Essential Guide: Privacy Act Reforms

WRITTEN BY Katie Innes

The Privacy and Other Legislation Amendment Bill 2024 (Cth) received Royal Assent on 10 December 2024 and is now the Privacy and Other Legislation Amendment Act 2024 (Cth), introducing new obligations and considerations for businesses. This Act is only the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act), which has been the subject of a series of reviews aimed at keeping the legislation relevant in the digital age. This essential guide provides an overview of the key amendments and how they affect your business, with a particular focus on the new compliance requirements.

Overview of the changes

Some of the key reforms which now appear in the Privacy Act are:  

  1. the creation of a new statutory tort of “serious invasion of privacy”;[1]
  2. the obligation to develop a Children’s Online Privacy Code (COP Code);[2]
  3. new automated decision-making disclosure within privacy policies;[3]
  4. the creation of a ministerial power to make new Australian Privacy Principle (APP) Codes, both temporary and otherwise;[4]
  5. simpler international data transfers;[5] and
  6. new tiered civil penalties and enhanced regulator powers.[6]

Compliance requirements and business impacts

Statutory tort for serious invasions of privacy

The reforms create a new cause of action allowing individuals to sue for serious invasions of their privacy through civil proceedings. The tort is made out where a person or entity intentionally or recklessly intrudes upon the plaintiff’s seclusion[7] or misuses information relating to them, in circumstances where the plaintiff had a reasonable expectation of privacy and the invasion was serious. A crucial feature is the public interest test: the plaintiff must show that the public interest in their privacy outweighs any countervailing public interest, such as freedom of expression.

The crucial consequence of the statutory tort for businesses is that it extends the reach of the Privacy Act beyond the select entities currently bound by it. While most of the Privacy Act applies only to “APP entities”[8], the tort is deliberately drafted to apply to individuals and entities more broadly. This means that entities such as small businesses (with an annual turnover under $3 million), which are not currently bound by the Act at all, are potentially liable under this tort.

To limit potential liability, businesses should review their current practices, procedures and systems and consider whether further measures are needed to put them in a more defensible position against claims.

COP Code

The COP Code, once developed, will apply to APP entities that provide online or electronic services likely to be accessed by children, together with any other APP entities listed in the Code. While the amendments oblige the Office of the Australian Information Commissioner (OAIC) to develop the COP Code, the specific obligations it will contain are not yet settled. The reforms give the OAIC until 10 December 2026 to develop the Code, which is likely to align with similar instruments in other jurisdictions, such as the United Kingdom’s Age Appropriate Design Code.

The main targets appear to be social media services, relevant electronic services and designated internet services that handle children’s personal information, as those terms are defined in the Online Safety Act 2021.[9] However, the OAIC can also list other APP entities to be bound by the COP Code as part of its development.

If your business provides any of these online services, or otherwise handles children’s personal information, you should start assessing how children and teenagers interact with your platform or business so you are prepared to respond once the details of the COP Code are published.

Inclusion of automated decision-making details

The amendment to APP 1 requiring entities to include details of automated decision-making in their privacy policies is a clear attempt to respond to recent developments in AI and to begin governing how such systems use personal information.

Under the new requirement, a privacy policy must set out the kinds of personal information used by a computer program to make decisions, the kinds of decisions made solely by the program, and the kinds of decisions in which the program does something substantially and directly related to making the decision. The requirement is not limited to AI: any automated decision-making is caught. It applies only where the decision could reasonably be expected to significantly affect an individual’s rights or interests and personal information is used in making it. This transparency requirement commences on 10 December 2026, 24 months after Royal Assent.

Businesses should assess whether any of their automated functions or AI features meet these criteria. Notably, the amendment does not require businesses to change the way they use automated systems or AI; it only requires them to be transparent about what decisions their programs make and what personal information they use in doing so.

Technical and organisational measures

APP 11 requires entities to take such steps as are reasonable in the circumstances to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The reforms add a new APP 11.3, which makes clear that those reasonable steps include “technical and organisational measures”.

Technical measures are those implemented physically or technologically, such as security locks, anti-virus software and multi-factor authentication. Organisational measures are the processes and policies you put in place to manage the collection, use and handling of personal information, such as controlling who can access information and training staff.

If your business already follows the OAIC’s best practice guidance on ‘reasonable steps’, this new requirement should not be a major disruption. If anything, the amendment codifies and makes binding the practices many businesses have already adopted in line with the OAIC’s recommendations.[10] Nevertheless, measures that were once merely recommended are now required in order to remain compliant with the Act.

Overseas data sharing

This reform establishes a mechanism for prescribing which foreign laws and binding schemes substantially align with the APPs. Before the reforms, APP 8 required an entity disclosing personal information to an overseas recipient to take reasonable steps to ensure the recipient did not breach the APPs, unless an exception applied, such as the entity reasonably believing the recipient was bound by substantially similar protections, or the individual giving informed consent. The entity itself had to make that judgement. Now a ‘whitelist’ of countries and schemes can be prescribed by regulation, reducing the cost to businesses of researching foreign laws and the liability they could incur by getting that judgement wrong.

Enforcement and penalties

The reforms also introduce new enforcement measures that will likely result in a higher level of OAIC enforcement activity. Given the enhanced regulatory powers outlined below, businesses should review their current level of compliance and address any gaps, particularly in relation to the APPs.

Power to conduct public inquiries

The OAIC will now have the power to conduct public inquiries into specified privacy-related matters, either at the direction or with the approval of the Minister. It will be able to examine any acts or practices that may adversely affect the privacy of the public. In contrast to its existing investigative powers, which focus on particular entities, this power is aimed at broader, systemic issues. A public inquiry results in a published report of the OAIC’s findings. The provision applies retrospectively: conduct that occurred before the amended Act commenced can be the subject of an inquiry.

New investigative and monitoring powers

The reforms also give the OAIC considerably stronger investigative powers. Notably, the OAIC will be able to:

  • enter premises, provided it holds a judicial warrant or has the informed and voluntary consent of the occupier;
  • seize evidence, including material not covered by the warrant; and
  • use reasonable and necessary force in executing a search.

This gives the OAIC a more concrete means of enforcing privacy protections and uncovering unlawful conduct by businesses and other entities alike. Separately, the reforms allow the Minister to make a declaration following an eligible data breach that temporarily suspends the Act’s restrictions on information sharing and disclosure, so that entities can share the information needed to prevent or reduce harm from the breach.

New tiered penalty regime and court powers

The reforms also introduce a tiered approach to civil penalties that significantly broadens the range of conduct that can be penalised under the Act. Previously, the highest civil penalty under the Act applied to serious or repeated interferences with privacy and, for a body corporate, was the greater of $50 million, three times the benefit obtained from the conduct, or 30% of the entity’s adjusted turnover for the relevant period. Under the new tiered regime this remains the highest available penalty, but it now attaches to any serious interference with privacy, with the Act listing factors relevant to whether an interference is serious. The threshold for incurring the top-tier penalty is therefore much lower.

Two lower tiers now exist: a mid-tier civil penalty (2,000 penalty units) for interferences with privacy that do not meet the seriousness threshold, and a lower tier (200 penalty units) for specified administrative breaches, such as deficiencies in a privacy policy or collection notice. For bodies corporate the applicable maximum is five times the stated number of penalty units. For the administrative tier, the OAIC does not need to apply to a court and can issue an infringement notice directly.

The courts also have new powers to make orders in connection with these penalties, including ordering the payment of damages and requiring an entity to redress the loss or damage it has caused. The most notable change, however, is that individuals can now apply for these orders themselves rather than relying on the OAIC to do so. This clearly creates far more opportunities for a business’s conduct to come under scrutiny or be penalised under the new regime.

What’s excluded?

Tranche 2 of the Privacy Act reforms is expected later this year or in 2026, with potential amendments in the following areas:

  • the introduction of a ‘fair and reasonable’ test for the collection, use and disclosure of personal information, applying even where the individual has consented;
  • the potential removal of the employee records and small business exemptions, which would require significant investment in privacy compliance by entities that currently rely on them (and which have attracted criticism from other jurisdictions);
  • additional individual rights modelled on the EU General Data Protocol Regulation, such as the right to erasure (the ‘right to be forgotten’); and
  • the expansion of the definition of ‘personal information’ to cover online identifiers and other information that can be used to target individuals, even without revealing their legal identity.

Conclusion

The heightened capacity for individuals to enforce their rights to privacy, and the expansion of the OAIC’s powers, means that non-compliance with the Act is far more likely to come under scrutiny and attract penalties.

To ensure your privacy policies and internal processes satisfy the latest reforms, please get in touch with the Business & Commercial team on 02 6274 0999.


[1] Schedule 2 of the Privacy Act.

[2] Section 26GC of the Privacy Act.

[3] Schedule 1, Clause 1 of the Privacy Act.  

[4] Section 26GA and 26GB of the Privacy Act.

[5] Schedule 1, Clause 8 of the Privacy Act.

[6] Sections 13G to 13K, Division 1B, and sections 80UD and 58 of the Privacy Act.

[7] An intrusion into seclusion might be physically entering someone’s private space or conducting unauthorised surveillance of them.

[8] “APP entity” refers to an agency (a federal government entity and/or office holder) or an organisation (including an individual, body corporate, partnership, unincorporated association or trust): section 6(1) of the Privacy Act.

[9] Sections 13, 13A and 14 of the Online Safety Act 2021.

[10] https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/privacy-management-framework-enabling-compliance-and-encouraging-good-practice#step-3-evaluate-your-privacy-practices-procedures-and-systems-to-ensure-continued-effectiveness.