Long-awaited Privacy Act reforms will criminalise ‘doxxing’, strengthen protection of children online, and streamline information sharing – but as experts pore over the details of the major policy overhaul, some are warning of significant deficiencies that make Australia look “outdated”.

Introduced after an extended review process that culminated in the government’s response to the recommendations in the summative Privacy Act Review Report, Attorney-General Mark Dreyfus said the new Privacy and Other Legislation Amendments (POLA) Bill 2024 “represents a significant step forward in the Government’s commitment to bring the Privacy Act into the digital age.”

A key goal of the original Privacy Act 1988 was to contain the increasing risk posed by 1980s-era information processing, Dreyfus noted in his second reading speech – but 36 years later, he said, “the Privacy Act has not kept pace with the adoption of digital technologies.”

“The vast data flows that underpin digital ecosystems have also created the conditions for significant harms” such as through recent major data breaches, Dreyfus said, arguing that “we must be vigilant in ensuring that evolving technology does not erode our ability to protect information about who we are, what we do, and what we believe from being misused.”

POLA implements 23 of the 25 legislative proposals agreed to in the government’s response – including $3 million over three years to develop a Children’s Online Privacy Code (COPC) that Dreyfus said would force online services to comply with privacy obligations that will “better protect children from a range of online harms”.

Robodebt lessons learned

Individuals will get “greater transparency” about the use of their personal information in “automated decisions that affect them” – a nod to the impact of the Robodebt debacle and the growing use of AI for automated data processing in an age where it is also empowering social media aggressions, cyber crime, disinformation, and identity politics.

Recognising that contemporary technologies often threaten personal privacy, a new tort will punish physical or information privacy breaches caused by what Dreyfus called “an intrusion upon the individual’s seclusion… or by misuse of their information, in circumstances where the individual had a reasonable expectation of privacy.”

Journalists, law enforcement agencies, and intelligence agencies are exempt from the new rules – confirming the government position, stated in POLA’s explanatory memorandum, that “the protection of the privacy of individuals must be balanced with the interests of entities in carrying out their functions or activities.”

That extends to companies moving private data overseas, with POLA enabling the designation of countries with “substantially similar data privacy laws to Australia” – so businesses can enter into overseas contracts with “greater confidence” – and new ‘eligible data breach declarations’ allowing rapid sharing of private information after notifiable data breaches or natural disasters.

POLA will also criminalise and provide up to six years’ imprisonment for doxxing – defined by Dreyfus as “the release of personal data in a manner that is menacing or harassing” and subject to a ‘reasonable person’ test – and up to seven years’ imprisonment where a person or group is targeted because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin.

“Doxxing can occur in a number of different ways,” Dreyfus said, noting that in the context of the new legislation ‘personal data’ “means information about an individual that enables them to be identified, contacted, or located” including their name, photograph, telephone number, email address, online account, residential or work address, and place of education or worship.

New laws a “modest” start

The new legislation comes at a time when mass privacy breaches are catching Australian businesses unawares and consumers increasingly distrust institutions they feel are ignoring their privacy – with data-hungry companies Facebook, Meta, X, and TikTok now among Australia’s ten least trusted brands and a recent Reset Australia survey finding 73 per cent of respondents feel their data is “insecure and exposed.”

The Office of the Australian Information Commissioner’s Australian Community Attitudes to Privacy Survey 2023 found that 85 per cent of Australians want more control and choice over how their information is used and collected – but 58 per cent don’t understand how their data is used, and 57 per cent care about data privacy but don’t know what to do about it.

Many privacy advocates aren’t convinced that POLA will fix these problems: MinterEllison partners Paul Kallenbach and Sonja Read, for example, called the proposed legislation a “modest response to the substantial overhaul proposed in the report” and warned that “some of the reforms will have little real effect on privacy protection.”

“It remains to be seen,” they warned, “whether there will be any material impact on strengthening and enforcing privacy provisions in Australia.”