Major reform to Australian privacy laws calls for privacy prioritisation

A close-up of a metal padlock hanging on a teal-coloured door.

In response to recent high-profile data breaches in Australia, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Act) was fast-tracked and received royal assent on 12 December 2022. The Act implements the most significant reforms to Australia's privacy laws since the commencement of the Notifiable Data Breaches scheme in 2018.

The Act amends the law in relation to privacy by:

  • expanding the extraterritorial reach of the Privacy Act 1988 (Cth) (Privacy Act)
  • significantly increasing penalties for serious or repeated interferences with privacy
  • strengthening the Notifiable Bata Breaches scheme
  • introducing new information sharing powers for the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA); and
  • enhancing the powers of the OAIC to investigate and resolve privacy breaches

As a result of the above changes and increasing regulatory scrutiny of the privacy practices of APP entities, organisations are urged to review and strengthen processes and systems to ensure compliance with the Privacy Act and related legislation.

With additional privacy reform on the Australian Government's agenda for 2023, the new year is the perfect time for organisations to review privacy practices and reset, ready for a year of further anticipated reform. This includes understanding what data you hold; where your data is stored, and de-identifying or destroying personal information that is no longer needed.

Key changes and their implications

Expansion of the extraterritorial reach of the Privacy Act

An overseas business is bound to comply with the Privacy Act if the business has an "Australian link". Previously, to establish an "Australian link" the overseas business would need to:

  • carry on business in Australia or an external territory; and
  • collect or hold personal information in Australia or an external territory

The Act removes the second requirement, with the effect that foreign organisations that do not collect or hold Australian personal information directly from a source in Australia are now subject to the Privacy Act if they carry on business in Australia.

The Australian Information and Privacy Commissioner, Angelene Falk considers this change a beneficial simplification of the extraterritoriality provisions, commenting that "the simplification mitigates against overseas companies avoiding the jurisdiction based on complex structural and technical matters".

The change also reflects the data collection practices adopted by businesses in a digital economy. For example, foreign businesses may collect personal information of Australians from digital platforms that do not have servers in Australia and therefore are not considered to be "in Australia". Under the new definition of the "Australian link", the foreign business will be bound by the Privacy Act, even if it has collected Australians' personal information from a digital platform.

Significantly increased penalties for serious or repeated interferences with privacy

The Act increases the civil penalty for serious or repeated interferences with privacy:

  • for a person other than a body corporate, to $2.5 million; and
  • for a body corporate, to an amount not exceeding the greater of:
    • $50 million,
    • three times the value of the benefit obtained from the conduct constituting the serious or repeated interference with privacy, if the court can determine this value, or
    • if the court cannot determine the value of the benefit, 30% of the body corporate's adjusted turnover in the relevant period

The new penalties far exceed previously flagged penalties under the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The Commissioner has said the updated penalties will help to incentivise compliance and "bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation”.

Strengthened Notifiable Data Breaches scheme

The Act strengthens the existing Notifiable Data Breaches scheme by empowering the Commissioner to request information and documents from an APP entity about an actual or suspected eligible data breach and conduct assessments of an entity's compliance with the scheme.

The information or documents requested may relate to:

  • whether the entity is required to comply with one or more of those requirements
  • the conduct or events that led to, or may have led to, the application of one or more of those requirements to the entity
  • the actions taken by the entity to comply with one or more of those requirements
  • the actual or suspected eligible data breach that has, or may have, happened
  • the particular kind or kinds of information involved in the actual or suspected eligible data breach; or
  • the steps taken to notify individuals affected by the actual or suspected eligible data breach

An entity is not required to disclose information or documents to the Commissioner if the Attorney-General issues a certificate certifying that providing such information or documents to the Commissioner would be contrary to the public interest.

New information sharing powers

For the Commissioner

The Act allows the Commissioner to share information and documents with other authorities (enforcement bodies, alternative complaint bodies, state or territory authorities or foreign privacy authorities) to enable the Commissioner or the other authority to exercise its powers or perform its functions or duties.

The Commissioner may also publicly disclose information acquired by it in the course of exercising powers or performing functions or duties if it is in the public interest to do so, following consideration of a number of factors including but not limited to:

  • the rights and interests of any complainant or respondent
  • whether the disclosure will, or is likely to, prejudice any investigation the Commissioner is undertaking
  • whether the disclosure will, or is likely to, disclose the personal information of any person
  • whether the disclosure will, or is likely to, disclose any confidential commercial information
  • whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement-related activities conducted by or on behalf of an enforcement body


The Australian Communications and Media Authority (ACMA), whose responsibilities include enforcing the Spam Act 2004 (Cth) and the Do Not Call Register Act 2006 (Cth), has existing power to disclose information to a prescribed list of government authorities to enable or assist those authorities to perform or exercise any of their functions or powers.

The Act expands this power to allow ACMA to disclose information to non-corporate Commonwealth entities responsible for enforcing Commonwealth laws, which would include the OAIC.

Enhanced enforcement powers

The Act provides the Commissioner with a number of enhanced enforcement powers including with respect to determinations following the investigation of complaints. The Commissioner can now require that the person or entity engage an independent adviser to review the acts or practices that were the subject of the complaint, and may also require the person or entity to prepare and publish a statement setting out various details in relation to the conduct and any steps taken to remediate an interference with privacy.

The Commissioner also has the ability to issue infringement notices for failures to provide information without a reasonable excuse and issue penalties for systemic failures to provide information.

Contact us

Our team has deep privacy and data protection expertise. Please contact our team of experienced privacy practitioners if you require assistance in managing your privacy compliance program.

Image by Kaffeebart on Unsplash

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.