Search results for australia | Privacy Matters (https://privacymatters.dlapiper.com/), DLA Piper's Global Privacy and Data Protection Resource

Australia: Privacy Act amendments and Cyber Security Act become law
https://privacymatters.dlapiper.com/2024/12/australia-privacy-act-amendments-and-cyber-security-act-become-law/ (Thu, 05 Dec 2024)

On 29 November 2024, the Australian Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Privacy Act Bill). This follows the passage of the Cyber Security Act 2024 (Cth), and other cyber-security related amendments, on 25 November 2024.

The majority of the amendments to the Privacy Act 1988 (Cth) will commence the day after the Privacy Act Bill receives Royal Assent, with a few exceptions.

The Privacy Act Bill contains key amendments to the Privacy Act including:

  • A statutory tort for serious invasions of privacy – this will only apply (amongst other criteria) where the conduct in question was intentional or reckless, and this section of the Bill will take effect no later than six months after the Act receives Royal Assent.
  • The framework for a Children’s Online Privacy Code – this will be developed by the Information Commissioner and will apply to social media platforms and any online services likely to be accessed by children.
  • Tiered sanctions for less serious privacy breaches – this includes civil penalties of up to AUD 3.3 million for an “interference with privacy” and lower level fines of up to AUD 330,000 for administrative breaches, such as deficient privacy policies.  The headline penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover, remain for conduct which amounts to a “serious interference with privacy”.
  • Requirements to include details of the use of automated decision making in privacy policies, where personal information is used in wholly or substantially automated decision making that could reasonably be expected to significantly affect the rights or interests of an individual. This requirement will not take effect for 24 months, however.
  • The introduction of a criminal offence for doxing.
  • Eligible data breach declarations and information sharing – these are designed to allow limited information sharing following a data breach, in circumstances which would otherwise be in breach of the Privacy Act (such as disclosing information to banks and other institutions for the purpose of enhanced monitoring).
  • Clarifications to APP 11 to ensure it is clear that the reasonable steps which entities must take to protect personal information include “technical and organisational measures”.
  • The introduction of equivalency decisions under APP 8 to facilitate cross-border transfers of data.

Our previous post, available here, provides further insights regarding these changes.

Whilst the Privacy Act Bill implements some of the recommendations from the Privacy Act Review Report, subsequent tranches of amendments are expected in the next 12-18 months to implement the remaining recommendations.

The Cyber Security Act 2024 (Cth), which received Royal Assent on 29 November 2024, introduces:

  • A mandatory ransomware reporting requirement – reports must be made to the Department of Home Affairs if a ransomware payment is paid to an extorting entity. This requirement will be implemented after a six-month implementation period, and is drafted so as to also capture ransomware payments made on behalf of an entity doing business in Australia.
  • A Cyber Review Board which will conduct no-fault, post incident reviews of significant cyber security incidents in Australia.
  • A limited use exception – this prevents information which is voluntarily provided to certain Government departments from being used for enforcement purposes, and is designed to encourage enhanced cooperation between industry and Government during cyber incidents.
  • Mandatory security standards for smart devices.

Our previous post, available here, includes further details on the cyber security legislative package.

Australia: In-Store Facial Recognition Tech Breached Privacy Act
https://privacymatters.dlapiper.com/2024/11/australia-in-store-facial-recognition-tech-breached-privacy-act/ (Fri, 22 Nov 2024)

“Ethically challenging” and “the most intrusive option” – these are some of the words Australia’s Privacy Commissioner used to describe facial recognition technology (FRT), and its use by national hardware retailer Bunnings.

The Office of the Australian Information Commissioner (OAIC) has released the findings of its much-awaited investigation into the use of FRT in at least 62 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021. FRT was used to, as Bunnings submitted, monitor and identify individuals known by the retailer to engage in antisocial behaviour in its stores.

The investigation was sparked by consumer advocate group Choice, which flagged concerns about the use of FRT by Bunnings and other retailers in 2022. Facial recognition technology collects biometric information about an individual. Biometric information is sensitive information, which is entitled to specific protections under Australia’s overarching privacy law, the Privacy Act 1988 (Cth) (Privacy Act). Choice took the view that sensitive personal information was being collected via in-store FRT without sufficient notice to customers, and that the collection was “disproportionate” to legitimate business functions.

The OAIC’s investigation has affirmed these concerns.

Key Findings

Bunnings breached the Australian Privacy Principles (APPs) in the Privacy Act by unlawfully interfering with the privacy of individuals whose personal and sensitive information it collected through the FRT system.

  • Lack of Consent: Sensitive information was collected without consent, breaching APP 3.3, which prohibits such collection unless specific consent is given (or an exception applies, which it did not in this case).
  • Failure to Notify: Bunnings did not adequately inform individuals about the collection of their personal information. This was a breach of APP 5.1, which requires entities to notify individuals about certain matters regarding their personal information as it is collected.
  • Inadequate Practices and Policies: Bunnings failed to implement proper practices, policies, and procedures to ensure compliance with the APPs, breaching APP 1.2.
  • Incomplete Privacy Policies: Bunnings’ privacy policies did not include information about the kinds of personal information it collected and held, and how, breaching APP 1.3.

The OAIC has emphasised that entities using FRT must be transparent, and ensure individuals can provide informed consent.

Along with the outcome of the investigation, the regulator has also issued specific guidance on the use of FRT, stating, “the use of facial recognition technology interferes with the privacy of anyone who comes into contact with it,” and that convenience is not a sufficient justification for its use. Businesses must consider five key principles when looking to employ FRT: 1) privacy by design; 2) necessity and proportionality; 3) consent and transparency; 4) accuracy and bias; and 5) governance and ongoing assurance.

What’s Next for Bunnings?

Bunnings had already paused its use of FRT. As a result of its investigation, the OAIC has made declarations that Bunnings:

  • Not repeat or continue the acts and practices that led to the interference with individuals’ privacy.
  • Publish a statement about the conduct.
  • Destroy all personal information and sensitive information collected via the FRT system that it still holds (after one year).

This decision aligns with the continued emphasis on privacy rights in Australia. As we await further legislative updates to the Privacy Act in the new year, businesses operating in Australia will need to apply greater scrutiny to the security and privacy practices adopted in respect of consumers.

Australia’s Cyber Security Strategy in action – three new draft laws published
https://privacymatters.dlapiper.com/2024/10/australias-cyber-security-strategy-in-action-three-new-draft-laws-published/ (Fri, 11 Oct 2024)

It has been a busy month for cyber and privacy regulation in Australia. On the heels of the proposed amendments to the Privacy Act 1988 released just under a month ago (see our summary here), three further draft Bills relating to cyber security were released this week.

The key takeaways from the new Bills are summarised below:

Mandatory ransomware reporting

The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.

A report will need to be made to the Department of Home Affairs within 72 hours if the following criteria are met:

  • a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
  • an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
  • the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.

Some Australian businesses will be exempt from the reporting requirement, if their annual turnover falls below an as-yet unspecified amount.

A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.

Cyber Review Board

Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience, by providing recommendations to Government and industry based on lessons learned from previous incidents.

Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses.

The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from a pool of industry members with relevant expertise.

Limited Use Exception

A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.

The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.

Crucially, it guarantees that information which is provided voluntarily or in response to a request within the framework of the limited use regime cannot later be used against the entity by a regulator.

The ‘limited use’ obligation will apply to information provided by an impacted entity to, or acquired or prepared by, the National Cyber Security Coordinator or ASD during a cyber security incident, as well as information which is provided on behalf of the impacted entity (such as by its external advisors).

Mandatory security standards for smart devices

The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.

Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.

The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.

Security of Critical Infrastructure

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.

The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia.

The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.

Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.

We will provide further updates once these Bills are passed.
Australia: Long awaited Australian privacy reform comes to fruition
https://privacymatters.dlapiper.com/2024/09/australia-long-awaited-australian-privacy-reform-comes-to-fruition/ (Fri, 13 Sep 2024)

The Australian Government has today published a draft Bill outlining the next steps in Australia’s Privacy Act Review process.

The changes to be implemented by the Privacy and Other Legislation Amendment Bill 2024 include the introduction of:

  • A statutory tort for serious invasions of privacy, which has previously been referred to as filling an “increasingly conspicuous gap” in Australian law regarding the rights and remedies available to individuals following a breach of their privacy. The cause of action will be based on a misuse of information in circumstances where the individual has a reasonable expectation of privacy, the invasion of privacy was serious and the invasion of privacy was intentional or reckless. Claimants won’t need to prove that losses arose from the invasion of privacy, but will need to demonstrate that the public interest in protecting their privacy outweighs any competing public interest raised by the defendant. The remedies will include recovery of non-economic losses, however damages will be capped at AUD 478,550. This is a significant development that will materially change the risk profile for entities processing personal information in Australia. In the last few years we’ve seen a rapid rise in the number of class actions following data breaches and other privacy incidents, and the introduction of a statutory tort will add further fuel to the fire;
  • A Children’s Online Privacy Code, to be developed by the Information Commissioner, which will apply to social media and other internet services which are likely to be accessed by children;
  • Tiered sanctions for less serious privacy breaches. The power to seek civil penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover for serious interferences with the privacy of individuals will not be impacted. However, a lower civil penalty of up to AUD 3.3 million (using current penalty units) will apply for non-serious interferences with privacy, and infringement notices and penalties of up to AUD 330,000 may be issued for certain more technical breaches, including deficient privacy policies;
  • A requirement to include details of the use of personal information for “automated decision making” in privacy policies, with “automated decision making” including decisions which are wholly or substantially automated;
  • Eligible data breach declarations, to allow the sharing of personal information following notifiable data breaches for the purpose of preventing or reducing the risk of harm to individuals. This would allow, for example, details of individuals impacted by an eligible data breach to be shared with banks so that the necessary protective measures could be applied to their accounts;
  • A mechanism to allow for declarations of equivalency to be issued, for the purpose of overseas transfers of personal information. Currently, the law recognises that personal information can be shared with recipients which are subject to an equivalent law or binding scheme, however no formal declarations of equivalency have been made by the regulator to date; and
  • A criminal offence of doxxing, which will sit under the Criminal Code 1995 rather than privacy law.

The Bill follows the Privacy Act Review Report issued by the Attorney-General’s Department in February 2023, which identified 89 proposals directed at legislative change. In its response in September 2023, the Australian Government accepted the majority of these recommendations. However, its response differentiated between changes which could be accepted with minimal consultation, and those areas where more extensive engagement was required.

This Bill introduces 23 out of 25 of these expected changes, with the Attorney-General stating that “It begins the much-needed work of updating our privacy laws to be fit-for-purpose for the digital age… It implements a first tranche of agreed recommendations of the Privacy Act Review, ahead of consultation on a second tranche of reforms“. The Government has committed to developing the next tranche of reforms for targeted consultation over “the coming months“, to ensure “genuine privacy reform in Australia“.
Australia: Anti-scam measures and ransomware reporting on the agenda
https://privacymatters.dlapiper.com/2024/09/australia-anti-scam-measures-and-ransomware-reporting-on-the-agenda/ (Wed, 11 Sep 2024)

Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to make Australia a world leader in cyber security by 2030.

Scam Code Act

In light of the 601,000 scams reported by Australians in 2023, accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will be introducing a new Scam Code Act.

This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Competition and Consumer Commission (ACCC) will be granted powers to draft mandatory codes across the three sectors, and also for individual businesses and platforms. It is expected that the new regime will also include requirements for:

  • platforms to verify their advertisers;
  • banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;
  • carriers to take certain measures to prevent scams being spread by SMS;
  • companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and
  • all companies to maintain a “scams defence plan” to assist customers.

It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.

Other cyber security measures

As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. In order to combat existing gaps in regulation, consultation was sought on the following proposed measures:

  • mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
  • creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia, in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to disclose;
  • creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and
  • establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.

The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.
              Hong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation https://privacymatters.dlapiper.com/2024/08/hong-kong-a-practical-guide-to-the-proposed-critical-infrastructure-cybersecurity-legislation/ Tue, 13 Aug 2024 08:41:12 +0000 https://privacymatters.dlapiper.com/?p=7411 Continue Reading]]> Hong Kong is following other jurisdictions, including Mainland China, Singapore and the UK, in proposing to enhance cybersecurity obligations on IT systems of those operating critical infrastructure (“CI“). While the proposed new law, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the“proposed legislation”), is still at an early stage and subject to change, it is sensible for those organisations potentially caught by these additional cybersecurity obligations – and their service providers – to start planning. To this end, below is a practice guide to the proposed legislation.

              1. What is the primary goal of the proposed legislation?

              The proposed legislation, as set out in the paper submitted by the Hong Kong Government to the Legislative Council Panel on Security on 25 June 2024, aims to enhance the security of Hong Kong’s CIs that are necessary to maintain  “normal functioning” of Hong Kong society and people’s lives, by minimising the chance of disruption to, or compromise of, essential services by cyberattacks.

              1. Who and what will be captured by the proposed legislation?

              The proposed legislation would regulate only CI operators (“CIOs”) in respect of their critical computer systems (“CCSs”). Similar to the helpful approach in Mainland China, both CIOs and CCSs will be expressly designated by a new Commissioner’s Office to be set up (or, as explained in Question 6 below, the Designated Authorities for certain groups of organisations). This will ultimately remove uncertainty around whether or not a given organisation is a CIIO, and which of their systems will fall within the CCS framework. However, until such designations are made by the relevant authorities, it does leave significant uncertainty for organisations that may not obviously fall within the definition, especially technology companies.

              Designation of CIOs

              Under the proposed legislation, an organisation would be designated as a CIO if it were deemed responsible for operating an infrastructure that the Commissioner’s Office determines to be a CI, taking into account the organization’s level of control over the infrastructure. It is proposed that CIs cover the following two categories:

              • infrastructures for delivering essential services in Hong Kong, i.e. infrastructures of the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting (“Essential Service Sectors”); and
              • other infrastructures for maintaining important societal and economic activities, e.g., major sports and performance venues, research and development parks, etc.

              When deciding whether an infrastructure within the scope of the two categories above constitutes a CI, the Commissioner’s Office would take into account:

              • the implications on essential services and important societal and economic activities in Hong Kong in case of damage, loss of functionality, or data leakage in the infrastructure concerned;
              • the level of dependence on information technology of the infrastructure concerned; and
              • the importance of the data controlled by the infrastructure concerned. 

              The Government also emphasized that CIOs will mostly be large organisations, and the legislation will not affect small and medium enterprises and the general public

              The list of the designated CIOs will not be made public to prevent the CIs from becoming targets of cyberattack.

              Designation of CCSs

              The proposed legislation would only require CIOs to take responsibility for securing the expressly designated CCSs. Systems operated by CIOs but not designated as CCSs would not be regulated by the proposed legislation.

              The Commissioner’s Office would only designate as CCSs the computer systems which:

              • are relevant to the provision of essential service or the core functions of computer systems; or
              • will seriously impact the normal functioning of the CIs if interrupted or damaged.

              Importantly, computer systems physically located outside of Hong Kong may also be designated as CCSs.

              1. Would organisations have opportunities to object to CIO or CCS designations?

              Yes. Under the proposed legislation, before making CIO or CCS designations, the Commissioner’s Office will communicate with organisations that are likely to be designated, with a view to reaching a consensus on the designations. This is helpful, but adds to the recommendation that those potentially caught as a CIO should start planning now to be ready to put forward a clear, reasoned view on whether or not they – and/or all of their systems – should be designated.

              After a CIO or CCS designation is made, any operator who disagrees with such designation can appeal before a board comprising computer and information security professionals and legal professionals, etc.

              1. What are the obligations of CIOs?

              Statutory obligations proposed to be imposed on CIOs under the proposed legislation are classified into three categories:

              • Organisational:
                • provide and maintain address and office in Hong Kong (and report any subsequent changes);
                • report any changes in the ownership and operatorship of their CIs to the Commissioner’s Office;
                • set up a computer system security management unit, supervised by a dedicated supervisor of the CIO;
              • Preventive:
                • inform the Commissioner’s Office of material changes to their CCSs, including those changes to design, configuration, security, operation, etc.;
                • formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office;
                • conduct a computer system security risk assessment at least once every year and submit the report;
                • conduct a computer system security audit at least once every two years and submit the report;
                • adopt measures to ensure that their CCSs still comply with the relevant statutory obligations even when third party services providers are employed;
              • Incident reporting and response:
                • participate in a computer system security drill organised by the Commissioner’s Office at least once every two years;
                • formulate an emergency response plan and submit the plan; and
                • notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCSs within (a) 2 hours after becoming aware of serious incidents and (b) 24 hours after becoming aware of other incidents.
              1. What would be the offences and penalties under the proposed legislation?

              The offences under the proposed legislation include CIOs’ non-compliance with:

              • statutory obligations;
              • written directions issued by the Commissioner’s Office;
              • investigative requests of the Commissioner’s Office; and
              • requests of the Commissioner’s Office for relevant information relating to a CI.

              The penalties for these offences would consist exclusively of fines. The level of fines would be determined by court trials, with maximum fines ranging from HK$500,000 to HK$5 million. For certain offences, persistent non-compliance would result in additional daily fines of HK$50,000 or HK$100,000 per day.

              It is noteworthy that a CIO will still be held liable for the non-compliance with its statutory obligations if the non-compliance is caused by a third-party service provider. As such, service providers should also start planning now as to whether or not their customer base may be designated CIOs and, if so, what consequences this may have on contractual service obligations, incident notification obligations, security standards/specifications, SLAs, powers of investigation/inspection (including by regulators) and liability/indemnity provisions (including financial caps and exclusions). We anticipate CIOs will expect higher standards from their service providers in advance of the new regulations being introduced.

              1. Which authorities would enforce the proposed legislation, and what would their powers be?

              Commissioner’s Office

              A Commissioner’s Office is proposed to be set up under the Security Bureau to implement the proposed legislation, headed by a Commissioner appointed by the Chief Executive. Its powers would include:

              • designating CIOs and CCSs;
              • establishing Code of Practice for CIOs;
              • monitoring computer system security threats against CCSs;
              • assisting CIOs in responding to computer system security incidents;
              • investigating and following up on non-compliance of CIOs;
              • issuing written instructions to CIOs to plug potential security loopholes; and
              • coordinating with various government departments in formulating policies and guidelines and handling incidents.

              Among these powers, the most significant might be the investigative powers granted to the Commissioner’s Office. Specifically, in respect of investigations on security incidents, the Commissioner’s Office would have, among others, the powers to:

              • question and request information from CIOs;
              • direct CIOs to take remedial actions; and
              • check the CCSs owned or controlled by CIOs with their consent or with a magistrate’s warrant.

              In respect of investigations on offences, it would have the powers to:

              • question and request information from any person who is believed to have relevant information in his or her custody; and
              • enter premises and take possession of any relevant documents with a magistrate’s warrant.

              From a service provider perspective, these powers will likely extend – either directly or, more likely, via contractual flow-down – from CIOs to their service providers. As such, service providers may again need to revisit their customer contracts in this regard.

              Designated Authorities

              Existing regulators of certain Essential Service Sectors which already have a comprehensive regulatory framework, such as a licensing regime in the financial services and telecoms sectors, may be designated as designated authorities (“Designated Authorities”) under the proposed legislation. The Designated Authorities would be responsible for designating CIOs (and CCSs) among the groups of organisations under their supervision and for monitoring such CIOs’ compliance with the organisational and preventive obligations. It is currently proposed to designate the Monetary Authority and the Communications Authority as the Designated Authorities for the banking and financial services sector and the communications and broadcasting sector respectively. The Commissioner’s Office, on the other hand, would remain responsible for overseeing the incident reporting and response obligations of, and retain the power to issue written directions to, such CIOs. It is hoped that the interaction between the Designated Authorities and the Commissioner’s Office will be clearly defined when it comes to practicalities before the new framework is finalised.

              1. How does the proposed legislation compare to critical infrastructure cybersecurity laws in other jurisdictions?

              In formulating the proposed legislation, the government made reference to the legislation of other jurisdictions on critical infrastructure protection, including the United Kingdom, Australia, the United States, the European Union, Singapore, Mainland China and Macao SAR. For instance, the designation-based framework envisaged by the legislation mirrors Australia’s regulatory approach to systems of national significance under the Security of Critical Infrastructure Act 2018. Moreover, many obligations of the CIOs, such as those in respect of security risk assessments, audits and drills, have corresponding counterparts in the cybersecurity legislation of jurisdictions like Mainland China and Singapore. The investigative powers of the regulator to request information, access documents and enter premises can also be found in foreign legislation, including the UK’s Network and Information Systems Regulations 2018 and Singapore’s Cybersecurity Act 2018.

              There are, however, technical nuances between similar mechanisms under the proposed legislation and existing laws in other jurisdictions. For instance, the proposed legislation requires organisations to report non-serious security incidents within 24 hours of becoming aware of them, providing greater flexibility compared to Singapore’s requirement of reporting all security incidents affecting critical information infrastructure within two hours of awareness.  

              1. What are the next steps for the proposed legislation?

              The proposed legislation is expected to be tabled in the Legislative Council by the end of 2024. Once passed, the Commissioner’s Office will be established within a year, and the law will come into effect around six months thereafter. This, therefore, gives a critical planning period until mid-2026 for organisations which may be designated CIOs and their service providers.

              1. What must organisations do in light of the proposed legislation?

              It is hoped that the uncertainty around some critical issues, including the scope of the Essential Service Sectors (particularly the information technology sector), the specific criteria to distinguish CIs among the Essential Service Sectors, and the threshold for “serious” security incidents, will be resolved as the proposed legislation passes through the public consultation and the usual legislative process.

              Organisations should closely monitor the development of the proposed legislation, develop an internal position on their designation as a CIO and of their systems as CCSs (or, in the case of service providers, on their customers’ designation), prepare to advocate/lobby for their position once the designation communications commence, and monitor and update their cybersecurity measures, procedures and contracts.

              Australia’s e-marketing expectations: When customers don’t give a spam (https://privacymatters.dlapiper.com/2024/08/australias-e-marketing-expectations-when-customers-dont-give-a-spam/, Mon, 05 Aug 2024)

              On 1 July 2024, Australia’s spam regulator, the Australian Communications and Media Authority (ACMA), released a Statement of Expectations setting out its requirements for customer consent in the context of direct marketing.

              The ACMA has consistently demonstrated a clear intolerance for breaches of the spam requirements, penalising businesses with over AUD 15 million in spam and telemarketing fines over the past 18 months.

              Under the Spam Act 2003 (Cth), businesses must obtain consent from customers (including business customers) before sending any direct marketing communications via email, SMS or other electronic means. Consent can be express or inferred, but should only be inferred where there is an existing commercial relationship between the sender and the customer which relates to the subject matter of the marketing communication.  

              ACMA recommends using express consent as it represents a clear and unambiguous decision by a customer to receive direct marketing. Customers can give express consent via filling in a form, ticking a box on a website, over the phone, or face to face.

              Records of consent should be maintained and include details such as the method by which consent was obtained, the terms applied to the consent and the date/time of collection. Outsourced providers of marketing services should maintain appropriate consent records on behalf of their customers, and businesses remain responsible for meeting their consent obligations regardless of whether they outsource e-marketing or consent gathering to third parties. 

              Based on the ACMA’s expectations regarding the spam laws, best practice includes the following:

              • Obtain express consent based on clear terms and conditions which are accessible to the customer at the time of seeking consent. Avoid embedding the references to consent in fine print or long privacy policies.
              • Consent terms and conditions should clearly explain what the consent is for, who it is being provided to, for how long, and how a customer may withdraw their consent.
              • Make sure that only current consents are relied upon – consent should be refreshed regularly.
              • Consider a double opt-in approach to obtaining consent. For example, asking customers via email to confirm their consent by clicking on the link provided (which also helps to identify genuine email addresses).
              • Do not use pre-ticked boxes.
              • If seeking to rely on inferred consent, carefully evaluate whether there is a clear, current or ongoing relationship with the customer, and whether the goods or services being marketed are directly related to that relationship. Consent should not be inferred from a one-off purchase by a customer (even where they have provided a phone number or email to receive a receipt).
              • Ensure all electronic messages contain easy to use and functional unsubscribe facilities. Avoid asking customers to log in to accounts or charging customers a fee to unsubscribe.
              • Ensure that customers are given the option to unsubscribe from all marketing messages (and not only certain types of messages).
              • Action unsubscribe requests as quickly as possible, and in any case within 5 business days.
              • Do not continue sending marketing messages after an unsubscribe request has been received, or re-contact consumers encouraging them to resubscribe.

              Please reach out to us if you require any further guidance about your obligations under the Spam Act 2003 (Cth).

              Australia: Privacy Act Updates Expected in August 2024 (https://privacymatters.dlapiper.com/2024/05/australia-privacy-act-updates-expected-in-august-2024/, Mon, 13 May 2024)

              The next steps in Australia’s long-bubbling reform of the privacy regime have been announced, with draft legislation expected to be tabled by August 2024. The reform is being presented as part of the Federal Government’s efforts to improve online safety, particularly for women, but it is not clear at this stage how broad its remit will be.

              Of the 116 recommendations for reform made by the Attorney-General’s Department in 2023, 38 were accepted in full by the Federal Government, and a further 68 accepted in principle, where more extensive consultation is required.

              We are expecting all 38 of the “accepted in full” changes to be implemented in the August bill, which include:

              • changes to the civil penalty regime, to introduce low, medium and high tiers, based on the severity of the breach, to allow for more targeted enforcement;
              • a requirement for privacy policies to include details of any personal information used in substantially automated decisions with legal or other significant effects;
              • a right for individuals to request meaningful information about how substantially automated decisions with legal or other significant effects are made; and
              • a Children’s Online Privacy Code, for online services likely to be accessed by individuals under the age of 18.

              We don’t know at this stage how many of the “agree in-principle” reforms will be tabled in August; however, in its messaging regarding the issue of online safety and the link with privacy reform, the Federal Government has highlighted:

              • the introduction of a statutory tort for serious invasions of privacy; and
              • expanding data subject rights beyond access and correction, to include a right of erasure, and a right to de-index certain online search results.

              One issue which has been repeatedly highlighted is the need to offer protection against doxxing (i.e. the release of personal information with an intent to cause harm), as well as the wish to offer women suffering domestic and family violence “greater control and transparency over their personal information.”

              Australia’s Attorney-General recently confirmed his views that the current regime is “woefully outdated and unfit for the digital age,” with “speed of innovation and the rise of artificial intelligence” underlining the need for reform.

              We’ll provide further updates once more information about the August bill is available.

              Australia – next stages in the Privacy Act review confirmed (https://privacymatters.dlapiper.com/2023/10/australia-next-stages-in-the-privacy-act-review-confirmed/, Wed, 25 Oct 2023)

              We (finally) have more clarity as to the next steps in the long-awaited reform of the Australian Privacy Act.

              As we noted back in February this year (see here), the Attorney-General’s Department recommended a number of changes to Australia’s core privacy regime, which saw its last major overhaul in 2014.

              The Australian Government has now formally responded to the report, flagging its intention to adopt the vast majority of the 116 recommendations in the Attorney-General Department’s report. 

              The changes are expected in two phases.

              First up will be the 38 changes accepted in full, where drafting will commence immediately followed only by “targeted” consultation. This includes:

              • Adjustments to the civil penalty regime (which was last updated in December 2022 – see here), with a mid-tier penalty for breaches lacking a serious element, and a low-level civil penalty for administrative breaches;
              • Greater transparency around automated decision making, including a new content requirement for privacy policies and a right for individuals to request “meaningful information” as to how automated decisions with legal / significant effects are made;
              • Enhancements to OAIC guidance, particularly in respect of information security and retention; and
              • Introduction of a Children’s Online Privacy Code.

              Whilst Australian businesses should start preparing, the compliance burden for these changes will be relatively light for most organisations.

              Next up will come those changes which the Government has accepted in principle, subject to further consultation and impact analyses given the likely complexity.  Included in this batch are:

              • Introduction of direct rights of action under the Privacy Act, as well as a statutory tort of privacy (which could have huge ramifications for anyone doing business in Australia);
              • An expansion of data subject rights, including the right to object to collection, use or disclosure, a right of erasure, a right to withdraw consent (which isn’t expressly enshrined as a data subject right at present) and, interestingly, a right to request the de-indexation of certain online search results containing personal information;
              • Removal of the small business exemption (which currently excludes organisations with a turnover of less than AUD 3 million from compliance with the Act);
              • Enhancing protections for employee records (which are currently excluded from the Act entirely), including bringing HR data within the scope of the notifiable data breach regime; and
              • The introduction of standard contractual clauses for overseas data transfers.

              No announcements have been made as yet as to when we can expect to see the next steps in the review actioned.

              New Zealand: Digital Identity Services Trust Framework Bill passes final reading (https://privacymatters.dlapiper.com/2023/03/new-zealand-digital-identity-services-trust-framework-bill-passes-final-reading/, Thu, 30 Mar 2023)

              Authors: Alex Moore (Associate, Auckland) and Nick Valentine (Partner, Auckland)

              On 30 March 2023, the Digital Identity Services Trust Framework Bill (the Bill) passed its third and final reading in New Zealand’s House of Representatives, with cross-party support. The Digital Identity Services Trust Framework Act will come into effect on 1 July 2024 (at the latest). It is a ‘flagship initiative’ under the current Government’s Digital Strategy for Aotearoa New Zealand, and will establish a voluntary accreditation scheme for digital identity service providers, similar to existing frameworks in the United Kingdom, Canada and Australia.

              What is it?

              The Framework is similar to the equivalent scheme in Australia – digital identification verification service providers who opt-in will be required to adhere to a set of trust framework rules (the TF Rules) and in return will be granted the right to use a mark accrediting their services. Individuals and businesses that use the identity verification services are not required to be accredited.

              Again, in alignment with the Australian framework, the Bill establishes two administrative bodies: the Trust Framework Board (the TF Board) and the Trust Framework Authority (the TF Authority).  The TF Board will take on governance responsibilities for the framework, including providing guidance about the framework, monitoring its performance and advising the Minister on making and updating the trust framework rules. The TF Authority will be responsible for the day-to-day operations of the framework, including assessing accreditations, investigating complaints, enforcing the TF Rules, and granting remedies for breaches.

              While the Bill represents an important building block of the Government’s Digital Strategy, the Bill itself does not establish the TF Rules. The TF Rules will instead be set out in Secondary Legislation made by the Minister and will, at a minimum, cover requirements for identification management, privacy and confidentiality, security and risk, information and data management, and sharing and facilitation.

              What do we think?

              Although the Bill is a step in the right direction for encouraging public trust of digital services, it does very little to grapple with the bigger issues of the online world, such as rights to digital identity and the data associated with an individual’s online presence and interactions.

              In many ways, the Bill is reflective of the slow and usually toothless approach to digital governance in New Zealand to date. New Zealand is often playing catch up when it comes to regulating digital technologies and, given it has taken 18 months to get to this stage without actually establishing any substantive rules for the provision of secure and trusted digital identity services, the final passage of the Bill through the House feels a little underwhelming. Particularly as the scheme is voluntary, largely based on the equivalent Australian framework and was developed with the benefit of learning from similar frameworks in the United Kingdom and Canada.

              What’s unique?

              Despite its clear Commonwealth influences, the Bill does introduce an important element which is unique to Aotearoa – the need to consider te ao Māori (broadly, the Māori worldview including tikanga Māori – Māori customs and protocols) approaches to identity when developing the TF Rules. The Bill establishes a Māori Advisory Group which the TF Board will be required to consult with prior to advising the Minister on the making of TF Rules and the TF Board must also include members “with expert knowledge of te ao Māori approaches to identity.” These consultation and participation requirements are intended to facilitate equitable Māori participation in the digital environment and recognise the Government’s commitment to the principle of partnership under te Tiriti o Waitangi (the founding document of colonial New Zealand).

              In a rather satirical twist, the legislative process itself became the victim of authenticity issues in the online world as a result of online misinformation campaigns during the height of the COVID-19 pandemic. Of the roughly 4,500 public submissions on the Bill, around 4,050 were received during the last two days of the six-week public consultation period, including 3,600 submissions in the final three hours. Parliamentary advisers attributed this influx to “misinformation campaigns on social media that caused many submitters to believe that the Bill related to COVID-19 vaccination passes.” Perhaps this incident was evidence enough that New Zealand needs to take a more proactive approach to regulating the digital environment, as the Bill ended up attracting cross-party support.

              What’s next?

              While the Bill’s passage itself is nothing to write home about, it will be interesting to see how the framework grapples with te ao Māori perspectives on identity in practice. Hopefully, the cross-party support this Bill garnered will energise the Government to tackle some of the bigger digital rights and privacy issues we are currently facing, both nationally and globally.
