Important Legislation Alerts

Update

On 10 December 2024 the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Amendment Act 2024 received Royal Assent. The Act amends the AML/CTF Act 2006. (More to come soon). 

In considering the AML/CTF bill tabled, there were three major areas the proposed law aims to address:

1. To extend the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime to certain higher-risk services provided by real estate professionals, professional service providers including lawyers, accountants and trust and company service providers, and dealers in precious stones and metals (Tranche 2 entities).
2. To improve the effectiveness of the AML/CTF regime by making it simpler and clearer for businesses to comply with their obligations.
3. To modernise the regime to reflect changing business structures, technologies and illicit financing methodologies.

As of 8 September, the Crimes Legislation Amendment (Combatting Foreign Bribery) Act 2024 has come into effect.

Under the Combatting Foreign Bribery Act 2024, companies will now be held directly liable for the foreign bribery activities of their employees, external contractors, agents and subsidiaries, unless the business can demonstrate that they had adequate procedures in place.

The Australian Government has introduced the first phase of reforms to the Privacy Act 1988 (Cth) through the Privacy and Other Legislation Amendment Bill 2024, tabled on 12 September 2024. This is the initial response to the Attorney-General Department's review, which proposed 116 recommendations for reform. The Bill addresses 23 of the 38 proposals that the Government agreed to implement in 2023.

Key Points of the Bill:

1. Automated Decision-Making (ADM): Businesses using ADM must notify individuals if decisions significantly affect their rights or interests.
2. Children's Online Privacy Code: A new code will be developed focusing on children's online privacy. This is particularly relevant to digital businesses amid discussions on social media age verification.
3. Enforcement Powers and Penalties: The Office of the Australian Information Commissioner (OAIC) will have expanded enforcement powers, including issuing civil penalty infringement notices. The Bill introduces a statutory tort for serious invasions of privacy and a new offence of "doxxing" into the Criminal Code.

Implications for Businesses:

• Compliance Obligations: The Bill introduces additional compliance obligations, particularly around ADM and children's privacy, but does not overhaul the existing privacy framework.
• Penalties and Enforcement: Increased penalties and broader enforcement powers for the OAIC provide a strong incentive for organisations to review and update their privacy compliance.
• Overseas Data Flows: The Bill proposes whitelisting countries with equivalent privacy protections, aligning with the EU's GDPR and simplifying data transfers.

Small Business Exemptions: The current Bill does not address the removal of the small business exemption, which was proposed in the review. This exemption currently applies to businesses with an annual turnover of $3 million or less. Although not included in this first tranche, the potential removal of this exemption remains on the horizon as part of broader reforms under consideration. Businesses currently relying on this exemption should prepare for the possibility of future changes, which could significantly impact their compliance obligations.

What’s Missing?

Notably absent from the Bill are comprehensive reforms such as stronger consent models, the "fair and reasonable" test for information handling, and ad-tech regulation. Other agreed proposals, like the journalism exemption thresholds and provisions for broad consent in research, are also not included.

Next Steps:

• The Bill's passage is uncertain, with debate adjourned, potentially delaying implementation until 2025.
• The OAIC will issue guidance to support the amendments, including ADM and the Children’s Online Privacy Code.
• A second tranche of reforms is anticipated, though with no set timeline.

Businesses, including small businesses currently exempt from the Privacy Act, should assess their privacy practices and consider implementing operational changes in anticipation of future reforms. With increased penalties and enforcement powers, maintaining a robust privacy compliance framework is essential to mitigate potential risks.