
Concerns for business under the Privacy and Other Legislation Amendment Act 2024

John Bennett

The Australian Government’s ‘landmark legislation to strengthen privacy protections for all Australians’ received the Royal Assent on 10 December 2024. Many amendments to the Privacy Act 1988 (Privacy Act) made by the Privacy and Other Legislation Amendment Act 2024 (Amendment Act) have already commenced. However, the Amendment Act’s most significant introduction, a new statutory tort for serious invasions of privacy, will commence by 10 June 2025. The Amendment Act has various ‘sticks’ for businesses, with the statutory tort in particular attracting criticism.

Background to the Amendment Act

The Privacy Act is the main Australian legislation imposing obligations on Government agencies, larger businesses and other larger private organisations to protect the personal information they collect from individuals. Infamous activities addressed by these obligations include computer hacking, electronic data breaches, virus propagation, and identity theft. The Privacy Act recognises that these activities may cause serious physical, psychological, emotional, economic and financial harm to individuals. Agencies and organisations risk significant civil penalties if they fail to protect an individual’s personal information and one of these activities seriously interferes with the individual’s privacy.

In February 2023, the Australian Government released the Commonwealth Attorney-General’s Department Privacy Act Review Report 2022. This report considered whether the Privacy Act remained fit for purpose in an online environment and made various recommendations to amend the Privacy Act. The Amendment Act implements the first tranche of these recommendations.

A summary of the changes made by the Amendment Act

The changes have numerous ‘sticks’ for the business community. Among these is a remarkable new power for the Office of the Australian Information Commissioner (OAIC) to conduct public inquiries into privacy matters on Ministerial approval. This may include examining processes that businesses have to ensure appropriate handling of personal information within specific sectors and industries. OAIC has flexible fact-finding procedures in these inquiries and isn’t bound by the rules of evidence.

The Amendment Act has made the general investigation and monitoring powers under the Regulatory Powers (Standard Provisions) Act 2014 available to OAIC. Breaches that were previously not ‘serious’ enough to attract civil penalties are now caught by a tailored penalty regime in the Privacy Act. The federal courts now also have power to make any orders they see fit for contraventions of Privacy Act civil penalty provisions, including compensation orders.

However, the most uncertain risk for businesses introduced by the Amendment Act is its cause of action in tort for serious invasions of privacy. There are five elements to this cause of action:

  1. An invasion of privacy by intrusion upon seclusion or misuse of information. For example, hacking into an individual’s private electronic device and selling their digital ID on the dark web.
  2. A reasonable expectation of privacy in all the circumstances. This element is flexible to reflect community expectations. The use of any technology to invade privacy may be relevant as may be the purpose of the invasion.
  3. Fault (either intention or recklessness). This may affect a defendant business which is reckless with protecting personal information on their digital platform, resulting in a third party stealing that information.
  4. Seriousness of the invasion. This doesn’t require material harm or offence. An invasion is more likely to be serious where the business defendant knew (determined objectively) that the individual was likely to be harmed by it. Proof of damage isn’t required because the intent is for the tort to protect intangible interests and the dignity of the individual.
  5. The public interest in protecting the individual’s privacy outweighs countervailing public interests raised by the defendant. However, the countervailing public interests contemplated don’t appear available to businesses generally as they concern freedom of political expression, freedom of press, government administration, open justice, public health, national security and prevention of crime.

Maximum damages for breaches of the tort are capped at $478,550 but this is indexed. The Court may also order accounts of profit and apologies for breaches.

Along with the ‘sticks’, the Amendment Act also provides several useful mechanisms for businesses. Regulations will now clarify which overseas countries have data protection laws with substantially similar protections as the Privacy Act. This reduces the burden on businesses in their assessments of overseas data flows. There is also clarification that the Privacy Act’s requirement that there be ‘reasonable steps’ to protect personal information includes technical measures (e.g. encrypting data, anti-virus software and strong passwords) and organisational measures (e.g. employee training and organisational policies and procedures).

Another notably pragmatic feature of the Amendment Act is the insertion of a framework under which the Government may permit disclosures of personal information that would otherwise not be permitted, in order to reduce the risk of harm from eligible data breaches. This may, for example, allow a business that is the victim of a data hack to disclose personal information to banks so that safeguards for affected customers can be put in place.

Other changes to the Privacy Act include enhanced code-making powers for OAIC and the development of a Children’s Online Privacy Code. The Amendment Act also introduces doxing offences into the Criminal Code Act 1995 which criminalise using a carriage service in a menacing or harassing way to distribute personal data, or to target people because of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

Business concerns with the statutory tort

The originating Bill for the Amendment Act was referred to the Senate Legal and Constitutional Affairs Committee before passing both houses of Parliament with amendments. During the Committee’s submissions process, various industry groups and organisations raised concerns with the statutory tort for serious invasions of privacy. Largely however, these concerns did not result in any drafting amendments to the statutory tort. This prompted one of the Coalition members of the Committee to comment that:[1]

I am firmly of the view that it would be imprudent for the Senate to attempt to resolve the complicated issues raised by [the Statutory Tort] in a rushed manner.

Concerns raised about the statutory tort

Concerns include:

  • It appears that small businesses could potentially be defendants under the statutory tort as it is a standalone provision from the rest of the Privacy Act. If so, then this is a radical change as the Privacy Act otherwise only applies to businesses with an annual turnover exceeding $3 million.
  • Similarly, there is an issue about whether employers are exposed to the statutory tort when they otherwise lawfully use personal information when managing their workforce. This is because the Privacy Act’s exemptions for employee records do not appear to extend to the statutory tort.
  • The statutory tort does not apply to only ‘personal information’ as defined by the Privacy Act (i.e. ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’). Instead, it applies to ‘information that relates to the plaintiff’. Therefore, the statutory tort appears to extend to a broader range of information than ‘personal information’. Consequently, this may expand the class of potential claimants.
  • The statutory tort defines ‘misusing information’ to include without limitation ‘collecting, using or disclosing information about the individual’. This broad definition creates risk that even minor misuse of personal information is caught by the statutory tort.
  • Uncertainty about the recklessness standard may increase potential exposure for business.
  • Under the statutory tort there is potential for employers to be held vicariously liable for misuse of personal information by their employees. This is even where the employer has taken reasonable steps to stop employees from interfering with the privacy of other individuals.
  • It is unclear as to how the statutory tort interacts with other causes of action. Along with the statutory tort a plaintiff may also plead actions such as trespass, nuisance, conversion and defamation. This raises an issue about whether a plaintiff may seek greater damages amounts than provided by the statutory tort for the same invasion of privacy.
  • The statutory tort may increase the risk of class action litigation against businesses. This may have flow-on effects for insurance premiums and other business costs.

Next steps for businesses following the Amendment Act

The statutory tort puts all businesses – big, small, and in between – in the firing line when there is any data breach. The tort also means greater challenges for employers when managing their employees and employee records. In addition, the new powers relating to regulatory investigations and sanctions are formidable, especially if the OAIC takes the view that the personal information-handling practices of a business are unsatisfactory.

The best protection for businesses is that they truly implement the obligations and expectations set by the Australian Privacy Principles and guidance materials published by the OAIC. Only personal information that the business truly needs should be collected. If collection is reasonably necessary, then the business must strongly secure the information, anonymise it where possible, and immediately delete or destroy the information when no longer needed.

That said, even businesses with the best personal information-handling practices risk being compromised by a data breach and its associated impacts, costs, and potential reputational damage. It is the poor management of a data breach that increases the risk of an unhappy individual looking to sue.

Accordingly, in a data breach, businesses must take immediate steps to eliminate risks of harm to affected individuals and clearly and quickly communicate with them. Businesses should use the new framework to notify banks with respect to affected customers. Businesses should also have in place an up-to-date data breach response plan, implement it, and follow it.

For more information on these changes and the potential impact for business, please contact our Commercial Advice lawyers.

[1] Senate Legal and Constitutional Affairs Legislation Committee, Privacy and Other Legislation Amendment Bill 2024, Parliament of Australia (Report, 14 November 2024) 123 [1.77].

© 2024 Coleman Greig Lawyers  |  Sitemap  |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230