The Privacy and Other Legislation Amendment Bill 2024

Hemanth Vejandla
January 17, 2025

The Privacy Act, 1998, was established to create a framework for protecting personal information and has undergone numerous amendments over the years. Even so, it has become outdated in addressing modern technological advancements, cyber risks, and the growing collection and use of personal data. The Act hasn't seen a significant overhaul since 2012 and is struggling to keep pace with Europe's General Data Protection Regulation (GDPR), which has become a global benchmark and has influenced data protection laws in Asia Pacific countries.

The Privacy and Other Legislation Amendment Act 2024 was passed by the Parliament of Australia on 29th November 2024 and is now awaiting Royal Assent. While it does not address all the complex issues at hand, it brings Australia’s threat landscape one step closer to the long-awaited updates, representing a significant step forward in advancing privacy protections for both Australian businesses and individuals. New measures, including the introduction of a statutory tort for serious invasion of privacy and the expansion of the Office of the Australian Information Commissioner’s (OAIC) investigation and enforcement powers, come at a critical time as privacy concerns escalate, with increasing demand for Australians to have greater control over their personal information. With these reforms representing an important first step, it’s vital for businesses to prepare and adapt their data security measures to align with the updated legislation.

Who is Affected and What's at Stake?

The first Bill contains significant measures, including but not limited to the introduction of a statutory tort for serious invasion of privacy, the expansion of the Office of the Australian Information Commissioner's (OAIC) investigation and enforcement powers, and a mandate to develop a Children's Online Privacy Code. The Bill will also amend the Criminal Code Act 1995, introducing new offences for the menacing or harassing release of personal data. As such, it will impact businesses, government agencies and regulators, advocacy groups and the general public.

The Bill introduces specific compliance obligations for businesses, with greater investigative and enforcement powers providing a strong incentive to ensure compliance once the reforms become law, while ensuring individuals gain more control over their information. In addition, the deliberate release of personal information to harass or intimidate (doxxing) will be criminalised. While most businesses are expected to have these protections in place at a minimum level, the legal compliance requirements of these provisions moving forward represent a significant liability risk for businesses that mishandle personal data and underscore the need for robust privacy protections, with clear policies and a prompt response to data breaches.

Key Data Security Updates to Ensure Compliance

The Bill highlights the critical need for businesses to start adopting the new measures and enhance data security practices. Failure to meet the new standards may result in significant liability and reputational damage. With this in mind, key data security updates businesses may need to consider include:

  • Mandatory Breach Reporting - businesses must promptly notify regulators and affected individuals of data breaches, ensuring transparency and accountability.
  • Expanded Scope - small businesses and previously exempt entities should check the broadening compliance requirements to see if they may now be subject to privacy regulations.
  • Data Transfers - stricter rules for cross-border data flows require businesses to meet higher standards when transferring personal information overseas.
  • Right to Erasure - individuals will have the right to request deletion of their personal data, requiring robust data management systems.
  • Children's Online Privacy Code - digital services targeting children must implement age-appropriate protections.
  • Strengthened APP 11 Compliance - businesses must adopt advanced safeguards, such as encryption and access controls, to secure personal information against unauthorised use.

While these measures are necessary at a minimum level to ensure compliance and avoid severe penalties, they also represent an opportunity for businesses to champion privacy and data protection and build trust and transparency with their key stakeholders.

Next Steps for Your Business

With the Privacy and Other Legislation Amendment Bill, Australian businesses face a critical review of their current security postures. This represents an important step in addressing systemic vulnerabilities, promoting public trust, and reducing the impact of cyberattacks. As such, it's vital that your business understands the changes and how they affect your operations. By seeking professional advice on how to take proactive steps to update your strategies and align with the new legislation, you can protect your business, safeguard customer data, and preserve your reputation.

If you'd like to learn more about how to adapt to the new regulations and ensure your business remains compliant once the Bill is passed, reach out to our Governance, Risk and Compliance (GRC) experts at Infotrust today.