The Privacy and Other Legislation Amendment Act 2024 (Cth) (the Act) is now in effect, following the Privacy and Other Legislation Amendment Bill 2024 being passed by Parliament on 29 November 2024 and receiving Royal Assent on 10 December 2024.
The Act represents the first tranche of reforms to the Privacy Act 1988 (Cth) and introduces key updates strengthening privacy and personal information protections. These include:
- the introduction of a statutory tort to provide redress for serious invasions of privacy;
- a range of new civil penalties;
- transparency requirements for automated decision-making processes;
- increasing the Information Commissioner’s powers of investigation and enforcement;
- permitting disclosures in emergency situations or following data breaches;
- requiring the development of a Children’s Online Privacy Code;
- providing a “whitelist” to allow overseas disclosures of personal information; and
- creating a new criminal offence for doxxing.
The statutory tort of serious invasion of privacy represents a new right under Australian common law and importantly is actionable without proof of damage. The cause of action will be established if:
- the defendant invaded the plaintiff’s privacy by intruding upon the plaintiff’s seclusion and/or misusing information that relates to the plaintiff;
- the plaintiff had a reasonable expectation of privacy in all the circumstances;
- the invasion of privacy was intentional or reckless;
- the invasion of privacy was serious; and
- the public interest in the plaintiff’s privacy outweighs any countervailing public interest.
Defences include where the invasion of privacy was permitted by law, where the individual consented, or where it was believed to be necessary to prevent a threat to the health, life or safety of a person. There are also exemptions available for journalists, government agencies, law enforcement bodies and intelligence agencies.
The new availability of an action for breach of privacy without requirement for proof of damage opens up the risk of class actions for organisations, particularly in circumstances where a significant (and public) data breach has occurred.
Causes of action under the statutory tort include the misuse of personal information where the invasion of privacy was intentional or reckless. Potentially, this could include where there are Privacy Act breaches, such as when personal data has been collected by organisations without proper consent or where there has been a failure to delete personal information when it is no longer required for a legitimate purpose.
In circumstances where there has been an eligible data breach and knowledge of that breach is publicly available (as with the recent Optus breach), the privacy and security practices of an organisation, including compliance with the Privacy Act, will inevitably be subject to scrutiny and assessment of adequacy. In those circumstances, there is the potential for a cause of action for misuse of information that was “intentional or reckless” to arise under the statutory tort and the potential for a class action to follow.
This commentary is published for general information purposes only. It should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision.