Commissioner in the course of exercising powers or performing functions or duties under this Act, including conducting public inquiries, if the Information Commissioner is satisfied it is in the public interest to do so. For example, the Information Commissioner may publish information about an ongoing public inquiry through an interim report. This would ensure the public is informed about the progress of an inquiry and the matters being considered by the Information Commissioner, and enable further meaningful contributions (such as additional submissions) if requested by the Information Commissioner.
Item 64 - Application of amendments
230. Item 64 provides that Division 3B of Part IV, as inserted by this Part, applies in relation to public inquiries commenced on or after the commencement of this Part, whether the matter to which the inquiry relates arose before or after that commencement.
Part 11 - Determinations following investigations
Items 65 and 66 - subparagraph 52(1)(b)(ii) and paragraph 52(1A)(c)
231. The Information Commissioner has the power to make a determination under section 52 after investigating a complaint or after an Information Commissioner-initiated investigation. The determination may include a declaration requiring the respondent to take steps or perform certain actions, including to perform any reasonable act or course of conduct to redress any loss or damage suffered as a result of an interference with privacy or breach (see section 52(1)(b)(ii) and section 52(1A)(c)).
232. Items 65 and 66 amend section 52(1)(b)(ii) and section 52(1A)(c) to provide that a declaration may also require a respondent to perform any reasonable act or course of conduct to prevent or reduce any reasonably foreseeable loss or damage that is likely to be suffered.
233. These amendments enable the Information Commissioner to also require in a declaration under these provisions that a respondent must proactively identify any reasonably foreseeable consequences of a breach and take reasonable steps to mitigate these.
Item 67 - Application of amendments
234. This item provides that the amendments to section 52 apply in relation to determinations made after the commencement of this Part.
Part 12 - Annual reports
Items 68 and 69
235. Item 68 and Item 69 amend sections 32(1)(a) and 32(1)(b) of the Australian Information Commissioner Act 2010 to clarify the relevant reporting period for these privacy matters to be covered in the annual report, and to ensure consistent terminology with the reporting period defined in new paragraphs 32(1)(c) and 32(1)(d) (see Item 70).
Item 70
236. Item 70 inserts new sections 32(1)(c) and 32(1)(d) in the Australian Information Commissioner Act 2010 to require the Information Commissioner to include the following privacy matters when preparing an annual report for the purposes of section 30:
- a. a statement including details about the number of complaints made under section 36 of the Privacy Act 1988 during the year; and
- b. a statement including details about the number of complaints made under section 36 of the Privacy Act 1988 in relation to which the Information Commissioner has decided during the year under section 41 of that Act not to investigate, or not to investigate further, and the relevant grounds for the decision.
237. Additional reporting on the number of privacy complaints received, and details on what grounds the Information Commissioner has relied on when deciding not to investigate complaints under section 41 of the Privacy Act, will increase transparency and assist regulated entities and individuals to better understand how privacy complaints are being handled. These statements would not provide detailed information about individual complaints.
Item 71
238. Item 71 provides that the amendments to section 32 of the Australian Information Commissioner Act 2010 apply in relation to an annual report for a period beginning after the commencement of this Part.
Part 13 - External dispute resolution
Item 72
239. Item 72 amends paragraph 41(1)(dc) to enable the Information Commissioner to decide not to investigate a complaint that has been dealt with by a recognised external dispute resolution scheme.
240. This expands on the existing ground in paragraph 41(1)(dc), which applies where the act or practice is being dealt with by a recognised external dispute resolution scheme, and enables the Information Commissioner to also decide not to investigate a complaint if the Information Commissioner is satisfied that the act or practice has already been dealt with by a recognised external dispute resolution scheme.
Item 73
241. Item 73 notes the amendment of section 41 applies in relation to any complaint made:
- a. before the commencement of this Part, if the complaint has not been finalised by the Information Commissioner by that commencement; and
- b. after the commencement of this Part.
Part 14 - Monitoring and investigation
242. The Information Commissioner has a range of monitoring, assessment and investigation powers under the Privacy Act. This includes the power in section 68 enabling an authorised person to enter premises occupied by an agency, organisation, file number recipient, credit reporting body or credit provider to inspect any documents that are kept at those premises and are relevant to the performance of the Information Commissioner's functions under the Privacy Act, other than documents in respect of which the Attorney-General has furnished a certificate under section 70. This can occur:
- a. without consent, if the occupier of the premises is an agency; or
- b. with consent or pursuant to a warrant if the occupier of the premises is not an agency, provided the member of staff can produce their identity card upon request.
243. This is a wide entry and inspection power, exercisable for the purposes of inspecting any documents kept at the premises for the purposes of the performance by the Information Commissioner of any of their functions under the Privacy Act. This includes (but is not limited to) investigations under Part V of the Privacy Act, monitoring functions in section 28A and assessment functions in section 33C of the Privacy Act.
244. This Part amends the Privacy Act to apply the standard monitoring and investigation powers contained in Part 2 and Part 3 of the Regulatory Powers Act through new Division 1AB and 1AC of Part VIB. These powers include entry, search and seizure powers that would complement the Information Commissioner's existing powers in the Privacy Act, including Part V (except for sections 68 and 68A) and section 33C.
245. As a result, the Information Commissioner's existing entry and inspection powers in sections 68 and 68A would be repealed.
246. The Regulatory Powers Act provides for a standard suite of provisions in relation to monitoring and investigation powers. Bringing the Information Commissioner's regulatory powers in line with the standard provisions would provide additional powers and greater safeguards to ensure they are robust and align with best practice. Additionally, ensuring uniformity with the standard provisions would bring the Information Commissioner's powers in line with comparable domestic regulators, and increase legal certainty for entities and individuals who are subject to those powers.
Items 74, 75, 76, 77, 78, 79, 80 and 81 - Consequential amendments
247. In addition to the Privacy Act, there are other Acts that confer functions to the Information Commissioner that are supported by monitoring, assessment and investigation powers.
248. The Bill would make necessary consequential amendments to other Acts that enliven the Information Commissioner's investigation powers within those Acts by applying provisions of the regulatory regime in the Privacy Act.
249. These amendments would ensure that any references to the regulatory regime of the Privacy Act, which trigger the standard investigation and monitoring powers of the Regulatory Powers Act, remain accurate.
250. Consequential amendments are required to the Competition and Consumer Act 2010, Crimes Act 1914, Data-matching Program Act and National Health Act 1953, which currently enliven the Information Commissioner's existing entry and inspection power under those Acts by applying section 68 or Part V (which includes section 68) of the Privacy Act. These consequential amendments reflect that the Information Commissioner is able to exercise powers in relation to those Acts through new Division 1AB and 1AC of Part VIB of the Privacy Act.
Competition and Consumer Act 2010
251. As outlined by section 56ET of the Competition and Consumer Act 2010, the Information Commissioner has responsibility for investigating breaches of the CDR privacy safeguards, consumer data rules that relate to the privacy safeguards or the privacy or confidentiality of CDR data, and particular sections of the Privacy Act that apply in relation to CDR data.
252. The Information Commissioner's powers to investigate complaints are enlivened through subsections 56ET(3) and (4) of the Competition and Consumer Act 2010, which apply the Information Commissioner's powers in Part V (including section 68, which would be repealed) of the Privacy Act with modifications.
253. Item 74 amends the Note to subsection 56ET(3) of the Competition and Consumer Act 2010 to state that the Information Commissioner also has the power under Division 1AC of Part VIB (see subparagraph 80TD(1)(b)(iv)) of the Privacy Act to investigate contraventions of civil penalty provisions in Division 5 of Part IVD.
254. Item 75 repeals Item 5 of the table in subsection 56ET(4) of the Competition and Consumer Act 2010, as this relates to subsection 68(1) of the Privacy Act, which will be repealed. The modifications to the Information Commissioner's investigation powers that are exercisable in relation to a civil penalty provision that is enforceable by the Information Commissioner under Division 5 of Part IVD of the Competition and Consumer Act 2010 are now contained in subsection 80TE(2) of the Privacy Act.
255. Items 76 and 77 amend Note 1 and repeal Note 2 in subsection 56ET(4) to reflect the removal of Item 5 of the table.
Crimes Act 1914
256. As outlined by section 85ZZ of the Crimes Act 1914, the Information Commissioner has responsibility for investigating breaches of the Commonwealth Spent Convictions Scheme in Divisions 2 and 3 of Part VIIC.
257. The Information Commissioner's powers to investigate complaints are enlivened through section 85ZZG of the Act, which applies the Information Commissioner's powers in specified provisions of the Privacy Act (including section 68 which would be repealed).
258. Item 78 removes the reference to section 68 of the Privacy Act in subsection 85ZZG(1) of the Crimes Act 1914, and replaces it with section 67.
259. Item 79 includes a Note at the end of section 85ZZG(1) to state that under subsection 80TB(1) of the Privacy Act, the Information Commissioner has the power to monitor, under the Regulatory Powers Act, compliance with Divisions 2 and 3 of Part VIIC of the Crimes Act 1914.
Data-matching Program (Assistance and Tax) Act 1990
260. As outlined by subsection 13(2) of the Data-matching Program Act, the Information Commissioner has responsibility for investigating any act or practice which might be a breach of the Data-matching Program Act or the rules issued under section 12 of that Act.
261. The Information Commissioner's powers to investigate are enlivened through subsection 13(7) of the Act, which applies the Information Commissioner's powers in Part V (including section 68 which would be repealed) of the Privacy Act.
262. Item 80 inserts a Note to subsection 13(7) of the Data-matching Program Act to state that under paragraphs 80TB(1)(b) and 80TB(3)(b) of the Privacy Act the Information Commissioner has the power to monitor compliance with the Data-matching Program Act, or rules issued under section 12 of that Act.
263. The Note clarifies that under paragraph 33C(1)(d) of the Privacy Act the Information Commissioner may also conduct an assessment of whether the data matching program (within the meaning of the Data-matching Program Act) of an agency complies with Part 2 of the Data-matching Program Act and the rules issued under section 12. Paragraph 80TB(3)(b) of the Privacy Act enables the Information Commissioner to exercise monitoring powers in Part 2 of the Regulatory Powers Act when undertaking these assessments.
National Health Act 1953
264. As outlined by section 135AB of the National Health Act 1953 the Information Commissioner has responsibility for investigating breaches of the privacy rules issued under section 135AA.
265. The Information Commissioner's powers to investigate are enlivened through subsection 135AB(3) of the National Health Act 1953, which applies the Information Commissioner's powers in Part V (including section 68 which would be repealed) of the Privacy Act with such modifications as the circumstances require.
266. Item 81 amends subsection 135AB(3) of the National Health Act 1953 to include that the Information Commissioner's investigation powers in Division 1AC of Part VIB of the Privacy Act apply in addition to Part V. This is because paragraph 80TD(1)(a) of the Privacy Act enables the Information Commissioner to exercise investigation powers in Part 3 of the Regulatory Powers Act to investigate complaints for breaches of the privacy rules issued under section 135AA of the National Health Act 1953. Subsection 135AB(1) provides that a breach of the rules constitutes an act or practice involving interference with the privacy of an individual for the purposes of section 13 of the Privacy Act, and as such is covered by civil penalty provisions in section 13G and 13H.
Item 82 - Subsection 6(1)
267. Item 82 amends subsection 6(1) to insert a definition for a 'member of the staff of the Commissioner', which means a person referred to in section 23 of the Australian Information Commissioner Act 2010. This will ensure consistent application of this term in existing subsection 36(4) and paragraph 80UB(2)(b) and throughout new sections 80TB and 80TD.
Item 83 - Sections 68 and 68A
268. Item 83 repeals sections 68 and 68A, as matters relating to the Information Commissioner's power to enter premises are now contained in Divisions 1AB and 1AC of Part VIB.
Item 84 - Part VIB (heading)
269. Item 84 repeals the heading of Part VIB and substitutes with 'Part VIB-Compliance and enforcement'.
Item 85 - Before Division 1 of Part VIB
270. Item 85 inserts Division 1AA (Introduction), 1AB (Monitoring powers) and 1AC (Investigation powers) in Part VIB.
271. Section 80TA provides a simplified outline of Part VIB to reflect that this Part contains provisions in relation to civil penalties, court orders, monitoring and investigation powers, infringement notices, enforceable undertakings and injunctions.
272. Division 1AB contains provisions to apply Part 2 of the Regulatory Powers Act.
273. Part 2 of the Regulatory Powers Act creates a framework for monitoring compliance with an Act or a legislative instrument. Subsection 7(2) of the Regulatory Powers Act states that, in order for Part 2 of the Regulatory Powers Act to operate, a provision of an Act or legislative instrument must be made subject to monitoring under Part 2 by another Act (a triggering Act). When a triggering Act applies Part 2 of the Regulatory Powers Act, it must identify provisions subject to monitoring, any information or matters subject to monitoring, any related provisions and who is an authorised applicant, authorised person, issuing officer, the relevant chief executive and the relevant court or courts that may exercise powers under Part 2 (see sections 8, 9, 9A, 10, 11, 12, 14, 15 and 16 of the Regulatory Powers Act). The triggering Act must also express whether an authorised person may be assisted by another person (see section 23 of the Regulatory Powers Act), and whether an authorised applicant, authorised person, issuing officer or relevant chief executive may delegate their powers and functions in relation to the provisions. If provisions, matters or information subject to monitoring under the triggering Act apply in external Territories or offshore areas, the triggering Act should identify whether Part 2 of the Regulatory Powers Act extends to any external Territories.
274. Applying the provisions in Part 2 of the Regulatory Powers Act would provide important clarity in relation to how the Information Commissioner's monitoring powers operate in a digital environment and facilitate effective monitoring by the Information Commissioner. Monitoring is an important role of the Information Commissioner and is used to support and facilitate entities' legal and best practice compliance with their privacy obligations and to identify and address privacy risks and harms before they arise.
275. This would also be an expansion to the Information Commissioner's existing entry and inspection powers in section 68. This is appropriate as the following practices, illustrated as examples permitted by the additional powers, would enable more robust and effective monitoring and assessments:
- a. searching the premises and anything on the premises, and inspecting any document on the premises, will assist in circumstances where staff of the Commissioner query whether the target of an assessment or other monitoring has provided originals or true copies of records;
- b. physical observation of practices and the ability to conduct tests can provide evidence of compliance with privacy obligations (such as observing compliance with particular security protocols or processes for destruction of data);
- c. taking still or moving images or recordings on the premises, operating electronic equipment to put relevant data in documentary form and taking copies or extracts for internal records would support the OAIC's decision-making process and development of an evidence base for findings of compliance or non-compliance;
- d. the ability to operate electronic equipment allows for the inspection of ICT systems, interfaces and code, which is relevant to determining whether entities are meeting privacy obligations, given that personal information is usually stored digitally; and
- e. the ability to take equipment and materials onto the premises will facilitate the exercise of other powers (for example, bringing hard drives where data needs to be copied digitally).
276. Subsection 80TB(1) provides the Information Commissioner standard monitoring powers under Part 2 of the Regulatory Powers Act in relation to provisions in:
- a. Divisions 2 and 3 of Part VIIC of the Crimes Act 1914 (pardons, and quashed and spent convictions); and
- b. Part 2 of the Data-matching Program Act or rules issued under section 12 of that Act.
277. The Note to subsection 80TB(1) explains that Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions mentioned in this subsection have been complied with.
278. Subsection 80TB(2) provides the Information Commissioner standard monitoring powers under Part 2 of the Regulatory Powers Act in relation to information given in compliance, or purported compliance, with any of the following provisions:
- a. subsection 26WU(3) (power to obtain information and documents relating to eligible data breaches);
- b. subsection 33C(3) (requirement to provide information relating to an assessment); and
- c. subsection 44(1) (requirement to provide information relating to investigations).
279. The Note to subsection 80TB(2) states that Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the information is correct.
280. Subsection 80TB(3) provides the Information Commissioner with powers under the Regulatory Powers Act when undertaking a monitoring related function in relation to a matter defined in subsection 28A(1) of the Privacy Act, and when undertaking an assessment of a matter defined in subsection 33C(1) of the Privacy Act.
281. The ability to exercise monitoring powers under the Regulatory Powers Act in relation to these matters will facilitate better regulatory awareness of developing situations and potential risks. The ability to monitor or assess these matters supports effective and robust regulatory action by ensuring the efficient direction of resources and allowing early intervention and graduated enforcement to support continued compliance.
282. Subsection 80TB(4) provides that for the purposes of Part 2 of the Regulatory Powers Act, the Information Commissioner and a member of staff of the Information Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee are authorised applicants. This reflects that authorised applicants should be limited to those with relevant skills and expertise.
283. Subsection 80TB(5) provides that for the purposes of Part 2 of the Regulatory Powers Act, the following are authorised persons in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3):
- a. the Information Commissioner;
- b. a member of staff of the Information Commissioner who is authorised in writing by the Information Commissioner or a delegate of the Information Commissioner; and
- c. a consultant who is engaged under section 24 of the Australian Information Commissioner Act 2010 in relation to performance of the functions or the exercise of the powers of the Information Commissioner, and authorised in writing by the Information Commissioner or a delegate of the Information Commissioner.
284. The range of people who may be appointed as an authorised person is broad due to the structure of the OAIC, which is supported by a multidisciplinary workforce. Ongoing oversight by the Information Commissioner and the corporate governance framework underpinning the operations of the OAIC will ensure accountability, compliance, legal certainty and transparency in the exercise of the new monitoring and investigation powers.
285. These processes will also ensure that the appointed person has suitable qualifications, training or experience. Before being appointed, authorised persons will generally be required to hold a qualification that is relevant to conducting investigations and is recommended by the Australian Government Investigation Standards. The appropriate use of force and preparation for investigations or warrant executions are taught through these recommended qualifications.
286. Further, as the power to appoint authorised persons is limited to the Information Commissioner or a delegate, this will ensure high-level oversight and standardised regulation of persons appointed as authorised persons.
287. Subsection 80TB(6) provides that for the purposes of Part 2 of the Regulatory Powers Act, any judicial officer within the meaning of the Regulatory Powers Act is an issuing officer in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3). An issuing officer is able to issue a monitoring warrant.
288. Subsection 80TB(7) provides that for the purposes of Part 2 of the Regulatory Powers Act the Information Commissioner is the relevant chief executive in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3).
289. Subsection 80TB(8) allows the Information Commissioner to delegate the powers and functions under Part 2 of the Regulatory Powers Act in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3) to a member of staff of the Information Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee.
290. Allowing the Information Commissioner to delegate powers will ensure that the OAIC has an appropriate decision maker available, and that the OAIC's workload can be managed effectively and efficiently.
291. Subsection 80TB(9) provides that a person exercising powers or performing functions under such a delegation must comply with any directions of the Information Commissioner.
292. Subsection 80TB(10) provides that for the purposes of Part 2 of the Regulatory Powers Act, the FCA and the FCFCOA are each relevant courts in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3). A relevant court has power to make orders for compensation, for example where electronic equipment is damaged in the course of exercising monitoring powers.
293. Subsection 80TB(11) provides that an authorised person may be assisted by other persons when exercising powers or performing functions under Part 2 of the Regulatory Powers Act, in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3).
294. Assistance from other persons would support the exercise of monitoring powers to be performed efficiently and effectively by those most adept and qualified to do so. The person assisting remains subject, at all times, to directions given by the authorised person (paragraph 23(2)(d) of the Regulatory Powers Act). The authorised person is responsible for any powers exercised by the person assisting, and any power exercised, or function or duty performed, is taken to be exercised or performed by the authorised person (subsections 23(3)-(4) of the Regulatory Powers Act). The qualifications, training or experience of the authorised person will provide context and guidance for who they seek assistance from, as well as the directions they give, and the assistance they request from, those other persons. The assistance required from other persons will often be unanticipated, and limited in duration and purpose to that which the authorised person requires to safely and effectively carry out the exercise of their powers. Professional skilled assistance may be required, such as the use of a locksmith for locked doors or specialised IT forensic experts for recovering data from locked electronic devices.
295. Subsection 80TB(12) provides that monitoring powers provided by Part 2 of the Regulatory Powers Act in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3) extend to every external Territory.
296. Subsection 80TB(13) provides that the monitoring powers provided by Part 2 of the Regulatory Powers Act in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3) are subject to a certificate issued by the Attorney-General under section 70 of the Privacy Act.
297. The Note to subsection 80TB(13) refers to section 70, under which the Attorney-General may certify that the giving to the Information Commissioner of information concerning a specified matter, or production of a specified document or record, would be contrary to the public interest and thus not required to be disclosed.
298. Section 80TC provides that, in executing a monitoring warrant under Part 2 of the Regulatory Powers Act in relation to the provisions, information and matters mentioned in subsection 80TB(1), (2) and (3), an authorised person, or person assisting an authorised officer, may use such force against things as is necessary and reasonable in the circumstances. This would replace the existing use of force provision in subsection 68(4) which enables a member of the staff, under a warrant, to enter premises if necessary by force.
299. The use of force against things remains necessary in this context, as it will enable authorised persons to facilitate access onto the premises if the occupier is not in attendance or is non-compliant, including if access to further secure locations within the premises is prevented, for example locked doors. It may also be needed by an authorised person to open locked cabinets, or to release physically secured computers from locks if they are required to be taken off-premises for further forensic examination and the authorised person reasonably suspects they contain things that would provide relevant evidence. Additionally, this provision would enable an authorised officer to secure evidence in an efficient manner and avoid circumstances where evidence may be destroyed if they are required to leave and return at a later time.
300. The power can only be exercised under a monitoring warrant, which must be issued by a judicial officer. Further, the power may only be used as is necessary and reasonable in the circumstances, and use of force against persons is not authorised.
301. Division 1AC contains provisions to apply Part 3 of the Regulatory Powers Act.
302. Part 3 of the Regulatory Powers Act creates a framework for gathering material that relates to the contravention of offence and civil penalty provisions of an Act or legislative instrument. Subsection 37(2) of the Regulatory Powers Act states that, in order for Part 3 of the Regulatory Powers Act to operate, an offence or civil penalty provision of an Act must be made subject to investigation under Part 3 by another Act (a triggering Act). When a triggering Act applies Part 3 of the Regulatory Powers Act, it must identify the provisions subject to investigation, any related provisions and who is an authorised applicant, authorised person, issuing officer, the relevant chief executive and the relevant court or courts that may exercise powers under Part 3 (see sections 38, 40, 41, 42, 44, 45 and 46 of the Regulatory Powers Act). The triggering Act must also express whether the authorised person may be assisted by another person (see section 53 of the Regulatory Powers Act), and whether the authorised applicant, authorised person, issuing officer or relevant chief executive may delegate their powers and functions in relation to the provisions subject to investigation under the triggering Act. If offence or civil penalty provisions subject to investigation under the triggering Act apply in external territories or offshore areas, the triggering Act should identify whether Part 3 of the Regulatory Powers Act extends to any external Territories.
303. The general investigation powers of an authorised person set out in Part 3 of the Regulatory Powers Act include the power to:
- a. search the premises and any thing on the premises;
- b. inspect, examine, take measurements of or conduct tests on evidential material;
- c. ask persons on the premises questions and request the production of documents;
- d. bring equipment and materials onto the premises;
- e. take images of things; and
- f. operate electronic equipment.
304. Further, if entry is under an investigation warrant, the authorised person may:
- a. seize a disk, tape or other storage device on the premises if:
  - i. it is not practicable to put the evidential material into documentary form or transfer it to a separate disk, tape or other storage device brought onto the premises for the exercise of investigation powers; or
  - ii. possession of the equipment or disk, tape or other storage device by the occupier could constitute an offence;
- b. seize evidential material of the kind specified in the warrant if the authorised person finds it on the premises;
- c. seize evidential material that is not the kind specified in the warrant if:
  - i. the authorised person finds the thing in the course of searching for material of the kind specified in the warrant; and
  - ii. the authorised person believes on reasonable grounds that the thing is evidential material of another kind;
  - iii. the authorised person believes on reasonable grounds that it is necessary to seize the thing in order to prevent its loss, concealment or destruction; and
- d. require persons on the premises to answer questions or produce documents relating to evidential material of the kind specified in the warrant.
305. The investigation powers in Part 3 of the Regulatory Powers Act, as applied through Division 1AC, would result in an expansion of the Information Commissioner's existing entry and inspection powers in section 68. This is appropriate as the Information Commissioner's investigation powers would be aligned with best practice and adapted to a changing technology landscape.
306. Paragraph 80TD(1)(a) provides that the offence provisions and civil penalty provisions in the Privacy Act are subject to investigation under Part 3 of the Regulatory Powers Act.
307. Paragraph 80TD(1)(b) provides that civil penalty provisions that are enforceable by the Information Commissioner in the following Acts are subject to investigation under Part 3 of the Regulatory Powers Act:
- a. the Digital ID Act 2024
- b. the Healthcare Identifiers Act 2010 or an instrument made under that Act
- c. the My Health Records Act 2012, and
- d. Division 5 of Part IVD of the Competition and Consumer Act 2010.
308. Applying Part 3 of the Regulatory Powers Act to all civil penalty provisions that are enforceable by the Information Commissioner in these Acts would ensure a robust and consistent approach to enforcement. Moving towards a standardised regulatory framework would also streamline investigation processes and increase legal certainty for entities and individuals who are subject to those powers.
309. Paragraph 80TD(1)(c) provides that an offence provision of the Crimes Act 1914 or the Criminal Code, to the extent that it relates to an offence provision in the Privacy Act, is subject to investigation under Part 3 of the Regulatory Powers Act.
310. Note 1 to subsection 80TD(1) explains that Part 3 of the Regulatory Powers Act creates a framework for investigating whether a provision has been contravened, including powers of entry, search and seizure.
311. Note 2 to subsection 80TD(1) states that the investigation powers provided by Part 3 of the Regulatory Powers Act are subject to modifications outlined in section 80TE.
312. Note 3 to subsection 80TD(1) states that the investigation powers provided by Part 3 of the Regulatory Powers Act in relation to a civil penalty provision that is enforceable by the Information Commissioner under Division 5 of Part IVD of the Competition and Consumer Act 2010 are subject to limitations outlined in subsection 80TE(2).
313. Subsection 80TD(2) provides that for the purposes of Part 3 of the Regulatory Powers Act, the Information Commissioner and a member of staff of the Information Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee are authorised applicants in relation to evidential material that relates to a provision mentioned in subsection 80TD(1). This reflects that authorised applicants should be limited to those with relevant skills and expertise.
314. Subsection 80TD(3) provides that for the purposes of the investigation powers provided by Part 3 of the Regulatory Powers Act, the following are authorised persons in relation to evidential material that relates to a provision mentioned in subsection 80TD(1):
- a. the Information Commissioner;
- b. a member of staff of the Information Commissioner who is authorised in writing by the Information Commissioner or a delegate of the Information Commissioner; and
- c. a consultant who is engaged under section 24 of the Australian Information Commissioner Act 2010 in relation to performance of the functions or the exercise of the powers of the Information Commissioner, and authorised in writing by the Information Commissioner or a delegate of the Information Commissioner.
315. The range of people who may be appointed as an authorised person is broad due to the reasons described for subsection 80TB(4) above. Further, as the power to appoint authorised persons is limited to the Information Commissioner or a delegate, this will ensure high-level oversight and standardised regulation of persons appointed as authorised persons.
316. Subsection 80TD(4) provides that for the purposes of Part 3 of the Regulatory Powers Act, any judicial officer within the meaning of the Regulatory Powers Act is an issuing officer in relation to evidential material that relates to a provision in subsection 80TD(1). An issuing officer may issue an investigation warrant.
317. Subsection 80TD(5) provides that for the purposes of Part 3 of the Regulatory Powers Act, the Information Commissioner is the relevant chief executive in relation to evidential material that relates to a provision mentioned in subsection 80TD(1).
318. Subsection 80TD(6) allows the Information Commissioner to delegate the powers and functions under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection 80TD(1) to a member of staff of the Information Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee.
319. Allowing the Information Commissioner to delegate powers to SES employees will ensure that the OAIC has an appropriate decision maker available, and that the OAIC's workload can be managed effectively and efficiently.
320. Subsection 80TD(7) provides that a person exercising powers or performing functions under such a delegation must comply with any directions of the Information Commissioner.
321. Subsection 80TD(8) provides that for the purposes of Part 3 of the Regulatory Powers Act, the FCA and FCFCOA are relevant courts in relation to the provisions mentioned in subsection 80TD(1). A relevant court has power to make orders for compensation, for example where electronic equipment is damaged in the course of exercising monitoring powers.
322. Subsection 80TD(9) provides that an authorised person may be assisted by other persons when exercising powers or performing functions under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection 80TD(1).
323. Assistance from other persons would support the exercise of investigation powers to be performed efficiently and effectively by those most adept and qualified to do so. The person assisting remains subject, at all times, to directions given by the authorised person (paragraph 53(2)(d) of the Regulatory Powers Act). The authorised person is responsible for any powers exercised by the person assisting, and any power exercised, or function or duty performed, is taken to be exercised or performed by the authorised person (subsections 53(3)-(4) of the Regulatory Powers Act). The qualifications, training or experience of the authorised person will provide context and guidance for who they seek assistance from, as well as the directions they give, and the assistance they request from, those other persons. The assistance required from other persons will often be unanticipated, and limited in duration and purpose to that which the authorised person requires to safely and effectively carry out the exercise of their powers. Professional skilled assistance may be required, such as the use of a locksmith for locked doors or specialised IT forensic experts for recovering data from locked electronic devices.
324. Subsection 80TD(10) provides that Part 3 of the Regulatory Powers Act, as that Part applies in relation to the provisions mentioned in subsection 80TD(1), extends to every external Territory.
325. Subsection 80TD(11) provides that the investigation powers provided by Part 3 of the Regulatory Powers Act are subject to a certificate issued by the Attorney-General under section 70 of the Privacy Act.
326. The Note to subsection 80TD(11) refers to section 70, under which the Attorney-General may certify that the giving to the Information Commissioner of information concerning a specified matter, or production of a specified document or record, would be contrary to the public interest and thus not required to be disclosed.
327. Subsection 80TE(1) provides that, in executing an investigation warrant under Part 3 of the Regulatory Powers Act as that Part applies in relation to the provisions mentioned in subsection 80TD(1), an authorised person, or person assisting an authorised officer, may use such force against things as is necessary and reasonable in the circumstances. This would replace the existing use of force provision in subsection 68(4) which enables a member of the staff, under a warrant, to enter premises if necessary by force.
328. The use of force against things remains necessary in this context, as it will enable authorised persons to facilitate access onto the premises if the occupier is not in attendance or is non-compliant, including if access to further secure locations within the premises is prevented, for example locked doors. An authorised person may also need it, for example to use a locksmith when encountering a locked cabinet or room, in order to urgently secure documents and things specified under a warrant in an efficient manner and avoid circumstances where evidence may be destroyed if they are required to leave and return at a later time.
329. The power can only be exercised under an investigation warrant, which must be issued by a judicial officer. Further, the power may only be used as is necessary and reasonable in the circumstances, and use of force against persons is not authorised.
330. Subsection 80TE(2) sets out limitations to the use of investigation powers in relation to civil penalty provisions in Division 5 of Part IVD of the Competition and Consumer Act 2010 to align with the regulatory context in Division 5 of Part IVD of that Act. The investigation powers may only be exercised in relation to premises occupied by, or on behalf of, the following (within the meaning of the Competition and Consumer Act 2010):
- a. a CDR participant for CDR data
- b. an accredited person who may become an accredited data recipient of CDR data
- c. a designated gateway for CDR data, or
- d. an action service provider for a type of CDR action who has been, or may be, disclosed CDR data under the consumer data rules.
Item 86 - Application of amendments
331. Item 86 provides that:
- a. Divisions 1AB and 1AC of Part VIB of the Privacy Act, as inserted by this Part, apply in relation to monitoring and investigating matters after the commencement of this Part, whether in relation to acts or practices before or after the commencement of this Part; and
- b. the amendment to subsection 135AB(3) of the National Health Act 1953 made by this Part applies in relation to monitoring and investigating matters after the commencement of this Part, whether in relation to acts or practices before or after the commencement of this Part.
Part 15 - Automated decisions and privacy policies
Item 87 - After subparagraph 13K(1)(b)(ii)
332. This item inserts subparagraph 13K(1)(b)(ii). The effect is that if an entity breaches the requirements in APP 1.7 to contain information in their APP privacy policy about using personal information in automated decisions, it will be a contravention of the new civil penalty provision in subsection 13K(1).
Item 88 - At the end of clause 1 of Schedule 1
333. This item inserts APP 1.7 - 1.9 to require entities to include additional information relating to automated decisions in an entity's privacy policy. A privacy policy is a key tool for meeting the objective of APP 1, which is to ensure that entities manage personal information in an open and transparent way.
334. Under APP 1.7, the privacy policy must contain the information outlined in APP 1.8 if:
- a. the entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision (APP 1.7(a)); and
- b. the decision could reasonably be expected to significantly affect the rights or interests of an individual (APP 1.7(b)); and
- c. personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision (APP 1.7(c)).
335. The use of the words 'the entity has arranged for a computer program' in APP 1.7(a) is intended to clarify that it is the entity responsible for arranging the computer program to make, or do a thing that is substantially and directly related to making, a decision which must meet the requirements in APP 1.7. This recognises that a computer program may be operated by one entity, but another entity is responsible for arranging for the computer program to make, or do a thing that is substantially and directly related to making, a decision.
336. The term 'computer program' in APP 1.7(a) is intended to take its ordinary meaning and encompass a broad range of matters, including pre-programmed rule-based processes, artificial intelligence and machine learning processes to make a computer execute a task.
337. The use of the words 'do a thing that is substantially and directly related to making a decision' in APP 1.7(a) reflects that a computer program may be used to recommend a decision to a human decision-maker, or guide a human decision-maker. Where this occurs, the thing must be substantially and directly related to making a decision to be captured:
- a. substantially means where it is a key factor in facilitating the human's decision making; and
- b. directly means where the thing has a direct connection with making the decision.
338. Both factors must be satisfied.
- a. For example, if Microsoft Excel was used to calculate a sum this may be 'directly related to' making a decision, but would not be 'substantially related to' making a decision if Microsoft Excel was only used for the purpose of adding numbers to arrive at a given sum.
- b. However, if Microsoft Excel was used to generate a score about an individual that was a key factor in a human decision-maker making a decision, this would be considered 'substantially related to' making the decision.
339. For avoidance of doubt, where a human decision-maker has made the decision, or done a thing related to making the decision, and has used a computer program for purposes other than facilitating the decision-making (such as using a word processing program to document a decision), this will not be captured.
340. A decision must be a decision that 'could reasonably be expected to significantly affect the rights or interests of an individual' (APP 1.7(b)).
- a. Whether or not a decision could reasonably be expected to significantly affect the rights or interests of an individual depends on the circumstances. For example, a decision's effect on a child or person experiencing vulnerability may be considered significant compared to its effect on other individuals.
- b. The effects must be more than trivial, and must have the potential to significantly influence the circumstances of the individual concerned.
- c. APP 1.9 sets out more information about the types of decisions that may affect a person's rights or interests, and examples.
341. APP 1.8 outlines the information which must be included in the privacy policy if the conditions in APP 1.7 are met. This includes:
- a. the kinds of personal information used in the operation of such computer programs; and
- b. the kinds of such decisions made solely by the operation of such computer programs; and
- c. the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.
342. APP 1.9 outlines that, for the purposes of APP 1.7 and 1.8:
- a. making a decision includes refusing or failing to make a decision; and
- b. doing a thing includes refusing or failing to do a thing; and
- c. a decision may affect the rights or interests of an individual, whether the rights or interests of the individual are adversely or beneficially affected.
343. APP 1.9(d) provides a non-exhaustive list of examples of the kinds of decisions that may affect the rights or interests of an individual, and includes:
- a. a decision made under a provision of an Act or a legislative instrument to grant, or to refuse to grant, a benefit to the individual. For example, this may include a decision in relation to granting admission to a country or entitlement to a housing benefit.
- b. a decision that affects the individual's rights under a contract, agreement or arrangement. For example, this may include a contract for a life insurance policy.
- c. a decision that affects the individual's access to a significant service or support. For example, this may include access to healthcare services. The use of computer programs to target individuals with content and advertisements may have a significant effect on an individual if, for example, it results in differential pricing for provision of, or access to, significant goods or services, or limits access to employment opportunities.
Item 89 - Application of amendment
344. This item provides that the amendment to APP 1 made by this Part applies in relation to decisions made after the commencement of this item, regardless of whether:
- a. the arrangement for a computer program to make the decision, or do a thing that is substantially and directly related to making the decision, was made before or after that commencement; and
- b. the use of personal information in the operation of the computer program occurred before or after that commencement; and
- c. the personal information used in the operation of the computer program was acquired or created before or after that commencement.
Schedule 2 - Serious invasions of privacy
345. This Schedule establishes a cause of action in tort for serious invasions of privacy.
346. This Schedule is intended to be treated as a set of stand-alone provisions which are independent from the rest of the Privacy Act. Provisions contained in this Schedule should be interpreted separately from the provisions contained in the Privacy Act.
Items 1 and 2 - Section 2A
347. Item 1 inserts subsection (1) before the objects of the Privacy Act in section 2A. Item 2 adds new subsection (2) which provides that section 2A of the Privacy Act does not apply to this Schedule.
348. These items are intended to clarify that the objects of the Privacy Act are not the objects of this Schedule. This Schedule is to be construed separately, in accordance with its own objects (clause 1 of this Schedule).
Items 3 and 4 - Section 3
349. Item 3 inserts subsection (1) before section 3 of the Privacy Act. Item 4 adds new subsection (2) which provides that section 3 of the Privacy Act does not apply to this Schedule.
350. The savings provision that applies to this Schedule is clause 21. This reflects the broader scope of the provisions in this Schedule, which are not restricted to personal information handling.
Items 5 and 6 - Section 5A
351. Item 5 inserts subsection (1) before section 5A of the Privacy Act. Item 6 adds new subsection (2) which provides that section 5A of the Privacy Act does not apply to this Schedule.
352. These items clarify that this Schedule does not apply to external territories.
Item 7 - Section 5B
353. Item 7 clarifies that section 5B of the Privacy Act, which provides for its extra-territorial operation, does not apply to this Schedule. This is consistent with the general position for private causes of action.
Item 8 - Section 12B
354. Item 8 provides that section 12B of the Privacy Act does not apply to this Schedule. The constitutional basis of this Schedule, and its additional operation, are set out at clauses 4 and 5 of this Schedule.
Item 9 - section 94A
355. Item 9 inserts a new section 94A into the Privacy Act. It gives this Schedule effect. It also clarifies that this Schedule is to be disregarded when determining the meaning of an expression used in a provision contained in other parts of the Privacy Act.
356. The meanings of expressions used in provisions contained in the Privacy Act are not intended to be consistent with expressions used in provisions contained in this Schedule. See also subclauses 6(2) and 6(3) of this Schedule, which provide that expressions used in provisions in this Schedule are not intended to be consistent with expressions used in provisions contained in the Privacy Act.
Item 10
357. Item 10 inserts this Schedule as Schedule 2 of the Privacy Act.
358. The statutory tort for serious invasions of privacy is intended to operate similarly to other torts, in that it would be developed through jurisprudence. It is distinct from the regulatory regime established in the Privacy Act, which requires compliance with the APPs and is overseen by a regulator. As such, it is intended that courts would draw on key concepts from other torts, including privacy torts in other jurisdictions.
Part 1 - Preliminary
Clause 1 - Objects of this Schedule
359. This clause sets out separate objects for this Schedule that are different to the objects of the Privacy Act. The other provisions of this Schedule are to be read, as far as is possible, as being designed to carry out these objects.
Establish a cause of action
360. The objects recognise that individuals should be given the opportunity to take action for serious invasions of their privacy and provided with remedies where the cause of action is established.
Provide for defences, remedies and exemptions
361. The objects recognise that this cause of action should be limited and other competing interests should also be recognised, through the inclusion of a range of defences and exemptions contained in this Schedule.
Recognise a public interest in protecting privacy
362. The objects recognise that there is a public interest in protecting privacy (as well as, and distinct from, individuals' private interests in their privacy).
The public interest in privacy is balanced with other interests
363. The objects recognise that the public interest in the protection of privacy should be balanced with other important public interests.
Implementation of Australia's international obligations
364. The objects recognise that this cause of action implements Australia's international obligations in relation to privacy, including Article 17 of the ICCPR.
Clause 2 - Simplified outline of this Schedule
365. This clause provides a simplified outline of the Schedule, including when an individual may take action, defences and exemptions that apply, remedies and time limits. It clarifies that the Schedule is to be read and construed separately from the rest of the Privacy Act.
366. The simplified outline is included to assist readers to understand the substantive provisions of the legislation and is not intended to be comprehensive. Readers should rely on the substantive provisions of the legislation.
Clause 3 - Crown to be bound
367. This clause provides that the Schedule binds the Crown in each of its capacities. This reflects the fact that Commonwealth, state and territory government entities and public officials would be subject to obligations under the Schedule.
Clause 4 - Constitutional basis of this Schedule
368. This clause provides the constitutional basis of the Schedule. It clarifies that the Schedule relies on the Commonwealth's legislative power under section 51(xxix) of the Constitution to give effect to Australia's obligations under the ICCPR.
369. In particular, the Schedule implements Australia's obligations under Article 17 of the ICCPR by providing legal protection against arbitrary or unlawful interferences with privacy.
370. The scope of the cause of action is limited to two types of privacy invasions-intrusions upon seclusion and misuse of information. It is not intended to extend beyond the notion of 'privacy' as articulated in Article 17 of the ICCPR.
Clause 5 - Additional operation of this Schedule
371. The purpose of this clause is to ensure the Schedule has the widest possible operation consistent with Commonwealth constitutional legislative power.
Clause 6 - Interpretation
372. Subclause 6(1) provides definitions for terms used in the Schedule. Some definitions are self-explanatory.
373. Subclauses 6(2) and 6(3) clarify that, unless expressly provided for in this Schedule, expressions and provisions in other parts of the Privacy Act are to be disregarded when determining the meaning of expressions used in provisions contained in this Schedule.
Definitions referring to the Privacy Act (Australian Law; Court/Tribunal Order; enforcement body; and enforcement related activity)
374. The terms 'Australian law', 'court/tribunal order', 'enforcement body' and 'enforcement related activity' would have the same meaning as in the Privacy Act. The intention is that these definitions should be interpreted consistently with those same terms contained in the Privacy Act.
375. The definition of Australian law in this Schedule is included to clarify the scope of the defence contained in clause 8(1)(a). Australian law includes Commonwealth, State and Territory legislation, regulations, an instrument made under an Act, and any law in force in the Jervis Bay Territory or an external Territory. The definition encompasses rules of common law or equity, but contractual obligations are excluded.
Intelligence Agency
376. Subclause 6(1) includes a definition of 'intelligence agency', as referred to in the exemption for intelligence agencies in clause 17. Agencies defined as intelligence agencies in this clause will be exempt from the operation of the tort. An intelligence agency for the purposes of this Schedule includes the intelligence agencies that are members of the Australian Intelligence Community and are overseen by the Inspector-General of Intelligence and Security. These agencies include:
a. the Australian Geospatial-Intelligence Organisation;
b. the Australian Secret Intelligence Service;
c. the Australian Security Intelligence Organisation;
d. the Australian Signals Directorate;
e. the Defence Intelligence Organisation; or
f. the Office of National Intelligence.
377. An intelligence agency for the purposes of this Schedule also includes the Australian Criminal Intelligence Commission (ACIC) given the ACIC's intelligence functions include collecting, correlating, analysing and disseminating criminal information and intelligence. These functions are inseparable from its other functions. This aligns with the position in the Intelligence Services Legislation Amendment Bill 2023 which would amend the ACIC's oversight arrangements so that it is overseen by the Inspector-General of Intelligence and Security in line with other intelligence agencies.
Intruding upon seclusion
378. Intruding upon the seclusion of an individual includes (but is not limited to) physical intrusions and watching, listening to or recording an individual's private activities or affairs. It includes situations where no further action is taken beyond the physical intrusion.
379. For example, an intrusion upon seclusion could occur where a person spies on the plaintiff in their home. It is not required that any information be shared about the plaintiff for them to be able to establish an intrusion into their seclusion.
Misusing information
380. Misusing information is intended to encompass a wide range of activities, including (but not limited to) invasions of privacy by collecting, using and disclosing information. Maliciously releasing an individual's information online without their consent (doxxing) may amount to a misuse of information. Storing, interfering with or modifying information could also be ways in which information may be misused.
Reckless
381. The term reckless takes its meaning from the Criminal Code. This is appropriate because recklessness is not well established as a fault element under tort law. The fault element of recklessness is intended to distinguish it from the lower fault threshold of negligence and align with the meaning established in the criminal law context. This approach was suggested by ALRC Report 123.
Part 2-Serious invasions of privacy
Clause 7 - Cause of action
382. Clause 7 of the Schedule creates a statutory cause of action in tort for serious invasions of privacy and sets out the elements of the cause of action which the plaintiff must prove. These are based on the recommendations of ALRC Report 123. The tort is actionable by an individual, being a natural person.
383. The elements of the cause of action are:
a. an invasion of privacy (by intrusion upon seclusion or misuse of information, or both) (subclause 7(1)(a))
b. a reasonable expectation of privacy in all the circumstances (subclause 7(1)(b))
c. fault (either intention or recklessness) (subclause 7(1)(c))
d. seriousness of the invasion (subclause 7(1)(d)), and
e. that the public interest in protecting the plaintiff's privacy outweighs countervailing public interests that are raised by the defendant (subclauses 7(3) and (4))
384. Subclause 7(2) provides that the plaintiff is not required to prove that they experienced damage as an element of the tort. However, any harm or damage caused would be relevant to the seriousness of the invasion, as outlined in subclause 7(6).
An invasion of privacy
385. Subclause 7(1)(a) requires a plaintiff to establish that the defendant invaded the plaintiff's privacy, and that the invasion was by intrusion upon seclusion or misuse of information (or both). The tort is confined to these two types of privacy invasions to ensure certainty in the scope of the cause of action, however each type of invasion of privacy is intended to be construed broadly.
386. Subclause 6(1) provides illustrative, but not exhaustive, examples of activities that would fall within the two types of invasions. A plaintiff's privacy may be invaded through the misuse of information that relates to them even if the information is not publicly disclosed, provided the plaintiff can establish all the elements of the cause of action.
387. Relevantly, subclause 7(7) provides that where a defendant invades a plaintiff's privacy by misusing information that relates to the plaintiff, the information that is misused does not need to be true.
388. The requirement that information 'relates to' an individual is intended to be interpreted broadly, but some connection between the misused information and the individual is required. For example, information about an individual's family member, such as a health condition, may not be 'about' the individual. However, if an inference or other connection is drawn between the information and the individual (such as an inference that the individual also has the same health condition) then the information could 'relate to' the individual. As noted above in relation to subclause 7(7), this would be the case even if the inference is untrue.
389. Certain conduct could constitute both an intrusion upon a plaintiff's seclusion and a misuse of private information that relates to an individual, for example, hacking into an individual's private electronic device and disseminating intimate photographs.
390. Information relating to an individual in which there is a reasonable expectation of privacy is not the same as 'personal information', as defined in the Privacy Act for the purposes of the Australian Privacy Principles. 'Privacy' for the purpose of subclause 7(1)(a) is determined on the facts of each case by applying the test in subclause 7(1)(b). Subclauses 7(1)(a) and 7(1)(b) must therefore be considered together.
A reasonable expectation of privacy
391. The statutory cause of action is actionable only where a person in the position of the plaintiff would have had a reasonable expectation of privacy in all the circumstances. This test is intended to be flexible, to reflect the fact that community expectations of privacy may change over time.
392. Subclause 7(5) provides a non-exhaustive list of matters that may be relevant to consider when determining whether paragraph 7(1)(b) is established, and whether a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances.
393. Subclause 7(5)(a) provides that the means, including the use of any device or technology, used to invade the plaintiff's privacy may be relevant to whether the plaintiff has a reasonable expectation of privacy.
394. Subclause 7(5)(b) provides that the purpose of the invasion of privacy may be relevant to whether the plaintiff has a reasonable expectation of privacy.
395. Subclause 7(5)(c) recognises that particular attributes of the plaintiff might contribute towards a greater expectation of privacy in the circumstances. For example, children may have a greater expectation of privacy than an adult in certain situations, and people from different cultural backgrounds may consider different information to be private. Additional attributes not listed in paragraph 7(5)(c) could include (but are not limited to) sex, gender identity, sexual orientation and disability.
396. Subclause 7(5)(d) provides that the conduct of the plaintiff, including whether the plaintiff invited publicity or manifested a desire for privacy, may be relevant to whether the plaintiff has a reasonable expectation of privacy.
397. Subclause 7(5)(e) provides that the place where the invasion occurred may also be relevant. For example, a person will generally have a greater expectation of privacy in their home than in a public place. Information that is publicly available may nevertheless remain private in nature, however the extent of its availability would be relevant to whether the plaintiff has a reasonable expectation of privacy in the circumstances.
398. Subclause 7(5)(f) provides that the nature of the information relating to the plaintiff is a relevant consideration as to whether the plaintiff has a reasonable expectation of privacy. The listed factors in this paragraph are inherently private (for example, intimate, health or family information). Other private matters are not intended to be excluded.
399. The nature of the types of information listed in the definition of 'sensitive information' in section 6 of the Privacy Act may be relevant to assessing whether there is a reasonable expectation of privacy. However, the fact that information is sensitive information does not of itself give rise to an expectation of privacy under the tort; whether there is a reasonable expectation of privacy in such information will depend on the context. For example, information about a person's political opinion or membership of a professional association is sensitive information, but may be less likely to give rise to an expectation of privacy if it was already in the public domain.
400. Matters that are relevant to determining whether the plaintiff has a reasonable expectation of privacy may also be considered as part of the balancing of public interests, or be the subject of a separate defence.
Fault element
401. Subclause 7(1)(c) establishes a fault requirement. The plaintiff must prove that the defendant intentionally or recklessly invaded the plaintiff's privacy. Proof of negligence is not sufficient to establish the fault element.
402. As noted under subclause 6(1), 'recklessness' has the same meaning as in the Criminal Code to ensure that there is a uniform national approach to applying the fault element, and to clearly distinguish it from the lower fault threshold of negligence. It covers situations where a person is aware of a substantial risk and, having regard to the circumstances known to them, it is unjustifiable for the person to take the risk.
403. 'Intentional' has its ordinary meaning. The defendant's intent may be subjective or imputed. The intention must relate to the invasion of the plaintiff's privacy by intrusion upon seclusion or misuse of information. It is not sufficient that the defendant intended to do an act that has the consequence of invading a person's privacy.
404. For example, a photographer who takes a photograph of a public event, without realising that it captures a private activity, would not be committing an intentional or reckless invasion of privacy. Similarly, a defendant who establishes a digital platform that is used by a third party to invade privacy would not be liable where they have no knowledge of the invasion of privacy.
405. The plaintiff does not need to establish that the defendant intended to commit a legal wrong, or intended to fulfil the other elements of the cause of action.
Serious invasion of privacy
406. Subclause 7(1)(d) requires the plaintiff to prove that the invasion of privacy was serious. The requirement of seriousness is intended to deter individuals from bringing trivial claims. Whether an invasion of privacy is 'serious' is an objective test.
407. Subclause 7(6) provides a number of factors that the court may have regard to when assessing whether the invasion of privacy was serious. This is not an exhaustive list of factors but is intended to provide guidance.
408. Subclause 7(6)(a) includes the degree of offence, distress or harm to dignity that the invasion of privacy is likely to cause. The assessment is to be made in relation to a person of ordinary sensibilities in the position of the plaintiff, rather than based on the subjective views of the plaintiff. This would distinguish the likely effect of the conduct from the actual effect of the conduct.
409. The inclusion of likely harm to dignity as a consideration in this subclause recognises that an invasion of privacy may be serious even if it does not cause material harm or offence. An invasion of privacy that harms an individual's dignity may occur without the person's knowledge, for example, where the person is a young child.
410. Subclauses 7(6)(b) and (c) provide that the knowledge and motive of the defendant are also relevant factors. For example, an invasion of privacy motivated by malice, or where the defendant knew the particular plaintiff was likely to be offended, distressed or harmed by the invasion of privacy, is more likely to be serious.
411. Other matters may also be relevant, for example: the effect of the offence, distress or harm to dignity that the invasion of privacy had on the individual, or the number of individuals affected.
412. The tort is intended to protect intangible interests and the dignity of the plaintiff, and is therefore actionable without proof of damage.
Public interest balancing
413. Subclause 7(3) provides a mechanism to balance the public interest in protecting the plaintiff's privacy with other public interests, in situations where the defendant adduces evidence of a public interest, or public interests, in relation to their conduct.
414. This balancing exercise recognises that privacy interests are important but not absolute.
415. This balancing exercise is similar to that identified by the United Kingdom House of Lords in Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22, involving the court:
a. assessing the comparative importance of the interests;
b. considering the justifications for interfering with or restricting each; and
c. applying a proportionality test to each.
416. No one interest should have automatic priority over another, but some interests may be given more weight. For example, the public interest in freedom of political communication would be given considerable weight in the balancing exercise because of its importance to Australia's democratic system of government.
417. For the plaintiff to establish the elements of the cause of action, the court must be satisfied that the public interest in protecting the plaintiff's privacy outweighs any countervailing public interest raised by the defendant. In circumstances where the privacy interests and other public interests at stake in a particular case are evenly weighted, the plaintiff would not be able to meet the public interest element of the cause of action.
418. Subclause 7(4) provides a non-exhaustive list of countervailing public interest considerations that a defendant may adduce for a court to consider when assessing whether an invasion of privacy is in the public interest. The purpose of the list is to provide guidance as to what might be a countervailing public interest.
419. The list is not intended to be exhaustive; a defendant may be able to identify other important countervailing public interests not included in the list that are engaged in the circumstances of a particular case.
420. The list includes important and widely recognised public interest matters that may conflict with privacy interests. These examples are outlined below.
Freedom of expression, including political communication
421. This freedom includes (among other things) artistic expression. This freedom is important because it allows people to discuss and debate political matters and express opinions about the various facets of public life. However, freedom of expression is not absolute, and not all expression is of equal value or warrants equal protection.
Freedom of the media
422. Freedom of the media is a public interest in responsible investigation and reporting of matters of public concern and importance. The court may consider the public interest in such activities even if undertaken by individuals who are not professional journalists.
The proper administration of government
423. The public interest in the proper administration of government recognises the broad public interest in the government undertaking its usual functions and duties in the service of the citizenry. Not all activity that is necessary for government functions is expressly authorised in legislation.
Open justice
424. There is a broad public interest in a system of justice that is transparent, predictable, comprehensible and efficient.
Public health and safety
425. The public interest in public health and safety may include a wide range of activities. For example, an individual's privacy may be invaded in the course of taking action to protect the community from a disease that threatens public health.
National security
426. There is a public interest in protecting Australia's national security. It is not restricted to the activities of enforcement bodies and intelligence agencies. For example, an individual who reports suspicious conduct may be acting in the interest of national security.
The prevention and detection of crime and fraud
427. Law enforcement agencies might invade privacy to prevent and detect crime and fraud, but others (including individuals) may also do so in the public interest.
Clause 8 - Defences
428. Clause 8 sets out defences that apply to the cause of action for serious invasions of privacy. Defendants bear the onus of proving their conduct is subject to a defence.
429. Subclause 8(1)(a) provides a defence for conduct that was required or authorised by an Australian law or a court/tribunal order (both defined in clause 6). This defence may be used by any body, organisation or individual that invades privacy under lawful authorisation. This defence is not restricted to government agencies. For example, it may be relied upon where legislation authorises the handling of information about a person, such as under workplace health and safety laws or mandatory reporting schemes. It also might apply in relation to lawful monitoring and surveillance activities.
430. This defence is similar to the exception provided in a number of the APPs. The OAIC has provided guidance that may be informative in interpreting the scope of what is 'authorised' or 'required' by an Australian law. For instance, conduct may be impliedly authorised if it is directly entailed by a law. However, conduct will not be authorised simply because it is not prohibited, or by virtue of general authority to perform specific functions or activities.
431. Subclause 8(1)(b) provides a defence where consent was given. Consent may be express or implied. It must be provided by a person with the requisite legal capacity. Whether an individual is capable of giving consent, and whether valid consent has been provided, would be questions of fact for the court to determine.
432. Subclause 8(1)(c) provides for a defence of necessity. This would apply where the defendant reasonably believes the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person. This defence would generally arise where the conduct was a response to an emergency or a serious or imminent danger. An example would be where health professionals or emergency services must enter private premises, or disclose private information, to assist with or intervene in a health emergency. It also may apply where action was taken to prevent a serious domestic and family violence incident. There is no requirement that the threat be imminent for it to be serious.
433. To be serious, a threat must pose significant danger to the person, having regard to all the circumstances, including the gravity of the potential outcome and the likelihood that it will occur.
434. Subclause 8(1)(d) provides a defence for invasions of privacy that are incidental to the exercise of a lawful right of defence of persons or property where the conduct is proportionate, necessary and reasonable.
435. Subclause 8(2) provides defences that are intended to align with related defences in defamation law. The related defences are set out in subclause 8(3): absolute privilege (paragraph a), publication of public documents (paragraph b) and fair report of proceedings of public concern (paragraph c). These defences protect a wide range of matters where there is an inherent public interest in free expression.
436. For the related defences to apply, the invasion of privacy must have occurred through the 'publication' of information that relates to the plaintiff, as the term is understood in defamation law. 'Publication' has a specific meaning within defamation law. It can include the communication of material from one person to another in circumstances where the material is not communicated to the general public.
437. Subclause 8(3)(a) provides for a defence of absolute privilege. It incorporates defences of absolute privilege that arise from the common law as well as Commonwealth, state and territory legislation. It does this by providing that where absolute privilege is available as a defence to defamation proceedings under any Australian law, it is also a defence to an action for serious invasions of privacy. The rationale for the defence is equally applicable in both actions. The defence of absolute privilege protects certain communications in the interests of free speech and transparency. For example, it would protect individuals who reveal personal information about another person in the course of public forums such as Parliament and proceedings in a court or tribunal.
438. Recent amendments to defamation laws in some jurisdictions have extended the defence of absolute privilege to reports made to police (for example, a complaint of sexual assault). The extended defence would be available for actions for serious invasions of privacy, regardless of the jurisdiction in which they were brought. This is because the absolute privilege defence applies to the tort when it is available as a defence under any Australian law dealing with defamation.
439. Subclause 8(3)(b) provides a defence for publication of public documents. The defence aligns with the defence available in defamation law. The defence recognises that the publication of public documents promotes an open and transparent government and legal system.
440. Subclause 8(3)(c) provides a defence for fair report of proceedings of public concern which is co-extensive with the defence available in defamation law. This defence would protect interests of open government, transparency and open justice, and be of particular significance for court reporters and educational institutions. Whether a report is fair would be a question of fact for a court, to be determined objectively by comparing the report to the events or facts it described. The impression conveyed in the report must not be substantially different from the impression that someone would have gleaned had they been present at the relevant event.
441. Other defamation defences were not included because they are not relevant in the context of the statutory tort. For example, the defamation defence of truth is not relevant for the tort because where information is misused, subclause 7(7) provides that it does not matter if the information that is misused is true or not. The defamation defence of fair comment is also not relevant, because it relates to matters of public interest. The tort already contains the public interest balancing provisions, which the fair comment defence would duplicate. An 'innocent dissemination' defence would not be relevant in the context of the tort, because fault is an essential element of the tort.
Clause 9 - Interim injunctions
442. Subclause 9(1) provides that courts may grant interim injunctions restraining an invasion of privacy at any stage of proceedings.
443. Subclause 9(2) clarifies that when considering interim injunctions for invasions of privacy involving publishing information relating to the plaintiff, the court must have particular regard to the public interest in the publication of the information.
444. A court also has the power to grant injunctions in relation to an invasion of privacy under subclause 12(2)(b).
Clause 10 - Summary judgment
445. Subclause 10(1) provides that a court may give summary judgment if it is satisfied that the plaintiff has no reasonable prospect of successfully prosecuting the proceedings (such as, for example, where the invasion of privacy was clearly and unambiguously authorised or required by law in accordance with subclause 8(1)(a)). This clause would ensure that a court in any jurisdiction can give summary judgment in relation to an action brought under this Bill.
446. Summary judgment provides a mechanism for courts to make a final determination on the merits of a dispute without the parties having to go through a full trial. This enables the parties to avoid incurring potentially substantial costs in needless litigation.
447. Subclause 10(2) clarifies that the power to give summary judgment in subclause 10(1) does not limit any powers that a court has apart from clause 10.
Clause 11 - Damages
448. Clause 11 empowers the court to award damages to a plaintiff for invasions of privacy and regulates the exercise of this power.
449. Subclause 11(2) provides that the court must not award aggravated damages. The limit on awarding aggravated damages is appropriate because there is a risk that awarding aggravated damages (which compensate a plaintiff for additional suffering and humiliation caused by the especially outrageous conduct of the defendant) would overlap with the general damages that a court might already award (e.g. under subclauses 11(6)(c) or 11(6)(d)), essentially providing the same damages twice. This problem does not arise for exemplary or punitive damages, which are based on deterrence.
450. Subclause 11(3) provides that the court may award damages for emotional distress. While there is no requirement for harm to be caused to establish the cause of action, this subclause provides redress where an invasion of privacy causes emotional distress.
451. Subclause 11(4) provides that the court may award exemplary or punitive damages in exceptional circumstances. Exemplary damages are intended to punish a defendant and deter similar conduct in the future. In assessing whether they are warranted, the court would consider whether any other damages or remedy awarded are sufficient. Egregious invasions of privacy may justify the award of exemplary damages. Examples include image-based abuse, or where a defendant has attempted to procure financial gain from an intentional invasion of privacy.
452. Subclause 11(5) sets out the maximum sum of damages. Subclause 11(5)(c) sets out the amount of $478,550 as the cap for damages. This is the current cap for damages available under defamation law. Subclause 11(5)(d) ensures that the cap can be adjusted, along with the annual indexation of the cap for damages under defamation law. This maximum amount reflects the maximum damages available for defamation in all jurisdictions, to ensure equal protection to privacy and reputational interests and to discourage plaintiffs from choosing between causes of action based on the availability of higher awards of damages.
453. Subclause 11(6) provides a non-exhaustive list of matters that the court may consider in determining the amount of damages to be awarded. It is intended that this list of matters be interpreted broadly. For example, the terms outlined in subclause 11(6)(e) include embarrassment, harm, distress or humiliation. It is appropriate that the terms are slightly different to those included in subclause 7(6) as consideration of factors that are relevant to damages may be broader (and potentially of a less serious character) than considerations required to establish the cause of action under subclause 7(6).
Clause 12 - Other remedies
454. Clause 12 provides a non-exhaustive list of remedies that a court may grant in addition to, or instead of, damages, including an account of profits, an injunction, an apology order, a correction order, a destruction or delivery up of materials (including copies) order, or a declaration that the defendant has seriously invaded the plaintiff's privacy.
455. The wide range of remedies reflects the range of circumstances in which a serious invasion of privacy might occur, and that a court may seek to provide a range of consequences depending on the facts of the case. This clause ensures that the court is empowered to award remedies that are appropriate in a particular case.
Clause 13 - The effect of apologies on liability
456. Clause 13 clarifies that no admission of fault or liability is to be attached to an apology. An apology may support the early resolution of a dispute. However, there would be a disincentive for a defendant to apologise if doing so could be considered an admission of fault.
457. The term apology is not defined and has its ordinary meaning. This clause ensures that whether there has been a serious invasion of privacy is determined by reference to the elements of the cause of action set out in clause 7 and the applicable defences and exemptions.
458. The note attached to the clause clarifies that a court may take an apology into account in determining the quantum of damages to be awarded. This recognises that the aim of the tort is to provide an avenue of redress for harm done to a person, including to their dignity, and that an apology may assist in redressing a plaintiff's feelings of embarrassment and distress.
Clause 14 - When proceedings must be commenced
459. Clause 14 sets out the limitation periods within which an action for serious invasion of privacy must be commenced, consistent with the ALRC recommendation. These limitation periods are intended to provide certainty to defendants and encourage the timely and proper administration of justice.
460. Subclause 14(1) provides that the plaintiff must commence an action before the earlier of the day that is one year after the day on which the plaintiff became aware of the invasion of privacy and the day that is three years after the invasion of privacy occurred. However, if the plaintiff was under 18 years of age when the invasion of privacy occurred, the action may be commenced before the plaintiff's 21st birthday. This aspect of subclause 14(1) is included because individuals under 18 cannot generally be expected to make the difficult personal and financial decision to commence legal proceedings.
461. Subclauses 14(2), 14(3) and 14(4) provide that this period may be extended to a day not later than 6 years after the day on which the invasion of privacy occurred, if the court is satisfied on application of the plaintiff that it was not reasonable in the circumstances for the plaintiff to have commenced an action in relation to the invasion of privacy within the period specified in subclause 14(1).
Part 3-Exemptions
Clause 15 - Journalists
462. Subclause 15(1) provides an exemption for invasions of privacy by a journalist, the journalist's employer, or certain persons assisting the journalist, where the invasion involves the collection, preparation for publication or publication of journalistic material. It would apply to privacy invasions involving intrusion into seclusion or misuse of information. The exemption recognises the important and beneficial role of journalism to a free and democratic society and that the prospect of litigation could have a chilling effect on public interest reporting.
463. Subclause 15(2) defines a 'journalist' as a person who works in a professional capacity as a journalist and who is subject to standards of professional conduct or a code of practice that applies to that profession.
464. A journalist may be a reporter, editor, producer or other person involved in the collection, preparation for publication or publication of journalistic material - provided the criteria in subclause 15(2) are met.
465. Subclause 15(3) provides a definition of journalistic material. Journalistic material has the character of news, current affairs or a documentary or is material that consists of commentary, opinion or analysis about these kinds of material. There is a public interest in the free flow of information to the public about such matters.
466. Subclause 15(4) clarifies that, for the purposes of the exemption, the court is not required to examine whether the journalist's conduct complies with the standards of professional conduct or code of practice to which they are subject. This is appropriate because the question for the court is an objective assessment of whether a journalist is subject to those standards or codes of conduct (subclause 15(2)). This provision would preserve the ability of the media industry to self-regulate compliance with professional standards.
467. The exemption operates in addition to the requirement that the court balance the public interest in the plaintiff's privacy with other public interests as part of the cause of action. Non-professional journalists, and others who are not covered by the exemption, may nevertheless establish on the facts that their activities engage the public interest in freedom of the media, or freedom of expression.
Clause 16 - Enforcement bodies
468. Clause 16 provides an exemption for law enforcement bodies that aligns with the exception in APP 6.2(e) of the Privacy Act. The definitions of 'law enforcement body' and 'enforcement related activity' mirror the Privacy Act definitions.
469. Conduct is exempt only to the extent that an enforcement body reasonably believes it is reasonably necessary for one or more of the enforcement related activities it is undertaking.
470. This conditional exemption would complement the 'required or authorised by law' defence in subclause 8(1)(a), and is intended to ensure that enforcement bodies are not unduly restricted in carrying out their legitimate functions, which may necessarily be privacy intrusive.
Clause 17 - Intelligence Agencies
471. Clause 17 provides an exemption for intelligence agencies as defined in clause 6. The activities of these agencies are generally overseen by the Inspector-General of Intelligence and Security, and require special arrangements to be made around handling of sensitive information. The exemption encompasses invasions of privacy by an intelligence agency, as well as disclosures of information to and by intelligence agencies.
472. The exemption recognises that intelligence agencies may undertake covert and privacy invasive activities in the public interest and that these activities are subject to a range of other accountability mechanisms.
Clause 18 - Children under 18
473. Clause 18 provides an exemption for defendants who were under the age of 18 when the invasion of privacy occurred. Civil liability under the tort should not apply to children. This position reflects that age is a factor in an individual's understanding of the implications of their conduct.
Part 4-Miscellaneous
Clause 19 - Single publication rule
474. Clause 19 provides for a single publication rule which, together with clause 14, clarifies when action must be commenced.
475. This provision is based on the Model Defamation Provisions, with some adjustments to reflect that not every invasion of privacy is a publication (whereas under defamation law every cause of action involves a publication).
476. The purpose of this rule is to ensure that the limitation period for the commencement of action is effectual. The effect of the clause is that, where information that is substantially the same is published multiple times by the same publisher, or the publisher's associate, the date of the first publication would be taken to be the date of the invasion of privacy.
Clause 20 - Deceased persons
477. Clause 20 provides that the statutory cause of action does not survive the death of the plaintiff or the defendant. This is because a privacy interest is personal to an individual. Similarly, the reasons why a privacy invasion may have occurred are uniquely in the mind of the defendant.
478. To mitigate the financial impact of this provision, subclause 20(2) clarifies that the court retains discretion in relation to costs. For example: if a defendant dies at any stage during the course of proceedings, the proceedings come to an end. However, the court may determine that it is in the interest of justice that the defendant's estate pay all or some of the costs that the plaintiff has incurred in bringing the action. Likewise, if a plaintiff dies before a case has been determined the court may consider it to be in the interest of justice that the plaintiff's estate pay some or all of the costs the defendant has incurred in defending the claim.
Clause 21 - Saving of other laws and remedies
479. This clause provides that the Bill is not meant to exclude or limit the concurrent operation of any law, written or unwritten, of a State or Territory.
Clause 22 - Intervention of Information Commissioner
480. This clause provides that the Information Commissioner may intervene in proceedings under the Bill, or assist the court as amicus curiae, where the court gives leave.
Clause 23 - Jurisdiction
481. This clause provides that jurisdiction is conferred on the FCFCOA (Division 2) and the courts of the Territories in relation to matters arising under this Bill.
482. This clause also provides that jurisdiction is only conferred on the courts of the Territories as far as the Constitution permits, and within the limits of the jurisdiction of the court (other than limits of locality).
483. This clause notes that state courts and the FCA have jurisdiction under subsection 39(2) and paragraph 39B(1A)(c) of the Judiciary Act 1903 (Cth) respectively.
Schedule 3 - Doxxing offences
Item 1 - After section 474.17B of the Criminal Code
Section 474.17C - Using a carriage service to make available etc. personal data of one or more individuals
484. Item 1 inserts a new offence into the Criminal Code. To establish this offence, the prosecution will need to prove beyond reasonable doubt that:
- a. a person used a carriage service to make available, publish or otherwise distribute information;
- b. the information is personal data of one or more individuals; and
- c. the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those individuals.
485. The first element of this offence in paragraph 474.17C(1)(a) requires that a person use a carriage service to make available, publish or otherwise distribute information. Section 5.6 of the Criminal Code will apply the automatic fault element of intention to this element. Under subsection 5.2(1) of the Criminal Code, a person has intention with respect to conduct if he or she means to engage in that conduct.
486. The requirement that a carriage service is used to engage in the conduct provides the relevant connection to the Commonwealth's telecommunications power under the Australian Constitution. As the offence will be inserted into Subdivision C of Division 474 of the Criminal Code, the presumption set out in section 475.1B of the Criminal Code - that conduct is engaged in using a carriage service - will apply. This presumption provides that, where an element of the offence consists of a person using a carriage service to engage in particular conduct, and the prosecution proves beyond reasonable doubt that the person engaged in that conduct, it is presumed, unless the person proves to the contrary, that the person used a carriage service to engage in that conduct.
487. The first element of the offence requires the person to 'make available, publish or otherwise distribute' information. The harm from doxxing arises from the circulation of the material to a number of people, which can result in a range of actual or apprehended harms to the victim. The concepts of 'making available', 'publishing' and 'otherwise distributing' information are intended to capture a wide range of ways in which a person may circulate or cause to be circulated personal data, to ensure that a person cannot avoid liability by circulating or causing to be circulated the personal data in a particular manner.
488. The act of publishing information includes publication to the public at large, or to a section of the public. This could include publishing the information through posts on social media, on a blog, or on a private online forum. This is intended to capture the online exposure of the individual's personal data. It is immaterial to the concept of publishing information whether a person actually viewed the information.
489. The act of making available information is intended to capture instances where a person may post a link online to direct the audience to view the information, or invite persons to contact them directly to receive the information, without directly 'publishing' the information. Criminalising this type of conduct is intended to ensure offenders cannot avoid liability by making the information available to be downloaded, accessed or disclosed on request, rather than publishing the information directly. The act of making available information includes, but does not require, making the information available to the public at large or a section of the public. The act is also intended to include making the information available in a more targeted manner, for example by making the individual's information available to people who may be motivated to act on it, or whom the victim may fear may act on it. It is immaterial to the concept of making available information whether a person actually accessed or downloaded the information.
490. The act of otherwise distributing information is intended to be construed broadly, in line with the ordinary meaning of 'distribute' being to give something out to several people, to spread something, or to supply something. It is intended to cover circumstances where, for example, the person gives the information to, or shares the information with, a recipient or recipients, for example in a chat or via email. This could be done in a single message addressed to multiple recipients, or via an individual message or messages to each recipient. The act of otherwise distributing information includes, but does not require, distributing the information to the public at large or a section of the public (which may also constitute publication). The act is also intended to include distributing information in a more targeted manner, for example by distributing the information to people who may be motivated to act on it, or whom the victim may fear may act on it.
491. The second element of the offence in paragraph 474.17C(1)(b) requires the information to be personal data of one or more individuals. The fault element for the circumstance element is recklessness, consistent with the default fault elements in section 5.6 of the Criminal Code. Section 5.4 of the Criminal Code provides that a person is reckless with respect to a circumstance if he or she is aware of a substantial risk that the circumstance exists or will exist and, having regard to the circumstances known to him or her, it is unjustifiable to take that risk.
492. For the purposes of paragraph 474.17C(1)(b), 'personal data' of an individual is defined in subsection 474.17C(2) to mean information about the individual that enables the individual to be identified, contacted or located. It includes information such as the name of the individual, a photograph or other image of them, their telephone number, email address, online account, residential address, work or business address, place of education or place of worship. The list provides common examples of the type of information used when doxxing occurs. It is not intended to be an exhaustive list and could extend to other forms of information that enables the individual to be identified, contacted or located.
493. This definition recognises that doxxing can occur in a number of different ways. For example, it could reveal specific information about someone that allows them to be contacted or located using a personal phone number or home address, but it could also simply reveal the identity of someone who was previously anonymous (e.g. someone using a pseudonym). The above kinds of information may also be revealed in combination with other information, or in a context that may compound the harms to the victim. This may occur where, for example, a person's contact details or identity are published in combination with sensitive information, for example concerning their sexuality or health information about them, or with information that could damage their credibility or reputation (e.g. revealing their messages to a private group chat).
494. A court will have the discretion when sentencing a person convicted of this offence to consider all the circumstances of the release of personal data and the harm caused to the victim. For example, a court may take into account the amount or detail of personal data that is released, the sensitivity of the information shared alongside the personal data or the accessibility of the personal data.
495. The third element of the offence in paragraph 474.17C(1)(c) requires that the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those individuals. The language 'in a way' requires the trier of fact to consider the circumstances and broader context in which the conduct occurred. This could include, for example:
- a. whether there were other things said as part of that communication or in addition to that communication, including but not limited to whether:
  - i. the person made threats, called for others to take action, or used particularly vitriolic language in the communication, or in associated communications, that in combination a reasonable person would regard, in all the circumstances, as being menacing or harassing;
  - ii. the person also published, made available or otherwise distributed sensitive information about the individual that, in combination with the publication of their personal data, a reasonable person would regard, in all the circumstances, as being menacing or harassing; or
  - iii. the communication occurred as part of a pattern of communications targeting the individual, or occurred in response to a request or as part of a broader discussion about taking action against an individual; or
- b. any broader circumstance or context within which the conduct occurs, which may include, for example, whether there is a history of violence, abuse or harassment, or threats of such behaviours, by the person against the individual.
496. The 'reasonable persons' test means that it is an objective standard and allows community standards and common sense to be imported into a decision on whether the conduct is in fact menacing or harassing towards those individuals. It ensures that conduct is not inappropriately criminalised and recognises that there are a range of contexts in which people publish, make available or otherwise distribute information, including information about other individuals' identity, contact details and movements, that are not menacing or harassing in nature. For example, media reporting, political commentary and public debate on matters of public interest routinely involve journalists and commentators identifying key figures and sharing information about their movements and engagements. Similarly, there may be circumstances where people share the social media account details of other users on public forums in the course of ordinary, everyday engagement and interaction.
497. The terms 'menacing' and 'harassing' imply a serious potential effect on the person who is the target of that conduct. This may be one which causes an apprehension, if not a fear, for their safety, or in the case of 'harassing', may also include causing significant distress or anxiety in an affected person. Both kinds of conduct may prevent or limit persons from engaging in public debate or otherwise freely going about their daily lives. It is not necessary for the prosecution to prove that a third party acted on the sharing of the personal data to meet the offence. A person may still be liable for the offence if they share the personal data of an individual in a way that is menacing or harassing towards the individual even if no one uses that information to subsequently send threatening messages to the affected individual.
498. This element constitutes a circumstance in which the offending conduct must occur. By application of the default fault elements in section 5.6 of the Criminal Code, the fault element of recklessness will apply to a physical element of an offence that is a circumstance. 'Recklessness' as it applies to a circumstance is defined in section 5.4 of the Criminal Code.
499. The Note under subsection 474.17C(1) provides an example of the type of conduct covered by this offence. It provides that publishing the name, image and telephone number of an individual on a website and encouraging others to repeatedly contact the individual with violent or threatening messages is conduct covered by this subsection and this conduct is more commonly referred to as doxxing.
500. Another example of where this new offence could apply is where an offender is vitriolically criticising the position taken by an individual on a topical issue and posts that individual's home address on an online forum or chat group in a way that a reasonable person would consider would make the individual feel threatened or apprehensive about their safety or well-being.
501. The offence at section 474.17C will be punishable by a maximum penalty of 6 years' imprisonment. This has a higher maximum penalty than section 474.17 of the Criminal Code, which makes it an offence to use a carriage service to menace, harass or cause offence. This higher maximum penalty is appropriate to reflect the seriousness of such conduct, and the additional harms that doxxing can cause, including by exposing victims to physical threats, stalking, harassment, identity theft and fraud, humiliation and shaming, and discrimination, as well as psychological harms, the potentially enduring nature of these harms once an individual's personal data has been released, and the significant steps that a victim may need to take to mitigate these harms.
Section 474.17D - Using a carriage service to make available etc. personal data about one or more members of certain groups
502. Section 474.17D inserts a new offence into the Criminal Code. To establish this offence, the prosecution will need to prove beyond reasonable doubt that:
- a. the person used a carriage service to make available, publish or otherwise distribute information;
- b. the information is personal data about one or more members of a group;
- c. the person engages in the conduct in whole or in part because of the person's belief that the targeted group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin; and
- d. the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those members.
503. Section 474.17D has many of the same elements as the offence at section 474.17C. The distinguishing factors are that:
- a. the offence applies to the making available, publishing or distribution of information that is personal data about one or more members of a group; and
- b. the offence requires that the person engages in the conduct in whole or in part because of their belief that the targeted group is distinguished by one or more protected attributes.
504. The first element of this offence in paragraph 474.17D(1)(a) requires that a person use a carriage service to make available, publish or otherwise distribute information. Section 5.6 of the Criminal Code will apply the automatic fault element of intention to this element.
505. The second element of the offence in paragraph 474.17D(1)(b) requires the information to be personal data about one or more members of a group. The definition 'personal data' is set out in subsection 474.17D(2), and mirrors the definition in subsection 474.17C(2). The fault element for this circumstance element is recklessness, consistent with the default fault elements in section 5.6 of the Criminal Code.
506. The third element of the offence in paragraph 474.17D(1)(c) establishes another circumstance element of the offence. It requires that the person engaged in the conduct in whole or in part because of their belief that the group is distinguished by one or more protected attributes, such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin. The requirement that the person must believe the targeted group is distinguished by a protected attribute is important because it draws a distinct connection between engaging in the conduct and the motive behind it.
507. The language 'in whole or in part because of the person's belief' requires that the conduct was motivated at least in part by the person's belief that the targeted individuals are members of a group distinguished by one or more protected attributes. That motivation does not need to be the sole reason or dominant factor for engaging in the conduct. It will often be the case that a person will have multiple motivations when engaging in the conduct, some of which may be closely connected to the person's belief that the group is distinguished by one or more protected attributes. These may include, for example:
- a. a desire to improve their own reputation or standing amongst like-minded individuals;
- b. personal animosity towards particular individuals within the group; or
- c. a belief that the specific group, or people who share that protected attribute more broadly, have engaged in conduct that 'deserves' a response.
508. The existence of additional motivations in no way diminishes the particular harms that may be caused by doxxing members of a group, based on a belief that the group is distinguished by one or more protected attributes. In some cases, those additional motivations may in fact go directly to the person's culpability for their conduct.
509. The word belief is not defined and would take its ordinary meaning, being a subjective conviction of the truth or reality of the thing. The person's belief that the targeted person is a member of a group distinguished by protected attributes could be demonstrated in a number of ways, having regard to the circumstances of the offence. It could include consideration of language the offender used that relates to the group or individual, or whether the conduct forms part of a pattern of conduct that targets the group or its members.
510. The new subsection 474.17D(3) provides that, for the purposes of paragraph 474.17D(1)(c), it is immaterial whether the group is actually distinguished by the attributes listed in paragraph 474.17D(1)(c). This is consistent with the ordinary meaning of 'belief', as outlined above. The relevant factor here is that the person sharing the personal data believed the targeted group was distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin. There is no requirement that the person or persons actually have or share that protected attribute. It will be sufficient that they are members of any group, including a group the offender has themselves 'grouped' them into, and that the offender engaged in the conduct because of their belief that the group was distinguished by these attributes. This recognises that discrimination against persons on the basis of protected attributes is particularly serious in nature. It can also encourage or incite other persons who share discriminatory views in relation to the protected group to engage in similar menacing or harassing conduct towards the victims and, in particularly serious cases, may be intended to cause that result. Moreover, the act of doxxing members of a group because of a belief they are distinguished by a protected attribute (regardless of whether this is true) is likely to result in trauma or fear for other people who do, in fact, share that attribute.
511. The fourth and final element in paragraph 474.17D(1)(d) requires that the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those members. By application of the default fault elements in section 5.6 of the Criminal Code, the fault element of recklessness will apply to a physical element of an offence that is a circumstance. 'Recklessness' as it applies to a circumstance is defined in section 5.4 of the Criminal Code.
512. The Note under subsection 474.17D(1) provides an example of the type of conduct covered by this second offence. It provides that publishing the names, images and residential addresses of members of a private online religious discussion group across multiple websites and encouraging others to attend those addresses and block entryways or otherwise harass the members of the group is conduct covered by the offence and this conduct is more commonly referred to as doxxing.
513. Another example of where this new offence could apply is where a person posts the name, image and LGBTIQ+ status of a person on an anti-LGBTIQ+ website or platform with hate speech rhetoric.
514. The offence at section 474.17D will be punishable by a maximum penalty of 7 years' imprisonment. This higher maximum penalty is appropriate to reflect the seriousness of such conduct. The malicious release of personal data exposes victims to physical threats, stalking, harassment, humiliation and shaming, discrimination and many other serious harms. Doxxing persons because of a belief that they are part of a group that shares one or more protected attributes is particularly serious in nature. It is particularly likely to instil fear or anxiety in victims where there is a history of, or ongoing, persecution, prejudice or discrimination against people with that attribute, and may re-traumatise people who have themselves been victims of such conduct. It can encourage or incite other persons who share discriminatory views in relation to the protected group to engage in similar menacing or harassing conduct towards the victims and, in particularly serious cases, may be intended to cause that result. Moreover, the act of doxxing members of a group because of a belief they are distinguished by a protected attribute is likely to result in trauma or fear for other people who share that attribute.
515. Victims may be required to incur significant costs, or go to significant lengths, to mitigate the risks of harm arising from the release of their personal data, such as temporarily or permanently moving from an address that has been released, ceasing to use a phone number or account that has been disclosed, or engaging protective security. The serious nature of the offending conduct is matched by commensurate punishment.