The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, expected to be introduced to Parliament and passed by the end of 2022, increases both online privacy protection for individuals and consumers and the penalties for breaches.

With ongoing COVID restrictions, there has been an exponential growth in the amount of work, education, shopping and social interaction occurring online – with a corresponding increase in the amount of personal information becoming available to be collected, stored, disclosed and traded online – which has resulted in increased privacy risks for individuals.

The Australian Federal Government has released[i] an Exposure Draft of its proposed Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (‘the Bill’) together with a Discussion Paper. The Bill is intended to address the on-line privacy risks and “protect Australians online and ensure that Australia’s privacy laws remain fit for purpose in the digital age[ii] by strengthening individuals’ protections of personal information in the online space “without unduly impeding innovation within the digital economy[iii].

The Bill is being developed in parallel with the broader review of the Privacy Act 1988 (Cth.) which commenced in December 2019.  It is anticipated that the Bill will be presented to Parliament and become law within the next 12 months.

Key measures

Some of the key measures to be introduced by the Bill are:-

a)   Informed consent – Increasing obligations on social media and other online platforms to provide notice to individuals about collection of personal information and to seek consent to the collection, use and disclosure of personal information, by strengthening how certain Australian Privacy Principles (APPs) will apply[iv];

b)   New Online Privacy code of conduct (‘OP code’) – Introduction of a new and binding Online Privacy code of practice for social media and other online, digital platforms and online data brokerage services (referred to as ‘OP organisations’[v]) which will be co-developed by the Australian Information Commissioner and industry.

The Bill sets out some of the additional protections which must be introduced and included in the OP code.  These additional protections include:-

  • specific protections for children and other vulnerable groups of people not capable of making their own privacy decisions including a new requirement that social media platforms be required to take all reasonable steps to verify their users’ age, give primary consideration to the best interests of the child when handling children’s personal information; and obtain parental/guardian or representative consent for children under the age of sixteen [vi];
  • a new requirement that OP organisations take reasonable steps to cease using or disclosing an individual’s personal information upon that individual’s request.

c)   Increased Penalties for Privacy Breaches – Penalties under the Privacy Act 1988 (Cth) will be increased so as to more closely align the amount of privacy breach penalties with penalties for breach of the Australian Consumer Law[vii] including:-

  • By increasing the financial civil penalty for a serious and/or repeated interference with privacy to a maximum of $532,800 for a natural person (based on the current penalty unit values) and a maximum of $10,000,000 for a body corporate.
  • By creating a new infringement notice provision for failing to provide information or answer a question or provide a document or record when required to do so as part of an investigation, for which the maximum financial civil penalties will be $13,320 for individuals (based on the current penalty value) and a maximum of $66,000 for a body corporate
  • By creating a new criminal penalty for multiple instances of non-compliance, with the maximum financial penalty being increased to a maximum of $66,600 for a body corporate (based on the current penalty unit value).

d)   Extraterritorial application of Privacy Act 1988 (Cth) clarified by removing the condition that an organisation has to collect or hold personal information from sources inside of Australia[viii] with the result being that “foreign organisations who carry on a business in Australia must meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia”[ix].


Authored by Rochina Iannella, Lawyer, Stephens Lawyers & Consultants

© Stephens Lawyers & Consultants.  3 February 2022

This update is not intended to be a substitute for obtaining legal advice. 

For further information contact:

Katarina Klaric
Principal
Stephens Lawyers & Consultants

Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected] 
Website: www.stephens.com.au  

All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007


[i] The Exposure Draft of the ‘Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill’ 2021.was released by the Australian Government on 25 October 2021

[ii] Ibid.

[iii] Explanatory paper ‘Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021’ (October 2021) at pg 4

[iv] Explanatory paper ‘Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021’ (October 2021) at pg 9 – i.e. APP 1.4(c) about privacy policies; APP 5 about providing notice to individuals about collection of personal information; and APP 3 and 6 about seeking consent for collection, use and disclosure of personal information

[v] For definition of ‘OP organisation’ see Sec 6W of Exposure Draft of the ‘Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021

[vi] Explanatory paper ‘Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021’ (October 2021) at pp 10, 11

[vii]Higher penalties to help protect Australians’ privacy’, Media Release of the Office of the Australian Information Commissioner, 25 October 2021

[viii] Explanatory paper ‘Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021’ (October 2021) at pp 22-23

[ix] Ibid.at pg 23