OAIC Priorities for 2024

The OAIC outlined that its priorities for 2024 will be centred on:

• the security of personal information;
• Artificial Intelligence;
• Consumer Data Rights; and
• privacy law reform.

Particular emphasis will be placed on assisting regulated entities to prepare for the upcoming privacy reforms. AI regulation is likely to continue to be a key regulatory area for 2024.
​
​Back to the Three-Commissioner Model

Starting in February 2024, the three-Commissioner model will be re-introduced to the OAIC. This change is an important signal that privacy is centre stage and reforms are coming.

Angelene Falk, who took up the combined roles of Privacy Commissioner and Australian Information Commissioner in August 2018, has signalled that she will not seek another term. Commissioner Falk will remain as Information Commissioner, heading up the OAIC, until the end of her current term in August 2024. The Attorney-General's Department has commenced the search for her successor.
​
​On 19 February 2024, Ms Elizabeth Tydd will commence her role as Freedom of Information (FOI) Commissioner. Ms Tydd has been the Information Commissioner and CEO of the NSW Information and Privacy Commission since 2013.

On 26 February 2024, Ms Carly Kind will commence her role as Privacy Commissioner. Since 2019, she has been the inaugural Director of the London-based Ada Lovelace Institute. Ms Kind is a human rights lawyer and leading authority on the intersection of technology policy, privacy, and human rights. She has advised widely on issues relating to digital rights, privacy and data protection, and corporate accountability.

From a privacy perspective, the appointment of Ms Kind may signal a further intention to focus more strongly on privacy compliance and enforcement of digital rights of individuals. However, it is unlikely that we will see frequent or substantial OAIC enforcement actions, particularly actions against SME entities before the Privacy Act reforms make their way through Parliament. The OAIC is likely to continue to apply a softer touch, collaborative enforcement strategy for at least the majority of 2024.

The OAIC goes to the Federal Court: First of its kind enforcement action

The Office of the Australian Information Commissioner (OAIC) started its first major move into enforcement in 2023 bringing an action relating to data breach response and compliance with APP 11 (Security of Personal Information). The OAIC commenced Federal Court proceedings against Australian Clinical Labs (ACL) in November 2023.
​
​The Commissioner has alleged that ACL seriously interfered with the privacy of millions of Australians from May 2021 to September 2022 and failed to take reasonable steps in line with their obligations under APP 11. The Commissioner has further alleged that ACL's actions constitute:

• breaches of Australian Privacy Principle (APP) 11.1(b) - requiring entities to take reasonable steps to protect personal information it holds from unauthorised access;
• contravention of section 26WH(2), requiring entities to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe an eligible data breach has occurred to complete the assessment within 30 days; and
• contravention of section 26WK(2), requiring an entity to notify the OAIC of an eligible data breach as soon as practicable after becoming aware of reasonable grounds to believe that there has been an eligible data breach.

Commissioner Falk noted that “As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.” The concise statement (redacted) can be read here.

The OAIC is asking for a penalty of $2.2 million per breach. In future breaches, companies could be fined under the Privacy Act's new penalty regime legislated at the end of 2022 raising the previous maximum civil penalty for companies from $2.2 million to the greater of:

• 1. a.$50 million dollars;
  2. b.3x the value of benefits obtained or attributable to the breach (if quantifiable); or
  3. c.30% of the corporations' adjusted turnover during the 'breach turnover period' (if the court cannot determine the value of the benefit obtained or attributable to the breach, subject to a minimum breach turnover period of 12 months (and no maximum).

Privacy Act review and modernisation process continues

The Government is continuing the process to substantially modernise the Privacy Act with support to, among many other things, to:

• 1. a.broaden the scope of the definition of “personal information”, including adding IP addresses;
  2. b.change the current exemptions including removing the Small Business Exemption and either removing or modifying the Employee Records Exemption;
  3. c.increase obligations around transparency and consent, including a requirement to include explicit data purpose statements and minimum/maximum retention periods in privacy policies;
  4. d.introduce new requirements to ensure that the collection, use and disclosure of personal information is undertaken in a “fair and reasonable” manner;
  5. e.introduce stricter requirements to anonymise data rather than merely de-identify personal information;
  6. f.implement strict new obligations and codes of practice where personal information relates to children modelled on the UK Children's Code (or Age appropriate design code);
  7. g.introduce a new Tort in Privacy and open the door to class-actions in privacy;
  8. h.legislate new individual rights including:
     1. i.the Right to Object to the collection, use or disclosure of their information; and
     2. ii.Right to be Forgotten - with some limitations; and
     3. iii.an unqualified right for individuals to object to any collection, use or disclosure of personal information for direct marketing purposes.

Outlook for 2024

The amendment of the Privacy Act, while likely to make its way through Parliament in 2024, is unlikely to take effect until 2025, most likely mid-year. It is highly likely that the Government will provide for the immediate effectiveness of some provisions while including a delayed implementation of more economically challenging provisions, such as the removal of the Small Business Exemption. This will give organisations a window of opportunity to lift their business practices and compliance before facing a new tiered administrative penalty regime that could see financial penalties applied broadly across Australian entities of all sizes and expand the OAIC's powers to assess penalties without the requirement to bring an action in the Federal Court.

Many organisations are likely to find it challenging to prepare for changes to the Privacy Act without substantially re-thinking their current risk management practices and undertaking holistic compliance projects. Organisations that want to ensure a smooth privacy maturity uplift process and spread the compliance costs over multiple years have the opportunity to start early in 2024 by taking some key preparation steps:

1. 1.conduct a review of all business activities that collect, process or use, and disclose personal information;
2. 2.develop and maintain a Record of Processing Activities (ROPA);
3. 3.work with privacy professionals to identify privacy impacts of business activities and opportunities to incorporate privacy-by-design and minimise privacy risks;
4. 4.map out existing legal obligations and the legitimate basis for possessing all personal information held by the organisation and the minimum and maximum retention periods;
5. 5.review contracts and ensure they incorporate adequate data protection and cyber breach clauses; and
6. 6.provide privacy training for all staff, Directors and the Board.

Developed countries, notably with the exception of Australia, have been further developing and harmonising Standard Contractual Clauses (SCCs) that allow organisations to enable data to flow cross-border. SCCs have become a key component of international commerce involving non-adequacy third countries such as Australia and even where using Cloud-based services hosted in third countries.

ASEAN recently published a Joint Guide to the ASEAN Model Contractual Clauses and EU Standard Contractual Clauses to help organisations navigate the differences in the two models and implementations for Controller to Controller transfers and Controller to Processor transfers helping to lower the cost to compliance for businesses in ASEAN member states and the Union.

Given the timeframe for amending the Privacy Act and likely phased implementation, it is unlikely that Australia will achieve a Data Protection adequacy status anytime in 2024 or even 2025. This means businesses looking to facilitate data flows between Australia and most developed countries will continue to need additional safeguards, such as entering into Standard Contractual Clauses (SCCs), or regional equivalents, before data can begin to flow. This will continue to present a barrier to international commerce and increased compliance cost to Australian businesses.

New South Wales and Queensland have moved forward with substantial legislative changes to implement mandatory breach notification schemes.

The NSW Mandatory Breach Notification scheme commenced in November 2023. State agencies will now be required to notify the Information and Privacy Commission of breaches.

Similar to NSW, Queensland agencies will be required to notify the Office of the Information Commissioner and affected individuals of data breaches. The Queensland reforms are expected to commence on 1 July 2025. Local governments will have a 12 month transitional period.

Both schemes operate on the basis of a likely risk of harm assessment mechanism.

Outlook for 2024

State level data breach notification laws are likely to be examined by more States and Territories in coming years. For 2024, it is likely that private entities providing products and services to the NSW and Queensland Governments may face contractual flow down effects of these notification regimes and increased costs in responding to data breach incidents.

ASIC chair Joe Longo has issued a very clear warning to all directors that they can face potential enforcement action by ASIC if they do not act with reasonable care and diligence in relation to cyber security. During a cyber conference in Sydney, he stated that "If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC, based on the directors not acting with reasonable care and diligence.”

Boards and directors are expected to take measures that are proportional to the nature, scale and complexity of their organisations and the sensitivity of key assets the organisation holds. These measures should include reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification. This sentiment was echoed by the Australian Government in proposing the introduction of new cybersecurity laws, including the proposed development of a small business cyber health check scheme.

Longo went on to stress that ASIC expects boards and directors to include oversight of risk in digital supply chains, including taking an active role in assessing third-party cyber risk.

Outlook for 2024

ASIC's continued warnings on the duties owed by Directors relating to cybersecurity is strongly echoed internationally - particularly in the United States where the Securities and Exchange Commission has issued Final Rules relating to mandatory cybersecurity disclosures that includes details of Board oversight and management capabilities. It is likely that we will see more enforcement action by ASIC against Director's of companies that are found to have inadequate oversight and management of cybersecurity risks.

Regulatory action in 2024 is far more likely to be focused on the upper end of the market, publicly traded companies, heavily regulated entities such as financial services (AFSL and ACL holders in particular), and in any breach in which large numbers of Australians or shareholders are harmed or likely to experience serious harm. Notwithstanding this, we could see the link between Director's duties and cybersecurity play a pivotal role in future litigations and civil actions for negligence following cyber breaches that result in third-party losses, such as funds diversion frauds following a business email compromise incident.
​
​Overall, the message is clear: it doesn't matter how big or small your company is, if you're a Director, you have a duty to act with care and diligence that covers cybersecurity.

The Australian Government has begun consultation processes on proposals to further enhance the Security of Critical Infrastructure Act (SOCI) to:

• 1. a.clarify obligations to protect data storage systems that store 'business critical data';
  2. b.introduce last resort consequence management powers for the Minister for Home Affairs;
  3. c.consolidate security requirements for the telecommunications sector;
  4. d.simplify information sharing mechanisms; and
  5. e.provide a power for the Secretary of Home Affairs or a relevant regulator to direct critical infrastructure entities to address deficiencies in risk management programs.

Outlook for 2024

The Government is very likely to continue their focus on critical infrastructure throughout 2024 with a view to clarifying the regulations and obligations, ensuring business critical data is captured, and critical infrastructure supply chain security is effectively managed. It is very likely that we will see a much more active role for the Minister and National Cyber Security bodies in responding to any attack on critical infrastructure.

Proposed new Cyber Security Laws

The Australian Government has begun consultation processes on proposals to further enhance Cyber Security Laws to:

• 1. a.require secure-by-design standards for Internet of Things devices;
  2. b.mandatory, no-fault Ransomware payment reporting obligations, with substantial carve-outs;
  3. c.limit the use of information provided to the Australian Signals Directorate and the National Cyber Security Coordinator;
  4. d.establish a Cyber Incident Review Board;
  5. e.create a Cyber health check scheme for small business;
  6. f.introduce an App store code of practice;
  7. g.introduce incident response code of practice; and
  8. h.develop industry data classification models.

Digital Identification takes a step forward

The Digital ID Bill and Digital ID (Transitional and Consequential Provisions) Bill 2023 were introduced in November 2023 as a major step forward for Australia's digital ID program. The program, unlike past iterations, proposes voluntary schemes for individuals. The program will introduce a voluntary Digital ID system that can be used to verify one's identity without having to provide copies of identity documents such as a passport or driver's licence each time an entity needs to conduct an ID verification check.

Outlook for 2024

It is likely that 2024 will bring with it a substantial re-alignment of Australia's federal laws applicable to cyber security along with an influx of industry specific codes of practice, particularly around higher risk cyber activities such as AI. Where possible, the Government is likely to leverage existing laws rather than introduce new legislation, in-line with their past approach to expanding existing law into emerging areas. However, we are likely to see new legislation covering cyber security threats in areas poorly served by existing laws such as artificial intelligence, ransomware response, Internet of Things, and small business cyber resiliency.

While the Government has hotly debated mandating ransomware notification, with the current consultation focused on a no-fault ransomware payment reporting obligation, there are likely to be substantial carve-outs. Current proposals would limit the no-fault reporting obligation by implementing a reporting threshold in line with the Tax Code's definition of a Small Business (aggregate turnover less than A$10 million). However, this would limit the reporting obligation to less than 2% of registered entities resulting in statistically insignificance of any data collected on ransomware trends.

We are likely to see continued, if not heavily expanded, application of Australia's autonomous cyber sanctions regime, as was used in January 2024 against a Russian individual linked to the Medibank attack. It is highly likely that Federal resources will continue to be focused on taking the cyber fight to the criminals through both autonomous action and international law enforcement cooperation. As Australia's sanctions regime is more widely applied to cyber attacks, the complexity of responding to ransomware incidents is likely to increase. If an organisation intends to pay a ransom (we strongly advocate against paying ransoms), increased application of domestic and international sanctions against individuals associated with ransomware groups complicate required due diligence and increase the cost of responding to the ransomware incidents. This is particularly challenging where ransomware incident attribution is technically difficult.

2024 will likely see increased cyber regulation in key sectors such as healthcare and financial services. We anticipate that ASIC and APRA will pay closer attention to regulated entity cyber security readiness increasing the complexity of compliance programs.

Development of one-stop-shop Digital ID schemes will continue as legislation progresses through Parliament enabling organisations to meet legal obligations while allowing individuals to, voluntarily, manage their personal information and protect their identities. This scheme, if successful, will help to reduce toxic data that puts organisations at risk while maintaining compliance with legal obligations such as those under anti-money laundering laws.

Artificial Intelligence (AI) is almost certainly going to become more pervasive in our daily and professional lives in 2024. A Forrester noted a prediction that Bring your own AI (BYOAI), using AI as part of their job delivery, will grow to as much as 60% of workers in 2024. If this prediction holds, we are likely to see both positive and negative impacts. While productivity may increase, so will the legal, security, and privacy risks necessitating strong regulation. While regulation specific to AI is still in early discussion in Australia, the effort is ramping up both domestically, and more substantially on the international stage with extraterritorial applications that can impact on Australian businesses.

The Department of Industry, Science and Resources concluded its Safe and Responsible AI in Australia Discussion Paper for consultation in mid-2023. In January 2024, the Government published their interim response to the consultation. The interim response outlines details on what action the government will take in 2024 and in the longer term. The government stated an intention to ensure the design, development and deployment of AI in legitimate high-risk settings is safe and reliable while aiming to ensure low-risk AI is not impeded.

The government stated an intention to:

• using testing, transparency and accountability measures as a means of prevent harms from high-risk AI;
• further clarifying and strengthening laws to safeguard citizens from the adverse effects of AI; and
• working internationally to support safe development and deployment practices relating to AI.

Outlook for 2024

AI will remain the hot topic for 2024 and a central part of legislative and regulatory reform globally. The pending amendment of the Australian Privacy Act will also likely include some impacts on the use of AI technologies. A key focus of AI regulation proposals has been on developing increased transparency and accountability for organisations that use AI technologies to handle personal information, as well as enhanced enforcement powers the Office of the Australian Information Commissioner.

It is anticipated that 2024 will see a stronger focus on industry codes of practice and guidance. However, it should be noted that many countries, in particular the European Union, are developing AI laws with substantial extraterritorial reach that could easily impact on Australian businesses designing, developing, or using AI.

The Australian Communications and Media Authority (ACMA) has been very active in taking enforcement action and assessing penalties under the Spam Act amounting to over $9 million in 2023.

Compliance with the, often poorly understood, Spam Act continues to be a substantial challenge for many businesses resulting in financial penalties and will likely see more investigations and penalties in 2024.

The activities that attracted penalties in 2023 was most commonly:

• sending marketing emails;
• sending SMS without consent;
• sending marketing emails or SMS without contact details of the sender; and
• sending marketing emails or SMS without a functional unsubscribe facility.

Outlook for 2024

The ACMA is very likely to continue to assess large penalties against organisations for breach of the Spam Act. The rules set out in the Spam Act, while appearing simple, can be challenging for some organisations to understand and implement. It is very likely Spam is going to ramp up heavily from both fraudsters and companies thinking they are complying or failing to adequately review content before sending it.

Throughout 2023, we saw an increased frequency of civil actions relating to cyber security incidents and data breaches. This doesn't just include the well publicised class-actions arising from the Optus and Medibank breaches.

Small businesses are being sued by their customers that lose money as a result of funds redirection frauds (invoices with altered payment details). These types of cyber frauds often occur as part of a business email compromise incident and are an extremely common type of cyber attack for small to medium businesses who often don't have as strong cyber defences as larger businesses.

It is becoming more common for customers, and their insurers, to pursue damages from companies that fail to take reasonable measures to protect personal information and the cybersecurity of systems. 2024 is likely to see substantially more cases looking to test the waters of a company, and Director's, duty of care in relation to cybersecurity.