Reforms to Australia’s privacy laws agreed and passed

After an extensive four-year review process, the amended Privacy and Other Legislation Amendment Bill 2024 (Cth) (POLA Bill) was passed on 29 November 2024 and represents the first tranche of amendments to the Privacy Act 1988 (Cth) arising from the Privacy Act review.

The legislation, which was first introduced to Australia’s parliament in September, is aimed at enhancing privacy rights and ensuring greater accountability in data handling practices. While the Australian privacy principles (APPs) remain largely intact, specific amendments to three of the APPs – one, eight, and 11 – together with the strengthened enforcement regime, require entities to take steps to be able demonstrate their compliance.  

The amendments will mostly take effect once the POLA Act receives Royal Assent, although it is not yet clear when this will be.   

The following additional amendments were included in the final version of the POLA Bill, largely in response to the recommendations of the Senate Legal and Constitutional Affairs Legislation Committee. 

Enforcement 

• Power to issue compliance notices: in addition to the new power to issue infringement notices, the commissioner and Office of the Australian Information Commissioner (OAIC) officers will also have the power to instead issue discretionary compliance notices in the form prescribed to remedy alleged breaches of one or more of the provisions in section 13K of the Privacy Act;  

• Entities can be asked to produce evidence of compliance, before an infringement notice is issued and they can apply to the Federal Court for a review of the compliance notice;  

• Failure to comply with a compliance notice will be subject to a penalty of up to 200 penalty units. 

Children’s Online Privacy Code

• Extended consultation period: the minimum consultation period for the Children's Online Privacy Code was extended from 40 to 60 days. 

• Consultation requirement: the addition of relevant ‘industry bodies’ as entities that the commissioner is able to consult with when developing the Code. 

Doxxing offences

• Doxxing review: an independent review of the operation of the doxing offences must be undertaken 24 months after they come into effect and the report must be reviewed by the minister and tabled in parliament.  

Statutory tort

• Application of exemptions, including new public interest considerations: courts may now determine at any time, either on application or on their own motion, whether any of the exemptions listed in Part 3 of what will be the new Schedule 2 of the Privacy Act applies to the invasion of privacy. A new element for the cause of action has also been added which required that the public interest in the plaintiff’s privacy must outweigh any ‘countervailing’ public interest. There is a non-exhaustive list of these including freedom of expression, freedom of the media, open justice, public health and safety and national security; 

• Media exclusion: the exclusion of media organisations accessing personal information during declared emergencies was extended to also apply to national broadcasters like the ABC and SBS; 

• Injunctive powers: the amendments clarify that the power conferred on a court to issue an injunction in relation to the statutory tort is not limited to an 'interim' injunction; 

• Journalism exemption: the amendments clarify that the journalism exemption also extends to a person involved in the publication or distribution of journalistic material prepared for publication by a journalist and to persons engaging with or assisting journalists; 

• Definition of journalistic material: the concept of 'journalistic material' for the purposes of the tort includes 'editorial' material relating to news, current affairs or a documentary; 

• New exemption for government agencies and law enforcement bodies: a new exemption has been added for state and territory authorities and law enforcement bodies with certain conditions to be met to qualify. 

Our view

While it appears that the OAIC will continue to face inadequate funding, the privacy commissioner, Carly Kind, has signified her intention to take a proactive enforcement approach and use all the regulatory powers and tools available to her to issue guidance, work with entities and take action where breaches occur. She has recently released a range of guidance and determinations on topics such as artificial intelligence, facial recognition technology, the use of third-party pixels, and data scraping. In addition, individuals will now have a direct right to bring court action if they believe entities have seriously invaded their privacy. 

Therefore, it is important that entities take proactive steps of the kind we previously outlined to ensure compliance with the fundamental requirements of the APPs, take all reasonable measures to protect personal information, and be ready to deal with infringement activity, as well as consider where any data processing activities could put them at risk of a compliance or infringement notice or even a claim for a serious invasion of privacy.  

While the passage of the POLA Act marks a significant step forward, there is still more work to be done to achieve the privacy reforms needed for business, government, and the community – which are also important to support other regulatory frameworks, such as the Digital Identity Act 2024 (Cth), which will commence on 1 December 2024, and the insertion of the social media minimum age in the Online Safety Act 2021 (Cth).  

The Attorney-General’s Department has indicated it plans to begin consulting on the second tranche of privacy reforms in December 2024, to which the government has agreed or agreed in principle. With an election looming, the timing and content of the next phase of the reforms remains to be seen.