Patrick Gunning of King & Wood Mallesons reports that on November 29, 2024, the Australian Parliament passed more than 30 bills on the final sitting day for the calendar year. Among the flurry of legislative activity were the Privacy and Other Legislation Amendment Act 2024 and the Online Safety Amendment (Social Media Minimum Age) Act 2024.
Privacy Amendment Act
The Privacy Amendment Act represents the initial stage of the Australian government’s response to a long-running reform process, with the government indicating that if it is re-elected in 2025, a second tranche of amendments will be proposed. We highlight some of the 2024 amendments.
Broader Enforcement Powers for the Australian Information Commissioner
This includes changes to:
- Clarify when “serious” contraventions (which can result in fines of A$50 million or more) occur.
- Enable the regulator to bring civil penalty proceedings for contraventions that do not meet the “serious” threshold, but are deserving of court action to deter others (with a maximum fine of up to A$3.3 million).
- Enable the regulator to issue an “infringement notice” for breaches of certain less serious requirements of Australian privacy law. If a regulated entity chooses to pay the penalty set out in the infringement notice (up to A$330,000 per specified contravention), the regulator cannot commence court proceedings in respect of those contraventions unless the regulator withdraws the infringement notice and returns the fine. Alternatively the regulated entity can choose to not pay the fine, in which case the regulator has the discretion to take a different form of enforcement action (such as commencing civil penalty proceedings in a court, where the maximum fine is ten times greater than available under the infringement notice regime).
The current Privacy Commissioner, Carly Kind, was appointed in 2024. She has signalled an intention to more actively enforce the law than her predecessors. The new enforcement powers in the 2024 amendments will give her tools to achieve that objective.
New Statutory Tort of Invasion of Privacy
The Privacy Amendment Act introduces a new statutory tort for serious invasions of privacy involving intrusion upon seclusion and/or misuse of information, where:
- the plaintiff has a reasonable expectation of privacy;
- the conduct by the defendant is intentional or reckless;
- the invasion of privacy is serious; and
- the public interest in the plaintiff’s privacy outweighs any countervailing public interest.
While it remains to be seen how widely the statutory tort of invasion of privacy will be litigated, expectations are that most cases will be brought against media defendants by well-resourced high-profile individuals. While the regulator will have the right to make submissions in such a case, the regulator will not have standing to bring a statutory tort claim on behalf of any individual. Class actions are, however, a possibility if a single event affects multiple individuals. However, a typical cyber incident is not likely to qualify as a serious invasion of privacy, because the conduct of a defendant organization that has been hacked by a malicious third party is rarely intentional or reckless, even if it may involve negligence.
Automated Decisionmaking
In addition to the changes related to enforcement, the Act also provides greater transparency for individuals when regulated entities use personal information for automated decisionmaking. Regulated entities will now be required to include in their privacy notices details about what information is involved and what types of decisions are made using automated decisionmaking technology.
Children’s Online Privacy Code
The Act also directs the Commissioner to develop a Children’s Online Privacy Code, as discussed further below. The Act includes minimal parameters for the Code, however, beyond applicability and consultation provisions.
Social Media Minimum Age Act
The Australian Parliament enacted the Social Media Minimum Age Act only eight days after its introduction. The Act amends the Online Safety Act 2021 by requiring providers of an “age-restricted social media platform” to take reasonable steps to prevent Australian children under the age of 16 from having an account. Providers who fail to do so will be subject to civil penalties of up to A$49.5 million. The eSafety Commissioner will be responsible for administering the new requirements to be imposed on age-restricted social media platforms.
The Act defines an ”age-restricted social media platform” is as a platform that:
- allows users to post material;
- allows users to interact with other end-users; and
- enables social interactions between two or more end-users (as the platform’s sole or significant purpose).
Some forms of messaging services will be covered by this definition, in addition to platforms that would generally be considered social media platforms.
Providers of age-restricted social media platforms will have 12 months to implement age assurance techniques. The Act is not prescriptive about the techniques that may be implemented, but does impose limits on a provider’s right to collect government-issued identifiers and digital IDs for the purpose of enforcing the minimum age requirement.
It is possible that by the time that these age-restriction requirements take effect, the Privacy Commissioner will have developed an enforceable Children’s Online Privacy Code, which also will apply to providers of age-restricted social media platforms, as well as to others that deal with children online (such as e-commerce businesses).
The age-restriction requirements do not apply to platforms where ”none of the material on the service is accessible to, or delivered to, one or more end-users in Australia”. However, given the global nature of most social media platforms, it seems inevitable that some platform providers will regard this law as a legislative overreach by the Australian Parliament. For example, X Corp recently resisted the Australian eSafety Commissioner’s order to remove video footage of a violent attack in an Australian church from the platform. X Corp argued successfully in the Federal Court of Australia that it had taken all reasonable steps to remove the content from its platform by geo-blocking users with Australian IP addresses. As the initial injunction expired, the Australian eSafety Commissioner dropped the court case to pursue administrative action, having lost her argument that X Corp should have removed the content from its platform entirely because Australians using VPNs could circumvent the geo-blocking measures. Similar enforcement difficulties are likely to arise under the Social Media Minimum Age, as Australian children under the age of 16 may also use VPN services that allow them to circumvent whatever measures are put in place to restrict their ability to have an account on an age-restricted platform.
For further detail on these Australian reforms, visit KWM’s insights on data and privacy developments.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code