On 29 November 2024, the Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) implementing a first tranche of recommendations from the Attorney-General’s Privacy Act Review Report of 16 February 2023.
At a glance
The Bill implements 23 privacy reforms that were agreed to by the Commonwealth Government in its Response to the Attorney-General’s Privacy Act Review Report.
Most amendments introduced by the Bill will commence on the day after the Bill receives Royal Assent, save for:
- the new statutory tort for serious invasions of privacy, which will commence on a day to be fixed by Proclamation or otherwise within six months after the Bill receives Royal Assent; and
- the APP1 changes for automated decision-making, which will take effect 24 months after the Bill receives Royal Assent.
Amendments to the Bill since it was first introduced into Parliament include:
- extending the consultation period for the Children’s Online Privacy Code to 60 days
- introducing certain exemptions for government and law enforcement agencies to the new statutory tort to address serious invasions of privacy, and
- granting the Office of the Australian Information Commissioner (OAIC) stronger enforcement powers, including new tiers of civil penalties and the ability to issue infringement notices.
Key reforms
Notable reforms introduced by the Bill include:
- a new statutory tort to address serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts. Certain exemptions apply for Commonwealth agencies, state and territory authorities, law enforcement bodies, intelligence agencies, and persons under the age of 18
- a mandate for the Information Commissioner to develop a Children’s Online Privacy Code (Code) that covers online services likely to be accessed by individuals under the age of 18 years. A draft of the Code must be made available by the Information Commissioner for public consultation for a minimum period of 60 days before the Code is finalised and registered
- greater transparency for individuals affected by automated decisions. Specifically, APP entities will need to update their privacy policies to include specified information where the APP entity uses a computer program to make a decision that could reasonably be expected to significantly affect the rights or interests of an individual, and personal information about the individual is used in the operation of the computer program to make the decision
- a new mechanism for the Minister to prescribe a "white list" of countries and binding schemes with adequate privacy protections to better facilitate cross-border data transfers. Notably, the laws or binding scheme of the overseas country must have the effect of protecting personal information in a way that is substantially similar to the way the Australian Privacy Principles protect the information, and there must be a mechanism under the laws or binding scheme for individuals to enforce that protection
- stronger enforcement powers for the OAIC, including new tiers of civil penalties and the ability to issue infringement notices
- new criminal offences to outlaw doxing, with serious penalties of up to seven years' imprisonment. Doxing, which can refer to a number of different practices, generally involves the intentional online exposure of an individual’s identity, private information or personal details without their consent.