Chapter 1 Introduction
1.1 On 19 September 2024, the Senate referred the provisions of the Privacy and Other Legislation Amendment Bill 2024 (the bill) to the Legal and Constitutional Affairs Legislation Committee (the committee) for inquiry and report by 14 November 2024.
1.2 The referral followed a recommendation of the Senate Standing Committee for the Selection of Bills. Appendix 4 to that committee's report suggested an inquiry would allow stakeholders to examine the new offences in the bill, particularly in relation to doxxing reforms and the effect of regulatory changes on online platforms and social media.
Conduct of the inquiry
1.3 In accordance with its usual practice, the committee advertised the inquiry on its website and wrote to relevant organisations and individuals inviting submissions by 11 October 2024. The committee received 75 submissions, which are listed at Appendix 1 and are available on the committee's website.
1.4 The committee held a public hearing in Canberra on 22 October 2024. A list of witnesses is provided at Appendix 2.
1.5 Answers to questions on notice and other material received by the committee are listed at Appendix 1. Submissions and the Hansard transcript of evidence may be accessed through the committee website.
1.6 The committee thanks the organisations and individuals who gave evidence at the public hearing as well as those who made written submissions.
Structure of the report
1.7 The report comprises two chapters as follows:
Chapter 1 outlines the administrative details of the inquiry, background to the inquiry and the key provisions of the bill.
Chapter 2 explores the key issues raised in evidence and provides the committee's views and recommendations in relation to the bill.
Note on references
1.8 References to Committee Hansard are to proof transcripts. Page numbers may vary between proof and official transcripts.
Purpose of the bill
1.9 The bill would enact a first tranche of reforms to the Privacy Act 1988 (Privacy Act) agreed by the government in its Response to the Privacy Act Review. The bill would also introduce a new statutory tort for serious invasions of privacy and targeted criminal offences to respond to doxxing.
Background
1.10 On 3 September 2014, the Australian Law Reform Commission (ALRC) released the final report for its inquiry into serious invasions of privacy in the digital era. In that report, the ALRC recommended the establishment of a statutory cause of action for serious invasions of privacy.
1.11 In June 2019, the Australian Competition and Consumer Commission (ACCC) released the Digital Platforms Inquiry report (DPI report). That report recommended that the government undertake a review of the Privacy Act.
1.12 The DPI report also recommended the introduction of a statutory tort for serious invasions of privacy.
Box 1.1 Recommendation 19 — Statutory tort for serious invasions of privacy
Introduce a statutory cause of action for serious invasions of privacy, as recommended by the Australian Law Reform Commission (ALRC). This cause of action provides protection for individuals against serious invasions of privacy that may not be captured within the scope of the Privacy Act. The cause of action should require privacy to be balanced against other public interests, such as freedom of expression and freedom of the media. This statutory cause of action will increase the accountability of businesses for their data practices and give consumers greater control over their personal information.
1.13 On 16 February 2023, the Hon Mark Dreyfus KC MP, Attorney-General, released the Privacy Act Review Report 2022 (Privacy Act Review). It recognised that technological advancements have had significant implications for the privacy of personal information since the passage of the Privacy Act. Since that time:
Digitalisation and technological innovation have had a significant impact on the ways in which personal information is exchanged and used, as well as the volume of information handled. Our society is increasingly networked: decisions made by one individual about their personal information can impact the privacy of others. At the same time, the community expects that personal information will be protected.
1.14 On 28 September 2023, the government released its response to the Privacy Act Review. That response acknowledged the implications that technological advancement has had for the privacy of Australians' information:
The digital economy has led to innovation, advances in productivity and efficiency and a range of other benefits for Australians. However, the vast data flows underpinning digital ecosystems have also created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams. Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.
1.15 The Privacy Act Review 'concluded that it is necessary to overhaul Australia's privacy laws, as many other countries have done, to ensure they remain fit-for-purpose in the digital age'.
1.16 There is widespread public support for privacy reform. According to the 2023 Office of the Australian Information Commissioner Australian Community Attitudes to Privacy Survey:
Three in five (62%) of Australians surveyed see the protection of their personal information as a major concern in their life, and 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Only 32% feel in control of their data privacy, and 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation in this area.
1.17 According to the Explanatory Memorandum (EM), the Privacy Act is not fit-for-purpose in the digital age. It does not adequately protect Australians' data, particularly as the digital landscape has evolved. Privacy legislation:
…has not kept pace with Australians' widespread adoption and reliance on digital technologies, which increases the risks that personal data will be subject to misuse or mishandling, including through data breaches, fraud and identity theft, unauthorised surveillance and other significant online harms.
1.18 The EM defines doxxing as 'the intentional malicious exposure of an individual's personal data online'. The public release of that data may:
…expose victims, including family members and associates of the individual whose data is released, to a wide range of harms including harassment and threats to their lives or physical safety, public embarrassment, humiliation or shaming, discrimination, stalking, identity theft and financial fraud.
1.19 It further states that, once the data becomes publicly available, the risk of harm may be enduring. To address that risk:
Victims of doxxing may be required to take significant steps, and incur significant cost and hardship…Doxxing can also cause psychological harms, both directly and as a result of the occurrence, or the fear of the occurrence, of the previously-mentioned harms.
1.20 The victims of doxxing are exposed:
…to physical threats, public embarrassment, humiliation or shaming, discrimination, identity theft and financial fraud, and other serious harms. These risks are magnified where the release of personal information involves women and children in the context of domestic and family violence.
1.21 The Attorney-General's Department (AGD) reported that it:
…received approximately 100 submissions through the public consultation process on doxxing. That was a process that we held between 11 to 20 March 2024. In addition to that, we convened a roundtable on doxxing and privacy reforms alongside the eSafety Commissioner.
1.22 The government agreed that an overhaul of the Privacy Act is required for multiple reasons, including to safeguard personal information and the competitiveness of Australian businesses:
Australia can no longer afford to have inadequate privacy protections. Privacy uplift is needed to guard against identity fraud, scams and the risk to businesses of failing to manage personal information appropriately. Business sustainability relies on the ability to protect personal information. A failure to uplift Australia's privacy standards to more closely align with global standards also has the potential to adversely impact the international competitiveness of Australian businesses.
1.23 The Privacy Act Review proposed 89 legislative changes. Of those proposed changes, the government 'agreed to 25 proposals, agreed in-principle to 56 and noted eight'. If it is passed, '[t]he bill would implement 23 of the 25 legislative proposals that were agreed in the Government Response to the Privacy Act Review'.
1.24 In introducing the bill to the House of Representatives, the Attorney-General outlined its main provisions:
Schedule 1 of the bill will amend the Privacy Act to enhance its effectiveness, strengthen the enforcement tools available to the privacy regulator and better facilitate safe overseas data flows. It will require the development of a children's online privacy code, streamline information-sharing in emergencies and following eligible data breaches, and increase transparency when entities are automating significant decisions which use personal information.
Schedule 2 of the bill will introduce a new statutory tort to provide redress for serious invasions of privacy.
Schedule 3 of the bill will amend the Criminal Code Act 1995 to introduce new criminal offences to target the harmful practice of doxxing.
Key provisions of the bill
1.25 The bill comprises the following three schedules:
Schedule 1—Privacy reforms;
Schedule 2—Serious invasions of privacy; and
Schedule 3—Doxxing offences.
Schedule 1—Privacy reforms
1.26 The privacy reforms contained in Schedule 1 of the bill are divided into 15 parts. The key provisions of Schedule 1 raised by submitters are contained in the following parts:
Part 2—Australian Privacy Principle (APP) codes;
Part 3—Emergency declarations;
Part 4—Children's privacy;
Part 6—Overseas data flows;
Part 8—Penalties for interference with privacy; and
Part 15—Automated decisions and privacy policies.
Part 2—Australian Privacy Principle codes
1.27 The bill would amend the Privacy Act to allow the minister to direct the Information Commissioner to develop an APP code. Before registering that code, the Information Commissioner would be required to make a draft of it publicly available and invite the public to make submissions about the draft over a period of at least 40 days.
1.28 An APP code is:
…a written code of practice for the handling of personal information…[that] sets out how one or more of the APPs are to be applied or complied with, and the APP entities that are bound by the code.
1.29 The bill would also amend the Privacy Act to allow the minister to direct the Information Commissioner to develop a temporary APP code if there is an urgent need for such a code to be made. A temporary APP code would not be able to operate for a period longer than 12 months.
1.30 According to the EM:
APP codes provide greater clarity and specificity about how the principles-based [APPs] are to be applied and complied with. The Bill enhances the right to privacy by promoting greater compliance and providing confidence to members of the community that their personal information will be handled appropriately. This is particularly important given the growing calls for APP codes to be developed in response to the privacy risks arising from new and emerging technologies.
1.31 The establishment of temporary APP codes 'would promote the right to privacy by providing greater flexibility and efficiency to the APP code-making process'. For example, during a pandemic emergency, temporary APP codes could be developed:
…to instruct APP entities on how to comply with APPs while collecting contact-tracing information, and give greater transparency to the community on how their personal information is being handled.
1.32 Temporary APP codes are intended to only be in force during urgent situations:
If it was proposed that the enforceable requirements within a temporary APP code would be extended beyond a 12-month period, these should be subject to the usual provisions for developing an APP code, including mandatory consultation on the code and tabling in Parliament.
Part 3—Emergency declarations
1.33 The bill would amend the Privacy Act to require an emergency declaration to specify the kinds of personal information, the types of entities permitted to share personal information, and the purposes for which that information may be shared.
1.34 The permitted purposes for sharing that information would be required to relate to the Commonwealth's response to the emergency or disaster for which an emergency declaration is in force.
1.35 During declared emergencies or disasters, those purposes may include:
identifying individuals involved, or at risk of being involved;
assisting individuals affected, or at risk of being affected, to gain access to services;
assisting law enforcement;
coordinating or managing the response;
ensuring that other persons responsible for those individuals affected, or at risk of being affected, are informed of matters related to those individuals.
1.36 The emergency declarations provisions of the bill would 'authorise more targeted handling of personal information to assist individuals in emergency and disaster situations'.
1.37 The Attorney-General explained that the bill would allow the sharing of personal information by permitted entities following disasters or emergencies. The sharing of that information would 'support response efforts, including to assist affected individuals'.
Part 4—Children's privacy
1.38 The bill would require the Information Commissioner to develop an APP code about online privacy for children. That APP code would be known as the Children's Online Privacy Code (COP Code).
1.39 According to the EM, '[t]he COP Code would be an enforceable APP code that sets out how one or more of the APPs are to be applied or complied with in relation to the privacy of children'.
1.40 An APP entity would be bound by the COP Code if:
it provides a social media service, relevant electronic service or designated internet service within the meaning of the Online Safety Act 2021;
children are likely to access the service; and
it does not provide a health service; or
it is an APP entity, or is included in a class of APP entities, specified in the COP Code.
1.41 The Information Commissioner must develop and register the COP Code within two years of the bill receiving Royal Assent.
1.42 The COP Code would be required to set out how the APPs 'are to be applied or complied with in relation to the privacy of children'. For example, the COP Code could set out how APP entities communicate their privacy policies and consent notices to children:
…the COP Code may set out how regulated entities must meet requirements in APP 1 and 5 in relation to privacy policies and consent notices by ensuring that information addressed to a child is clearly expressed and understandable – such as through the use of graphics, video and audio content rather than relying solely on written communication.
1.43 Providers of online services 'are expected to proactively assess the likelihood that their service is accessed by children, regardless of if the service is not explicitly targeted at children'. The Information Commissioner may provide written guidelines to assist entities in determining whether they provide a service that is likely to be accessed by children.
1.44 The COP Code would differ from other APP codes as it must be developed by the Information Commissioner rather than 'by an APP code developer on their own initiative, or on request by the Information Commissioner'. The COP Code would be developed in this way because:
There is a public interest and community expectation in ensuring that a COP Code is developed and registered, and is developed by the Information Commissioner who has particular expertise in privacy. This will avoid any potential industry regulatory biases, and conflicting commercial interests.
1.45 The Attorney-General indicated that children are particularly vulnerable to online privacy risks. The extent of that risk is evident in the amount of data that is collected about them. According to the Attorney-General, 'by the time a child turns 13, around 72 million pieces of data will be collected about them'.
1.46 Social media companies and other providers of online services accessed by children would be required to adhere to the COP Code. The code would 'specify how these entities must comply with privacy obligations in relation to children'. It would also align as closely as 'possible with similar codes in like-minded countries, such as the United Kingdom'.
Part 6—Overseas data flows
1.47 The bill would amend the Privacy Act to introduce APP 8.3. That APP would allow countries, or binding schemes, that have data privacy laws 'substantially similar' to Australia's to be prescribed via regulation.
1.48 The EM states that its introduction:
…would enhance the free flow of information across national borders while ensuring the privacy of individuals is respected by providing greater certainty to disclosing entities about the standard of privacy protections in countries in which overseas recipients of personal information are located.
1.49 In the globalised economy, the transnational flow of information 'is critical for international trade and services'. The bill would enable 'countries with substantially similar data privacy laws to Australia to be prescribed. Businesses and individuals will be able to have greater confidence that personal information will be kept safe'. The provision would 'also reduce costs for business when entering into contracts and agreements with overseas entities'.
Part 8—Penalties for interference with privacy
1.50 The bill would amend the Privacy Act to introduce civil penalty provisions for the serious interference with the privacy of an individual.
1.51 To determine if an interference with the privacy of an individual is serious, the following factors may be taken into account:
1.52 The maximum penalty that would be applied to someone who is found to have seriously interfered with an individual's privacy would be 2000 penalty units (currently $626 000). Alternatively, if the court finds that an individual's privacy has been interfered with, but not in a serious manner, it may make a pecuniary penalty order.
1.53 The bill would allow a court to apply a civil penalty to an entity if it is found non-compliant with certain APPs. That penalty would not exceed 200 penalty units (currently $62 600).
1.54 The EM states that the bill would introduce a tiered penalty regime that is 'commensurate with the seriousness of the interference with privacy'.
1.55 The Attorney-General argued the tiered civil penalty regime would assist in the enforcement of the Privacy Act.
Part 15—Automated decisions and privacy policies
1.56 The bill would amend the Privacy Act to introduce APP 1.7. That principle would apply to an APP entity if:
1.57 If APP 1.7 applies to an entity, the entity would be required to provide the following information in its privacy policy:
1.58 Automated decision-making processes 'have the potential to increase the efficiency, accuracy and consistency of decisions, and they present opportunities for improved outcomes in health, environment, defence and national security'.
1.59 The bill would 'provide individuals with transparency about the use of their personal information in automated decisions which significantly affect their interests'. Any entity that makes automated decisions would be required 'to specify the kinds of personal information used in these sorts of decisions in their privacy policies'.
Schedule 2—Serious invasions of privacy
1.60 Schedule 2 of the bill would insert a statutory tort for serious invasions of privacy into the Privacy Act.
1.61 The objects of Schedule 2 would be to:
(a) establish a cause of action for serious invasions of privacy;
(b) provide for defences, remedies and exemptions in respect of the cause of action;
(c) recognise that there is a public interest in protecting privacy;
(d) recognise that the public interest in protecting privacy is balanced with other public interests; and
(e) implement Australia's international obligations in relation to privacy.
Cause of action
1.62 The bill would provide a plaintiff with a cause of action in tort against a defendant if:
(a) the defendant invaded the plaintiff's privacy by doing one or both of the following:
(i) intruding upon the plaintiff's seclusion;
(ii) misusing information that relates to the plaintiff; and
(b) a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances;
(c) the invasion of privacy was intentional or reckless; and
(d) the invasion of privacy was serious.
1.63 Proof of damage would not be required to demonstrate that the defendant invaded the plaintiff's privacy.
1.64 If the defendant argues that there was a public interest in invading the privacy of the plaintiff, the defendant would be required to provide evidence to demonstrate that the public interest outweighed the protection of the plaintiff's privacy.
1.65 Without restricting the kind of evidence that the defendant could present, the public interests the defendant could rely on to meet the public interest test would include:
(a) freedom of expression, including political communication;
(b) freedom of the media;
(c) the proper administration of government;
(d) open justice;
(e) public health and safety;
(f) national security; or
(g) the prevention and detection of crime and fraud.
1.66 In its consideration of whether the plaintiff had a reasonable expectation of privacy, the court may consider the following non-exhaustive matters:
how the defendant invaded the plaintiff's privacy, including through the use of a device or technology;
the defendant's reason for invading the plaintiff's privacy;
the plaintiff's personal attributes, such as age, occupation or cultural background;
whether the plaintiff 'invited publicity or manifested a desire for privacy';
where the intrusion of the plaintiff's privacy occurred;
the type of information that the defendant misused in their invasion of the plaintiff's privacy, how that information was obtained or shared by the defendant, and the extent to which that information was already in the public domain.
1.67 To determine if the invasion of privacy was serious, the court may consider a range of matters, not limited to:
(a) the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff;
(b) whether the defendant knew or ought to have known that the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff;
(c) if the invasion of privacy was intentional—whether the defendant was motivated by malice.
1.68 The EM states that the statutory cause of action:
…would implement the Australian Law Reform Commission's recommendation in its 2008 report For Your Information: Australian Privacy Law and Practice (ALRC Report 108). The model of the statutory tort set out in this Bill is informed by the ALRC's 2014 report Serious Invasions of Privacy in the Digital Era (ALRC Report 123).
1.69 The Attorney-General explained that the bill would address community expectations in relation to individual rights to seek legal recourse when reasonable expectations of privacy have been breached. He stated:
There are parts of our lives that we reasonably expect to be able to keep to ourselves. The freedom to enjoy a private and family life, and express ourselves and our beliefs in safety, is critical to our wellbeing and dignity.
Ensuring that individuals have a clear right to seek a legal remedy against people or entities who seriously invade their privacy is a key part of ensuring that our privacy laws keep pace with community expectations and advances in technology.
Defences
1.70 It would be a defence to the cause of action if the:
invasion of the plaintiff's 'privacy was required or authorised by or under an Australian law or court/tribunal order';
plaintiff, or a person lawfully acting on their behalf, 'expressly or impliedly consented to the invasion of privacy';
defendant had a reasonable belief that invading the plaintiff's 'privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person';
invasion of the plaintiff's privacy was 'incidental to the exercise of a lawful right of defence of persons or property and proportionate, necessary and reasonable';
defendant published defamatory information about the plaintiff and there is a related defence under Australian law that references the invasion of privacy.
Interim injunctions
1.71 The bill would allow a court to 'grant an injunction restraining the defendant from invading the plaintiff's privacy'. In cases where the defendant invaded the plaintiff's privacy by publishing information related to them, 'the court must have particular regard to the public interest in the publication of the information when considering whether to grant the injunction'.
Damages
1.72 The bill would not allow a court to award aggravated damages. The court would be able to award damages for emotional distress. In exceptional circumstances, the court would be able to award exemplary or punitive damages.
1.73 The sum of the damages awarded against the defendant would not exceed the greater of $478 550 and 'the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under an Australian law'.
1.74 When determining the amount of damages, the court may consider how the plaintiff and defendant engaged with each other after the invasion of privacy occurred. The matters it could consider include, but are not limited to:
(a) whether the defendant apologised to the plaintiff;
(b) if the defendant invaded the plaintiff's privacy by publishing information that relates to the plaintiff—whether the defendant published a correction;
(c) whether the plaintiff received or agreed to receive compensation in relation to the invasion of privacy;
(d) whether the plaintiff or the defendant took reasonable steps to settle the dispute;
(e) whether the defendant engaged in conduct after the invasion of privacy, including during the proceedings, that was unreasonable and subjected the plaintiff to particular or additional embarrassment, harm, distress or humiliation.
1.75 The court would be able to grant other remedies instead of, or in addition to, awarding damages.
Exemptions
1.76 If the invasion of privacy involved 'the collection, preparation for publication or publication of journalistic material', the cause of action would not apply to:
(a) a journalist;
(b) an employer of a journalist;
(c) a person assisting a journalist who is employed or engaged by the journalist's employer; or
(d) a person assisting a journalist in the person's professional capacity.
1.77 The cause of action would also not apply to:
enforcement bodies, provided 'that the invasion of privacy is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body';
intelligence agencies;
someone under the age of 18; or
a deceased person or a representative of that person.
1.78 According to the Attorney-General, '[t]hese exemptions are important to protect press freedom, and ensure that legitimate activities of government can be delivered effectively'.
Schedule 3—Doxxing offences
1.79 Schedule 3 of the bill would amend the Criminal Code Act 1995 (Criminal Code) to create new doxxing offences.
1.80 For the purpose of the doxxing offences, the bill would define personal data as information that could enable an individual or group of individuals to be identified, contacted or located. That information would include any of the following details of an individual or group of individuals:
their name or names;
photographs or other images of them;
their telephone number or numbers;
their email address or addresses;
details of an online account or accounts belonging to them;
their residential address or addresses;
their work or business address or addresses;
a place or places of education attended by them; or
a place or places of worship attended by them.
Using a carriage service to make personal information publicly available
1.81 If a person uses a carriage service to share the personal data of one or more individuals in a menacing or harassing way, that person would have committed an offence. The penalty for committing the offence would be imprisonment for six years.
1.82 For example, if a person publishes an individual's name, image and telephone number on a website and encourages other people to harass that individual by leaving them violent or threatening messages, that would be an example of doxxing covered by the bill.
Using a carriage service to make personal information of one or more members of certain groups publicly available
1.83 A person would have committed an offence if they use a carriage service to share the personal information of one or more members of a group, based on a belief that the members have certain characteristics, and share that information in a menacing or harassing way. The penalty for committing this offence would be imprisonment for seven years.
1.84 For example, if a person publishes the name, image and residential address of one or more members of a private online religious discussion group on a website and encourages other people to attend those addresses, block entryways, or otherwise harass the members of the group, that would be an example of doxxing covered by the bill.
Consideration by other parliamentary committees
1.85 When examining a bill, the committee takes into account any relevant comments published by the Senate Standing Committee for the Scrutiny of Bills (the Scrutiny Committee) and the Parliamentary Joint Committee on Human Rights (PJCHR).
Senate Standing Committee for the Scrutiny of Bills
1.86 The Scrutiny Committee stressed that the exemption of legislative instruments from disallowance should only be permitted under 'exceptional circumstances'. The bill's EM should fully justify why legislation would be exempt from the usual disallowance process.
1.87 The Scrutiny Committee acknowledged that the EM explains the exemption is necessary 'to ensure that decisive action can be taken'. In emergency situations, or in scenarios where events are quickly changing, the exemption 'would establish an immediate, clear and certain legal basis for entities to handle personal information'.
1.88 In the view of the Scrutiny Committee, that could be achieved 'while allowing parliamentary oversight'. It did not consider this an appropriate basis for 'an exemption from disallowance'. The Scrutiny Committee left it for the Senate to determine the appropriateness of exempting the provisions from disallowance and drew the matter to the attention of the Senate Standing Committee for the Scrutiny of Delegated Legislation.
1.89 In relation to the exemption from disallowance for the creation of temporary APP codes, the Australian Human Rights Commission considered 'the exemption from disallowance is – on balance – appropriate in these limited circumstances'.
1.90 The AGD stated that the provisions of the bill that would be exempt from disallowance relate to circumstances 'where prompt action and certainty is required'. For example, during declared emergencies and data breaches, 'people would be able to rely on the contents of [the legislative instrument] immediately'.