Commonwealth of Australia Explanatory Memoranda


PRIVACY AND OTHER LEGISLATION AMENDMENT BILL 2024

                      2022-2023-2024


THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA




                         SENATE




PRIVACY AND OTHER LEGISLATION AMENDMENT BILL 2024




    ADDENDUM TO THE EXPLANATORY MEMORANDUM




                (Circulated by authority of the
       Attorney-General, the Hon Mark Dreyfus KC MP)


PRIVACY AND OTHER LEGISLATION AMENDMENT BILL 2024

This addendum provides additional clarifying material in response to:

• comments made by the Senate Standing Committee for the Scrutiny of Bills in Scrutiny Digest No. 13, dated 9 October 2024
• submissions and evidence to the Senate Legal and Constitutional Affairs Legislation Committee's inquiry into the Privacy and Other Legislation Amendment Bill 2024 (the Bill), and
• the report of the Senate Legal and Constitutional Affairs Legislation Committee's inquiry into the Bill dated 14 November 2024.

This addendum also addresses minor errors in the original Explanatory Memorandum, and clarifies information on the value of penalty units.

CORRECTIONS TO STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

1. The contents of paragraphs 14 to 8 of this Addendum to the Explanatory Memorandum below address minor drafting errors in the Statement of Compatibility with Human Rights in the original Explanatory Memorandum, and clarify information on the value of penalty units.

2. On page 7, in paragraph 2(i) replace '(Parts 10 and 11)' with '(Part 10)'.

3. On page 12, in paragraph 30 omit 'and the powers available to the FCA or the FCFCOA to order remedies for unlawful interference with privacy.'

4. On page 14, replace paragraph 44 with, 'It is necessary to include this power, as it would enable authorised persons executing a monitoring warrant to facilitate access onto the premises if the occupier is not in attendance or is non-compliant. The power would also permit an authorised person to open locked doors, cabinets and other similar objects, as well as electronic equipment, that the authorised person reasonably suspects contain things or information that would provide evidence demonstrating:

   a. whether a provision or matter subject to monitoring has not been, or is not being, complied with, or

   b. the correctness of information subject to monitoring that has been given in compliance, or purported compliance, with a provision requiring information to be given.

5. The amount of the civil penalties in dollar figures in paragraph 83 on page 20 and paragraphs 88 and 91 on page 21 reflects the monetary value of a penalty unit for offences committed on or after 7 November 2024 rather than at the time of introduction of the Bill. This is because the Crimes and Other Legislation Amendment (Omnibus No. 1) Bill 2024 as introduced was to increase the value of a penalty unit to $330 from 1 July 2024, but was not passed by this date and was later amended to increase the value of a penalty unit to $330 from 7 November 2024 instead (the 14th day after it received Royal Assent). The amendments in paragraphs 6 and 7 below address this.


6. On page 20, in paragraph 83, and page 21, in paragraph 88, replace all references to 'which, on the penalty unit value at the time of introduction of this Bill' with 'which on the penalty unit value at the time of the addendum to the Explanatory Memorandum to the Bill'.

7. On page 21, in paragraph 91 replace all references to 'which, on the current penalty unit value' with 'which on the penalty unit value at the time of the addendum to the Explanatory Memorandum to the Bill'.

8. None of the changes to this section impact the compatibility of the Bill with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

NOTES ON CLAUSES

SCHEDULE 1 - Privacy reforms

Privacy Act 1988

Part 2 - APP Codes

Item 5 - After section 26G

9. The amendments in paragraphs 10 to 12 below address minor drafting errors in the 'Notes on Clauses' in the original Explanatory Memorandum.

10. On page 33, in paragraph 26 relating to section 26GB, after 'if the Minister is satisfied that' omit 'it is in the public interest to develop the code and for the Information Commissioner to develop the code, and for the code to be developed urgently' and replace with 'the code should be developed urgently, and that it is in the public interest to develop the code and for the Information Commissioner to develop the code'.

11. On page 33 in paragraph 30 after 'the Minister must be satisfied that' omit 'it is in the public interest to develop the temporary APP code and for the Information Commissioner to develop the code urgently.' and replace with 'the code should be developed urgently, and that it is in the public interest to develop the temporary APP code and for the Information Commissioner to develop the code'.

12. On page 34, in paragraph 38(b) after 'the Minister must be satisfied that' omit 'it is in the public interest to develop the code and the Information Commissioner should develop the code urgently' and replace with 'the code should be developed urgently, and that it is in the public interest to develop the code and for the Information Commissioner to develop the code'.

13. The amendments in paragraphs 14 and 15 of this Addendum to the Explanatory Memorandum provide additional information about the need to exempt temporary APP Codes from disallowance in response to comments of the Senate Standing Committee for the Scrutiny of Bills.

14. On page 34, in paragraph 37 omit 'It is necessary to exempt the instrument from disallowance to ensure that decisive action can be taken in urgent situations or where circumstances are rapidly evolving. This would establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the temporary APP code. Without an exemption, entities may be discouraged from meeting temporary APP code requirements, and not set up new processes or systems or change their practices until the disallowance period has concluded.'

15. On page 34, after paragraph 37 insert the following new paragraphs:

37A An exemption is necessary to ensure temporary APP codes achieve their intended policy objective as soon as they are operational. Temporary APP codes are intended to respond to urgent and exceptional situations where it is in the public interest to provide clarity and certainty on the requirements of the APPs. A temporary APP code may be developed to assist with the response to an emergency situation in which entities require clarity on how to comply with the APPs. An example cited in the Privacy Act Review Report of where a temporary APP code could have been employed was to instruct entities on how to comply with the APPs while collecting contact-tracing information during the COVID-19 pandemic. In an emergency or disaster situation, a temporary APP code may complement an emergency declaration which authorises certain personal information handling in an emergency situation.

37B The prospect of an instrument being subject to disallowance may discourage entities from shifting their information handling practices to comply with the instrument until the timeframe for dealing with a Disallowance Motion has passed. Given each of the instruments may only operate for up to 12 months from commencement, if entities delay complying with a temporary APP code until the timeframe for disallowance has passed (regardless of whether disallowance eventuates), this would substantially undermine the practical impact of an APP code. This would not be consistent with the policy intent, as the instruments are specifically intended to respond to urgent and exceptional scenarios.

37C If the instrument was disallowed, this would also cause significant inequities for those entities that had re-structured their information handling practices in reliance on the temporary APP code. Implementing new processes or systems involves monetary and staffing resources and time, as would reverting back to the original process if an instrument is disallowed. Certainty is needed for businesses to ensure they do not endure additional costs, particularly in the urgent and exception circumstances in which a temporary APP code would be made.

16. On page 35, in paragraph 39 omit '26G, 26GA,' and replace with '26GA and'. This corrects an incorrect cross reference.

Part 3 - Emergency declarations

Items 10 and 12

17. The amendments in paragraphs 18 and 19 below provide additional information about the need to exempt emergency declarations from disallowance in response to comments of the Senate Standing Committee for the Scrutiny of Bills.


18. On page 35, in paragraph 44 omit 'the instruments from disallowance to ensure that decisive action can be taken during an emergency or disaster. This would establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the emergency declaration. Without an exemption, entities may be discouraged from disclosing information where this may be time critical to prevent harm or render assistance to individuals at risk of harm.' and replace with 'the emergency declarations instruments from disallowance to:

   a. ensure emergency declarations achieve their intended policy objective as soon as they are operational. An emergency declaration is intended to enhance information exchange between Australian Government agencies, State and Territory authorities, private sector organisations, non-government organisations and others, in an emergency or disaster situation. It does this by establishing a clear and certain legal basis for the management of the collection, use and disclosure of personal information in emergency situations, such as managing information about deceased, injured and missing individuals involved in an emergency or disaster, whether in Australia or overseas.

   b. An emergency declaration ensures that entities can make clear and timely decisions on information exchange in order to deliver support and assistance to individuals through effective emergency management and response.

   c. The prospect of an instrument being subject to disallowance may discourage entities from making decisions about information exchange or from shifting their information handling practices to enable exchange of information until the timeframe for dealing with a Disallowance Motion has passed. This is likely to have a negative impact on individuals, particularly those who are reliant on the emergency declaration for support or to access services or payments during an emergency or disaster.

   d. Given that an emergency declaration may only operate for up to 12 months from commencement, if entities delay information exchange until the timeframe for disallowance has passed (regardless of whether disallowance eventuates) this would substantially undermine the policy intent and practical impact of an emergency declaration.

   e. If the instrument was disallowed, this would also cause significant inequities for those entities that had adjusted their information handling practices to facilitate information sharing in reliance on the emergency declaration. Implementing new processes or systems involves monetary and staffing resources and time, as would reverting back to the original process if an instrument is disallowed. Certainty is needed for businesses to ensure they do not endure additional costs, particularly during an emergency or disaster situation.

44A Examples of other instruments not subject to disallowance include National Emergency Declarations made under the National Emergency Declaration Act 2020 (Cth) in response to emergencies that could cause nationally significant harm in Australia.


19. On page 35, in paragraph 45 omit 'Further, a declaration has safeguards in the development process including:' and replace with 'In recognition of the need to ensure adequate checks and balances on the limitation of the personal rights and liberties of individuals who may be subject to emergency-related delegated legislation, the framework contains rigorous safeguards that apply to the development of a declaration including:'

Item 28 - After paragraph 80Q(2)(a)

20. The amendments in paragraphs 21 to 22 below clarify and provide additional information about how reversing the evidential burden of proof in subsection 80Q(2) complies with the Attorney-General's Department's Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers in response to comments of the Senate Standing Committee for the Scrutiny of Bills.

21. On page 39, in paragraph 69 omit 'the offence does not prohibit States or state officers from disclosing information that is' and replace with 'secondary disclosures by States or state officers are authorised where they are'.

22. On page 39, after paragraph 70 insert the following new paragraphs:

70A Paragraphs 80Q(2)(b) and 80Q(2)(ba) are additional circumstances in which secondary disclosure of personal information received under Part VIA is authorised.

70B A defendant bears the evidential burden of establishing any of the exceptions listed in subparagraph 80Q(2). This is because of the operation of subsection 13.3(3) of the Criminal Code which provides that a defendant who wishes to rely on any exception provided by the law creating an offence bears an evidential burden in relation to that matter. It is appropriate for the defendant to bear the evidential onus of proving these matters as they are matters that, by their nature, are peculiarly within the knowledge of the defendant.

70C The purposes for a secondary disclosure of personal information received under Part VIA by a person seeking to rely on subparagraph 80Q(2)(b) or (ba), in particular whether it was disclosed for the purposes of carrying out a State's constitutional functions, powers or duties or to obtain legal advice as to the operation of Part VIA, are within the knowledge of the person who made the disclosure.

70D Consistent with subsection 13.3(3) of the Criminal Code and the Guide to Framing Commonwealth Offences, proving the application of paragraph 80Q(2)(b) or (ba) so as to authorise a secondary disclosure of personal information received under Part VIA imposes only an evidential burden of proof on the defendant. It does not impose any legal burden. It requires the defendant to adduce or point to evidence that suggests a reasonable possibility that the purpose of the secondary disclosure was for an authorised purpose. An evidential burden is easier for a defendant to discharge, and does not completely displace the prosecutor's burden (it only defers that burden). For these reasons, it is appropriate for the defendant to bear the evidential burden of proving the defences.


Part 6 - Overseas data flows

23. The amendments addressed in paragraphs 24 to 25 provide additional information about the purpose and intended effect of prescribing a country or binding scheme subject to conditions and limiting the authorisation under APP 8.3 to disclosures where these conditions are satisfied. This responds to comments of the Senate Standing Committee for the Scrutiny of Bills requesting a justification for the inclusion of conditions in delegated legislation rather than in primary legislation.

24. On page 45 after paragraph 110, insert the following new paragraph:

110A The use of regulations to prescribe a country or binding scheme recognises that assessing whether another countries' laws provide substantially similar protections to those provided by the Australian Privacy Principles and whether there are accessible enforcement mechanisms is a technical determination. The use of regulations is also justified by the need for flexibility to ensure that prescriptions can be made and adjusted, to reflect changes in other countries' laws and binding schemes, without undue delay.

25. On page 45, in paragraph 111 omit 'For example, if a law or scheme only regulates certain types of entities, the regulations may limit disclosures to only these entities.' and replace with 'This recognises that the laws of a country and binding schemes may vary in relation to certain entities or classes of entities (e.g. insurers) or in relation to certain kinds of information (e.g. health information). For example, if a law or scheme only regulates certain types of entities, the regulations may limit disclosures to only these entities.

Part 7 - Eligible data breaches

Item 43 - At the end of Part IIIC

26. On page 46, in paragraph 122 omit '26XD' and replace with '26XB'. This corrects an incorrect cross reference.

27. The amendments in paragraph 28 below provide additional information about the need to exempt eligible data breach declarations from disallowance to respond to comments of the Senate Standing Committee for the Scrutiny of Bills on this issue in the context of emergency declarations.

28. On page 48, in paragraph 135 omit 'It is necessary to exempt the instrument from disallowance to ensure that decisive action can be taken in the event of an eligible data breach. This will establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the declaration. Without an exemption, entities may be discouraged from disclosing information where this may be time critical to prevent or reduce harm to individuals at risk from the eligible data breach.' and insert the following paragraphs:

135A. It is necessary to exempt eligible data breach declarations from disallowance to:

   a. ensure eligible data breach declarations achieve their intended policy objective as soon as they are operational. Eligible data breach declarations are intended to support the Commonwealth's coordination of responses to significant data breaches by enabling information exchange between Australian Government agencies, State and Territory authorities, private sector organisations, non-government organisations and others to prevent or reduce the risk of harm to individuals following a data breach.

   b. An eligible data breach declaration ensures personal information can be exchanged for the purpose of implementing harm prevention and mitigation measures for individuals whose information has been compromised in a data breach. For example, the entity that has experienced the data breach may provide information about the identity of an individual whose personal information has been subject to the data breach to a financial institution to enable it to take steps to detect and prevent any fraudulent activity on the individuals' bank accounts.

   c. The prospect of a declaration being subject to disallowance may discourage entities from shifting their information handling practices to enable exchange of information or implementing harm prevention and mitigation measures until the timeframe for dealing with a Disallowance Motion has passed. This is likely to have a negative impact on individuals at risk of harm arising from misuse of their personal information involved in a data breach, given the importance of a timely response.

   d. Given that an eligible data breach declaration may only operate for up to 12 months from commencement, if entities delay information exchange until the timeframe for disallowance has passed (regardless of whether disallowance eventuates) this would substantially undermine the policy intent and practical impact of an eligible data breach declaration.

   e. If an eligible data breach declaration were disallowed, this would curtail the ability of the Commonwealth executive to coordinate a response to a data breach that relied on the timely sharing of personal information to assist impacted individuals. It would also cause significant inequities for those entities that had adjusted their information handling practices to facilitate information sharing in reliance on the declaration. Implementing new processes or systems involves monetary and staffing resources and time, as would reverting back to the original process if an instrument is disallowed. Certainty is needed for businesses to ensure they do not endure additional costs, particularly while responding to potential harm arising from a data breach when response teams are already under time pressure.

29. The amendments in paragraphs 30 and 31 below clarify the exceptions in subsection 26XC(2) to the offence provision subsection 26XC(1) and provide additional information about how reversing the evidential burden of proof in subsection 26XC(2) complies with the Criminal Code and the Attorney-General's Department's Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers in response to comments of the Senate Standing Committee for the Scrutiny of Bills.

30. On pages 50-51, omit subparagraphs a - h of paragraph 148 and replace with the following subparagraphs:


   a. made by an APP entity where it is permitted by an APP, a registered APP code that binds the entity or a rule pertaining to tax file number information issued under section 17,

   b. made for the purposes of carrying out a State's constitutional functions, powers or duties,

      i. This ensures secondary disclosures by States or state officers are authorised where they are necessary for the performance of State constitutional functions or functions that are inherently connected to the government of the State.

      ii. The relevant State privacy protections (if any) would apply to the further use and disclosure of the information by the State.

   c. made for the purposes of obtaining or providing legal advice in relation to the operation of Division 5, Part IIIC,

      i. For example, this would allow an entity to seek legal advice on either the operation of the declaration or in relation to a contravention of the offence in subsection 26XC(1).

   d. authorised by the declaration under s26XB,

   e. made with the consent of the individual to whom the information relates,

   f. made to the person to whom the information relates,

   g. made to a court, and

   h. prescribed by the regulations.

31. On page 51, in paragraph 149 omit 'The details of the evidential burden are contained in subsection 13.3(3) of the Criminal Code. It is appropriate for the defendant to bear the onus of proving these matters as they are matters that, by their nature, are peculiarly within the knowledge of the defendant.' and replace with the following new paragraphs:

149A A defendant bears the evidential burden of establishing any of the exceptions listed in subparagraph 26XC(2). This is because of the operation of subsection 13.3(3) of the Criminal Code, which provides that a defendant who wishes to rely on any exception provided by the law creating an offence bears an evidential burden in relation to that matter. It is appropriate for the defendant to bear the evidential onus of proving these matters as they are either matters that, by their nature, are peculiarly within the knowledge of the defendant or where proof by the prosecution of a particular matter would be extremely difficult or expensive whereas it could be readily and cheaply provided by the accused.

149B The purposes for a secondary disclosure of personal information received under Division 5, Part IIIC by a person seeking to rely on subparagraph 26XC(2) are within the knowledge of the person who made the disclosure or can be readily or cheaply provided by them. This is in contrast to the prosecution. The matters listed in section 26XC(2) are broad such that requiring the prosecution to disprove that any of the circumstances existed would require the prosecution to go to significant lengths to identify whether any of those circumstances existed. Placing the evidential burden of proof on the person who disclosed the personal information helps narrow the scope of the issue.

149C Consistent with subsection 13.3(3) of the Criminal Code and the Guide to Framing Commonwealth Offences, proving the application of subparagraph 26XC(2) so as to authorise a secondary disclosure of personal information received under Division 5, Part IIIC imposes only an evidential burden of proof on the defendant. It does not impose any legal burden. It requires the defendant to adduce or point to evidence that suggests a reasonable possibility that the purpose of the secondary disclosure was for an authorised purpose. An evidential burden is easier for a defendant to discharge, and does not completely displace the prosecutor's burden (it only defers that burden). For these reasons, it is appropriate for the defendant to bear the evidential burden of proving the defences.

Part 9 - Federal court orders

Item 59 - At the end of Division 1 of Part VIB

32. On page 57, in paragraph 192 after 'Subsection 80UA(1) provides the' insert 'FCA and'. This corrects a minor error in the Explanatory Memorandum.

Part 10 - Commissioner to conduct public inquiries

Item 63 - After Division 3A of Part IV

33. On page 61, in paragraph 219(b) omit '47' and replace with '67'. This corrects a minor error in the Explanatory Memorandum.

Part 14 - Monitoring and investigation

Item 85 - Before Division 1 of Part VIB

34. The amendments in paragraphs 35 to 36 below correct minor errors in the Explanatory Memorandum.

35. On page 72, replace paragraph 299 with, 'The use of force against things remains necessary in this context, as it would enable authorised persons executing a monitoring warrant to facilitate access onto the premises if the occupier is not in attendance or is non-compliant. The power would also permit an authorised person to open locked doors, cabinets and other similar objects, as well as electronic equipment, that the authorised person reasonably suspects contain things or information that would provide evidence demonstrating:

   a. whether a provision or matter subject to monitoring has not been, or is not being, complied with, or

   b. the correctness of information subject to monitoring that has been given in compliance, or purported compliance, with a provision requiring information to be given.'

36. On page 75, at the end of paragraph 318 omit 'are authorised applicants'.

Part 15 - Automated decisions and privacy policies

Item 88 - At the end of clause 1 of Schedule 1

37. The amendment in paragraph 38 below responds to concerns raised by submitters and recommendation 5 of the Senate Legal and Constitutional Affairs Legislation Committee in its report following the inquiry into the Bill.

38. On page 79, after paragraph 341(c) insert the following new paragraph:

341A APP 1.7 is intended to increase transparency about the use of personal information in the operation of computer programs which solely make decisions, or which substantially and directly make decisions, that could reasonably be expected to significantly affect individuals' rights or interests. The obligation on entities to include information in their privacy policy about the kinds of personal information used in such computer programs and the kinds of such decisions is not expected to include commercial-in-confidence information about automated decision-making systems.

SCHEDULE 2 - Serious invasions of privacy

Item 10

39. The amendments in paragraph 40 below respond to concerns raised in submissions to the Senate Legal and Constitutional Affairs Legislation Committee about the broad scope of the definition of 'misusing information.'

40. On page 84, in paragraph 380, after 'Storing, interfering with or modifying information could also be ways in which information may be misused.' insert 'Not every collection, use or disclosure of information about an individual (or other information handling activity) will constitute an actionable invasion of privacy. However, privacy may be invaded by or in the course of misusing information, provided all the elements of the cause of action are established (see paragraph 386).'

41. On page 86, in paragraph 396 omit '10(5)(d)' and replace with '7(5)(d)'. This corrects an incorrect cross reference.

42. On page 86, in paragraph 398, after 'The listed factors in this paragraph are inherently private (for example, intimate, health or family information).' insert 'However, the tort would be unlikely to affect the proper activities of healthcare providers given all the elements, high thresholds and defences included.'

43. On page 86, in paragraph 400, after 'Matters that are relevant to determining whether the plaintiff has a reasonable expectation of privacy may also be considered as part of the balancing of public interests, or be the subject of a separate defence.' insert 'The elements of the tort should ensure that legitimate practices, such as medical care and research, do not attract liability. For example, it would be highly unlikely an individual could establish they had a reasonable expectation of privacy and there was no countervailing public interest in relation to their medical history, in the context of its use when engaging with a healthcare provider to support the diagnosis and treatment of a family member. Similarly, it would be expected that the strong public interest in broadly beneficial medical research, if conducted appropriately, would outweigh a single individual's interest in their own privacy.'

44. On page 88, replace paragraph 419 with, 'The list is not intended to be exhaustive; other important countervailing public interests not included in the list may be engaged in the circumstances of a particular case. For example: the public interest in the protection of vulnerable persons, including children.'

45. On page 89, in paragraph 430, replace the words 'directly entailed by a law' with 'necessary to give effect to a statutory scheme'.

SCHEDULE 3 - Doxxing offences

Item 1

46. The amendments in paragraphs 45 and 46 below respond to concerns raised in submissions to the Senate Legal and Constitutional Affairs Legislation Committee about the potential broad scope of the doxxing offences.

47. On page 99 after paragraph 496, insert the following new paragraphs:

496A This offence is not intended to criminalise legitimate conduct such as media reporting, political commentary or public debate on matters of public interest, for example, which routinely involve journalists and commentators identifying key figures and sharing information about their movements and engagements. This is because such conduct is not typically done so in a manner that reasonable persons would regard as being menacing or harassing. The offence will not criminalise legitimate protest activity that would be consistent with the implied right of freedom of political communication.
496B While the new offence may capture personal data that is already public (doxxing conduct can involve both public and private information), this offence is also not intended to criminalise the legitimate reposting of personal data. The mere reposting of such data that is not done in a menacing or harassing manner should not be criminalised. For example, a person makes available personal data, such as the name of an individual and contact information, for an Australian business or place of worship online, in a manner that would not constitute menacing or harassing behaviour.

48. On page 102 after paragraph 511, insert the following new paragraphs:

511A This offence is not intended to criminalise legitimate conduct such as media reporting, political commentary or public debate on matters of public interest, for example, which routinely involve journalists and commentators identifying key figures and sharing information about their movements and engagements. This is because such conduct is not typically done so in a manner that reasonable persons would regard as being menacing or harassing. The offence will not criminalise legitimate protest activity that would be consistent with the implied right of freedom of political communication.


511B While the new offence may capture personal data that is already public (doxxing conduct can involve both public and private information), the offence is also not intended to criminalise the legitimate reposting of personal data. The mere reposting of such data that is not done in a menacing or harassing manner should not be criminalised. For example, an offence should not be committed where a person distributes personal data (such as a telephone number, work or business address, email address or image) online of an elected representative to support the community for the purposes of engagement or political campaigning, where the distribution of that data does not constitute menacing or harassing behaviour.


 

