Australia is gearing up for more privacy law reform with the introduction of the Privacy and Other Legislation Amendment Bill 2024. But those hoping for a more ambitious set of changes – including a new right of erasure, a “fair and reasonable” test, stronger consent requirements and the removal of the small business exemption – were disappointed.
Instead, the “first tranche” of reforms will introduce:
- a new statutory tort for serious privacy breaches
- a Children’s Online Privacy Code
- transparency requirements for automated decisions
- clarification that the data security principle (APP 11) includes both organisational (like training) and technical measures
- expanded powers and enforcement measures for the privacy regulator.
Not to be sniffed at from a Kiwi privacy law reform perspective! But disappointing for many privacy professionals over the ditch who were hoping for a lot more given the Australian government’s earlier indication of more extensive law reform. See the commentary from our friends at Salinger Privacy here and eleven M’s podcast here.
These changes will impact New Zealand companies doing business in Australia. You should pay particular attention if you’re doing any automated decision-making or handling children’s personal information.
Sadly, the opportunity to clarify the data controller and data processor distinction we know and love from the GDPR and section 11 of the Privacy Act has not yet eventuated. This leaves an ongoing question mark for Kiwi service providers used to the limited compliance obligations enjoyed where they can be classified as an “agent” under section 11. We’ve been advising a number of companies on this point recently, so get in touch if you’re a data processor and want to get a clearer picture of where you stand under the Australian Privacy Act.