Additional comments by Deputy Chair Senator Paul Scarr
1.1 The bill deals with three discrete issues; namely:
Privacy reforms implementing various amendments following the Privacy Act Review (Schedule 1);
Enactment of a statutory tort for serious invasions of privacy into the Privacy Act 1988 (Privacy Act) (Schedule 2); and
Introduction into the Criminal Code Act 1995 (Criminal Code) of a criminal offence for so-called doxxing offences (Schedule 3).
1.2 Prior to providing comments on the bill, there are a number of legislative process issues which (once again) require comment.
1.3 Followers of the work of the committee will note the similarity of many of the below comments to those made in previous inquiry reports.
1.4 As I have done on previous occasions, I note that the comments I make in this regard are not intended to be a reflection on the Chair or other government members on the committee. In all the circumstances, including the inappropriately abbreviated timeline, the committee has acted (once again) in a collegiate manner and has done its best to deal with the timeline imposed upon it.
1.5 I note that inappropriately abbreviated timelines place a great workload upon the secretariat; especially when multiple bills dealing with important matters are required to be dealt with contemporaneously.
1.6 In this case, the committee was required to report on two bills on the day prior to the tabling of this report; namely, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (a very significant bill which generated an inquiry report of 94 pages with additional comments from a number of Senators) and the Criminal Code Amendment (Genocide, Crimes Against Humanity and War Crimes) Bill 2024, a private senator’s bill dealing with matters of great importance and sensitivity.
1.7 It is a great credit to the staff of the secretariat that they manage to navigate the pressures of such a workload. However, their ability to do so should not be taken as an open invitation to government to continue to impose such demands.
1.8 It should also be recognised that relevant staff in the Attorney-General’s Department (AGD) put great effort into engaging meaningfully with the inquiry process. This included processing a large number of questions on notice in a timely fashion. Whilst it is not possible in the time available to canvass all of these matters, it will suffice to comment that the prompt and thorough nature of the responses resolved a number of issues for me which would have otherwise been of concern.
1.9 Lastly, I thank all submitters who engaged with the inquiry. Again, given the abbreviated time available, it is not practical to respond to all of the issues raised. However, I found the submissions most useful and of great assistance in formulating my views with respect to the legislation. I am sure that Senate colleagues will find that the submissions provide a very useful resource in formulating their views in relation to the legislation.
1.10 As noted above, the bill deals with a number of discrete policy areas where: (a) it could be reasonably anticipated that there would be divergent views in the Parliament; and (b) different scrutiny concerns are raised.
1.11 Obviously, the executive may choose to consolidate matters for political reasons. However, this does not enhance the objective of discerning the will of the Parliament with respect to contentious matters. By including three schedules dealing with disparate matters in a single bill, senators will be forced to decide whether or not to support the bill in circumstances where they may agree to one or two schedules, but not all schedules. This is not best practice (if the goal is not to ‘wedge’ political opponents).
1.12 The additional complication with respect to this bill is that Schedule 3 deals with amendments to a different act. Schedules 1 and 2 deal with amendments to the Privacy Act (noting it is certainly highly questionable as to whether consideration of introduction of a statutory tort should be dealt with in the same bill as that which deals with less controversial reforms of the nature contained in Schedule 1). However, Schedule 3 deals with doxxing offences to be introduced into the Criminal Code.
1.13 Given that Schedule 3 deals with issues relating to the criminal law, it should have been dealt with in a separate bill.
1.14 Once again, inadequate time has been provided to those impacted by the proposed law to comment upon the bill.
1.15 As previously commented upon, the Law Council of Australia (Law Council) has repeatedly raised its concern (this is the sixth occasion) with the abbreviated inquiry processes that have occurred during this Parliament.[1] In its submission, the Law Council referred to the committee's 'lamentably short inquiry timeframe'.[2]
1.16 The Law Council submitted:
The truncated Committee inquiry timeframe is also disappointing, given the significance of the proposed reforms to Australia’s approach to privacy and data law, and the fact that an exposure draft of the Bill was not subject to public consultation.
Whilst the comprehensive Privacy Act Review Report was welcome after a long review process, the adaptation of many of its high-level proposals into the Bill necessitates close scrutiny to ensure that—as drafted, and in practice—these measures will achieve their policy intention and will not give rise to unintended consequences.
The Bill was referred to the Committee for inquiry on 19 September 2024, with a reporting date of 14 November 2024. This reporting date has resulted in a period of approximately three weeks for submissions to be provided. This timeframe has heavily impeded the ability of the Law Council, its Business Law Section, and its Constituent Bodies, to engage at a detailed level with the legislative and explanatory materials (184 pages in total).
In addition, several of our Constituent Bodies were unable to contribute to this submission, despite having a strong interest in these reforms. As a result, we have been unable to ascertain the views of the legal profession on a range of features in the Bill, nor have we had an opportunity to conduct a comprehensive analysis of the entirety of the proposals.
This truncated process is highly problematic from the perspective of broader public scrutiny of the making of Australia’s laws, as part of a democratic process. This is a regrettable—and increasingly prevalent—consequence of the Parliamentary inquiry timeframes during this Parliament. This trend also undermines the Law Council’s role as a membership-based peak organisation, in which we have an obligation to consult with our Constituent Bodies, Sections, and advisory committees on matters of policy.[3]
1.17 In this context, concern was also raised in relation to the conjunction of the period of inquiry into this bill with other consultation processes requiring the detailed engagement of key stakeholders.
1.18 The Digital Industry Group Inc. (DIGI) is a non-profit industry association that represents the interests of the digital industry in Australia (including Apple, Discord, Google, Meta, TikTok, X and others). It submitted:
1.1. DIGI has been engaging with the reform of the Privacy Act since 2020, offering our expertise through detailed submissions at each juncture of the process. Unfortunately, the timing of the release of this Bill limits our ability to deeply engage with this consultation, because of the concurrent release of legislation relating to the digital industry and submission deadlines. The Bill was released on September 12, 2024, which was:
1.1.1. On the same day as the release of The Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024 [Provisions] (Misinformation Bill), for which submissions were due on September 30, 2024.
1.1.2. One day before the Government released the Treasury Laws Amendment Bill 2024: Scams Prevention Framework (Scams Bill), for which submissions were due on October 4, 2024.
1.1.3. Three days after the South Australian Government released for consultation the Children (Social Media Safety) Bill 2024, after which the Federal Government indicated in-principle support for similar age restrictions on certain APP entities, for which submissions were due on October 4, 2024.
1.1.4. One week after the release of the Proposals paper for introducing mandatory guardrails for AI in high-risk settings (AI Paper), for which submissions were due on October 4, 2024.
1.2. It is clear that the Government is working to pass bills with speed within the few remaining sitting weeks prior to the Federal Election, in a manner that precludes due stakeholder feedback, particularly as there is considerable overlap in the stakeholders who are interested in the above reforms. The Privacy Bill, along with others noted above, has been released almost one year after the Government response to the Privacy Act Review Report, and it is unclear why the Exposure Draft[4] was delayed to this point in the year…
1.3.
1.4. We are concerned that a lack of Government coordination across these processes, and the concurrent timing of each of their consultations that preclude due stakeholder consultation, will result in conflicts of laws and lack of cohesion in the Government’s reform agenda in the approach to privacy. We recommend that the Committee review these Bills, and encourage greater coordination across Government, to ensure coherence in its reform program.[5]
1.19 A number of stakeholders also registered their dissatisfaction that the Labor Government had not released an exposure draft of the bill for consultation prior to the introduction of the bill. This was notwithstanding the fact that a number of key stakeholders specifically requested the Labor Government to release an exposure draft.
1.20 The Law Council submitted:
In our April 2023 submission to the Department, we stated:
The Law Council is supportive, at least in principle, of many of the proposals in the Report. However, it calls for and recommends that additional details be provided to give the proposals more certainty. To that end, the Law Council would welcome an opportunity to review an exposure draft bill with a view to providing further comment on legal issues raised… Further, given the high-level nature of the various proposals, it may be that there are further issues which are identified during the legislative process that the Law Council has not identified during this limited consultation process … Therefore, early and reasonable consultation with civil society, regulators and other interested parties and stakeholders on any exposure draft legislation will be critical.
Similarly, in our April 2024 submission to the Department in response to its consultation on civil remedies to address doxxing, we stated:
The Law Council reiterates its call for careful and considered consultation of any draft legislation introducing a statutory tort (for serious invasions of privacy) and other reforms designed to strengthen individual protection, to ensure that measures reflect community expectations and that the courts are empowered to weigh up the public interest in privacy against any other countervailing interests that may arise.
However, the Department did not provide us with an opportunity to review, or provide feedback on, an exposure draft of the Bill or any preliminary materials during its development.
This is disappointing, given the legal profession’s significant ongoing interest in these reforms, as evidenced by our detailed submissions to the Department in the course of the Privacy Act Review, and our subsequent offers to the Department to be consulted directly during its development of the Bill.[6]
1.21 BSA | The Software Alliance (BSA), the leading advocate for the global software industry, submitted:
BSA notes that the AGD did not release an exposure draft of the Privacy Bill before introducing it into Parliament, despite multiple requests from various industry stakeholders.
As a matter of good practice, releasing an exposure draft of a bill for public consultation would allow industry to engage on draft legislative text and comment on any potential concerns or ambiguities before it is submitted to Parliament. We find this practice invaluable in helping to create more widely supported and effective legislation.[7]
1.22 I agree. The number of issues raised by stakeholders during this inquiry evidences the benefits which would have arisen from the circulation of an exposure draft of the bill.
1.23 It is noted that the majority report does not refer to the failure by the Labor Government to release the Cost Benefit Analysis undertaken by ACIL Allen (the Cost Benefit Analysis). This is a material oversight.
1.24 The failure of the Labor Government to make public the Cost Benefit Analysis either before or during the inquiry into the bill was pursued (rightly) during the public hearing by my fellow committee member, Senator Shoebridge. The AGD responded to questions on notice in relation to this matter as follows:
The Cost Benefit Analysis undertaken by ACIL Allen was commissioned for the purpose of informing decision-making processes about the impact of potential reforms, the release of which could, or might reasonably be expected to, disclose the deliberations of the Cabinet. Those processes are still underway. Standard government processes provide for an impact analysis, and accompanying assessment, to be published on the Office of Impact Analysis website when a final decision has been taken and announced.[8]
1.25 The importance of such analysis has been highlighted in a recent inquiry undertaken by this committee into the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024. The impact analysis undertaken by the AGD in that case informed the committee’s deliberations into the impact of the bill upon small businesses (lawyers, accountants and real estate agents) and their clients.
1.26 The Cost Benefit Analysis is not just being requested by senators. The Council of Small Business Associations of Australia (COSBOA) submitted:
COSBOA also requests that the Attorney-General's office grants public access to the Cost Benefit Analysis so continued consideration can be given to the benefits of maintaining and perhaps expanding the small business exemption to the small businesses between $3 million and $10 million that face the same significant challenges in complying with the full breadth of all 13 Australian Privacy Principles.[9]
1.27 It is regrettable that the Labor Government has elected to deprive the Senate and relevant stakeholders of the opportunity to consider the Cost Benefit Analysis in considering the bill.
1.28 When expressing their concerns with respect to the legislative process, a number of stakeholders (including significant representative bodies) submitted that there should be a road map of future amendments to the Privacy Act.
1.29 BSA submitted:
In the Attorney-General’s media release on the Privacy Bill, he stated that the Privacy Bill ‘implements a first tranche of agreed recommendations from the Privacy Act’. However, there was no indication as to which recommendations will be implemented next, and when they will be introduced.
Without a clear roadmap or timeframe, there is significant uncertainty regarding how and when businesses will need to adjust their privacy practices to comply with the evolving landscape.
In the circumstances, we urge the Committee to encourage the AGD to provide a roadmap of future amendments to the Privacy Act. This roadmap should clearly set out which agreed recommendations the AGD will implement next, and when stakeholders can expect these agreed recommendations to be presented in a bill for public consultation.[10]
1.30 Digital Rights Watch submitted:
If the Attorney-General’s office intends on introducing these reforms in ‘tranches’, as is suggested, we expect to see a detailed roadmap and timeline for the introduction of the remaining tranche(s), else we risk the remaining reforms being delayed indefinitely. We concur with many other civil society organisations in calling on the government to implement the remaining reforms within six months of taking office, should they win the next election. We also call on the opposition to make a similar commitment should they win office.[11]
1.31 Similarly, the Law Council submitted:
Whilst it is pleasing that the Government intends to continue this significant reform work, we call for a roadmap, or strategy, to publicly detail how these reforms will be progressed—similar to the materials that the Government issued in 2023 for the Security of Critical Infrastructure Act 2018 (Cth). The proactive provision of clear details (i.e., what proposals will be addressed in each tranche of reform) will promote much-needed certainty for the multitude of sectors that expect to be impacted by these significant changes.[12]
1.32 If the Senate is to perform its function as a house of review, there needs to be adequate time for those impacted by proposed legislation (and their representative bodies), to engage in the Senate committee process. The failure to provide such time is a detriment to the law-making process.
1.33 With all due respect, it is embarrassing that the Law Council has on six occasions had to register its dissatisfaction with inquiry processes in relation to legislation introduced by the AGD. This should be a cause for deep reflection on the part of the Labor Government.
Recommendation 1
1.34 It is recommended that the Senate note the inappropriateness of the abbreviated timeline for consideration of the Privacy and Other Legislation Amendment Bill 2024 [Provisions]; especially given:
the importance of the legislation;
the failure of the government to circulate an exposure draft of the bill; and
the concurrent examination of other legislation in the same policy area making it difficult for stakeholders to engage in depth.
Recommendation 2
1.35 It is recommended that the Senate call for the release of the ACIL Allen Cost Benefit Analysis prior to debate on the bill with a view to ensuring that the Senate has the benefit of all relevant analysis undertaken in relation to the subject matter of the bill prior to voting on the bill.
Recommendation 3
1.36 It is recommended that the Senate note the inappropriateness of including in the same bill, provisions which amend different acts and/or deal with different policy areas in circumstances where senators may reasonably be expected to have different views (in good faith) as to whether the provisions in different schedules should be supported and be passed into law.
Recommendation 4
1.37 It is recommended that the Senate consider each schedule separately and that the government do all things reasonably necessary to facilitate such consideration.
Recommendation 5
1.38 It is recommended that, as requested by a range of key stakeholders, the government provide a road map, or strategy, regarding how future reforms will be progressed.
1.39 Schedule 1 of the bill deals with matters which have been the subject of consideration by the Privacy Act Review. The majority report provides a very detailed overview of the issues raised during the inquiry. Given the limited time available to prepare these comments, I focus upon areas which, in my view, warrant further consideration.
1.40 I support:
the minimum consultation period for the Children’s Online Privacy Code being extended to at least 60 days (recommendation 1);
the bill being amended to require the Information Commissioner to consult with relevant industry bodies or organisations when developing the Children’s Online Privacy Code (recommendation 2);
the rectification of the drafting error in the proposed new paragraph 80KA(2)(b) to ensure that the ABC and the Special Broadcasting Service fall within the ambit of ‘media organisations’ (recommendation 3);
the bill being amended to empower the Information Commissioner to issue a discretionary notice to an entity to remedy an alleged breach of one or more of the provisions in section of the bill before issuing an infringement notice (recommendation 4); and
amending the Explanatory Memorandum to make clear the level of information required in privacy policies is not expected to compromise commercial-in-confidence information about automated-decision making systems (recommendation 5).
1.41 In summary, I support recommendations 1 to 5 in the majority report for the reasons outlined therein.
1.42 The Scrutiny of Bills Committee raised concerns with the exemption from disallowance for a temporary Australian Privacy Principle (APP) code if the minister is satisfied that it is in the public interest for the code to be developed, for the Information Commissioner to develop the code, and that the code should be developed urgently.
1.43 In commenting upon the relevant principles, the Scrutiny of Bills Committee commented:
The committee notes that disallowance is the primary means by which the Parliament exercises control over the legislative power that it has delegated to the Executive. Exempting an instrument from disallowance therefore has significant implications for parliamentary scrutiny. In June 2021, the Senate acknowledged these implications and resolved that delegated legislation should be subject to disallowance unless exceptional circumstances can be shown which would justify an exemption. In addition, the Senate resolved that any claim the circumstances justify an exemption will be subject to rigorous scrutiny, with the expectation that the claim will only be justified in rare cases.[13]
1.44 In considering the arguments made for exemption from disallowance in this case, the Scrutiny of Bills Committee concluded:
Whilst the committee acknowledges the necessity of an immediate, clear and certain legal basis for entities to know their obligations, the committee considers this is achievable while allowing parliamentary oversight. The committee notes that a legislative instrument has effect from the day of commencement, which may be the day of registration, thereby establishing an immediate legal basis, and will continue to have effect unless it is disallowed within the disallowance period. The committee does not consider the need for certainty in this context to be an indication of exceptional circumstances that warrant an exemption from disallowance.[14]
1.45 The oversight power of Parliament in the context of laws promulgated during emergencies is of great importance. On one view, that oversight role can be even more important in an emergency context.
1.46 In relation to this issue, the Jeff Bleich Centre for Democracy and Disruptive Technologies, Flinders University submitted:
The authors note that caution should be exercised with respect to proposed ss 26 GB(8), 80J(3), and 80K(3) that exclude the operation of section 42 of the Legislation Act (Cth).
Unless exceptional circumstances apply, Parliament should retain ultimate oversight over the exercise of legislative or quasi-legislative power. The proposed ss 26 GB(8), 80J(3), and 80K(3) would undermine the ability for the Parliament to review decision making with respect to delegated legislation.[15]
1.47 It is further noted that the Scrutiny of Legislation Committee also made requests in relation to the making of addendums to the Explanatory Memorandum to address scrutiny issues in relation to: (a) provisions reversing the burden of proof (with respect to disclosure of information in certain circumstances);[16] and (b) the justification to include significant matters in delegated legislation (in relation to new exceptions for APP entities in assessing overseas recipients prior to releasing personal information to said recipients).[17]
1.48 For completeness, it should be noted that I raised the issue with Human Rights Commissioner Finlay of the Australian Human Rights Commission who opined as follows:
In respect of the Privacy Amendment Bill, the Explanatory Memorandum sets out why the creation of the temporary APP codes should not be subject to disallowance under the Legislation Act 2003 (Cth). For the reasons set out in the Explanatory Memorandum, the exemption from disallowance is – on balance – appropriate in these limited circumstances.[18]
1.49 I respectfully disagree. Given that any temporary APP code would be in effect from the time promulgated and it should be reasonably assumed that the Senate would only exercise its power to disallow in extreme cases (following a period of consultation with the minister which may address any scrutiny concerns, as is usually the case), there is insufficient justification to remove the Parliament’s oversight function in this context.
Recommendation 6
1.50 It is recommended that the Senate as a whole consider the scrutiny issues raised by the Scrutiny of Legislation Committee with respect to the appropriateness of exempting temporary Australian Privacy Principles Codes and emergency declarations from disallowance given that such codes would have immediate effect and would only be disallowed following consultation undertaken by the Scrutiny of Delegated Legislation Committee with the minister.
Recommendation 7
1.51 It is recommended the government make addendums to the Explanatory Memorandum of the bill as requested by the Scrutiny of Legislation Committee.
1.52 A number of stakeholders raised the importance of facilitating cross-border data transfers.
1.53 I quote from the Global Data Alliance (GDA) submission in depth:
The GDA strongly supports the importance of facilitating cross-border data transfers. As explained in the Memo, companies can already transfer data to overseas recipients through a variety of methods consistent with the Australian Privacy Act 1988 (Privacy Act).
These include disclosing data pursuant to APP 8.1, which adopts the accountability model and requires companies to meet certain obligations before transferring data to an overseas recipient, most notably the requirement to “take reasonable steps” to ensure the overseas recipient does not breach the APPs in relation to the information.
Separately, companies can also transfer data under APP 8.2 to an overseas recipient that is subject to a “substantially similar” privacy law or binding scheme, without adopting the obligations imposed in APP 8.1.
The proposed mechanism under the Privacy Act would prescribe the countries and certification schemes that provide “substantially similar protection” under APP 8.2(a).
The new mechanism would therefore make it easier for companies to transfer data under APP 8.2(a) by identifying countries that have “substantially similar protections,” rather than requiring companies to assess for themselves which countries have such protections.
Crucially, GDA notes that the new scheme would not limit companies from transferring data under the accountability model reflected in APP 8.1 or pursuant to any of the other grounds for transfers recognised in APP 8.2(b)-(f).
In the circumstances, GDA supports the introduction of this proposed mechanism, as it will provide businesses with greater legal certainty and substantially reduce compliance burdens. However, GDA also observed that neither the Privacy Bill nor the Memo explained what would constitute a “substantially similar” level of protection.
If the mechanism establishes an unnecessarily strict interpretation of “substantially similar”, it would be counterproductive to the policy objective of increasing certainty for companies transferring data internationally. For example, to the extent a new mechanism applies the term “substantially similar” to mean a standard akin to the European Union’s “essentially equivalent” standard, it may unnecessarily restrict transfers conducted under APP 8.2(a)…
Relatedly, GDA recalls that the AGD’s Privacy Act Review Report 2022 (AGD Report) suggested that Australia could prescribe the Cross Border Privacy Rules (CBPR) system under APP 8.2(a) as a binding scheme that provides a “substantially similar” level of protection to the APPs.
In this regard, we reiterate our support for recognising internationally recognised certifications and standards such as the Global CBPR system. Similarly, the Act could also recognise compliance with ISO 27701 as creating “substantially similar” protections…
Finally, we also observe that Australia – and many of its closest trading partners – have reflected their commitment to the protection of personal data from governmental overreach in the context of the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities.
The Global CBPR Forum and the OECD Declaration on Government Access to Personal Data Held By Private Sector Entities are specifically designed to bring together governments with a substantially similar view of the importance of personal data protection in a cross-border data policy context. We encourage Australia to consider presumptively deeming the signatories of these mechanisms to meet the “substantially similar” standard under the APPs.
Recommendations:
GDA supports the introduction of a mechanism to prescribe countries and binding schemes that provide substantially similar privacy protections to the APPs. However, we recommend that the Privacy Bill specify what constitutes “substantially similar” privacy protections and conducts further consultations on the process for, and factors involved in, determining whether a country or certification scheme offers the appropriate level of protection.
We also encourage the Australian Government to take account of the longstanding efforts of Australia and its allies to improve cross-border data privacy interoperability by presumptively deeming the signatories of the Global CBPR Forum and OECD Declaration on Government Access to Personal Data Held By Private Sector Entities to meet the “substantially similar” standard under the APPs.[19]
1.54 The Interactive Gaming and Entertainment Association recommended:
While not in the scope of this Bill, the Australian Government should continue to work on a path towards an adequacy decision to facilitate overseas data flows between Australia and the EU.
The EU’s General Data Protection Regulation be prioritised at the first opportunity, in accordance with the overseas data flows provision of the Bill.
The Australian Government (via the relevant Minister) should favourably consider ‘whitelisting’ countries that already have an adequacy decision with the EU, where the Governor-General could then make regulations to prescribe that these countries provide substantially similar protections to the APPs, in accordance with section 100(1A) of the Bill e.g. the United Kingdom and Japan.
The Bill should also clarify Australia's position on ‘onward transfers’, where personal information that was first transferred from Australia to a whitelisted country (Country A), is further transferred from Country A to another country (Country B).
The Government should reconsider whether ‘substantially similar’ is the best term to use as the certification threshold for establishing overseas data flows between Australia and a given country. We would prefer the term ‘adequate’ or ‘similar’.[20]
Recommendation 8
1.55 It is recommended that the government and relevant agencies consider the recommendations made by industry leaders with respect to providing greater clarity with respect to which countries have ‘substantially similar’ privacy protections, including through prescribing relevant countries and systems as soon as reasonably practicable to provide clarity to business in relation to cross-border data transfers.
1.56 There are a range of additional matters raised in the submissions, including issues which are very technical in nature. There are practical suggestions with respect to implementation. There are also requests with respect to progressing the next stage of reforms. All of these should be considered by the government. In the time provided for this inquiry it is not practical to do justice to all of the recommendations and suggestions made by stakeholders.
Recommendation 9
1.57It is recommended that the government:
systematically review the submissions made to the inquiry;
consider any further amendments to Schedule 1 which would enhance the bill and provide further clarity; and
consider the submissions made in this inquiry in relation to both implementing the reforms contained in Schedule 1 and progressing the next stage of reforms.
1.58Schedule 2 of the bill would introduce a statutory tort for serious invasion of privacy. This was first recommended by the Australian Law Reform Commission in 2014.
1.59Whilst there is support for the introduction of the statutory tort for serious invasions of privacy from a range of stakeholders, there are also material concerns. This includes with respect to unintended consequences.
1.60From a small business perspective, COSBOA submitted:
The current small business exemption in the Privacy Act – for entities with less than $3 million annual turnover – ensures a degree of nuance between small and micro-businesses compared to expectations of large multinational companies. Small businesses of all sizes already actively process data with appropriate care and concern, many of which already have a turnover of over $3 million and are therefore already subject to the Act.
However, the rapid introduction of complex and expanding obligations to comply with all 13 Australian Privacy Principles for those small businesses with an annual turnover under $3 million would have undermined the viability of those businesses already facing a laundry list of increased red tape and regulation.
COSBOA is therefore encouraged to see that the small business exemption is being maintained. There is never a good time to hoist higher costs onto small businesses, but to do so in the current environment would be reckless.
COSBOA notes that the ATO defines small business as those with an annual turnover of $10 million or less whilst micro-businesses are defined as those with a turnover of less than $2 million. We note that the current “small business exemption” relating to an annual turnover threshold of $3 million was introduced two decades since but has never been indexed. Therefore, the effect over time has been that an increased number of small businesses have become subject to the Australian Privacy Principles but with few resources to assist them in meeting their compliance requirements…
COSBOA is concerned about the drafting of Schedule 2 – Serious Invasions of Privacy which introduces a statutory tort of privacy into the Act. The Explanatory Memorandum notes that the Schedule is intended to be treated as a set of stand-alone provisions which are independent from the rest of the Act. The inclusion of the Schedule itself in the Act is likely to cause confusion…
There is no reference or exemption for entities who are not required to comply with Schedule 1 (e.g. small businesses with a turnover of less than $3 million). Additionally, the Bill does not make it clear how the actions of employees who seriously invade an individual’s privacy could render employers liable under this provision…
COSBOA reiterates its appreciation that the Government listened to and took on board our significant concerns and decided against pushing ahead with the proposed removal of the small business exemption for small businesses under $3 million. However, further consideration of the new statutory cause of action for serious invasions of privacy is now required…[21]
1.61From a freedom of press perspective, strong submissions were made by Australia’s Right to Know Coalition (ARTK) (comprising many of the leading news media organisations).
1.62ARTK submitted:
The Bill, in proposing a statutory tort of privacy:
(i) actions for injunctions will flourish should the tort be introduced despite the addition of section 9(2) mainly because some persons involved in journalism fall outside the exemption (such as publishers, licensees and sources) and injunctions targeted at them will impact journalism. Any application will invariably be an application for an interlocutory injunction to ensure the plaintiff is immediately protected from any imminent publication (which will indirectly suppress media publication); or
(ii) proceedings for pre-discovery against persons involved in journalism who fall outside the exemption such as publishers, licensees and the source of journalist's information.[22]
1.63In answers to questions on notice, ARTK provided an extremely strong rebuttal of those who argued that the media and journalism exemption was inappropriate, including through comparison with overseas jurisdictions.
1.64ARTK submitted:
ARTK submits that some of the questions posed and ARTK's responses should be considered in light of the following contextual material:
That protection does not exist in Australia. Thus, the ALRC accepted that in the absence of those overarching laws it was “essential” that ALRC include the public interest in free speech as an element of the tort it proposed and not a mere defence. In evidence to the Committee Professor McDonald conceded that the drafting of clause 7(3) of the Bill departed from that principle and that she had “no idea” why that had occurred.
Various submissions made to the Committee make similar assertions that the media has engaged in unjustifiable intrusions of privacy, without providing evidence of such and are without factual basis.
The reason no evidence was put before the Committee is not because of deficiently drafted submissions. The reason is that such evidence does not exist.
- the OAIC has greater powers in relation to declarations and recompensing victims;
- in defamation law the requirement of "serious harm" has been adopted by Australian legislatures as an appropriate counterbalance to excessive litigation and to protect the public interest;
- there continues to be no evidence of any systemic or serious intrusions or misuse of information by media organisations nor is there any evidence of the breach of criminal laws by the media resulting in breaches of privacy;
- the Australian media landscape has changed significantly including that the current economic landscape, competition from social media and the costs of litigation pose an existential threat to journalism. The current debate regarding privacy law and its impact on journalism appears to be being conducted without reference to this critical context;
- serious intrusions and/or misuse of information are more likely to be engaged in by individuals on social media on other platforms; and
- misuse of information from data breaches are more likely to be by foreign criminal actors who are unlikely to be deterred by or sued under the tort.[23]
1.65One area of concern is in relation to the impact of the statutory tort upon sources for press/media stories, including where important information/intelligence is provided to journalists.
1.66In this regard, ARTK submitted:
Likewise, it is unclear how the provision will interact with s.126K of the Evidence Act (Cth) save to say that the legislation is very likely to be used by plaintiffs' lawyers to attempt to unmask confidential sources.
It seems likely that the journalist shield in the Evidence Act will not always apply to assist journalists and their sources, given ambiguities and differences in the drafting, and the limitations built into those separate provisions – so the existence of this separate protection for journalists under the Evidence Act cannot be relied on as solving the vulnerabilities of journalists and their sources under the tort.
It seems the drafting hasn't given consideration to the interplay between the proposed privacy tort and journalists' sources...
Importantly it underlines that consideration has not been given to the interplay between the proposed tort and source protection. In the first ARTK submission we highlighted that and the conflict it will cause which can be summarised as follows:
- there is a real risk that the tort will have a chilling effect on freedom of the media and reporting of matters of public concern as it will be used to prevent dissemination of information including to the media;
- in light of the breadth of the proposed cause of action, there is a real risk that it will be applied by a court so broadly as to: restrict the reporting of investigations or matters of concern relating to public officials (where the constitutional protection does not apply); and have the effect of prohibiting police investigations in an equivalent manner to the development of the tort in the UK; and
- the tort does not prevent individuals seeking interlocutory injunctions against other parties which would in effect apply against journalists and their employers to prevent publication of information to them, or otherwise passing on of the information to others.[24]
1.67In relation to freedom of the press, Commercial Radio Australia (CRA) submitted:
Key points:
CRA and commercial radio broadcasters support the aim of modernising Australia’s privacy legislation so that it is fit for purpose in a digital world.
The proposals in the Bill to introduce a new statutory tort for serious invasions of privacy are not required to achieve this aim. Experience in other jurisdictions, particularly in the United Kingdom, has demonstrated that similar torts have had a significant chilling impact on freedom of speech and journalism.
The exclusion for journalism in the proposed statutory tort will not assist in avoiding these negative consequences, with significant adverse consequences for Australia’s democracy.
CRA recommends that either the proposed tort is removed from the Bill or a more effective exclusion mechanism for journalism is incorporated, as set out in this submission.[25]
1.68Whilst generally supportive of the introduction of a statutory tort, the Australian Institute of Company Directors raised the following concern:
We do not support an outcome where it would be open to claimants to seek compensation for the same invasion of privacy under multiple heads of claim – for example, under both the statutory tort and a direct right of action, potentially on different evidentiary grounds. It is critical that the propensity for class actions to be brought under both redress mechanisms, potentially concurrently, be factored in - particularly in relation to data breaches resulting from a cyber-attack.
We strongly recommend further consideration be given to how the proposed statutory tort would interact with a direct right of action should the Government seek to introduce this latter mechanism as part of future reforms. We also recommend that clarification be provided that an entity cannot be subject to two separate claims under a statutory tort and direct right of action proceeding for the same actionable conduct.[26]
1.69DIGI submitted:
Noting that the proposed tort aims to build on a model developed by the ALRC, DIGI believes that further work needs to be done to ensure that the scope of the Privacy Tort’s application is clear and that it is harmonised with existing Australian laws to minimise the risk of unintended and unreasonable consequences. In particular, the Privacy Tort should be framed to align with the various existing causes of action which have been historically used to protect privacy and reputation, including equitable actions for breach of confidence, tort actions for trespass to land, nuisance and defamation.[27]
1.70The Ai Group raised numerous issues, including with respect to worker information, submitting:
We set out below our key concerns as to the application of this cause of action as follows:
(a) Employers legitimately use worker information, including as set out in paragraph 7 above. Although an individual themselves may consider the retention or use of their personal information in the workplace as being an infringement of a right to privacy it should not always be considered. The prospect of compensation being ordered by way of damages is inappropriate considering the public interest in employers exercising a reasonable use of workers’ information to effectively manage their workforce.
(b) The introduction of a statutory tort for a serious invasion of privacy amounts to a significant change to the enforcement regime pertaining to privacy breaches that is not justified by any apparent shortcomings in the existing avenues available for enforcing individual rights to protection from an invasion of privacy or in the context of the flagged tranche 2 of amendments to the Privacy Act.
(c) Opening an avenue for prosecution on the basis of recklessness as envisaged is oppressive and will likely result in our members being compelled to take an excessively risk-averse stance with respect to the treatment of workers’ information.
(d) The nature of a tort, by focusing on redress by way of an award of damages, is unsuitable in relation to breaches of privacy in a workplace context. Also, the emphasis on damages and compensation in tort law may encourage speculative litigation by individuals claiming mental distress. Vicarious liability for the wrongs of an employee presents a significant risk for employers in the context of tort law. The various risk mitigation strategies and the litigation insurance costs which would be necessitated by the establishment of a privacy tort would not be in the public interest.
(e) An actionable tort per se as is proposed (i.e. where there is no need for the claimant to establish any form of damage) exposes employers to an even greater risk which is not counterbalanced by any public benefit from introducing a tort of privacy.
(f) We consider that the forum with the appropriate expertise lies with the OAIC. The OAIC should be solely responsible for assessing breaches relating to privacy and acting on an affected individual’s behalf. If there are concerns that the OAIC has insufficient resources to undertake its responsibilities or expeditiously resolve matters, a more appropriate response would be to increase the OAIC’s resources. Creating another avenue and action for redress through the courts may generate other problems, including shifting the administrative burden from the OAIC to the courts, duplicating the OAIC’s function, and potentially opening up the floodgates to a litigious culture. Such an outcome would be an administratively inefficient use of public resources and would most likely harm many businesses.
(g) The introduction of the statutory tort is unnecessary given that an employer’s reasonable monitoring or use of employees’ information in connection with work, including in areas of ‘seclusion’ is already comprehensively regulated by state and territory surveillance legislation. Monitoring and surveillance has long been acknowledged by legal decision-makers as being a legitimate practice, particularly in the context of managing conduct and performance, as a pro-active step to prevent unlawful workplace behaviours in the virtual workplace environment and to ensure the health and safety of workers and the community.[28]
1.71As referred to in the majority report, the Australian Medical Association (AMA) raised a number of material issues with respect to the application of the statutory tort in the context of the provision of health services and research.
1.72The AMA submitted:
While the Privacy and Other Legislation Amendment Bill 2024 aims to strengthen privacy protections, the introduction of the statutory tort under Schedule 2 creates substantial risks for the medical and public health sectors.
The lack of clear definitions, the removal of key exemptions, and the potential for dual liability will lead to greater legal uncertainty, increased litigation, and higher operational costs for healthcare providers.
These consequences will not only affect the delivery of medical care but could also stifle medical research and limit open debate in scientific and other publications that fall outside the journalist exception. We respectfully request Schedule 2 is withdrawn, pending further sector and legal consultation.[29]
1.73Electronic Frontiers Australia (EFA) (a not-for-profit national organisation that works to ensure that technology makes our lives better, not worse, and which promotes the idea that digital rights are human rights) submitted:
EFA holds concerns in respect of the proposed Statutory Tort for Serious Invasions of Privacy being introduced at Schedule 2 of the Privacy Amendment Bill. We note that there are financial barriers of access to this remedy which will be prohibitive to most ordinary Australians, let alone vulnerable classes of Australians. The courts are not a universal remedy, it offers bespoke protection to those that can afford it.[30]
1.74To address these concerns, EFA proposed a number of amendments – amendments which would be strongly contested by other stakeholders.
1.75The above is a selection of the views provided to the committee with respect to the statutory tort. There are many others which have not been included. This provides an insight into the complicated nature of the issues arising from Schedule 2.
1.76The assessment becomes even more vexed when one considers the multitude of amendments proposed by different stakeholders. In the time available, it is simply not practical to undertake a meaningful assessment of the different options for amendment and to determine whether or not they satisfactorily deal with the material concerns raised in relation to Schedule 2. Hence, I provide no opinion with respect to recommendations 6 to 9 in the majority report. At this stage, it is not possible to opine with respect to their adequacy or otherwise to address the many serious issues raised by stakeholders.
1.77Having reviewed the submissions, I am firmly of the view that it would be imprudent for the Senate to attempt to resolve the complicated issues raised by Schedule 2 in a rushed manner. This would no doubt lead to unintended consequences. There is an overwhelming case for further detailed consultation on Schedule 2 prior to it being further considered by the Senate.
Recommendation 10
1.78It is recommended that Schedule 2 be excised from the bill. Prior to any re-introduction into the Parliament there needs to be further extensive consultation, including with respect to the range of stakeholders who have made submissions in relation to potential unintended consequences. As part of the consultation, the government should consider developments since the Australian Law Reform Commission tabled its report recommending the introduction of the statutory tort, including experiences in the United Kingdom with respect to press freedom. Any reintroduction of a bill which proposes the introduction of the statutory tort needs to be preceded by circulation of an exposure draft and consultation. Further, any such bill will need to be the subject of detailed examination by the Legal and Constitutional Affairs Committee with sufficient time to consider and balance competing views and interests.
1.79The case for the introduction of doxxing offences is well made in the majority report. The views of stakeholders are summarised in paragraphs 2.283 to 2.301 of the majority report. There is no need for me to repeat them.
1.80Many of the concerns raised by stakeholders are reflected in the submission of the Law Council, which submitted:
128. The term ‘doxxing’ is very broad—the eSafety Commissioner defines it as ‘the intentional online exposure of an individual’s identity, private information or personal details without their consent’.
129. Whilst the term is not mentioned in the Privacy Act Review Report, we acknowledge that the issue of doxxing has received significant media attention in 2024. We also appreciate that, as identified by the eSafety Commissioner, doxxing can leave targets vulnerable to—and fearful of—public embarrassment, discrimination, stalking, identity theft, financial fraud, and damage to their personal and professional reputation. We outlined these considerations in more detail in our April 2024 submission to the Department.
130. We also acknowledge that there are instances in which doxxing behaviour is legitimate and should not be circumscribed. For example, doxxing can be part of public interest journalism where it involves the unveiling of private information that exposes contradictory, unethical, or illegal behaviour by public officials or business people.
131. In respect of Schedule 3 to the Bill, we are concerned that there is potential for the proposed offences to be misused. We have received feedback that proposed offences are so broad that they may unintentionally criminalise many forms of conduct that they were not intended to cover, or that they may be used strategically to stifle legitimate public debate. [my emphasis].
132. For instance, a person who writes or publishes an online article that is critical of a group (as per proposed section 474.17D of the Criminal Code), that includes the names of people who are members of that group, may be committing an offence under that section. By way of illustration, in April 2023, there was an ABC Four Corners report about Paralympic athletes who were deliberately overstating their disabilities. The report included the names and images of certain athletes who were alleged to be engaging in this conduct. Under the Bill, that story may constitute a criminal offence (if the test is met that a reasonable person would regard the reporting as being menacing or harassing towards them). Additionally, we query whether the proposed offences would capture instances where an individual has posted allegations on their social media account that a person (or persons) sexually assaulted them.
133. The Bill also should provide further guidance on what constitutes ‘menacing’ or ‘harassing’ behaviour. As drafted, there is no clear definition of what behaviour constitutes ‘harassing’—the term most likely applicable to doxxing.
134. Moreover, the concept of ‘personal data’ is defined very broadly in proposed subsections 474.14C(2) and 474.14D(2) to mean information about the individual or group members that allows them to be ‘identified, contacted or located’. There also appears to be no clear differentiation between penalties for certain types of ‘personal data’ being released. For instance, leaking sensitive information (e.g., private medical, legal, or financial records) may warrant a harsher punishment under the Bill, compared to publishing an individual’s name and social media handle.
135. Certainty about these matters is crucial, particularly noting the significant penalties of six and seven years’ imprisonment for the offences in proposed sections 474.14C and 474.14D, respectively.
136. Finally, further education is needed to inform the community about the harms associated with doxxing. Emphasis should be placed on the importance of limiting public disclosure of personal information online, not only the information of individuals but also the information of groups of individuals.[31]
1.81To address these concerns, the Law Council recommended:
Schedule 3 to the Bill should be redrafted to address the concerns raised in this submission about:
- the doxxing offences being drafted too broadly;
- the need for guidance on what constitutes ‘menacing’ or ‘harassing’ behaviour; and
- the lack of differentiation between penalties for the release of certain types of ‘personal data’.[32]
1.82I note that the Australian Federal Police (AFP) consider that there is sufficient law with respect to what constitutes ‘menacing or harassing’ behaviour. In their submission:
The Bill seeks to introduce new offences targeting the release of personal data using a carriage service in a manner that would be menacing or harassing (i.e. doxxing). In this digital age it is easier than ever to not only obtain someone’s personal information, but share it with millions of people. The harms and risks associated with doxxing are varied and can be significant. Criminalising this conduct may deter offenders and will provide a clear message to the community that this conduct is not tolerated. The new offences complement existing offences in the Criminal Code Act 1995 for using a carriage service to menace, harass or cause offence (section 474.17).
The AFP was consulted during the development of the new offences, to ensure they are operationally workable. Doxxing offences reported to the AFP for investigation will be reviewed and prioritised according to the AFP’s Operation Prioritisation Model (OPM), which considers the severity of the threat of harm and the impact that the AFP could have in eliminating or reducing that threat. All reports of crimes to the AFP are prioritised through the OPM, which is designed to ensure AFP operational decisions are appropriately focused on ensuring public safety, minimising community harm, and protecting national interests. The offences will also be available to state and territory police to investigate and prosecute.
Based on past experience, the AFP would expect to investigate the new offences in the broader context of racially or politically motivated violence or harassment. In other cases, investigations may fall to state and territory police in their community policing roles.[33]
1.83Noting the experience of the AFP in investigating offences dealing with menacing and harassing conduct through use of a carriage service, it should be possible to resolve the concerns of the Law Council with appropriate amendments.
1.84In this regard, I note the proposal from the Human Rights Commissioner Lorraine Finlay who submitted:
The proposed criminal offence of doxxing will limit the human right to freedom of expression by restricting certain forms of sharing information. The key issue is ensuring any offence is carefully tailored to meet the strict tests of necessity and proportionality and to avoid capturing reasonable online discourse about a person.
One example of a potential risk area is students sharing in online forums the names and subjects taught by teachers at educational institutions. Such a case arose in Germany: A profile of a teacher was created on a website where students can rate their teachers … The teacher ‘filed a lawsuit seeking the erasure of the data and an injunction restraining the website provider from publishing this information again’.
The relevant court, however, did not grant the request. Given that the students’ right to freedom of expression, and that the information was already publicly available on the educational institution’s website, the comments were not considered to be defamatory, and further that they did not relate to her private life, but only to her working life as a teacher.
Challenges may also arise concerning online groups created to share information, and warnings about individuals who allegedly engaged in conduct that was abusive, harassing or otherwise inappropriate. For example, a 2022 survey by the Australian Institute of Criminology found that three in four dating app users have experienced harassment when using dating apps.
Many have turned to social media to share their experiences and warn others about potentially dangerous individuals.
While the sharing of information online in this way has the potential to enhance public safety, there is also a potential risk of digital vigilante activity, which may see individuals seek to enforce a ‘parallel form of criminal justice’, and can undermine rule of law protections.
There are also concerns that doxxing laws may unreasonably capture public interest whistleblowing and journalism.
The Bill as currently drafted seeks to guard against these risks by providing that the offences only apply where ‘the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing towards those individuals’.
However, including a provision in the Bill which expressly protects the release of information for legitimate public interest purposes would help to further strengthen the protection of freedom of expression while still effectively addressing the harms caused by doxxing.
Recommendation 6: The Federal Government include a provision in the Privacy and Other Legislation Amendment Bill 2024 (Cth) which provides protection for the release of information for legitimate public interest purposes.[34]
1.85In my view, consideration should be given to the recommendations made by the Law Council and the Australian Human Rights Commission. The conduct contemplated by the provisions is not conduct at the margins – it should be reasonably clear whether relevant behaviour falls outside the realm of legitimate public purpose.
Recommendation 11
1.86It is recommended that the bill be amended to address the concern that the offence as drafted may be too wide. In this regard, consideration should be given to the recommendations made by the Law Council of Australia and the Australian Human Rights Commission.
1.87In summary, I support the passage of Schedule 1 of the bill (subject to the issues raised in recommendations 1 to 5 of the majority report) and the recommendations in these additional comments being addressed.
1.88Schedule 2 introducing a statutory tort needs to be withdrawn for further consultation. Given the strength of the submissions received and the myriad of complicated amendments proposed, it is my strong view that it would be imprudent for the Senate to attempt to resolve the issues and pass the provisions into law in an abbreviated period of time.
1.89Lastly, I support the introduction of the doxxing provisions, subject to consideration of opportunities to tighten the drafting to avoid unintended consequences.
Recommendation 12
1.90Subject to Schedule 2 (the introduction of the statutory tort) being withdrawn from the bill for further consultation and detailed consideration, it is recommended that the bill be passed comprising Schedule 1 (Privacy Act reforms) and Schedule 3 (the creation of doxxing offences in the Criminal Code) subject to the amendments discussed in these additional comments (including recommendations 1 to 5 in the majority report).
Senator Paul Scarr
Deputy Chair
Footnotes
[1]Refer to my comments in previous committee reports citing the concerns of the Law Council of Australia in relation to each of the following five bills: Administrative Review Tribunal Bill 2023; Migration Amendment (Removal and Other Measures) Bill 2024; Identification Verification Services Bill 2023; Criminal Code Amendment (Deepfake Sexual Material) Bill 2024, and Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024.
[2]Law Council of Australia (Law Council), Submission 67, p. 5.
[3]Law Council, Submission 67, p. 16.
[4]Given no exposure draft of the bill was released, presumably this is a reference to the bill as introduced into Parliament. I comment further below in relation to the issues raised by the lack of an exposure draft of the bill.
[5]Digital Industry Group Inc. (DIGI), Submission 41, pp. 3–4.
[6]Law Council, Submission 67, pp. 15–16.
[7]BSA | The Software Alliance (BSA), Submission 6, p. 7.
[8]AGD, Answers to spoken questions on notice, 22 October 2024 (received 5 November 2024).
[9]Council of Small Business Organisations Australia (COSBOA), Submission 46, p. 3.
[10]BSA, Submission 6, p. 6.
[11]Digital Rights Watch, Submission 50, p. 4.
[12]Law Council, Submission 67, p. 17.
[13]Scrutiny of Bills Committee, Scrutiny Digest 13/24, 9 October 2024, pp. 44–45.
[14]Scrutiny of Bills Committee, Scrutiny Digest 13/24, 9 October 2024, p. 46.
[15]Jeff Bleich Centre for Democracy and Disruptive Technologies, Flinders University, Submission 19, p. 4.
[16]Scrutiny of Bills Committee, Scrutiny Digest 13/24, 9 October 2024, p. 48.
[17]Scrutiny of Bills Committee, Scrutiny Digest 13/24, 9 October 2024, p. 50.
[18]Australian Human Rights Commission, Answers to spoken questions on notice, 22 October 2024 (received 4 November 2024).
[19]Global Data Alliance, Submission 9, pp. 1–2.
[20]Interactive Gaming and Entertainment Association, Submission 18, pp. 4–5.
[21]COSBOA, Submission 46, pp. 1–3.
[22]Australia's Right to Know (ARTK), Submission 59, p. 2.
[23]ARTK, Answers to spoken questions on notice, 22 October 2024 (received 4 November 2024).
[24]ARTK, Answers to spoken questions on notice, 22 October 2024 (received 4 November 2024).
[25]Commercial Radio Australia, Submission 43, p. 1.
[26]Australian Institute of Company Directors, Submission 39, p. 2.
[27]DIGI, Submission 41, p. 6.
[28]Ai Group, Submission 42, pp. 8–9.
[29]Australian Medical Association, Submission 26, p. 4.
[30]Electronic Frontiers Australia, Submission 45, p. 7.
[31]Law Council, Submission 67, pp. 38–39.
[32]Law Council, Submission 67, p. 39.
[33]Australian Federal Police, Submission 71, pp. 1–2.
[34]AHRC, Submission 36, pp. 8–9.
Inquiry into the Privacy and Other Legislation Amendment Bill 2024 [Provisions].