
First phase of privacy law reform passes – what’s next?

04 December 2024

4 min read

#Data & Privacy


The Privacy and Other Legislation Amendment Bill (Bill), introduced in September, was passed by both Houses of Parliament on 29 November 2024. This marks the beginning of the first tranche of reforms to the Privacy Act 1988 (Privacy Act), following the government’s response in 2023 to the proposals arising from the Privacy Act Review.

Once the Bill receives Royal Assent, 23 of the first 25 ‘agreed’ proposals will be implemented. For businesses, the most important changes include:

  • the introduction of a statutory tort for serious invasions of privacy to give individuals the right to seek compensation, with non-economic damages capped at $478,550
  • new powers for the Office of the Australian Information Commissioner (OAIC) to issue infringement notices for privacy breaches (bypassing the courts) and to conduct public inquiries that call out corporate behaviour which, while not unlawful, warrants public attention
  • new requirement for businesses to include information about automated decisions that significantly affect an individual’s rights or interests in their privacy policies
  • the inclusion of technical and organisational measures as “reasonable steps” to protect personal information. In the event of a privacy breach, these measures will be assessed to determine whether they were reasonable under the circumstances.

Our article, Privacy and Other Legislation Amendment Bill marks the beginning of major privacy reform, explains these changes in more detail.

Although the new statutory tort for serious invasions of privacy and the requirement to include automated decisions in privacy policies will not come into effect until six to 24 months after Royal Assent, businesses should use the intervening period to consider what steps they can take to reduce the risk of the new laws having an adverse effect on them. At a minimum, this might mean:

  • revisiting your data collection practices – can you minimise the data you collect?
  • uplifting your privacy policy – is the policy clear and is it meaningful in describing how you use and disclose the data you collect?
  • testing the procedures that underpin your overall privacy risk.

What can businesses expect to see in the privacy and adjacent data and cyber space in 2025?

As consumer sentiment for greater privacy protection continues to grow, privacy has become an important focus in the digital economy. At the same time, businesses are facing greater accountability in managing personal data, prompting the government to take significant steps toward modernising Australia’s privacy laws.

In the week before the Bill was passed, the Privacy Commissioner issued a determination on Bunnings’ use of facial recognition technology in 62 of its stores, and provided guidance to businesses to use the technology only in proportionate ways. The Commissioner also issued a determination against web scraping company Property Lovers Pty Ltd for collecting information in breach of the Australian Privacy Principles and in a way that was not “fair”.

Both these decisions show that businesses can no longer afford to be complacent about practices which might not pass the ‘pub test’. With the OAIC’s new enforcement powers, businesses can expect more regulatory action, clearer guidance on what good and bad privacy practices look like, and fines issued directly by the Commissioner.

In 2025, we may see at least some of the remaining 58 proposals make their way onto the legislative agenda. If the “fair and reasonable test” for the collection and use of personal information is introduced, along with an expanded definition of personal information, the risks for businesses that fail to take privacy seriously are likely to escalate significantly.

Adding to these challenges, the recently passed cyber security package also introduced new reporting requirements for organisations, especially those managing data systems related to critical infrastructure.

Meanwhile, the use of data and AI is being subject to an increasing range of regulations, with further expansion expected in the coming year. The government’s Voluntary AI Safety Standard provides practical guidance for all Australian organisations, while the OAIC has released guidelines for using AI compliantly with the Privacy Act.

Overall, boards and executive teams are becoming attuned to the risks and opportunities associated with data within their organisations and seeking to minimise risks while maximising potential commercial benefits, especially through the use of AI.

This is an ongoing governance journey and is an area where we can provide guidance based on our experience in the field. If you have any questions about the changes or need assistance with reviewing your privacy risk strategies, please get in touch with our Data & Privacy team below.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
