Australian Privacy Reform 2024 – What you need to know

Recall that in September 2022, the Optus data breach saw a hacker obtain the details of up to 10 million customers. Following right on its heels, in October 2022 the Medibank data breach compromised the sensitive health information of nearly 10 million Australians. On top of these high-profile data breaches there have been many more, placing Australia 7th in the world for data breaches in 2023.

In recognition of the increasing risk and frequency of data breaches in recent years and following extensive consultation, the Australian Government has released its response to the Attorney-General’s Privacy Act Review Report and at the same time announced that it is committed to introducing legislative amendments to strengthen privacy laws in 2024.

The Response indicates that, of the 116 proposals from the Attorney-General’s Department to amend the Privacy Act 1988 (Act), the Government has now agreed to 38 and agreed in principle to 68. We highlight some of the most noteworthy proposals below.

Key reforms among the 38 the Government has already agreed to include:

  1. Mandating that privacy policies set out the types of personal information that will be used in substantially automated decisions which have a legal or similarly significant effect on an individual’s rights;
  2. Creation of a new mid-tier civil penalty provision to cover interferences with privacy which do not meet the threshold of being ‘serious’, and a new low-level civil penalty provision for specific administrative breaches of the Act and the Australian Privacy Principles;
  3. Broadening the definition of a ‘serious’ interference with privacy to include those involving sensitive information, impact on people experiencing vulnerability, serious failures to take proper steps to protect personal data, repeated breaches and others;
  4. Requiring entities to identify, mitigate and redress actual or foreseeable loss suffered by an individual; and
  5. Development of a Children’s Online Privacy code which applies to online services likely to be accessed by children under the age of 18.

Key reforms among the 68 the Government has agreed to in principle, subject to further engagement with entities and a comprehensive impact analysis, include:

  1. Removal of the small business exemption that presently exempts businesses with an annual turnover of $3 million or less from the Act;
  2. Expanding the definition of personal information protected by the Act to include technical and inferred information such as IP addresses, device identifiers and biometric data;
  3. Creation of new individual rights (albeit subject to exceptions), including to challenge the information handling practices of an entity and require an entity to delete or de-identify personal information through a right to erasure;
  4. Requiring collection, use and disclosure of personal information to be fair and reasonable in the circumstances, irrespective of whether consent has been obtained;
  5. Requiring that consent be voluntary, informed, current, specific and unambiguous, and expressly recognising the ability of individuals to withdraw consent as easily as they gave it;
  6. Requiring entities to put in place measures to improve organisational accountability, including recording the purposes for which personal information is collected, used or disclosed, and appointing or designating a senior employee as being responsible for privacy within the organisation;
  7. Introduction of a direct right of action to permit individuals to apply to the courts for relief in relation to breaches of the Act, and a statutory tort for serious invasions of privacy.

With the Government looking to introduce legislative changes this year, businesses and organisations should start preparing for the upcoming reforms, beginning with an assessment of the personal information your entity collects (including identifying the source of the information and the purposes of its collection), followed by a review of your entity’s data collection practices and security measures.

If you would like to discuss cybersecurity risks or the incoming changes to the Privacy Act, please do not hesitate to contact Cheryl Sun at (08) 9221 0033 or