
Navigating Data Protection Reforms: A Comparative Analysis of UK and Australia


    The regulatory landscape for data protection and cyber security is evolving rapidly, with Australia introducing significant legislative changes aimed at enhancing privacy and cyber security and the UK currently considering reforms to its laws on the same topics.

    The UK is reforming its data protection laws to address emerging technologies and privacy concerns. The Data (Use and Access) Bill (DUA Bill), introduced on 23 October 2024, shifts focus from reducing compliance burdens to optimising data for economic growth and public service improvements. The forthcoming Cybersecurity and Resilience Bill, announced in July 2024, aims to expand regulatory scope, enhance reporting obligations, and strengthen enforcement of cybersecurity standards.

    Privacy and cyber security have been a key regulatory priority following a series of major data breaches in the past few years. With a federal election expected in 2025, the Australian Government accelerated its reform agenda, passing important reforms in the closing Parliamentary sitting weeks of 2024:

    • The Privacy and Other Legislation Amendment Act 2024 – a first tranche of important privacy reforms (Tranche 1) – part of an ongoing generational change in privacy law. Further significant reforms are expected in a second tranche (Tranche 2), which might be delayed until after the federal election; and
    • Australia's first Cyber Security Act 2024, as well as reforms to critical infrastructure and related legislation – to achieve Australia's ambition to be a world leader in cyber security by 2024.

    We have summarised below three aspects of the reforms in the UK and Australia which were discussed at our recent event at the Australian High Commission in London, and which we believe are likely to have a business impact for organisations operating in both jurisdictions. A comprehensive summary of the proposed reforms in the UK can be found here, and you can read more about the generational change in privacy regulation in Australia and what the cyber and critical infrastructure reforms mean for redefining cyber readiness.

    1. Automated Decision-Making

    UK:

    The DUA Bill relaxes restrictions on solely automated decision-making by narrowing them to "significant decisions" made without meaningful human involvement and based entirely or partly on special category data. Most automated decisions using non-special category data are permitted if safeguards are implemented, including:

    • Allowing individuals to contest decisions.
    • Providing avenues for representation.
    • Requiring human intervention upon request.

    Business Impact: The reforms make it easier for UK businesses to deploy AI-powered automated decisions for broader use cases in most circumstances, provided safeguards are met. The changes would open the door for organisations to consider relying on the lawful basis of legitimate interest, which offers more flexibility than the other lawful bases (such as consent and performance of a contract) that currently have to be relied on for automated decisions falling within the scope of Article 22 UK GDPR.

    Australia:

    A new transparency principle under Australia's privacy reforms requires organisations to explain in their privacy policies any computer-enabled decisions, made using personal information, that significantly affect individuals' rights or interests.

    The regime is broad – extending to:

    • a broad notion of computer programs (which includes AI, machine learning, spreadsheet automation, etc.);
    • wholly and partly automated decisions – even where there is a "human in the loop" – (where computer operations are substantially and directly related to the decision-making); and
    • third party systems and outsourced providers relied on to undertake automated decisions.

    These transparency measures get the ball rolling – further obligations will apply to automated decisions in the coming "Tranche 2" of reforms, for example greater privacy impact assessment requirements. At the same time, in Western Australia, the recently passed Privacy and Responsible Information Sharing Bill 2024 (WA) already provides for additional requirements for State Government entities in Western Australia, including initial risk assessments, periodic evaluations, and the provision of a mechanism to seek human intervention in the decision-making process.

    Business Impact: Reforms will commence on a date to be specified, within 24 months. With the scale of business-as-usual computer-assisted decision-making in modern business, and limited visibility of computer-assisted decision-making processes, 24 months will be a challenging timetable for many businesses. Businesses should therefore pro-actively review all existing and future automated processes, update privacy policies, and implement robust accountability measures in preparation.

    2. Cookies, Tracking Technologies and Direct Marketing

    UK:

    The Bill introduces several key changes to the cookie consent rules and to enforcement under the Privacy and Electronic Communications Regulations (PECR).

    • Cookie Consent Rules: Rules now cover individuals who "instigate" data storage or access, enabling the ICO to enforce against website publishers, not just ad-tech vendors.
    • Exemptions: Consent is not required for low-risk activities, such as analytics aimed at improving the website or service, optimising content display, and activities strictly necessary for security, fraud prevention, and maintaining user preferences.
    • Enforcement Powers: PECR penalties in relation to cookie and electronic marketing will align with UK GDPR, increasing the cap to £17.5 million or 4% of global turnover for breaches, from the previous £500,000.

    Business Impact: The enforcement landscape is fundamentally changing for organisations deploying cookies and similar tracking technologies in the UK. This has been an area of active regulatory activity in the UK over the past 24 months, but no significant fines have been imposed to date. These reforms will bring the UK into line with EU jurisdictions such as France, where there have been multi-million euro fines for online advertising and tracking-related compliance issues. In light of this, organisations may want to consider allocating part of their 2025 privacy budgets to a cookie audit to establish their compliance position.

    Australia:

    The OAIC has clarified in fresh guidance how the Australian Privacy Act 1988 (Cth) (Privacy Act) applies to tracking technologies such as third-party pixels used for advertising, engagement, and measuring return on investment, taking into account its existing guidelines on the applicable principles.

    Key recommendations for businesses:

    • Understand pixel functionality in the organisational context, including the categories of information being collected, their use cases and what can be activated or de-activated.
    • Use a privacy-by-design approach, including conducting privacy impact assessments and adopting a data minimisation approach.
    • Implement safeguards and avoid a "set and forget" mindset, ensuring ongoing compliance.

    Business Impact:

    • The OAIC's guidance on tracking pixels is part of its broader effort to equip organisations with extensive resources for privacy compliance, including recent materials on generative AI, based on the existing requirements under the Privacy Act.
    • The Privacy Commissioner is continuing to release similar guidance to assist organisations and to flag particular areas of enforcement focus, while the proposed 'Tranche 2' changes to the Privacy Act are being progressed by the Government.
    • We expect to see additional enforcement action in these key areas from the Privacy Commissioner, particularly given that the reforms to the Privacy Act have granted the Privacy Commissioner greater enforcement powers, including the ability to issue infringement notices for 'administrative failures' such as a failure to have a compliant privacy policy, or a failure to provide individuals with an 'opt out' mechanism in relation to certain direct marketing.

    3. Cybersecurity Obligations

    UK:

    Planned for 2025, the Cyber Security and Resilience Bill will enhance cross-sectoral cybersecurity laws, updating the NIS Regulations and aligning with the EU's NIS2 Directive.

    Key Proposals:

    • Broaden coverage to include more digital services and supply chains.
    • Introduce stricter reporting, including ransomware incidents.
    • Empower regulators with cost recovery mechanisms and proactive investigation powers.

    Business Impact: The UK Government has highlighted the evolving cyber threat faced by organisations, citing recent attacks on the NHS and Ministry of Defence, as well as concerns raised by the UK National Cyber Security Centre about the cyber capabilities of China and Russia. Combined with stricter incident reporting and increased regulatory scrutiny and scope, businesses will need to invest in stronger cybersecurity practices, enhance their risk management systems, and ensure compliance with new regulations to avoid penalties.

    Australia:

    Tranche 1 privacy reforms

    The Tranche 1 reforms clarify that the reasonable steps required to safeguard personal information must include both technical and organisational measures – emphasising an increased focus on organisational practices, procedures and systems, and aligning more closely with the equivalent terminology used in the EU and UK General Data Protection Regulations. Addressing pain points experienced in recent mass data breach incidents, a new data breach declaration regime allows information sharing during incident response – for example, to help banks prevent fraud.

    Cyber Security Legislative Package

    The package comprises the Cyber Security Act 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024. These reforms form part of the 2023-2030 Australian Cyber Security Strategy.

    Key takeaways from the new Cyber Security Legislative Package include:

    • Mandatory Ransomware Reporting: Report payments within 72 hours, with exemptions for smaller businesses.
    • Cyber Incident Review Board: Conducting "no-fault" reviews of significant incidents.
    • "Limited Use" Regime: Encourages closer cooperation between business and cyber agencies by limiting how certain cyber incident information received by agencies may be used and disclosed.
    • Smart Device Standards: Mandates compliance certificates for secure smart devices.
    • Critical Infrastructure Security: A range of reforms, including to ensure that systems that hold business-critical data are protected in the same way as critical infrastructure assets they support.

    Business Impact: While understanding and operationalising the new legal obligations is essential, simply reacting to the new rules will not be enough to outpace cyber risk, or regulatory and public expectations around how cyber risks are managed. Three key measures to outpace cyber risk are:

    • De-risk ransom – Mandatory ransom reporting does not legalise ransom payments, ameliorate a ransom attack or meet heightened policy and public expectations. De-risk the ransom threat with a carefully considered and thoroughly tested risk-based approach to ransom payment decision-making and planning.
    • Limited use provisions are not a "safe harbour" – New restrictions on how cyber agencies use information inform just one part of a cyber crisis communications strategy. Build and test your capability to confidently communicate with cyber agencies, regulators, government, the media, customers, and the public, without creating further downstream reputational or legal risks.
    • Outpace regulator expectations – Managing cyber risk is now a normal part of doing business – this means understanding that a breach is a case of "when", not "if". Understand the evolving expectations of regulators, and measure your cyber maturity against them.

    Conclusion

    The upcoming legislative changes in the UK and Australia signal a shift toward stricter data protection and cybersecurity obligations. Businesses must act now to prepare for these reforms and consider leveraging increasing synergies to create unified, effective and global privacy and cyber security compliance strategies. By doing so, they can more effectively navigate regulatory complexity, pro-actively mitigate risks, and capitalise on opportunities in a rapidly evolving digital landscape.

    If you would like to discuss any of these issues with our UK and Australian teams, please get in touch.

    Authors: Tom Brookes, Senior Associate, Nilesh Ray, Junior Associate and Andrew Hilton, Expertise Counsel.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.