INFORMED FLIGHT


Flying into Compliance: What the New Privacy Reforms Mean for the Drone Industry.

Published: 8 January 2025

INTRODUCTION

Significant changes to Australia’s privacy laws arrived in December 2024.

A new piece of privacy legislation, the Privacy and Other Legislation Amendment Act 2024 (Cth) (“Act”), came into play on 10 December 2024.

This article aims to summarise the key points as they relate to drone operations. It is not a comprehensive rundown of all the amendments. However, please be in touch if you do want to discuss the amendments more broadly.

This article will consider 2 main issues.

1.  A summary of some of the key changes to Australia’s privacy laws as created by the Act; and

2.  How a Data Protection & Privacy Impact Assessment (DPPIA) may be used as a compliance and risk mitigation tool as part of a drone operator’s strategy in meeting their privacy obligations.

PRIVACY LAW AMENDMENTS

This new Act introduces several key reforms aimed at enhancing the protection of personal information and holding entities accountable for privacy breaches.

Structurally, it’s a patchwork Act because it amends 10 different pieces of legislation (see note [1] at end of article).  That is, it is not a neat piece of self-sufficient legislation because all it does is provide words to add or subtract from those other pieces of legislation.

However, we will provide some guidance on the key changes.

The new ability to sue or be sued for serious invasions of privacy.

One of the most significant changes is the ability for someone to sue for serious invasions of privacy. Surprisingly, this will be the first time in Australia that someone can directly sue for a breach of privacy. There have been roundabout ways to do this, but this is the first time such a right is specified in legislation.

Practically speaking, the Complainant can sue the Intruder where the Intruder has intruded upon the Complainant’s seclusion, or misused information relating to the Complainant.

Intruding upon the seclusion of the Complainant can happen where the Intruder physically intrudes into the Complainant’s private space; or watches, listens to, or records the Complainant’s private activities or private affairs.

Interestingly, the person suing must be a natural person, that is, a human being. This means that companies cannot sue under this action; but companies can be sued under the Act.

Also, while many of the privacy laws under the Privacy Act apply only to “APP entities” (rule of thumb being organisations with more than $3m annual turnover), this right to sue for a serious invasion of privacy is not limited to applying to APP entities. That is, any individual or organisation can be sued under this new claim.

Importantly, the Complainant does not have to prove that they have suffered any damage in order to bring an action.

If proven, the Court can award injunctions and declarations, and order apologies and compensation. The Court may award damages for emotional distress, and exemplary or punitive damages in exceptional circumstances. Damages awarded for non-economic loss, and any exemplary or punitive damages, are capped at the greater of (a) $478,550; and (b) the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings.

In short – this is no slap on the wrist, this stuff has teeth and should not be ignored.

Notably, this law is not in effect straight away. It will kick in at the earlier of:

(a) being formally announced – “Proclamation”; and

(b) 10 June 2025.

New penalty provisions and powers of the Office of the Australian Information Commissioner

Just when you thought you only had to answer to CASA, enter stage right – the Office of the Australian Information Commissioner (OAIC).

As you’re probably aware, CASA’s remit does not include privacy; its focus is on aviation safety. Privacy is regulated by the OAIC.

The Act creates new civil penalty provisions for interfering with the privacy of individuals and new OAIC powers to issue infringement notices and compliance notices.

This section is breached if you commit an act, or engage in a practice, that constitutes serious interference with the privacy of an individual.

In determining whether an interference with privacy is serious, a court may have regard to any of the following matters:

(a) the particular kind or kinds of information involved in the interference with privacy;

(b) the sensitivity of the personal information of the individual;

(c) the consequences, or potential consequences, of the interference with privacy for the individual;

(d) the number of individuals affected by the interference with privacy;

(e) whether the individual affected by the interference with privacy is a child or person experiencing vulnerability;

(f) whether the act was done, or the practice engaged in, repeatedly or continuously;

(g) whether the contravening entity failed to take steps to implement practices, procedures and systems to comply with their obligations in relation to privacy in a way that contributed to the interference with privacy;

(h) any other relevant matter.

With these new powers, we can expect to see a greater focus by the OAIC on enforcement-led activities.

These new powers took effect on 11 December 2024.

The Act itself is accessible here.

The take-away is that these amendments emphasise the importance of taking a privacy-by-design approach, a principle that prioritises privacy in the development and operation of a drone mission. One tool that can assist in taking a privacy-by-design approach, and in mitigating the risk exposure under the new privacy laws, is a Data Protection & Privacy Impact Assessment.

DATA PROTECTION & PRIVACY IMPACT ASSESSMENT (DPPIA)

These new legislative obligations mean that organisations are wise to adopt proactive measures to ensure privacy compliance and to avoid potential penalties or reputational damage. A Data Protection & Privacy Impact Assessment (DPPIA) is a tool for this purpose.

What is a DPPIA?

A DPPIA is a systematic evaluation of a mission or project that:

1.  Identifies how data and personal information will be collected, used, and stored; and

2.  Analyses potential impacts on privacy; and

3.  Allows users to uncover strategies to mitigate risks and enhance privacy protections.

A DPPIA is not just about ticking compliance boxes. It’s part of a privacy-by-design approach, ensuring that projects align with community expectations and legal requirements.

DPPIA in practice

Ideally, a DPPIA is prepared for each project during the mission planning stage.

Failing to assess privacy impacts of an operation can lead to:

– Legal non-compliance: risk of penalties or exposure to being sued.

– Reputation damage: loss of client trust due to data breaches.

– Operational costs: late-stage fixes to privacy issues are often more costly than dealing with them upfront.

Assessing privacy impacts at the mission planning stage offers benefits including:

– Legal compliance: assists alignment with privacy laws, including the new amendments.

– Risk mitigation: identifies potential risks early, reducing the likelihood of costly data breaches or non-compliance penalties. When determining whether an interference with privacy is serious, the Court may have regard to whether the contravening entity failed to take steps to implement practices, procedures and systems to comply with their obligations in relation to privacy in a way that contributed to the interference with privacy. A DPPIA aims to directly address this criterion, thereby proactively mitigating this risk.

– Transparency and trust: demonstrates a commitment to safeguarding personal information, building client and public confidence.

CLOSING COMMENTS

These privacy law amendments are fundamental. Between a new exposure to being sued for breaching privacy, and the enhanced OAIC powers, these risks should be mitigated to the extent that your resources permit.

The first step in this process is to conduct a DPPIA, which not only addresses immediate risks but also positions your organisation as a leader in privacy best practices.

We have prepared a drone-specific DPPIA which can be used for all missions, as part of your mission planning, which can be purchased through this page here.

If you want a free way to help manage the privacy risk in your operations, the Australian Government Department of Infrastructure, Transport, Regional Development, Communications and the Arts released a paper titled ‘Don’t pry when you fly: Privacy considerations for drone use’ in 2023, which provides best practice Drone Privacy Principles (DPPs). While these do not take into account the Act, this paper can assist in mitigating your exposure to privacy-related issues. We wrote an article on this paper which is accessible here, and which also contains a link to the paper itself.

Fly Free!

The Drone Lawyer

The lawyers in your corner of the sky

8 January 2025

[1] The 10 pieces of legislation amended by the Act: Privacy Act 1988; Data Availability and Transparency Act 2022; Digital ID Act 2024; Identity Verification Services Act 2023; Australian Information Commissioner Act 2010; Competition and Consumer Act 2010; Crimes Act 1914; Data-matching Program (Assistance and Tax) Act 1990; National Health Act 1953; Criminal Code Act 1995.

Boring lawyer disclaimer: this article is information only, nothing in this article is legal advice. If you would like to consider obtaining legal advice, please be in contact at: tom@macmillan.law