
How the Privacy and Other Legislation Amendment Bill 2024 impacts Cyber Security

John Baird

The Privacy and Other Legislation Amendment Bill 2024 (the Bill) marks a crucial phase in Australia’s overhaul of the Privacy Act 1988 (Cth), following the recommendations of the Attorney-General’s Privacy Act Review Report (February 2023) and the Government's response (September 2023).


With significant reforms such as criminalising doxxing and enhancing data security measures, the Bill presents new challenges and opportunities in cyber security.

Below, we explore the cyber security implications of the Bill’s key provisions.


Strengthening Data Security through APP 11 Amendments

The Bill introduces changes to Australian Privacy Principle (APP) 11, which governs the protection of personal information from misuse, interference, and unauthorised access.


A new APP 11.3 requires entities to implement "technical and organisational measures" to secure personal data, mirroring the wording in Article 32 of the EU General Data Protection Regulation (GDPR).

This reform holds cyber security implications as it raises expectations for data security standards. Companies must now:


  • Adopt robust cyber security frameworks: These could include encryption, multi-factor authentication, and regular vulnerability assessments.

  • Implement staff training programs to improve awareness of data protection practices.

  • Conduct periodic audits to ensure data security measures align with emerging threats.


The increased specificity in APP 11 will likely encourage organisations to invest more in cyber security infrastructure, but it also underscores the need for clearer guidelines from the Office of the Australian Information Commissioner (OAIC) to help companies and organisations understand their compliance obligations.





Criminalising Doxxing: Impact on Cyber Security Threats

A significant addition to the Criminal Code Act 1995 (Cth) is the criminalisation of doxxing: the malicious release of personal data via online platforms in a manner that is harassing or threatening.


Two distinct offences are introduced:


  1. General doxxing offence: Up to six years' imprisonment for releasing personal data in a harassing manner.

  2. Targeted hate-related doxxing: Up to seven years' imprisonment if the act is motivated by characteristics such as race, religion, or sexual orientation.


From a cyber security perspective, the new offence increases the accountability of individuals and groups who weaponise personal data, and this heightens the need for organisations to:


  • Strengthen access controls: to prevent unauthorised access to personal data.

  • Monitor insider threats: Employees with access to sensitive data can become targets for exploitation.

  • Collaborate with law enforcement: Organisations will need procedures to respond to incidents that involve criminal breaches of personal data.


The Bill also expands the definition of "personal data" to include not only information tied to identity but also contact and location data. This broader scope intensifies the need for cyber security measures to protect all forms of identifiable information, even beyond traditional Personally Identifiable Information (PII).


Statutory Tort for Serious Privacy Breaches

Individuals can now file lawsuits for significant invasions of privacy without needing to prove actual harm, if the breach was intentional or reckless. This provides stronger protection against privacy violations and is intended to cover employee records.

The introduction of a statutory tort for serious privacy breaches will significantly impact cyber security in several ways:


  1. Increased accountability: Organisations will face greater legal risks for intentional or reckless breaches, incentivising them to enhance cyber security measures to prevent such incidents.

  2. Stronger data governance: Since employee records are explicitly included, companies must adopt stricter policies for managing and securing personal information, such as encryption, regular audits, and access controls.

  3. Proactive risk management: Organisations may invest more in cyber security technologies (e.g., intrusion detection, incident response systems) to avoid the reputational and financial risks of privacy lawsuits.

  4. Legal compliance pressure: Compliance with privacy laws and cyber security frameworks (like ISO 27001 or NIST) will become more critical to mitigate exposure to potential legal claims.

  5. Behavioural changes in cyber security practices: The risk of lawsuits could encourage organisations to prioritise cyber security training for employees, focusing on preventing reckless behaviour and negligence that could lead to breaches.

  6. Incident reporting and transparency: Companies may need to increase transparency around breaches, as failure to disclose privacy violations in a timely manner could further expose them to litigation risks.


Automated Decision-Making Systems: New Cyber Risks

Another cyber security-relevant area of reform addresses automated decision-making systems. The Bill requires organisations to disclose in their privacy policies if decisions impacting individuals are made, wholly or partly, by automated systems. While this enhances transparency, it also introduces privacy and cyber security risks, such as:

  • AI model vulnerabilities: Automated systems may use sensitive personal data, which could become a target for cyber-attacks or data poisoning.

  • Bias and discrimination risks: Unauthorised manipulation of algorithms could impact decisions involving loans, insurance, or government benefits.

  • Increased attack surfaces: Organisations relying on complex AI systems must secure both data and infrastructure to prevent breaches or exploitation.


As automation becomes more integrated into decision-making processes, organisations must secure AI systems from both external and internal threats and ensure that security protocols are regularly tested and updated.


Facilitating Secure Overseas Data Transfers

The Bill introduces a ‘whitelist’ mechanism to simplify the process of disclosing personal data to countries with equivalent privacy protections. This reform supports international data flows but introduces cyber security risks, such as:

  • Third-party vulnerabilities: Entities will need to ensure that overseas recipients maintain adequate security standards.

  • Cross-border compliance challenges: In the event of a data breach involving an international recipient, entities may face legal and jurisdictional complexities.


To mitigate these risks, organisations must adopt risk management frameworks for data transfers and evaluate international partners' security protocols to ensure they align with the Australian Privacy Principles (APPs).


Expanded OAIC Powers and Enforcement Implications

The enhanced powers of the OAIC under the Bill reflect a shift towards enforcement-led regulation.


New investigative powers and public inquiry capabilities allow the OAIC to:

  • Issue infringement notices for non-compliance (e.g., failure to report data breaches).

  • Conduct public inquiries into systemic privacy issues affecting entire industries.

  • Exercise investigative powers with judicial oversight, such as executing search warrants for privacy breaches.


These expanded powers will likely encourage organisations to proactively enhance their cyber security frameworks to avoid penalties. Furthermore, the broader scope for civil penalties reinforces the importance of compliance monitoring.


Implications for Emergency Data Sharing and Cyber Security Coordination

The Bill introduces amendments to the Privacy Act’s emergency provisions to allow more targeted sharing of personal information during emergencies or data breaches.


These changes promote cyber security coordination by:

  • Allowing the declaration of emergencies for enhanced data sharing.

  • Facilitating collaboration between private and public sectors during cyber incidents.


This will be particularly relevant in data breach response scenarios, where rapid information sharing between affected entities and government bodies can mitigate risks and contain breaches.


The Children’s Online Privacy Code

This will be developed to protect children’s data in online services. It will push organisations toward higher cyber security standards, improving safeguards for minors while requiring stricter compliance with privacy policies. This will likely lead to more robust data management practices, enhanced security technologies, and improved user trust in online platforms accessed by children.


A Turning Point for Cyber Security in Australia

The Privacy and Other Legislation Amendment Bill 2024 reflects Australia’s evolving approach to privacy and cyber security. By introducing criminal penalties for doxxing, enhancing data security requirements, and empowering the OAIC, the Bill seeks to address both current and emerging threats in the digital landscape. However, the vague guidance on ‘technical and organisational measures’ may leave organisations struggling to align with evolving standards without further clarification from the OAIC.


Organisations must seize this moment to reassess their data security frameworks.

Key steps include:

  • Updating privacy policies to reflect automated decision-making practices.

  • Implementing stronger cyber security protocols to prevent unauthorised data access.

  • Enhancing compliance training to prepare staff for the Bill’s new requirements.


The Bill is an incremental but important step toward modernising Australia’s privacy framework. It not only raises the bar for cyber security but also challenges organisations to build trust and transparency through better data protection practices.


As cyber threats grow increasingly sophisticated, the intersection of privacy and security will become a defining factor for both compliance and business success in the future.


Revio Cyber Security – Leading the Way to Cyber Preparedness

As cyber security becomes increasingly challenging for organisations worldwide, it is very important to be aware of and up to date on new legislation that impacts privacy, to ensure compliance and data protection.

Revio is a leader in the cyber security industry in Australia. We are committed to providing advanced technologies to improve the overall security posture of major organisations, financial institutions and listed companies.
