
Privacy Reform Underway in Australia With Introduction of New OAIC Bill

The long process of overhauling Australia’s Privacy Act 1988 has hit a significant landmark with the introduction of a bill that increases the powers and responsibilities of the Australian Information Commissioner (OAIC). This is the first of a planned set of privacy reforms to update the country’s primary piece of legislation protecting the handling of personal information.

The Privacy Act 1988’s review process began in 2020, with the government releasing a response to the review in late 2023 that indicated it had agreed at least in principle to the vast majority of its 116 proposals and that the now-dated regulation was in need of some priority amendments. Attorney General Mark Dreyfus announced the current set of privacy reforms in early May of this year in response to a request from the Prime Minister.

Australia rolling out substantial privacy reforms after serious data breaches

The first tranche of privacy reforms introduced to Parliament provides the OAIC with new penalties for data violators and a new privacy code for children, along with the addition of a new statutory tort for serious invasions of privacy.

The OAIC’s enforcement toolkit would be bolstered with several new penalties including a mid-tier civil fine for interferences with privacy and a low-level civil penalty provision for specific administrative breaches. The Australian Privacy Commissioner commented that these new penalties provide OAIC with more discretion and flexibility in how penalties are weighted to the perceived severity of the action, allowing primarily for more proportionate fines.

Protection of underage internet users would also be greatly enhanced with the creation of the Children’s Online Privacy Code. The terms would cover all those in the country under 18 years of age and would apply to social media platforms and other electronic or internet services likely to be accessed by children. The specific rules have not yet been drafted; OAIC would be given three years and a budget boost of $3 million AU to do so.

Finally, the new statutory tort addresses a gap in the law for intentional crimes that involve serious breaches of personal information (such as doxxing). This would allow for civil redress outside of the terms of the Act, empowering victims to bring suits on their own; doxxing specifically could also land offenders in prison for up to seven years. As the privacy reform announcement notes, the prior rules never anticipated so much damaging personal information being readily available to so many people.

A string of major data breaches in Australia, now dating back at least two years, seems to have finally prompted real action on privacy reform. This string began with the Optus breach of 2022, which ended up compromising millions of records, and has continued with similarly concerning breaches of Telstra and Shell (among others) within the last six months. While privacy action is broadly welcomed, some critics contend that the plan has yet to address all of the country’s known deficiencies.

Does Australia’s privacy reform campaign go far enough?

Critics point out that though the government has committed to multiple tranches of privacy reform actions, it has not yet laid out a specific timeline for them. The government also appears to be addressing only certain groups in fits and starts, rather than proposing a broad overhaul that would put new universal privacy protections in place.

It is true that some of those groups represent priority items, chiefly the underage internet users addressed by the government’s first tranche. A number of disturbing stories have come out in recent months, including spying in classrooms and the creation of explicit deepfakes, and this has obviously spurred more immediate action by OAIC. But most of Australia’s adults will have to wait for some time to see what new data privacy protections they will enjoy, with debate over many of the government’s previously approved proposals likely postponed until the upcoming elections are settled next year. The current bill also needs to pass parliamentary review, which is likewise not likely to be taken up until 2025.

One of the points that critics want to see addressed is the company size and record count cutoff, which at the moment excludes the vast majority of Australia’s small businesses from the privacy reform terms. Companies with an annual revenue of less than $3 million AU, which is about 95% of those operating across the country, are exempt from the new rules. Companies are also still governed by rather loose “implied consent” rules, allowing agreement with a privacy policy or “continued use of the service” to potentially serve as a legal defense. Some of these, such as removal of the small business exemption, were among the proposals the government agreed to in principle but have gone back up for debate after pushback from trade groups.

There was some prior movement on privacy reform in the wake of the Optus breach in 2022, but that consisted mostly of the government increasing potential penalties under the old terms rather than true privacy reform. OAIC has not been particularly active since, failing to come anywhere near issuing a maximum penalty since the limits were increased, but it is quite possible it has been waiting for the more granular terms introduced by this bill to take more action. As to what might develop with the second tranche of proposals, that too will likely have to wait until 2025.