Privacy compliance remains of major importance for businesses.  Privacy breaches can have a significant impact on businesses and result in:

  • Business disruption
  • Significant costs in responding to a privacy breach
  • Reputational damage
  • Loss of valuable intellectual property/confidential information
  • Loss of business and revenue
  • Reduction in capital/share value of the business
  • Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
  • Regulatory fines and penalties
  • Compensation claims by individuals/class actions.

The amendments to the Australian privacy law made by the Privacy and Other Legislation Amendment Bill 2024 (‘Bill’) have passed both Houses of Parliament.  The Bill introduces significant changes to the Privacy Act 1988 (Cth) and came into effect on 11 December, 2024 – the day after it received the Royal Assent.  While there are transition periods for commencement of different sections of the Bill, businesses cannot afford to be complacent about privacy compliance.  It should be a priority for all organisations and businesses that collect or hold Australians’ personal information.

The ‘Privacy and Other Legislation Amendment Bill 2024’ – How do the changes impact your business?

On 29 November, 2024 the Australian Government passed the Privacy and Other Legislation Amendment Bill 2024 (‘Bill’), with some amendments by the Senate.  The Bill consists of the first tranche of long-awaited privacy reforms to the Privacy Act 1988 (Cth).

The Bill introduces significant measures and strengthens rights for individuals to directly claim compensation and other remedies for privacy breaches including by:-

  1. Introducing a statutory tort for serious invasions of privacy – providing individuals with a route to seek redress (including compensation) through the courts[i].  A plaintiff will need to demonstrate that the ‘countervailing public interest’ in protecting their privacy outweighs any competing public interest raised by the defendant (such as freedom of speech). Specific exemptions from liability under the tort have also been included for journalism, law enforcement bodies, intelligence agencies and minors[ii];
  2. Expanding the range of regulatory, investigatory and enforcement powers and options available to the Australian Information Commissioner (the ‘Information Commissioner’) to enforce the Privacy Act. These include new tiers of civil penalties and the ability to issue infringement notices for less serious privacy breaches.[iii]

This Bill also:-

  1. requires the Office of the Australian Information Commissioner (OAIC) to develop a Children’s Online Privacy Code which will apply to social media platforms as well as other internet services which are likely to be accessed by children[iv];
  2. introduces a requirement that privacy policies contain information about substantially automated decisions which significantly affect individuals’ rights or interests, including the kinds of decisions and kinds of personal information used[v];
  3. introduces ‘anti-doxxing’ measures[vi] – with a related requirement for the establishment of an independent review of the measures within 24 months of their commencement; and
  4. will support and facilitate international/cross-border data flows and transfers by introducing a new mechanism to prescribe a ‘white list’ of countries[vii] with substantially similar data privacy laws to Australia and binding schemes with adequate privacy protections.

Commencement date of the changes

The Bill received Royal Assent on 10 December, 2024 – with the Bill taking effect on 11 December, 2024 – the day after it received Royal Assent[viii]. There are transition periods for commencement of some of its provisions – including the following:

  • the statutory tort of serious invasions of privacy and its related provisions will commence within 6 months after the Royal Assent (or on an earlier date to be fixed).
  • the requirement that privacy policies be updated to contain information about substantially automated decisions will come into effect 24 months after the Royal Assent.
  • the establishment of an independent review of ‘anti-doxxing’ measures is required within 24 months of the measures’ commencement.

Getting ready for the changes to the Australian privacy law

There is no single solution for the protection of data and compliance with privacy laws. A whole-of-business approach is required.  People are the most important part of the process and solution, followed by technology.

Some steps that businesses may consider taking now to get ready for the changes to the privacy laws and to minimise the risk of non-compliance include:

  1. Undertaking a review and update of the organisation’s privacy policy to ensure it includes information about substantially automated decisions – as well as preparing for the Bill’s proposed requirements for automated decision-making to ensure compliance.
  2. Undertaking audits of the organisational data collection, purpose of collection and data flow to ascertain the type of data that is collected, managed and held and who is authorised to access this information. Legal advice may also be required.
  3. Undertaking a review of the organisation’s data retention policies and practices and destroying data that is not required by the business and not required to be retained by law. Businesses can minimise the risk by only collecting and holding data that is required.
  4. Having a cybersecurity expert assess and monitor the organisation’s computer system for potential vulnerabilities to cyberattacks and implement appropriate measures to deal with risks.
  5. If the business uses cloud-based computer services and software applications, agreements with third party cloud services providers should be reviewed for privacy compliance, security and data protection.
  6. Reviewing their agreements with third parties to whom data is transferred or disclosed and any agreements with third party data processors for privacy compliance.
  7. Implementation of appropriate security measures for the protection of confidential information/data (including when emailing sensitive personal information). Measures and controls could include encryption, password protection, multi-factor authentication and monitoring of data flows.
  8. Implementation of appropriate technological measures to deal with possible cyber threats including viruses, ransomware, malware, hacking and other cyberattacks.
  9. Development and implementation of ‘best practice’ guidelines for responding to cybersecurity breaches, including post-breach communication to affected individuals, to reduce the ‘harm’ to both the affected individuals and the business.
  10. Monitoring and keeping up to date with the latest scams and cyber threats including phishing emails and telephone calls requesting passwords and other personal information and keeping management and employees updated.
  11. Undertaking a review of existing non-disclosure agreements and requiring all staff who are to have access to personal information/confidential information to sign non-disclosure agreements.
  12. Providing education and training to management and employees:
  • about the Bill’s proposed expansion of the Australian Information Commissioner’s range of regulatory, investigatory and enforcement powers and options to enforce the Privacy Act (including ability to issue infringement notices for less serious privacy breaches) as well as the new range of civil penalties for privacy breaches.
  • in relation to best practices for data management and security, privacy compliance, cybersecurity and responding to cybersecurity and privacy breaches – with regular updates and reinforcement of the importance of compliance.

Disclaimer: This legal update is not intended to be a substitute for obtaining legal advice.

© Stephens Lawyers & Consultants – 12 December 2024 – Authored by Rochina Iannella, Consultant, Stephens Lawyers & Consultants. The contribution of Katarina Klaric, Principal, in editing this update is acknowledged.

For further information contact:

Katarina Klaric

Principal

Stephens Lawyers & Consultants

Melbourne Head Office

Suite 205, 546 Collins Street, Melbourne VIC 3000

Phone: (03) 8636 9100   

Sydney Office

Level 29, Chifley Tower, 2 Chifley Square, Sydney, N.S.W. 2000
Phone: (02) 9238 8028

Email: [email protected]

Website: www.stephens.com.au

All Correspondence to:

PO Box 16010
Collins Street West
Melbourne VIC 8007

To register for newsletter updates and to send your comments and feedback, please email [email protected]  


[i] Office of the Australian Information Commissioner (OAIC), “Passing of bill a significant step in Australia’s privacy law”, 29 November, 2024 [ https://www.oaic.gov.au/news/media-centre/pasing-of-bill-a-significant-step-for-australias-privacy-law#:~:text=The%20Office%20of%20the%20Australian,protections%20for%20the%20Australian%20community. ]

[ii] Which are specified in Part 3 of Schedule 2 of the Privacy and Other Legislation Amendment Bill 2024 (Cth).

[iii] Office of the Australian Information Commissioner (OAIC), “Passing of bill a significant step in Australia’s privacy law”, 29 November, 2024 (Op cit.)

[iv] Ibid.

[v] Ibid.

[vi] Attorney General The Hon. Mark Dreyfus KC MP, ‘Second reading speech – Privacy and Other Legislation Amendment Bill 2024’, 12 September, 2024 [ https://ministers.ag.gov.au/media-centre/speeches/second-reading-speech-privacy-and-other-legislation-amendment-bill-2024-12-09-2024 ]  The measures extend to amending the Criminal Code Act 1995 to introduce new criminal offences targeting the harmful practice of releasing personal data in a manner that is menacing or harassing (otherwise known as doxxing), which will carry maximum penalties of 6 years’ and 7 years’ imprisonment, respectively.

[vii] Office of the Australian Information Commissioner (OAIC), “Passing of bill a significant step in Australia’s privacy law”, 29 November, 2024 (Op cit.)

[viii] Privacy and Other Legislation Amendment Bill 2024 (Cth), Section 2 (‘Commencement’)