On 10 December 2024, the Privacy and Other Legislation Amendment Bill 2024 (Cth) – the first stage of Australia's long-awaited privacy law reforms – received Royal Assent. Now known as the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), it introduces several significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), many of which came into effect immediately upon assent.
MinterEllison has prepared a detailed overview of these amendments, Privacy Milestone: First Tranche of Privacy Reforms Passed.
Below is a summary of the key changes to the Privacy Act introduced by the Amendment Act, along with their commencement dates:
- New Statutory Cause of Action for Serious Invasions of Privacy:
Individuals can take legal action against organisations or individuals for serious invasions of privacy. This includes intrusions into personal seclusion or misuse of personal information.
Effective on a date to be fixed on or by 10 June 2025.
- Automated Decision-Making:
New transparency obligations require organisations to update their privacy policies to disclose when decisions are made using automated processes.
Effective on 10 December 2026.
- Doxxing Offence:
New measures have been introduced to combat doxxing, making it illegal to share someone’s personal information with the intent to harm. This offence is punishable by up to 7 years’ imprisonment.
The amendments have been proposed in the Amendment Act but the doxxing offence is not yet effective. The new measures will undergo an independent review, and a report of this review must be provided within 6 months of the review’s commencement. The exact date for the review’s start has not yet been specified.
- Children's Online Privacy Code:
The Office of the Australian Information Commissioner (OAIC) is required to develop a code addressing online privacy for children. There will be a consultation period of 60 days.
Children’s Online Privacy Code to be developed and registered by 10 December 2026.
- Overseas Dataflows, Whitelist Powers:
Ministerial powers to 'whitelist' countries that provide substantially similar privacy protections, to assist entities disclosing personal information overseas. As yet, no official whitelist has been announced.
Effective on 11 December 2024.
- New Civil Penalty and Powers to Issue Infringement and Compliance Notices:
The OAIC has been granted new powers to issue infringement notices and compliance notices. A failure to comply with a compliance notice may result in the imposition of civil penalties.
Effective on 11 December 2024.
- Clarification on Required Steps to Protect Personal Information:
The Privacy Act requires that ‘reasonable steps’ be taken to protect the security of personal information. The Amendment Act has clarified that this includes implementing ‘technical and organisational measures’.
Effective on 11 December 2024.
These amendments signal a transformative shift in Australia's privacy law regime, ushering in substantially enhanced privacy protections. For Australian organisations, as well as for overseas entities that carry on business in Australia, this evolving landscape presents an opportunity to reassess privacy policies and practices – not merely to ensure compliance, but to lead in the lawful and ethical handling of personal information.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy and data protection and cyber security. Please contact us if you would like assistance in understanding these changes and how they may affect your organisation.