A few weeks ago, the Federal Government introduced a new bill containing some much-anticipated amendments to the Privacy Act.
While the ultimate scale of these changes is far less than was originally anticipated and called for by industry, the government has described them as a ‘first tranche’, signaling there will be more amendments to come.
This marks the beginning of a sincere and significant shift in the way Australian legislation works to protect the privacy of its citizens in a new digital age.
Read on to learn more about these changes and what they could mean for event managers.
Why are data privacy changes needed?
According to recent statistics released by the Australian privacy watchdog, there were more than 520 data breaches between January and June of this year.
This represents a whopping 9% increase from the second half of 2023 and a continuation of a worrying trend.
The privacy commissioner said this increase demonstrates that there are significant threats to be concerned about, many of which have the potential to put Australians at serious risk of harm.
What’s more, more than half of the breaches reported were cyber attacks targeting information systems, networks, computer infrastructure or PCs.
The new privacy laws aim to update legislation to meet the reality of our new online world, including providing more accurate descriptions of the steps organisations need to take to ensure data privacy is protected.
What are the new data privacy laws?
The government has said the first raft of changes has been designed to close loopholes and address specific cybersecurity and data privacy concerns.
Here are some of the key changes to be aware of.
AI transparency
Under the new laws, organisations must include information in their privacy policies about automated decision-making that could impact an individual’s rights or interests.
Notably, this law is designed to provide transparency alone. Under the current changes, individuals do not have the right to be excluded from automated processing decisions or to request information about how these decisions are made.
Statutory tort and doxxing
In an important change for cybersecurity, the Privacy Act now includes a statutory tort. This allows individuals to seek compensation if their privacy is impacted by a serious breach.
With this change, individuals can sue for misuse of information or even intrusion upon seclusion, which might include being filmed in a private place.
The new changes have also outlawed the practice known as ‘doxxing’ or ‘doxing’, which is the malicious and intentional release of a person’s personal information or private details without their consent.
Those found guilty of doxxing can now face up to seven years in jail.
Handling of personal information
The new laws have also updated the ‘reasonable steps’ an organisation is expected to take to protect data privacy.
This now includes both technical and organisational measures, meaning businesses need to have governance structures in place to protect data alongside cybersecurity protections.
Overseas information
Another key change aims to facilitate disclosure of private information overseas.
The government will designate specific countries with whom data can be shared without the need to comply with APP 8. The countries to which this applies will be required to have similar data laws and protections to our own.
This aims to make it easier for Australian organisations to enter into contracts with overseas organisations and allow for private information to be shared more rapidly among trusted groups.
You can learn more about the amendments on the Department of the Attorney-General website.
Compliance is key
We don’t have to look far to see why noncompliance is not an option.
Of course, failing to adhere to regulations can leave you unnecessarily exposed, which can increase your risk of being breached. This puts your organisation, and your customers, in danger.
What’s more, companies that fail to meet regulations could be subject to investigation by the Information Commissioner.
Under powers approved in May 2022, the Information Commissioner can hand down a fine of whichever is greater: $50 million, triple the value gained through information misuse or 30% of a company’s turnover in the relevant period.
For businesses, the risk can even be existential.
MediSecure, which was the victim of a ransomware data breach earlier this year, went into administration just weeks after the attack, unable to recover from the financial and reputational damage.
With this in mind, now is a great time for organisations of all shapes and sizes to check their compliance with data privacy laws to secure their customers and themselves into the future.
Third-party considerations
While securing your own data is vital, it’s perhaps equally important to make sure the data held by your third-party and partner organisations is secured as well.
For instance, if you use event management software to run events, a customer relationship management (CRM) system to handle your sales data or even an email marketing platform to handle your communications, it’s likely that they will have access to some of your data.
To mitigate risk, it’s a good idea to only work with trusted vendors who are open and transparent about their cybersecurity and data privacy practices.
Unlike some other event management software providers, evexus prides itself on keeping all of your clients’ data safe and secure.
One way we do this is by seeking the express consent of every attendee, ensuring they each individually opt in to privacy policies, terms and conditions and any other necessary forms.
In contrast, many other systems allow a main registrant, such as someone completing a group registration, to opt in on their attendees’ behalf. This presents an unacceptable risk, as it is non-compliant with global privacy laws.
What’s more, while we put privacy first, we don’t allow it to make your life hard. To make sure our registration process remains seamless, we allow you to send automatic consent opt-in emails to each attendee after a booking has been made so you can still reap the rewards of offering group registration.
Find out more
Protecting your data privacy is just one of the ways evexus’ event management software is designed for you.
Learn more on our website or book a demo today.