
For those following Australia’s long-and-winding road to privacy reform, it’s truly been a marathon rather than a sprint. The starter’s gun (officially) fired in October 2020 with an Issues Paper that reviewed the Commonwealth Privacy Act 1988, followed by a Discussion Paper in late 2021, and then picked up pace with the Privacy Act Review Report in February 2023, with more than 100 reform recommendations. In November 2023, the Commonwealth Government’s Response to the Privacy Act Review Report agreed or agreed-in-principle to almost all of those recommendations. And on Parliament’s last sitting day for 2024, the reforms finally crossed the finish line, with the Senate’s passage of the Privacy and Other Legislation Amendment Bill 2024 (2024 Privacy Bill). Spoiler alert: the 2024 Privacy Bill was only the first leg of the journey – and it contained less than a quarter of all the proposed privacy reforms. Despite that, the first tranche of privacy reforms does pack a punch – and in ways that may not be readily apparent.
Many commentators have focused on the ‘heavy hitters’ in the 2024 Privacy Bill. These include a statutory tort for serious invasions of privacy, strengthening the Office of the Australian Information Commissioner’s enforcement and civil penalty powers, the development of a Children’s Privacy Code and doxing provisions, along with criminalising the public release of personal information for malicious purposes. What hasn’t received much comment is the Emergency and Eligible Data Breach Declaration powers – sections 80KA and 26X of the 2024 Privacy Bill. These ‘lesser hyped’ reforms could offer real opportunities for Commonwealth agencies, businesses and other entities subject to the Australian Privacy Principles (APP entities) to work in concert – and help to protect Australians from the effects of data breaches and identity theft.
How? Sections 80KA and 26X of the 2024 Privacy Bill contemplate the making of Ministerial Declarations in the case of emergencies or Eligible Data Breaches. That would enable APP entities to rely on exemptions to use and disclose personal information during the 12 months of a Ministerial Declaration. In particular, this would allow APP entities to share and disclose Australians’ personal information in ways that are normally barred under the APPs.
In the case of section 80KA, Emergency Declarations broadly relate to disaster assistance and recovery activities – and enable impacted individuals to obtain access to medical and financial services, as well as providing assistance to law enforcement agencies. It is not clear what would constitute a disaster or an emergency. However, it may be possible for the Minister to consider certain cyberattacks – and the resulting loss of personal information – as an emergency that is worthy of a formal Declaration. Arguably, a cyberattack is the digital equivalent of floods, fires or storms. While not destroying physical possessions, a cyberattack could, in seconds, destroy an individual’s ability to pay for the necessities of life or function in a society where digital identity and payments have become the norm. Hypothetically speaking, an Emergency Declaration could be used to coordinate efforts to combat large-scale (digital) emergencies that require rapid responses from a host of different organisations – from Commonwealth and State law enforcement agencies to banks, telecommunications providers, government agencies and others.
Not convinced by the ‘Digital Emergency’ argument? Well, look no further than section 26X of the 2024 Privacy Bill – that’s the Eligible Data Breach Declarations. The Minister can make a Declaration that exempts APP entities from adhering to standard privacy protections when attempting to prevent or reduce the risk of a data breach. For a period up to 12 months, APP entities would be able to use or disclose personal information in relation to:
cybersecurity incidents,
responding to a cybersecurity incident, fraud, scam activity or identity theft,
responding to the consequences of a cybersecurity incident, fraud, scam activity, identity crime and misuse, financial loss, emotional and psychological harm, family violence and physical harm or intimidation, and
addressing malicious cyber activity.
To borrow a phrase from my teenage daughter – That-is-huge. Why? The 2024 Privacy Bill specifically refers to prevention and risk reduction. In line with core privacy-by-design principles, these measures are proactive, rather than reactive. In other words, the reforms are seeking to combat the risk of identity theft, fraud and scams before they occur.
At the same time, some may think that these Ministerial Declarations could involve the over-sharing of personal information between APP entities, law enforcement and others. Fair point. However, I think that most Australians would agree with the adage that ‘prevention is better than the cure.’ For those who have experienced the debilitating impacts of identity theft – and have spent days-and-weeks trying to reestablish their identity after they’ve been the victim of a fraudster, this sort of prevention would be welcome news.
Of course, this raises a series of questions, like – How will this work in practice? Who will coordinate and keep secure the shared personal data? Will APP entities be willing to raise the alarm early so that they can front-foot a Digital Emergency or an Eligible Data Breach Declaration? And most importantly – Will these ‘Declarations’ and related measures make a real difference in the lives of ordinary Australians?
The response to those questions, I hope, will be a resounding yes. I also think that if large corporates, Commonwealth and State Government agencies, telcos, banks and other organisations lead the way in building protocols for quickly and efficiently sharing data about scammers and their techniques, Australians will be better off. At the same time, the community will be more likely to view these Emergency or Eligible Data Breach Declaration exchanges favourably, and not as an overreach, but only if there are clear governing protocols in place. Let’s hope that these eventuate on the next leg of our privacy marathon – and well before the next Summer Olympics!