Now is the time for organisations to review and uplift their privacy compliance frameworks. The Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill), which amends the Privacy Act 1988 (Cth) (the Privacy Act) and various other Acts to enhance individuals’ privacy protections, was passed on 29 November 2024 and received Royal Assent on 10 December 2024. It is now law.
Key Changes
The Bill is the first step in Australia’s broader privacy law reforms. We have previously addressed in detail here the key changes introduced by this first tranche of amendments. As the Bill has now passed, these items should be high on organisations’ agendas, both to ensure compliance and to address the significant step up in litigation, regulatory and enforcement risks that they represent.
Most amendments came into force on 11 December 2024, the day after the Bill received Royal Assent; some measures have grace periods, noted below.
The key changes, together with their commencement dates, are as follows:
- Privacy Policies: Organisations using personal information in automated decision-making (including decisions made, or substantially and directly contributed to, by AI or any computer program), where the decision could reasonably be expected to significantly affect the rights or interests of an individual, must update their privacy policies to disclose their use of automated decision-making. When: In effect from 11 December 2026 (24-month grace period).
- Statutory Tort: A new statutory tort for serious invasions of privacy has been introduced, providing individuals with a right to sue for damages for serious breaches of their privacy (for example, data hacks or dissemination of information, where sufficiently serious). Recklessness or intent will be required, but claims can be brought without proof of loss (e.g. for emotional distress). When: In effect from a date to be fixed, but no later than 10 June 2025.
- Data Security, Retention and Destruction: The reasonable steps organisations must take to protect, secure, destroy and/or de-identify personal information under APP 11 now expressly include both technical and organisational measures. When: In effect from 11 December 2024.
- Federal Court Orders: Individuals will also have the right to apply for orders, including damages awards, where the Federal Court finds that an organisation has contravened a civil penalty provision of the Privacy Act. When: In effect from 11 December 2024.
- Cross-Border Data Transfers: A certification-style mechanism will be introduced to enable free flows of data to prescribed countries and binding schemes. It is expected that (at least) the UK and the EU will be ‘white listed’ in this way. When: In effect from 11 December 2024 (countries and binding schemes are yet to be prescribed).
- Penalties and Enforcement Tools: Expanded OAIC investigation and enforcement tools and a new tiered civil penalty system have been introduced, with a range of penalties for both serious and mid-tier privacy interferences, as well as new OAIC powers to issue infringement notices and compliance notices for more minor breaches of the Privacy Act. When: In effect from 11 December 2024.
- Doxxing: The practice of doxxing has been criminalised, with new offences for online disclosures of personal data in a way that is menacing or harassing. When: In effect from 11 December 2024.
- Children’s Privacy: A Children’s Online Privacy Code will be developed, stipulating how the APPs are to apply in the context of children’s privacy. When: To be developed by 10 December 2026.
Final Amendments to the Bill
The Bill passed through the Senate with several relatively minor changes, the most notable of which we canvass below:
Compliance Notices
Compliance notices have been introduced as a new discretionary mechanism to address breaches of certain Australian Privacy Principles (APPs), as an alternative to infringement notices or enforceable undertakings. The Office of the Australian Information Commissioner (OAIC) may issue a compliance notice directing an APP entity to remedy an alleged breach. Such a notice is intended to give the entity an opportunity to address the breach through practical and measurable steps. Failure to comply with a compliance notice exposes the entity to an infringement notice or a civil penalty (not exceeding 200 penalty units; currently $330,000 for a body corporate). Where an APP entity complies with the notice, it will not be taken to have breached, or to have admitted a breach of, the relevant APP.
Statutory Tort for Serious Invasions of Privacy
The Bill was amended to incorporate an additional element to the new statutory tort for serious invasions of privacy. In short, the public interest in the plaintiff’s privacy must outweigh any countervailing public interest. A non-exhaustive list of what may constitute a “countervailing public interest” is prescribed, including:
- freedom of expression (including political communication and artistic expression);
- freedom of the media;
- the proper administration of government;
- open justice;
- public health and safety;
- national security; and
- the prevention and detection of crime and fraud.
The Supplementary Explanatory Memorandum to the Bill makes clear that these amendments are intended to promote the right to freedom of expression and to ensure that balancing public interest is an “essential element of the cause of action in every case, rather than only in those cases in which the defendant has adduced evidence of a public interest in the invasion of privacy”.1
Certain further exemptions from the statutory tort were also incorporated, including for State and Territory agencies and authorities and journalistic materials.
Next Steps
Now that the amendments have passed into law, organisations should be prioritising compliance across their business with the uplifted privacy requirements.
In particular:
- If they have not already, organisations should conduct a review of their privacy and data governance frameworks and systems, to assess compliance with the Privacy Act and identify any areas requiring uplift, having regard to both continuing and new obligations.
- Privacy policies, collection notices, data breach notification procedures and other inward and outward facing policies and procedures should be reviewed. Organisations should assess whether their representations with respect to data handling and protection practices are accurate, compliant and not misleading.
- Any APP entity which incorporates, or is considering incorporating, automated decision-making using personal information should make any necessary updates to its privacy policy in line with the incoming obligations.
- Organisations should take active steps to ensure that they are implementing appropriate technical and organisational measures to protect, secure, destroy and de-identify the personal information they handle. Such measures may include robust data protection policies and systems, retention and destruction policies, data encryption, access restrictions and staff training.
- Comprehensive records should be kept to demonstrate compliance, care and diligence, with ongoing oversight and monitoring to rectify any compliance gaps.
Further, boards should reassess their organisations’ privacy risk in view of the increased scope for litigation and regulatory action arising from this first round of reforms. Particular attention should be paid to the statutory tort, the enhanced Federal Court powers and the new range of penalties and enforcement tools. These changes mark an important escalation in the legal, financial and reputational consequences for organisations that fall short in their privacy practices.
While this initial suite of reforms is significant, yet measured, the progress and timing of the next tranche of privacy law reforms remains to be seen pending the 2025 federal election.
Key Takeaways:
- On 10 December 2024 the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) received Royal Assent.
- APP entities need to ensure immediately that they are implementing both technical and organisational measures to protect, secure, destroy and/or de-identify personal information under APP 11.
- A statutory tort for serious invasions of privacy has been introduced and will take effect on or before 10 June 2025.
- APP entities will have until 11 December 2026 to update their privacy policies to disclose the use of automated decision-making processes.
- APP entities should be mindful that a new tiered penalty system and a right for individuals to apply for damages awards and other orders against APP entities for breaches of the Privacy Act have been introduced with immediate effect.
- Following the release of a list of “prescribed countries” (expected to include the UK and EU), the cross-border transfer of personal information to a prescribed country will be simplified.
- Doxxing, that is, disclosing personal data in a way that is menacing or harassing, is now a criminal offence.
- A Children’s Online Privacy Code will be developed by 10 December 2026.
Footnotes:
- The “public interest” test in the original version of the Bill required a defendant to adduce evidence of a public interest in the invasion of privacy, with the onus then placed on the plaintiff to establish that this was outweighed by the public interest in protecting the plaintiff’s privacy.