AUTHOR

Suné Skinner
Senior Consultant II
Perth

The 2024 Privacy Act Amendment Bill brings welcomed changes for consumers regarding the handling of their personal information. 

It is a seismic shift in the Privacy Act that forces businesses to critically rethink their approach to collecting and using data. We live in an age where data breaches and other IT disruptions often dominate headlines. How companies handle personal information has become more than a matter of regulatory compliance. It is a cornerstone of customer trust and business resilience.

On 29 November 2024, the Privacy and Other Legislation Amendment Bill 2024 passed through both Houses of Parliament. Now, after receiving royal assent, it is called the Privacy and Other Legislation Amendment Act 2024, and includes the following notable changes:

Serious invasions of privacy

How much is consumer data worth to you?

The Act establishes a new unlawful act for serious invasions of privacy. This permits an individual (plaintiff) to take legal action against another individual (or organisation) if that entity is found to have invaded their privacy through imposing on their seclusion or misusing their information. 

The Office of the Australian Information Commissioner (OAIC) has never been more empowered to investigate interferences with privacy and commence civil proceedings.

Punitive damages and damages for non-economic loss can range up to $478,550. Organisations must consider how their data practices could expose them to significant financial and reputational risks.

Be clear about how your customer data is collected and used. 

The Act directs courts to assess the ‘reasonable expectations of privacy’ when deciding whether privacy has been breached. Organisations must be clear about the collection, use, disclosure and storage of customer information.

A breach due to inadequate security could be considered a ‘serious’ privacy invasion, especially under the new unlawful act. Strengthening cybersecurity measures is essential to prevent breaches and limit exposure to liability. Organisations should consider independent and objective third-party reviews and advice to understand their risk exposure and methods to mitigate these risks. 

Monitoring and investigation

Since the release of the Act, there has been an increase in privacy determinations, indicating heightened enforcement and scrutiny. The Act gives the OAIC additional authority to issue infringements and compliance notices under the Regulatory Powers Act for any act that contravenes the Privacy Act. Failure to comply with a compliance notice may result in civil penalties.

For businesses that lack compliance staff, outsourcing privacy and data protection compliance may be a more viable solution. In the long run, a proactive approach will prove more cost-effective than dealing with a potential breach of the Act.

Automated decision-making systems

Organisations that use automated decision-making systems that could potentially affect an individual’s rights, interests or personal information must update their privacy policy to include this information.

Specifically, an organisation needs to delineate the kinds of personal information used within the automated process, and what decisions are made. Failure to disclose the use of automated technology can put organisations at risk of non-compliance.

Overseas data-sharing and whitelist powers

To facilitate smooth consumer information sharing across geopolitical borders, the new Act is set to introduce a ‘whitelist’ system to identify countries with similar privacy requirements to Australia. 

This change will help organisations decide whether they can share personal information with their overseas counterparts. There are nuances that may apply to specific entities or data types. It is important that organisations understand whether the sharing of consumer information overseas aligns with the Act, to avoid non-compliance.

What will you do?

Consumer trust is more valuable than ever, and the 2024 Privacy Act amendment is a wake-up call for businesses. Ensure that your data practices uphold the trust of your customers, and reduce your risks. With stricter enforcement, tougher penalties, and a greater focus on transparency, it’s time for organisations to rethink how they handle consumer data.

How well do you understand the journey your data takes from inception to the point where it leaves your organisation? The path may be clearer than ever, but the responsibility to safeguard it lies with you. Act now to secure both your customers' trust and your organisation's future in the market. 

FOR MORE INFORMATION

Contact your local RSM office today. 
