Australian Privacy Law Reforms Take Effect: New Powers, New Obligations
January 29, 2025
After a long and winding journey of four years of proposals, discussions and drafts, Australia’s Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024.[1] In parallel, Australia’s Privacy Act 1988 (Cth) (Privacy Act) is undergoing its first substantive amendments since 2012, which are expected to be an initial tranche of broader future reforms.[2] Data privacy expert Tim de Sousa summarises the new reforms in this article.
Privacy Law Reforms Now in Force
Penalty Notice Powers
The Office of the Australian Information Commissioner (‘OAIC’) now has a mid-tier civil penalty option for “interferences with privacy” that are not “serious.” This will make it easier for the OAIC to seek a civil penalty order in the Federal Court; the penalty is set at 2,000 penalty units (AUD660,000) for persons and 10,000 penalty units (AUD3.3 million) for companies.[3]
The OAIC’s new penalty notice powers are also now in force. The OAIC can now issue penalty notices for up to 200 penalty units (AUD66,000) for certain administrative “interferences with privacy,” including:
- Failing to have a compliant privacy policy (Australian Privacy Principle (APP 1))
- Failing to allow people to interact anonymously or pseudonymously (APP 2)
- Failing to comply with direct marketing requirements (APP 7)
- Failing to comply with requirements for effecting correction requests (APP 13)
The penalty is calculated per contravention, so multiple issues will result in a larger total fine.[4]
APP 11: Technical and Organisational Measures
This provision explicitly states that entities covered by the Privacy Act (APP entities) must take “reasonable steps” to keep personal information secure, and that those steps include “technical and organisational measures.”[5] In practice, organisations will need both documented policy and governance and the technical measures that implement those policy objectives in the day-to-day operation of their business.
APP 8: Whitelisted Countries for International Data Transfers
The Governor-General may now whitelist countries for the purposes of APP 8 and overseas data flows. APP entities will be permitted to transfer personal information to whitelisted countries without needing to comply with additional measures. However, no countries have yet been whitelisted; the initial set of approved jurisdictions is expected to be published in the coming months.[6]
Children’s Privacy
The OAIC will need to start development of the Children’s Online Privacy Code, which will provide additional binding regulation on how the APPs apply to the handling of children’s personal information. This code will specifically address any “social media service, relevant electronic service or designated internet service.”[7] These codes typically take 12 months to develop and the code is therefore expected in December 2025.
Doxxing
The criminal offence of releasing personal information for the purpose of menacing or harassing, known as doxxing, is now in force.
Privacy Law Reforms on the Horizon
Statutory Tort for Serious Invasions of Privacy
Taking effect by or before 10 June 2025, this provision will open the door for successful privacy class actions. Individuals will have the right to take action against those alleged to have intruded upon their seclusion or misused their personal information in the following circumstances:
- There was a reasonable expectation of privacy
- The misuse or intrusion was intentional or reckless
- The invasion of privacy was serious
- The public interest in the plaintiffs’ privacy outweighed any countervailing public interest (such as freedom of expression, public health and safety, and national security)
“Misuse” is purposely broad and not limited to inappropriate use. It can include over-collection, inappropriate disclosure or storage, and interfering with or modifying personal information, amongst other violations. Intrusion or misuse can relate to a person’s physical being (e.g., surveillance) or to their personal information (e.g., records).
Notably, plaintiffs will not need to show damage when bringing action, a point of contention in previous privacy class action attempts. However, defences are available. These include where the action was authorised by Australian law, the individuals consented to the alleged interference or the action was necessary to prevent a threat to life.
Automated Decision-Making Transparency
The reforms introduce transparency requirements for the use of automated decision-making (the use of computer systems and/or artificial intelligence to make decisions without human intervention). APP entities will need to ensure their privacy policies disclose:
- Instances of personal information used within automated decision-making systems
- Decisions made solely by computers without human intervention
- Decisions in which a computer system does something substantially and directly related to making the decision (APP 1.8)
To comply, APP entities will need to understand how automated decisioning is used throughout their organisations and what personal information those systems consume, and then form a view on which uses meet these requirements. With the rapid proliferation of artificial intelligence across business use cases, this may be a challenge. While this requirement isn’t scheduled to take effect until December 2026, given the increasing public concern, the risk to public trust and the potential logistical challenge, APP entities are strongly recommended to be proactive about addressing this issue.
For help navigating Australia’s new privacy law reforms, contact Tim de Sousa.
Footnotes:
[1] “Privacy and Other Legislation Amendment Bill 2024,” Parliament of Australia, 10 December 2024.
[2] “Long Awaited First Tranche of Amendments to the Privacy Act 1988 (Cth) Tabled,” Tim de Sousa, FTI Consulting, 1 October 2024.
[3] “Privacy and Other Legislation Amendment Bill 2024,” Parliament of Australia, 10 December 2024.
[4] Ibid.
[5] Ibid.
[6] Ibid.
[7] Ibid.