Major changes to Australian privacy laws

Directors tired of being over an insurance barrel now have some new tactics to tackle risk management.

Major changes to privacy laws

The Australian government recently issued its response to the Privacy Act Review report. The revamp aims to modernise and strengthen Australia’s privacy law, to “bring privacy law into the digital age”, create stronger personal protections and increase corporate accountability.

The review made 116 recommendations. The government has “agreed” to 38 of these, “agreed in principle” to 68 more, and “noted” 10. It has committed to legislate for those proposals it supports as a priority in 2024 and will undertake further consultation on those “agreed in principle”. Key outcomes for directors include:

Removal of small business exemption: The government “agreed in principle” to the recommendation to remove the current exemption for small business (less than $3m in turnover) from the Privacy Act 1988, committing to transition and consultation with small business groups.

New direct right of action: “Agreed in principle” to create a direct right of action for individuals to seek compensation through court action where they have suffered loss or damage as a result of a serious breach of privacy.

Statutory tort for privacy: “Agreed in principle” to introduce a new statutory tort of privacy, enabling individuals to sue for serious invasions of privacy committed “intentionally and recklessly” in circumstances that fall outside the coverage of the Privacy Act. 

Employee data: “Agreed in principle” to capture employee records under privacy laws.

Other important changes include a new definition of “personal information”, “fair and reasonable” information handling, enhanced notification requirements (within 72 hours of breaches), requiring senior appointed privacy officers within organisations, and new penalty provisions. Children will also have increased protections, including bans on direct marketing or trading their personal information.

In consultations to date, the AICD has argued that careful drafting and appropriate constraints are essential for the proposed right of action, including taking account of cyber-attacks. A direct right of action with a low harm threshold and a gateway model subject to inadequate scrutiny could risk significant increases in funded class actions. The AICD does not support the wholesale removal of the small business exemption. In our view, the costs and regulatory challenges in all small businesses in meeting these requirements are likely to outweigh potential benefits. We will continue to recommend a more targeted and proportionate approach on areas with high privacy risks as a better policy response. The AICD will contribute to further consultations on these and other key items over coming months.

Notably, review recommendations to capture political organisations under the Privacy Act, including political marketing and use of personal data, have not been supported by government.

Continuous disclosure reforms

Assistant Treasurer Stephen Jones recently announced the statutory review of important amendments made to Australian continuous disclosure laws in 2021. Those reforms reintroduced a fault element component into market reporting obligations, requiring negligence, recklessness or intention on behalf of the disclosing entity to trigger liability.

The AICD was a strong advocate for the changes. We believe they send an important market signal and can help deter opportunistic claims. The reforms were, at the time, opposed by the then Labor opposition, litigation funders and plaintiff law firms, among others.

The government has appointed experienced corporate lawyer and former ASX chief compliance officer Kevin Lewis to conduct the review, with a final report by 14 February 2024. The review’s terms of reference include whether the changes are working in support of an efficient, effective and well-informed market, the impact on the nature of disclosures made by listed companies, and consistency with other jurisdictions.

The AICD will advocate for the retention of the laws, given the balance they bring to critical market disclosure settings. We welcome member feedback at policy@aicd.com.au. 

New TNFD framework

The Taskforce for Nature-related Financial Disclosures (TNFD) framework is modelled on the Taskforce for Climate-related Financial Disclosures (TCFD) that has guided climate-related disclosures to date (see p64 for more on climate reporting). The Australian government is an active supporter of the TNFD process.

Nature-related financial reporting in Australia is voluntary, and relatively immature. The TNFD has recommended that organisations familiarise themselves with its framework and consider disclosing on a voluntary basis, with nature-related reporting expected to be included in international sustainability standards over time.

The TNFD framework aligns with global commitments under the 2022 Global Biodiversity Framework to halt and reverse nature loss by 2030.

The framework aims to guide management of nature-related risks and disclosure with 14 disclosures recommended across four core pillars: governance processes, strategy, risk and impact management, and metrics and targets. These disclosures align with the TCFD, with three further disclosure areas added: engagement with Indigenous peoples, priority locations (including operations in high biodiversity risk areas) and value chains. Of note, many organisations piloting the TNFD framework cited constraints with value- chain disclosures, similar to scope 3 climate reporting, given reliance on third-party data. 

This article first appeared under the headline 'Privacy Law Reform’ in the November 2023 issue of Company Director magazine.