Navigating Data Protection Reforms: A Comparative Analysis of UK and Australia
12 December 2024
The regulatory landscape for data protection and cyber security is evolving rapidly, with Australia introducing significant legislative changes aimed at enhancing privacy and cyber security and the UK currently considering reforms to its laws on the same topics.
The UK is reforming its data protection laws to address emerging technologies and privacy concerns. The Data (Use and Access) Bill (DUA Bill), introduced on 23 October 2024, shifts the focus from reducing compliance burdens to optimising the use of data for economic growth and public service improvements. The forthcoming Cyber Security and Resilience Bill, announced in July 2024, aims to expand the regulatory scope of the UK's cyber security laws, enhance incident reporting obligations, and strengthen enforcement of cyber security standards.
Privacy and cyber security have been a key regulatory priority following a series of major data breaches in the past few years. With a federal election expected in 2025, the Australian Government accelerated its reform agenda, passing important reforms in the closing Parliamentary sitting weeks of 2024:
We have summarised below three aspects of the reforms in the UK and Australia which were discussed at our recent event at the Australian High Commission in London and which we believe are likely to have a business impact for organisations operating in both jurisdictions. A comprehensive summary of the proposed reforms in the UK can be found here, and you can read more about the generational change in privacy regulation in Australia and what the cyber and critical infrastructure reforms mean for redefining cyber readiness.
The DUA Bill relaxes restrictions on solely automated decision-making by narrowing them to "significant decisions" made without meaningful human involvement and based entirely or partly on special category data. Most automated decisions using non-special category data are permitted if safeguards are implemented, including:
Business Impact: The reforms make it easier for UK businesses to deploy AI-powered automated decisions across a broader range of use cases, provided the safeguards are met. The changes would also open the door for organisations to rely on the lawful basis of legitimate interests, which offers more flexibility than the lawful bases currently available for automated decisions within the scope of article 22 UK GDPR, namely consent and performance of a contract.
A new transparency principle under Australia's privacy reforms requires organisations to explain in their privacy policies any computer-enabled decisions, made using personal information, that significantly affect the rights or interests of individuals.
The regime is broad – extending to:
These transparency measures get the ball rolling – further obligations will apply to automated decisions in a coming "Tranche 2" of reforms – for example, greater privacy impact assessment requirements. At the same time, in Western Australia, the recently passed Privacy and Responsible Information Sharing Bill 2024 (WA) already provides for additional requirements for State Government entities in Western Australia, including initial risk assessments, periodic evaluations, and the provision of a mechanism to seek human intervention in the decision-making process.
Business Impact: The reforms will commence on a date to be specified, no later than 24 months after the legislation passed. Given the scale of business-as-usual computer-assisted decision-making in modern business, and the limited visibility many organisations have of those processes, 24 months will be a challenging timetable for many businesses. Businesses should therefore pro-actively inventory and review all existing and planned automated processes, update their privacy policies, and implement robust accountability measures in preparation.
The DUA Bill introduces several key changes to the cookie consent rules and to enforcement under the Privacy and Electronic Communications Regulations (PECR).
Business Impact: The enforcement landscape is fundamentally changing for organisations deploying cookies and similar tracking technologies in the UK. This has been an area of active regulatory activity in the UK over the past 24 months, but no significant fines have been imposed to date. These reforms will bring the UK into line with EU jurisdictions such as France, where multi-million euro fines have been imposed for online advertising and tracking-related compliance failures. In light of this, organisations may want to consider allocating part of their 2025 privacy budgets to a cookie audit to establish their compliance position.
The OAIC has clarified in fresh guidance how the Australian Privacy Act 1988 (Cth) (Privacy Act) applies to tracking technologies such as third-party pixels used for advertising, engagement measurement and measuring return on investment, building on its existing guidance on the applicable Australian Privacy Principles.
Key recommendations for businesses:
Business Impact:
Planned for 2025, the Cyber Security and Resilience Bill will enhance the UK's cross-sectoral cyber security laws by updating the NIS Regulations and aligning them more closely with the EU's NIS2 Directive.
Key Proposals:
Business Impact: The UK Government has highlighted the evolving cyber threat faced by organisations, citing recent attacks on the NHS and the Ministry of Defence, as well as concerns raised by the UK National Cyber Security Centre about the cyber capabilities of China and Russia. Combined with stricter incident reporting, increased regulatory scrutiny and a wider regulatory scope, businesses will need to invest in stronger cyber security practices, enhance their risk management systems, and ensure compliance with the new regulations to avoid penalties.
The Tranche 1 reforms clarify that the reasonable steps required to safeguard personal information must include both technical and organisational measures – emphasising an increased focus on organisational practices, procedures and systems, and aligning the Privacy Act more closely with the equivalent terminology used in the EU and UK General Data Protection Regulations. Addressing pain points experienced in recent mass data breach incidents, a new data breach declaration regime allows information sharing during incident response – for example, to help banks prevent fraud.
The Cyber Security Legislative Package comprises the Cyber Security Act 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024. These reforms form part of the 2023-2030 Australian Cyber Security Strategy.
Key takeaways from the new Cyber Security Legislative Package include:
Business Impact: While understanding and operationalising the new legal obligations is essential, simply reacting to the new rules will not be enough to outpace cyber risk, or regulatory and public expectations about how cyber risks are managed. Three key measures to outpace cyber risk are:
The legislative changes in the UK and Australia signal a shift toward stricter data protection and cyber security obligations. Businesses must act now to prepare for these reforms and should consider leveraging the increasing synergies between the two regimes to build unified, effective and global privacy and cyber security compliance strategies. By doing so, they can more effectively navigate regulatory complexity, pro-actively mitigate risks, and capitalise on opportunities in a rapidly evolving digital landscape.
If you would like to discuss any of these issues with our UK and Australian teams, please get in touch.
Authors: Tom Brookes, Senior Associate, Nilesh Ray, Junior Associate and Andrew Hilton, Expertise Counsel.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.