Privacy law update: is this really what we were waiting for?
Well, the belated privacy review response has come through and… drumroll please… it might be a case of all audit, no action.
After all of the hype, the Privacy and Other Legislation Amendment Bill 2024 has dropped, but it doesn’t cover very many of the review recommendations that the Government committed to and barely scratches the surface of what we actually need.
In an era where it’s believed Australians’ personal information is shared up to 450 times a day without them even knowing, this draft legislation feels…. dare I say, a little flaccid?
So, what is covered?
The new bill called the Privacy and Other Legislation Amendment Bill 2024 says that its objects are to promote the protection of individuals’ personal information, and to recognise the public interest in protecting privacy.
The Bill delivers “a statutory tort for serious invasions of privacy, targeted criminal offences to respond to doxxing and enables the development of a Children’s Online Privacy Code.” It is also referred to as the first stage in the Federal Government’s response with further stages deferred until after the next election.
A tort is a fancy legal word related to harm (not a cake, that has an extra ‘e’ – torte). It allows someone to sue for harm because someone has shared their personal information without permission or used it to spy on them.
What does this mean for business?
Under the new statutory tort for serious invasions of privacy, the existing hotch potch of state and common law rules are all codified into a single test. It allows Australians to sue for compensation for:
- Serious invasions of privacy, including physical privacy and misuse of information, where:
- a person in their position would have had a reasonable expectations of privacy
- the invasion of privacy was intentional or reckless
- the invasion of privacy was serious
There are tiered penalties for various interferences with privacy by organisations covered by the Privacy Act including fines of up to $66,000 for administrative breaches and $660,000 for interferences with privacy that are not deemed ‘serious.’ Fines of up to $50 million are on offer for serious and repeated breaches, or lack of adequate controls, particularly where the individuals are vulnerable.
Organisations are also now required to disclose if they use automated decision making about individuals (think AI tools making calls on your data).
And the Government will prepare a list of countries which have acceptable privacy practices to assist organisations in deciding whether to disclose personal information to overseas recipients.
What is missing?
Given the media response to this bill, it is clear that consumers and clients were expecting more and they want more than the law is prescribing from the organisations they deal with.
We were expecting a ‘fair and reasonable’ requirement for the collection and use of personal information but that change is missing. Also missing are the pop-up ‘opt in’ notices of collection of personal information that we are all used to seeing when using overseas websites.
The right to be forgotten was also forgotten.
For small businesses
We were expecting small businesses to be covered by the new laws but that they are still off the hook.
Even so, I often take questions from small businesses who say that even though they’re not covered by the privacy law, they would like a privacy policy anyway because their customers and clients expect it.
There is a free template available at the Business Victoria website. Just take care in putting it together because if you say you do something you don’t actually do, this could get you in more hot water than not having a policy at all.
Want to know more? Read some tips for small business in our previous article Privacy Law changes for small business.
For larger organisations
Larger organisations, you’re not off the hook. The consequences for breaches are only getting more expansive and serious. There is expanded risk of class actions, compensation claims and fines. Not to mention the reputational damage that goes along with eligible data breach notices and being named in the media.
If you have not already, allocating one executive team member to ‘own’ privacy with responsibility for understanding and improving privacy practices across your organisation would be a good next step.
For everyone
A privacy and data strategy is so much more than just a privacy policy. All organisations should be asking themselves:
- What data you collect
- Why you collect it
- Where it is held and for how long
- Who has access to it
- How it is protected
- Whether the systems are adequate and lawful
With the new consideration of how vulnerable your clients are when assessing fines, your standards for protection may have just increased.
Risks should be written down in a risk register, mitigating strategies should be implemented and responses should be revised at least annually.
If this project has been on your list for a while with no progress, why not outsource it to us? Don’t leave it to chance. Contact Sarah today.