On 12 September 2024 the Privacy and Other Legislation Amendment Bill 2024 (Bill) was introduced into parliament. The Bill constitutes the first tranche of the proposed privacy reforms we have previously considered. If enacted, the reforms will have an immediate impact on the content of privacy policies and on business practices. There will be significant consequences for those entities that continue to ignore what is an increasingly regulated area of law.

Privacy Policies, Procedures, and Enforcement

Currently the Information Commissioner can commence proceedings for ‘serious or repeated’ breaches of privacy. It is proposed that the Privacy Act will be amended to remove the word ‘repeated’, meaning one-off breaches will be sufficient to trigger proceedings. This means the regulator will have greater scope to commence proceedings for breaches of the Privacy Act and the Australian Privacy Principles (APPs). Indeed, the regulator has recently made several public announcements foreshadowing an appetite to commence more proceedings in future.

It is proposed that the Information Commissioner be given new civil penalty powers covering interferences with privacy, including the ability to issue infringement notices, in line with the enforcement powers already possessed by other regulators such as the ACCC and ASIC.

For example, it is proposed that the regulator will be able to issue infringement notices for breaches of the following APPs:

  • 1.3: requirement to have a privacy policy
  • 1.4: contents of a privacy policy
  • 2.1: not facilitating an individual’s choice not to identify themselves in dealing with entities
  • 6.5: not providing written notice of certain uses or disclosures
  • 7.2(c) or 7.3(c): not providing a simple means for individuals to opt out of direct marketing communications
  • 7.3(d): not drawing attention to the ability to opt out of direct marketing communications
  • 7.7(a): not giving effect to opt-out of direct marketing requests within a reasonable period
  • 7.7(b): not providing notification of the source of direct marketing information
  • 13.5: not dealing with correction requests appropriately

In addition to the proposed expansion of civil penalty powers, including infringement notices, a previous tranche of privacy reforms amended the penalty regime, under which privacy breaches can attract a penalty of the greatest of:

  • $50 million, or
  • Three times the value of any benefit obtained through the misuse of information, or
  • 30% of the breaching entity’s annual adjusted turnover during the breach period

Action: It is vital that entities take action to review and update their privacy policies and review their personal information handling processes to ensure that they comply with the Privacy Act and the APPs. Specific attention is drawn to the APPs listed above, including APP1.4 (contents of the privacy policy). The regulator may be inclined to issue an infringement notice for a breach of the Privacy Act or the APPs, or may otherwise be predisposed to commencing proceedings seeking significant penalties.


Privacy Policies and Automated Decision Making

The Bill also proposes that privacy policies are to set out the types of personal information that will be used in ‘substantially automated’ decisions. In effect, this applies where:

  • The entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision; and
  • The decision could reasonably be expected to significantly affect the rights or interests of an individual; and
  • Personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.

The above principles also apply to any refusal or failure to make a decision.

For those entities that handle personal information about individuals in the UK or the EU, it should be noted that the use of ‘substantially automated’ differs from the GDPR’s ‘decisions based solely on automated processing’.

Accordingly, privacy policies will need to specify the following:

  • The kinds of personal information used in the operation of such computer programs
  • The kinds of such decisions made solely by the operation of such computer programs
  • The kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs

Of particular concern are decisions involving the denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water. Given the increasing use of algorithms and artificial intelligence in decision-making processes, privacy policies will need to be amended to incorporate the relevant information.

Action: It will be incumbent on entities to identify which aspects of their operations are ‘substantially automated’ processes involving personal information, and to communicate the kinds of personal information used and the kinds of such decisions made in their privacy policies. For larger entities operating in particular industries, this may be a difficult and time-consuming task. Noting that the regulator may take action or issue an infringement notice over the content of privacy policies, this will extend to privacy policies that do not adequately detail automated decision making.

Conclusion

The Bill proposes several reforms. From a practical perspective, the reforms relating to enforcement, as well as those relating to automated decision making, will have significant and immediate implications for entities.

Entities must invest more in privacy and have a greater understanding of the implications of internal processes, procedures, and decisions on individuals. That understanding will better inform what amendments will be required to each entity’s privacy policy.

Entities will be incentivised to pay considered attention to their privacy policy, as a failure to do so may attract the attention of a better funded and more assertive regulator with an increased number of enforcement options at its disposal.

Should you wish to discuss the Bill, privacy rights and obligations, please do not hesitate to contact the author, Bill Fragos, Special Counsel or your usual contact at Moray & Agnew. We also deliver presentations and training to our clients on privacy laws, data breaches and the implications of privacy law reforms.