Australia’s 2024-25 Privacy law reboot: Rewiring data protection, security and enforcement

04 November 2025
Eliza-Jayne Sinclair Kelly Dickson
5 min read

Australia has completed the first part of a significant overhaul of its privacy laws. The Privacy and Other Legislation Amendment Act 2024 (Cth) is now in effect, marking a transformative shift in Australia’s approach to data protection. Australian companies and foreign-owned subsidiaries alike should watch this space: the first tranche of reform aims to address long-standing issues and to enhance the security and privacy of personal information, and as AI and technology continue to advance rapidly, further changes are likely.

Overseas dataflows

The Government has the ability to ‘whitelist’ countries that provide substantially similar privacy protections, facilitating safer and more straightforward international data transfers.

No countries have been ‘whitelisted’ yet, but the Regulations now allow the Government to do so in future.

Start date: In force as of 11 December 2024.

‘Technical and organisational’ measures

Australian Privacy Principle 11 requires an entity to take “reasonable steps” to protect the personal information it holds. The amendment clarifies that assessing whether steps were reasonable includes considering the ‘technical and organisational’ measures the organisation has adopted.

Businesses need to ensure their privacy practices include a range of suitable controls:

  • technical and physical measures – alarms, locks, firewalls, encryption, passwords, etc.
  • organisational measures – policies, protocols, staff training, etc.

Start date: In force as of 11 December 2024.

Civil penalties

New penalties apply for various interferences with a person’s privacy, or the misuse of their personal information.

Serious interference with privacy
Up to the greater of:

  • $50M
  • 3 x the benefit obtained from the contravention
  • 30% of adjusted corporate group annual turnover

‘Standard’ interference with privacy
Up to approx. $660K – $3.3M, depending on the contravention.

Examples:

  • Breach of the tax file number rules.
  • Failure to assess and/or report eligible data breaches under the Notifiable Data Breach scheme.

Administrative Breaches / Infringement Notices

Up to approx. $20K to $330K, depending on the contravention.

Examples:

  • Failure to have an up-to-date and compliant Privacy Policy.
  • Failure to provide anonymity or pseudonymity.
  • Failure to provide and facilitate marketing opt-outs.
  • Failure to respond to correction requests.

Start date: In force as of 11 December 2024.

Code development

The Office of the Australian Information Commissioner (OAIC) can develop mandatory Industry Codes for business compliance.

  • Temporary Codes – to operate for up to 12 months.
  • Permanent Codes – developed with public consultation.

The OAIC must develop a Children’s Online Privacy Code – due to be completed and registered by 10 December 2026.

Start date: In force as of 11 December 2024.

Ministerial declarations for data breaches

The Government has authority to mandate particular information sharing in response to significant data breaches.

Declarations are time-limited and will:

  • operate only for the period specified in the declaration, or
  • expire 12 months after being made.

Penalties can apply to anyone who subsequently discloses or misuses the information shared under a declaration:

  • a fine of approx. $20K, and/or
  • 1 year’s imprisonment.

Start date: In force as of 11 December 2024.

Emergency declarations

The Government has authority to allow the collection, use and disclosure of personal information in response to emergencies and disasters.

The Government can authorise:

  • Which entities can collect, use and disclose personal information.
  • Which entities can receive that information.
  • What the permitted purposes are.

Start date: In force as of 11 December 2024.

Greater regulator powers

The OAIC and the Courts have also been granted a wider range of powers, such as:

  • public enquiries / consultations / reports
  • investigative / monitoring powers
  • Court orders.

Start date: In force as of 11 December 2024.

Doxxing

New offences for “Doxxing” have been introduced into the Criminal Code Act 1995 (Cth).

Doxxing is the targeted release of personal information, in a malicious manner, by way of a carriage service:

  • that is menacing or harassing towards an individual; or
  • that relates to one or more members of a group, due to the offender’s belief that the group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or ethnic origin.

This is a criminal offence:

  • 6 years jail – doxxing an individual in a menacing or harassing manner.
  • 7 years jail – doxxing one or more members of a group on the basis of one of the attributes listed above.

Start date: In force as of 11 December 2024.

Statutory Tort: “Serious Invasions of Privacy”

Individuals now have the right to take direct legal action against organisations or individuals for “serious invasions of privacy”, including an intentional or reckless intrusion into personal seclusion or misuse of personal information, where the person had a ‘reasonable expectation’ of privacy in the circumstances.

Maximum compensation will be $500K.

Start date: In force as of 10 June 2025.

Automated decision-making

Organisations that use automated decision-making in their business will be required to disclose key information in their privacy policy, including:

  • What kinds of personal information are used in the automated decision-making programs.
  • What kinds of decisions are made solely by the use of the automated decision-making programs.
  • What kinds of decisions are made by humans with substantial and direct assistance from the automated decision-making programs.

Failure to have a compliant privacy policy could result in penalties starting from $63K.

Start date: Commences 10 December 2026.

Impact on Businesses and Individuals

These reforms represent a comprehensive update to Australia’s privacy laws, emphasising the protection of personal data and the rights of individuals. Businesses will need to review and update their privacy policies and practices to comply with the new requirements, ensuring transparency, accountability, and enhanced security measures.

Looking ahead

As these changes come into effect, both organisations and individuals will need to adapt to the evolving landscape of privacy protection.

With the second tranche of reform being developed and expected to be ready this year, it is crucial to stay vigilant about the new privacy law measures.

If you would like to have a confidential chat about the more robust Privacy regime and what it means for your business, please contact our experienced Trade team and Privacy law experts.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
