Australia’s data privacy landscape is witnessing radical advancements and the introduction of reforms that set a precedent for others. Most recently, on 12 September 2024, the Australian Government introduced the first set of reforms to the Privacy Act 1988 through the Privacy and Other Legislation Amendment Bill 2024. Most of the Amendments introduced by the Act took effect on 10 December 2024.
However, two key provisions are subject to delayed implementation. The statutory tort for serious invasions of privacy will commence either on a date to be proclaimed or by 10 June 2025, whichever comes first. Meanwhile, provisions addressing automated decision-making include a two-year grace period, effective 10 December 2026.
The Amendments signify a substantial advancement in Australia's privacy landscape. It aims to update the Privacy Act 1988 and enhance individual rights. This comprehensive analysis reviews the Amendments to the Privacy Act 1988.
The Amendments introduce a range of measures to enhance privacy protections and address the challenges of today’s data-driven digital technologies. These include:
1. Introduction of a Privacy Invasion Tort
The amendment introduces a statutory tort for privacy violations. If an individual’s privacy has been breached, they have the right to sue entities and pursue financial compensation. This amendment empowers Australians with bold privacy rights. Simultaneously, it keeps a right robe around organizations that misuse personal data, holding them accountable and discouraging unlawful activity.
Compliance Recommendation
Organizations must swiftly discover the potential risks to the personal information they process on-premise, hybrid, and cloud platforms to secure personal information. Additionally, organizations must implement robust data protection measures to avoid noncompliance penalties.
2. The Children’s Online Privacy Code (COPC)
The Amendment identifies the crucial need for safeguarding children’s online privacy and requires the development of a Children's Online Privacy Code (COPC).
The COPC will provide specific recommendations to secure the protection of minors for APP businesses that collect and handle child data. The Office of the Australian Information Commissioner (OAIC) is responsible for creating a COPC and specifying how applicable Australian Privacy Principles (APPs) should be applied.
Compliance Recommendation
Organizations must establish policies and measures to minimize risks to children's personal information. These practices can include conducting regular assessments, engaging in data mapping, categorizing and managing retention obligations, and securely de-identifying or deleting data that is no longer required or necessary for the intended collected purposes. As a best practice and regulatory requirement, organizations must also obtain valid consent when processing children's personal information and update their privacy policies to reflect the same.
3. Enhanced Transparency for Automated Decision-Making
The Amendments introduce new requirements for APP entities to include specific information in their privacy policies regarding automated decision-making. Organizations that utilize algorithms for individual-impacting choices (such as credit approvals, insurance assessments, or personalized marketing) must now clearly explain the processes involved in these determinations in their privacy policy. If a computer program makes or significantly contributes to decisions that affect an individual’s rights or interests and involves personal information, the policy must detail the types of personal information used, the types of decisions made solely by such programs, and decisions significantly influenced by these programs. This Amendment applies to all relevant decisions made after its commencement, regardless of when the arrangement, data use, or data acquisition occurred.
Compliance Recommendation
Organizations must update their privacy notices to disclose information when using automated decision-making that impacts individuals' rights or interests.
4. Data Sharing in Emergencies and Eligible Data Breaches
The Amendments establish procedures for data sharing that enable the secure and authorized transmission of information to safeguard public safety during emergencies like natural disasters or health crises.
Additionally, companies must notify the Office of the Australian Information Commissioner (OAIC) and the impacted parties as soon as possible in case of an eligible data breach. This step enhances the existing Notifiable Data Breaches (NDB) scheme, ensuring that individuals are informed and can take protective measures promptly.
Compliance Recommendation
Organizations should implement a system to classify personal information by sensitivity and risk, enabling quick identification of data for sharing during emergencies or eligible data breaches.
5. Expansion of OAIC’s Authority
The Amendments significantly expand the OAIC's powers to enforce the new requirements effectively. The OAIC now has enhanced authority to investigate privacy breaches, impose penalties, and issue compliance orders.
Compliance Recommendation
Organizations must review and test their data breach response plans to ensure effectiveness and avoid new penalties.
6. Adequacy Requirement for Cross-Border Data Flow
The Amendments place more stringent limitations on transferring personal information outside Australia. Organizations must demonstrate that the recipient country has adequate privacy protections on par with Australia's Privacy Principles. This aims to protect Australians' personal information beyond the country’s borders.
Compliance Recommendation
Organizations must assess the legal frameworks of recipient countries to ensure alignment with the APPs. They should establish data transfer agreements specifying privacy obligations and regularly review and update them to reflect legislative changes.
Best Practices for Organizational Compliance
With increasing reforms and Australia’s evolving data privacy landscape, organizations must stay abreast of the evolving regulatory requirements and proactively update their policies and practices to demonstrate compliance. Key steps include:
- Realign internal practices and update privacy policies and notices to align with the new reforms/regulatory requirements, especially concerning transparency in automated decision-making and data handling for children.
- Implement robust data security measures and ensure personal information is safeguarded with the most advanced security algorithms to drastically minimize the chances of falling victim to data breaches and prevent privacy violations.
- Regularly conduct privacy impact assessments and risk assessments for high-risk activities and implement a system to classify personal data by sensitivity and risk.
- Regularly review and test data breach response plans to ensure they are effective and compliant with updated regulations.
- Implement explicit consent mechanisms, especially for processing children's data. Ensure explicit consent is obtained prior to processing children’s personal information.
- Establish protocols for securely sharing data cross-borders during emergencies.
How Securiti Can Help
Navigating these new privacy requirements can be complex. Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with the Privacy and Other Legislation Amendment Bill 2024.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.
