Major Privacy Law Changes: UK Data Bill, Australia’s New Privacy Tort, and Norway DPA on tracking pixels

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Europe

UK Data Bill Passes

The UK House of Lords passed the Data (Use and Access) Bill , which will take effect once it receives Royal Assent by the King, expected in the coming days or weeks.

TAKEAWAY

The law reflects several changes to the UK data protection framework, including: (a) further clarity (including examples) on use of legitimate interest as a legal basis, (b) opt out (rather than opt in) for charity communications, (c) exemptions to cookie consent for strictly necessary purposes, internal statistical analysis, improving functionality, security updates and emergency assistance, (d) allowing for low risk automated decision-making (such as product recommendations and segmentation) where individuals are informed about the decision, can make representations, and can obtain human review or contest the outcome, (e) allowing for codes of conduct under PECR and the UK GDPR to be incorporated into the same document; (f) repurposing to the ICO to consider the public interest in promoting innovation and competition alongside privacy and data protection, (g) applying legal privileges previously reserved for academic research to any market research, product development, technological innovation, or other statistical purposes where the resulting information is anonymized and not used to make decisions about individuals, (h) increase of potential penalties under PECR to align with the UK GDPR (i.e., up to £17.5 million or 4% of global turnover), and (i) defining “direct marketing” in both the UK GDPR and PECR as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. 

global

Australia Tort for Invasion of Privacy Takes Effect

The Office of the Australian Information Commissioner announced that the statutory tort for invasion of privacy has taken effect, allowing individuals a private right of action against other individuals or businesses that invade their privacy. Specifically, an individual has a cause of action if the defendant either intruded upon the plaintiff’s seclusion or misused information relating to the individual, there was a reasonable expectation of privacy, the invasion was intentional or reckless, the invasion was serious, and the public interest in the individual’s privacy outweighed any countervailing public interest. No proof of damage is necessary to recover as long as those elements are met. To aid in interpretation of the elements, the law provides examples of a countervailing public interest and factors to consider when determining a user’s reasonable expectation of privacy and whether an invasion of privacy is “serious”.

TAKEAWAY

The invasion of privacy tort is just one aspect of the broader Privacy and Other Legislation Amendment Act 2024 , which passed last year and will take effect in phases. Most of the provisions of the Act (including expanded powers of the Information Commissioner, parameters around adequacy decisions for overseas transfers, and requirements for technical and organizational methods for securing personal information) came into effect immediately as of 10 December 2024, and some provisions related to automated decision-making will take effect 10 December 2026. Overall, the Act reflects a major reform of the Privacy Act 1988 and, in many respects brings the law more in line with European (GDPR) standards, but further reform may be on the horizon to fill in additional gaps as Australia moves toward an adequacy decision with the EU. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Norway DPA fines one, reprimands five, companies over use of tracking pixels

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.