Australia's first tranche of privacy reforms – a deep dive and why they matter

    Article first published on 15 October 2024 to report on the privacy reforms as introduced. It has been updated to reflect the reforms as passed.

    What you need to know

    • The new Privacy and Other Legislation Amendment Act 2024 is now law, receiving assent on 10 December 2024. This change launches a generational shift to Australia's privacy law, the first of two tranches of reforms.
    • Most of the reforms are now in effect. New enforcement and investigation powers should be an immediate focus – we expect to see the Privacy Commissioner seeking to wield them in the new year. The privacy regulator can now issue infringement notices of up to $66,000 (per contravention) and compliance notices that specify how privacy failures must be addressed. Ensure your practices, procedures and systems can demonstrate compliance and manage your risk.
    • Reforms yet to commence include a long-proposed statutory tort for serious invasions of privacy (6 months) and transparency of automated decisions (24 months). More expansive reforms are expected in a second tranche, but these are more likely to be progressed after the Federal election in 2025.
    • The Privacy Commissioner's message has been clear: "businesses - don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach in the interim."
    • In this article, we explore "what good looks like" in building a risk-informed response to more agile, risk- and harms-focused privacy regulation. We'll then dig deeper into the key tranche 1 privacy reforms, explaining what they are, and why they matter.

     What you need to do

    • Have a defensible position – Do your practices, procedures, and systems both demonstrate your compliance and manage your risk effectively? If they do, they should provide you with a defensible position in this tougher enforcement environment. Uplifting your practices, procedures and systems is a no-regrets investment.
    • Design and fund your projects now – Greater regulatory risk and new obligations, particularly automated decision transparency, will require significant work. Funding for these projects needs to be secured now. Starting as soon as possible gives you the best opportunity to secure scarce talent and succeed.
    • Ensure appropriate consultation and collaboration – Are your legal, privacy, compliance and cyber teams working together to ensure an aligned process?
    • Prepare your legal and compliance teams – How prepared are you to respond to a motivated regulator with broader information-gathering powers, tiered penalties and infringement and compliance notices, as well as a risk of individual claims for serious invasions of privacy?
    • Set the direction and understand what good looks like for you – Ensure leadership and boards have the information needed to set a direction and vision for good privacy risk management. Understand the "go-to" state that the regulator expects of an organisation in your position, your risk appetite, and the risk profile you face.

    An important first step in privacy reforms

    "This bill is an important first step in the government's privacy reform agenda, but it will not be the last."

    Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)

    An important first tranche of privacy reforms was passed by the Australian Parliament on 29 November 2024, receiving assent on 10 December 2024 – the first of two tranches to address the Government's broader privacy reform agenda and a slate of long-running issues papers, proposals and consultations.

    However, with an election likely to be called in the first half of 2025 and many of the tranche 2 reforms subject to consultation and circulation of draft provisions, it is unlikely we will see tranche 2 before the Federal election in 2025.

    For a helicopter view of both tranches 1 and 2 of the reforms as originally proposed, see Australia's blueprint for privacy reform – what you need to do today.

    What privacy reforms are in tranche 1, and when do they commence?

    (Figure: Australian Privacy Reforms Dates)

    The reforms in tranche 1 address 23 proposals that were "agreed" in the Government Response to the Privacy Act Review Report, out of a total of 116 proposals. Key areas covered by the reforms are enhanced regulatory powers, automated decision transparency, cybersecurity uplifts, code-making powers (beginning with a new Children's Online Privacy Code), simpler international data transfers, a new statutory tort for serious invasions of privacy, and criminal offences for doxxing (exposing data in a way that is menacing or harassing).

    Most reforms have already commenced – with a delay of up to 6 months for the new statutory tort (commencing by proclamation or by 11 June 2025), and a 24 month delay for automated decision transparency requirements (commencing 11 December 2026). The new Children's Online Privacy Code must be developed and registered by 10 December 2026 (within 24 months of assent), and further regulations will need to be passed before organisations can take advantage of simpler international data transfer rules.

    What was changed in the Senate?

    As part of a last-minute flurry of activity a day before the end of the parliamentary term, there were a number of changes proposed and agreed in the Senate. Some of the more controversial proposals (such as changes to the definitions of personal information or consent, the addition of a fair and reasonable test, or the complete removal of the statutory tort) were not accepted, with some of these still expected to appear in tranche 2. The key changes include:

    • Compliance notices – the addition of a new power to issue a discretionary notice to an entity to remedy an alleged breach of specified provisions (the same provisions that may be subject to an infringement notice, as described below).
    • Review of operation of the doxxing offence – an independent review of the doxxing offence must be undertaken after 24 months, with a report due 6 months later.
    • Changes to the statutory tort – a new limb for the statutory tort specifically requiring a balancing of public interest in a plaintiff’s privacy against countervailing public interests (including freedom of expression, political communication, and artistic expression, among others), a right to seek a determination from the court on any exemptions, tweaks to the definition of journalistic material, and a new ‘good faith’ exemption from the statutory tort for government agencies.
    • Other changes – minor amendments to emergency declarations (relating to the ABC and the SBS), the Children’s Online Privacy Code submission timeframe, and eligible data breach declarations (to exclude media organisations, the ABC and the SBS from the ambit of permitted recipients of information under a declaration).

    What reforms are still to come?

    This is only the first part in a broader privacy reform agenda. Tranche 2 will likely cover a much broader spectrum of issues including a new “fair and reasonable” requirement, consent reforms, individual rights, small businesses and employee exemptions, and assessing the privacy impact of high-risk activities.

    Read more about the full suite of 116 recommendations from the Privacy Act Review Report in our earlier publication Australia's blueprint for privacy reform – what you need to do today.

    Why do these changes matter? The regulator’s view

    The changes seem modest at first blush, but they set up a number of significant themes, signalling a change in the enforcement landscape, the first steps of automated decision-making and artificial intelligence rules, and deliberate signals that "reasonable steps" to meet cybersecurity requirements will be scrutinised. 

    Privacy Commissioner, Carly Kind, called out before the reforms arrived that the expectations of the Office of the Australian Information Commissioner (OAIC) are higher, and the office will be much more enforcement-focused:

    “... don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms.”

    Privacy Commissioner, Carly Kind


    With a more “risk-based and enforcement and education-focused posture” from the OAIC, a new set of regulator powers, and new avenues for individuals to bring claims, expectations for organisations will only continue to increase as the reform journey continues.

    A risk-informed response to agile, risk-focused regulation

    Practices, procedures and systems: a sword or a shield

    Tranche 1 shifts the regulatory emphasis – looking to change market behaviours by ensuring appropriate practices, procedures and systems are in place. This is focused on preventing harm to the individual, and can be contrasted with the traditional approach of reactive enforcement after harm (like a data breach) occurs.

    Australian Privacy Principle 1.2 requires entities to take reasonable steps to implement practices, procedures and systems to comply with privacy obligations. Failure to do so can be considered a breach of the Australian Privacy Principles in its own right and may lead to a Commissioner-initiated investigation by the OAIC. 

    The obligations requiring practices, procedures and systems commenced over a decade ago – on 12 March 2014. Entities and agencies covered by the Privacy Act are assumed to have established their practices, procedures and systems over the past decade. The regulator will expect that demonstrable, defensible, effective and efficient practices, procedures and systems are already in place.

    If designed and implemented properly, your practices, procedures, and systems can provide you with a shield from your risks:

    1. a clear understanding of your privacy related risks and controls;
    2. a demonstrable and defensible decision-making process that will stand up to regulatory action, public scrutiny, and claims under the new statutory tort; and
    3. a strong basis to meet new obligations, like AI and automated decisions, or to meet existing obligations, like cybersecurity and destruction of personal information.

    If you do not have adequate practices, procedures, and systems, they can become a sword to be used against you. In addition to a possible breach of APP 1.2, as discussed above, companies may face additional regulatory problems meeting other Australian Privacy Principles.

    What does good look like?

    There's no single defined answer. Your design needs to reflect:

    1. the nature of the entity (including size, maturity, and resources which should be invested in privacy risk);
    2. the amount and type of information you collect, store, and use;
    3. how sensitive that information is; and
    4. the impact of any misuse or unauthorised access of information you are responsible for.

    Practices, procedures and systems need to be designed, reviewed, and updated regularly to keep pace with the risk environment, laws, and the nature of the activities you undertake. 

    The simplest question to ask is: how ready are you to respond to a regulator or a class action on privacy today? If you are not ready, you need to uplift your practices, procedures, and systems to make sure you are.

    What does good privacy management look like?

    Green flag: Board has articulated and communicated risk appetite, and closed the loop with strong monitoring, reporting and accountability
    Red flag: Passive, reactive or uninformed board oversight

    Green flag: Risks and controls continually monitored, with documented results
    Red flag: Informal or undocumented processes; perpetual drafts, or policies never signed off

    Green flag: Realistic and clear understanding of current maturity, risks to business, organisational risk appetite
    Red flag: Champagne vision on a beer budget

    Green flag: A top-down, risk-informed approach that surveys the risk landscape, and identifies key risks and critical data assets to focus on first
    Red flag: Trying to do everything at once, resulting in analysis paralysis

    Green flag: Clear thresholds, trigger points and mechanisms for escalation to legal, executive and board oversight
    Red flag: "Fire and forget" policy, without clear escalation

    Green flag: Strong visibility of key digital assets and data. A focus on high-risk data assets, not just high-value data assets
    Red flag: Sole focus on operational value of data, with a limited understanding of key digital assets

    Enhanced regulatory toolkit

    "To investigate potential privacy breaches in an increasingly complex digital landscape, the Information Commissioner requires modern investigative powers."

    Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)


    As one of the key changes in the tranche 1 reforms, the OAIC's regulatory toolkit will be expanded, including by adopting a number of the standard regulatory tools available under the Regulatory Powers (Standard Provisions) Act 2014. 

    The OAIC's new toolkit now includes:

    • Broader monitoring and investigation powers
    • Conduct of public inquiries
    • Expanded scope of OAIC determinations
    • Clarified scope of court orders the OAIC may seek
    • Enhanced code-making powers
    • More infringement notice and civil penalty options
    • New compliance notices (an additional power added in the Senate)

    The broader regulatory toolkit allows the regulator to fulfil its ambition as a pro-active and risk-focused regulator – it will look to prosecute matters that are going to change practices and set a general deterrence effect across the economy and across markets.

    Outside of the new penalty options (discussed below), these new changes include enhancements to existing tools (such as monitoring and investigation, determinations and court orders), as well as adding significant new tools such as regulator-driven code-making powers and the ability to conduct public inquiries into matters relating to privacy, at the direction of the Attorney-General.

    The expansion of code-making powers signals a shift to a regulator-driven regime where the OAIC will be able to identify areas of concern and develop a code at the direction of the Attorney-General, potentially requiring entities to comply with additional privacy obligations outside of the legislative process. New provisions for the development of a Children's Online Privacy Code have also been introduced. The development of this code will likely operate as a test for the OAIC’s new code-making powers, as the Government has promised specific funding for the development of the code. The Privacy Commissioner has also added her voice to the proposal for age restrictions on social media services, stating that the Code will form “part of the puzzle” helping to positively shape the online environment.

    What it means for you

    • Know your biggest risks – The OAIC has said it will strive to take a risk-based and harm-focused approach to regulation. To head this off, assess where your greatest risks lie and what the OAIC’s enforcement priorities are.
    • Action your findings – Action your backlog of identified concerns and build robust monitoring and review processes.
    • Learn from experience with other regulators – While the broader toolkit is new to the OAIC, many of the tools are standard practice for other regulators. Leverage your learnings and processes from dealing with other regulators to adjust your regulatory engagement processes and strategies for the OAIC.

    A new ‘tiered penalty’ process and administrative failures

    The OAIC currently has limited enforcement options – it can seek a large civil penalty for a serious or repeated interference with privacy (introduced in the 2022 privacy reforms), or smaller penalties and infringement notices for failures to provide information to the OAIC. 

    The OAIC can also undertake an investigation and give a determination if it identifies a breach of the Australian Privacy Principles. While entities may agree to pay an amount set out in a determination, if they do not, the OAIC must seek enforcement in the Federal Court.

    The tranche 1 reforms enhance the existing penalty regime and introduce new medium-level and lower-level penalties, as well as infringement notices that may be issued by the OAIC directly, without going to court (although entities will have the option to challenge a penalty notice in the Federal Court). This new penalty framework gives the OAIC significantly more options and brings a greater likelihood of smaller and moderate breaches seeing enforcement action.

    For bodies corporate, the revised maximum penalties look like this:

    Serious interference with privacy

    Penalty previously applied to a "serious or repeated" interference. Whether an interference is repeated or continuous will now be one factor to take into account in determining whether an interference is "serious".

    Civil penalty: Greater of:

    • $50 million;
    • three times the benefit;
    • 30% of turnover in the period.

    Interference with privacy

    A new intermediate civil penalty for an interference that is not “serious”.

    Civil penalty: $3.3 million

    Specified administrative failures

    For breaches of specific privacy obligations, such as inadequate privacy policies, direct marketing obligations and statements about notifiable data breaches.

    Civil penalty: $330,000

    Infringement notice: $19,800 (or $66,000 for publicly listed companies)*

    Failure to give information

    An increase to existing penalties and infringement notices for failure to provide information by publicly listed companies.

    Civil penalty: (Basic) $99,000

    Civil penalty: (Multiple) $495,000

    Infringement notice: (Basic) $19,800 (or $66,000 for publicly listed companies)*

    The OAIC can bring court proceedings for civil penalties, and the changes include an adjustment to the “serious interference” threshold to consolidate the test into a single principle (instead of “serious or repeated”), that takes into account various factors. If the “serious interference” threshold is not met, a new mid-range “interference” penalty remains available.

    For the civil penalty provisions, whether or not penalties will be multiplied (for example in a data breach scenario) will rely on existing legal principles, depending on application of the court’s discretion in the context. However, for infringement notices, an express provision allows multiplication of the maximum penalty amount.

    Infringement notices for administrative failures

    Infringement notices may now be issued by the OAIC without going to court, for minor ‘administrative’ failures where failure to meet the requirement can be easily established. 

    These notices are intended to allow the OAIC to seek penalties against entities for minor contraventions, without the need to engage in litigation. Infringement notices can be issued for up to $66,000 for publicly listed companies, but multiple failures may "stack" on top of one another. 

    Examples of issues that might be dealt with by an infringement notice include:

    • inadequate privacy policies (APP 1.3, 1.4)
    • failure to provide ability to interact anonymously or using a pseudonym (where practicable) (APP 2.1)
    • inadequate record keeping of enforcement-related disclosures (APP 6.5)
    • failure to comply with direct marketing requirements – eg inadequate opt-out information or process, failure to provide information on source of direct marketing data when requested (APP 7.2(c), 7.3(c)-(d), 7.7(a)-(b))
    • failure to correct personal information when requested (APP 13.5)
    • inadequate notifiable data breach statement (Section 26WK(3))
    • further APPs prescribed by the regulations

    Unlike compliance notices (discussed below), infringement notices can also be given for failing to provide information when required.

    New compliance notice regime

    A new compliance notice regime was added to the reforms in the Senate – providing the OAIC with a discretionary power to issue a notice to an entity to remedy an alleged breach before issuing an infringement notice (or pursuing civil penalties).

    Compliance notices may be given for the same types of conduct as infringement notices (except for a failure to provide information).

    A significant difference to the infringement notice regime is that a compliance notice can specify actions or steps to be taken by an entity – and failure to take those steps or actions can of itself be an infringement.

    A compliance notice must state:

    • the action the entity must take, or refrain from taking, to address an alleged contravention; and / or
    • the steps the entity must take to ensure that the conduct is not repeated or continued,

    as well as a reasonable period to comply with the notice.

    The notice may also require the entity to produce evidence they have complied with the notice. This might range from written confirmation from a senior staff member to documentary evidence.

    We expect to see the compliance notice regime used as a low-touch “early intervention” measure, seeking specific changes to the acts or practices of entities that align with the OAIC’s views of what is required under certain Australian Privacy Principles, with a potential infringement notice remedy arising if there is a continued failure to meet those requirements. Much like other regulators, such as the Australian Communications and Media Authority or the Australian Competition and Consumer Commission, the OAIC could also couple compliance notices or infringement notices with public announcements as a way to demonstrate actions being taken.

    What it means for you

    • A regulator more ready to take enforcement action – The ability to pursue penalties or compliance or infringement notices for intermediate or lesser breaches will significantly change how the OAIC assesses what to investigate, and what regulatory action to take.
    • Infringement and compliance notices shift the burden to entities – Infringement and compliance notices allow a resource-constrained OAIC to take more enforcement action, but also shift the decision to litigate from the OAIC to recipients – do your regulatory engagement strategies allow you to quickly and strategically decide whether to challenge an infringement or compliance notice or accept the regulator's position? Even if the value of a penalty is comparatively small, being subject to regulatory action can carry significant reputational risk and can disrupt business practices and operational processes.
    • Be ready with practices, procedures and systems – The right practices, procedures and systems (including monitoring and evaluation) can support compliance, provide an early warning system for likely areas of regulatory action, and provide the ability to engage productively with the regulator. 

    Automated decisions and artificial intelligence

    "The bill will provide individuals with transparency about the use of their personal information in automated decisions which significantly affect their interests."

    Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)


    Under the new transparency requirement, organisations will need to identify decisions that significantly affect the rights or interests of an individual, and set out in their privacy policies:

    • the kinds of decisions made solely by a computer operation;
    • the kinds of decisions where computer operation is substantially and directly related to making the decision; and
    • the kinds of personal information used to make that decision.

    The Privacy Commissioner has specifically called this requirement out: by pairing the automated decision-making requirement with the infringement notice power for administrative failures (which include content of the privacy policy), the OAIC may be able to bring quick action.

    Acknowledging the complexity of introducing this level of transparency, there will be a delay of 24 months before new automated decision transparency obligations commence. However, there is significant complexity in identifying these automated decisions throughout an organisation or agency, and the timeframe has started.

    Privacy policies must include information about decisions where:

    “An entity has arranged for …” – Extends to third party systems and outsourced providers.

    “… a computer program …” – Broadly interpreted: includes pre-programmed rules-based processes, artificial intelligence, machine learning, spreadsheet automation, scoring or ratings, etc.

    “… to make a decision … or to do a thing substantially and directly related to making a decision …” – Applies to both wholly and partially automated decisions. For partially automated decisions, the computer program must be substantially and directly related: it needs to be a key factor in the decision, and directly connected to the decision. Applies even if there is a human in the loop actually making the decision.

    “… that significantly affects rights or interests of an individual …” – The concept is affected by circumstances, eg a child or a person experiencing vulnerability.

    “… using personal information” – This concept may expand further with coming reforms, eg expansion of the personal information definition.

    The framework originally proposed in the Privacy Act Review Report referred to “substantially automated decisions which have a legal or similarly significant effect on an individual’s rights”, a construct similar to the European GDPR. The term substantially automated was used to address the risk of "tokenistic" human involvement.

    A different approach was adopted in the final legislation, extending to a computer program that is both substantially and directly related to the decision-making process, and also expanding the potential effect to rights and interests of the individual (instead of using the GDPR's “legal or similarly significant effect” formulation).

    This new language is closer to the approach explored for use of computer-assisted decisions in the public sector, such as the Canadian Directive on Automated Decision-Making, which extends to systems that support human decision-makers, for example by providing assessments, scores or summaries.

    By way of comparison, a more extensive mechanism is found in the new Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act), the first part of which took effect in Western Australia on 6 December 2024. The PRIS Act states that a “significant decision” is a decision that affects an individual’s rights, entitlements, interests or liabilities or otherwise has a significant effect on an individual’s life circumstances, opportunities, behaviour or wellbeing. Some of the elements of the PRIS Act go beyond the tranche 1 requirements in the Privacy Act, and watching how these play out will be a useful preview of how some of the tranche 2 proposals might apply if they come to pass in the future.

    What about artificial intelligence?

    The new automated decision rules capture artificial intelligence that uses personal information, as well as other computer assisted decisions. The transparency rules can be seen as one of the first cabs off the rank for an ongoing focus on AI, and broader artificial intelligence regulation: 

    • The OAIC has released guidance on how privacy laws and existing privacy guidelines apply to the use of commercially available AI, and to developing and training generative AI.
    • The second tranche of privacy reforms is likely to bring further requirements impacting AI and automated decisions – including privacy impact assessments for high-risk activities (including automated decisions), the need to explain automated decisions, a requirement that data activities be "fair and reasonable" (regardless of consent), and changes to protect more data as "personal information" (impacting the training and use of AI models).
    • The Voluntary AI Safety Standard has been released and the Government has consulted on new AI laws in the form of a proposal paper on introducing mandatory guardrails for AI in high-risk settings.
    • To support the Voluntary AI Safety Standard, the National AI Centre has released an AI Impact Navigator – a framework and template documents to assess and measure impacts and outcomes of AI.

    What it means for you

    • Long lead-time but existing processes are in scope – Although we have two years before the transparency requirements take effect, all computer programs, personal information and processes are in scope. There is no carve-out for existing processes, and entities will be required to assess their existing systems as well as new proposals. 
    • Most businesses in Australia rely on lots of automation – Meaning a lot of business processes need to be risk assessed. Overseas regimes, including the GDPR, focus on legal (or similar significant) impacts on individuals. With a broader focus on “rights or interests” in Australia's proposed regime, more decisions may be in scope. Controversial areas overseas include "gig economy" platforms, fraud probability scores, credit scores, and automated screening of job applications.
    • Complex processes mean multiple systems may be relevant – Many decisions are made using derived or calculated data, including data sourced from supply chains and third parties – like credit scores or capability assessments. Standardised business processes can apply to both high impact and low impact use cases (for example, standard processes might apply for children or people experiencing vulnerability, or might apply to advertising for essential services as well as non-essential services). 

    Cybersecurity uplifts

    "… we are moving into a new era in which our expectations of entities are higher ..."

    Privacy Commissioner, Carly Kind (Notifiable Data Breaches Report: January to June 2024)


    Reasonable steps to protect personal information, and to de-identify and destroy information no longer required, will now include technical and organisational measures.

    • Technical measures include things like physical security measures, software and hardware, including access security, encryption, anti-virus, multi-factor authentication and strong passwords.
    • Organisational measures include internal processes in place and governance arrangements, including staff training, operating procedures and policies for securing personal information.


    Reasonable steps under Australian Privacy Principles 11.1 and 11.2 (relating to security and the destruction or de-identification of personal information) now include both technical and organisational measures – an uncontroversial position adopting language also used in the GDPR. However, the impact underscores the Government’s increasing expectations that organisations have sufficient practices, procedures and systems in place to ensure cybersecurity and protect against data breaches. 

    Additional cyber security measures in the reforms include an eligible data breach declaration regime, allowing the Attorney-General to make a declaration permitting information sharing to assist in data breach response (for example, sharing information between financial institutions to reduce fraud risks). This new mechanism is similar to a regime under the Telecommunications Regulations 2021, introduced in 2022 in the wake of major cyber incidents.

    What it means for you

    • Security measures are not one-size-fits-all – Your "go-to" state depends on the type, sensitivity and volume of data you are handling, what might go wrong, your size, resources, and business activities – and is heavily informed by your current and desired maturity and capabilities.
    • Keep up to date with regulatory expectations and meet them – Expect further guidance from the OAIC, but also keep across industry engagement from other bodies. Practical insights can be found in the OAIC's regular notifiable data breach reports, and APRA insights on common cyber control weaknesses, not to mention the extensive resources available from cyber.gov.au. Read more about regulator expectations in our recent article Three ways to outpace Australia's new cyber laws - part of our series on Redefining Cyber Readiness.
    • Get your governance right – The Australian Institute of Company Directors, the Cyber Security Cooperative Research Centre and Ashurst published world-first guidance on Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors, which includes important guidance on organisational measures required for a cyber-resilient organisation (including helpful "red flags" to look out for).
    • Data destruction and de-identification are critical – High profile cyber security incidents have driven home the importance of identifying and destroying legacy data. Have you made robust data destruction and de-identification part of business-as-usual processes, rather than a one-off project?

    Cross-border data flows

    “This will … reduce costs for business when entering into contracts and agreements with overseas entities.”

    Attorney General, The Hon Mark Dreyfus KC MP (second reading speech)

     

    If an overseas recipient is subject to a law or binding scheme prescribed by regulations, then the Australian entity:

    1. does not need to do its own assessment of foreign law, or obtain specific consent for the disclosure
    2. does not need to take reasonable steps to ensure the overseas recipient doesn't breach Australian privacy laws
    3. is not accountable for overseas acts or practices (because the overseas entity will be able to provide recourse instead)

    Under the Privacy Act, an Australian entity needs to take reasonable steps to ensure an overseas recipient of data complies with the Australian Privacy Principles, and can be held accountable for the overseas acts or practices of that recipient.

    There are exceptions to these requirements – for example, where specific informed consent is obtained, or where the Australian entity reasonably believes the laws of a foreign country or binding scheme are equivalent to the Australian Privacy Principles.

    Under the new reforms, the regulations may prescribe a "whitelist" of such countries or binding schemes. Australian entities will no longer need to make their own assessments or carry the risk that their belief is not considered "reasonable", so long as the recipient is bound by a listed law or scheme, and the disclosure meets any relevant conditions. Those conditions could apply to particular entities or types of entities, or to types of information.

    For countries or binding schemes not on the "whitelist", the existing regime will apply, and entities will still be able to use existing mechanisms (by making their own assessment, obtaining consents, or being accountable for compliance overseas).

    What it means for you

    • What will be on the whitelist? In deciding which countries or schemes will be included on the "whitelist", the overall level of protection is important. The European GDPR has a similar “adequacy” regime that other countries benefit from (such as Japan and New Zealand). Importantly, regimes with higher levels of protection such as the European Union or United Kingdom may meet the standard, but others such as the United States may not.
    • Due diligence still required – While the "whitelist" will be a welcome simplification, entities will still need to be comfortable that recipients are in fact subject to those laws or schemes, and that any prescribed conditions are satisfied – and will need to monitor for any changes in business operations or foreign laws and schemes (such as exemptions) over time. Existing measures for offshoring will still apply for non-"whitelisted" countries.

    Statutory tort – individual action for serious invasions of privacy 

    “… providing people with the ability to seek redress through the courts for serious invasions of privacy without being limited to the scope of the Act.” 

    Office of the Australian Information Commissioner

     

    Individuals may bring a civil action for intrusion upon seclusion or misuse of personal information, in circumstances where:

    • the individual had a reasonable expectation of privacy
    • the invasion was intentional or reckless
    • the invasion was serious, and
    • the public interest in the plaintiff's privacy outweighs any countervailing public interest (an element added in the Senate)

    “Serious” depends on:

    • the degree of offence, distress or harm to dignity likely to be caused to a person of ordinary sensibilities in the plaintiff's position
    • whether the defendant knew or ought to have known that the actions were likely to offend, distress or harm the plaintiff's dignity
    • whether the defendant was motivated by malice (if the invasion was intentional)

    Defences to a claim:

    • consent
    • required or authorised by law or court order
    • necessary to prevent a serious threat to life, health, or safety
    • (Exemptions also apply to journalists, law enforcement, government agencies, State and Territory authorities, and persons under 18 years old.)

    Available remedies:

    • damages (capped at $478,550 for non-economic loss and exemplary or punitive damages)
    • injunction restraining the invasion
    • declaration that privacy has been seriously invaded

    Not linked to Privacy Act compliance – An action can be brought whether or not the conduct is permitted under, or subject to, the Privacy Act.

    No need to establish damage – But harm or potential harm will be an important factor in determining whether the invasion was serious.

    Significant changes to the statutory tort were introduced in the Senate, including:

    • introducing public interest considerations as an element of the cause of action – meaning the public interest in the plaintiff's privacy must be balanced against any countervailing public interest, without placing the onus on the defendant to prove the countervailing public interest. Countervailing public interests could include freedom of expression, freedom of the media, the proper administration of government, open justice, public health and safety, national security, and the prevention and detection of crime and fraud.
    • additional exemptions, including for Government agencies, State and Territory authorities and law enforcement, subject to a good faith requirement.
    • the ability to seek a determination from the court as to whether exemptions apply early in proceedings, including the “countervailing public interest” exemption – potentially avoiding lengthy trials.

    The Privacy Commissioner has expressed support for the statutory tort as a “different route” for individuals that does not rely on the complaints process (which requires significant resources from the OAIC). This gives the OAIC the opportunity to decide to leave certain matters to an individual bringing a serious invasion claim – selectively using its new powers in the Privacy Act to intervene in proceedings or assist the court as amicus curiae. 

    What it means for you

    • New avenue for class actions – The new right overcomes some challenges for plaintiffs in potential privacy and data breach class actions, but also presents new challenges. The new right may be attractive because there is no requirement to prove damage for an action to be brought. However, the high barriers to liability (both serious and intentional or reckless conduct) may be difficult to establish.
    • A new risk for employee records – While employee records are (for now) excluded from many Privacy Act obligations, the statutory tort is not limited to Privacy Act compliance. Both employee data breaches and authorised and unauthorised uses of employee information might be subject to the new tort.
    • Need to manage big risks and small – We will likely see exploratory use of the statutory tort for high-stakes litigation (including potentially activist litigation), but we may also see unresolved privacy complaints escalated to claims – potentially speculative and made by unrepresented litigants. Privacy and legal teams will need to consider how they can reduce the additional complexity and risk of managing these claims.

    Other changes of note

    Other reforms in tranche 1 include:

    • Criminal penalties for doxxing – The reforms introduce a new criminal offence for doxxing, meaning the publication or distribution of personal data about an individual in a way that is menacing or harassing. The "personal data" definition is distinct from personal information under the Privacy Act and includes information that enables the individual to be identified, contacted or located. An independent review of the anti-doxxing regime will be undertaken after 24 months (a change adopted in the Senate).
    • Emergency declarations – Similar to the eligible data breach declaration mechanism described above, the existing emergency declaration powers have been updated to allow the Attorney-General, by declaration, to permit the sharing or use of information in response to an emergency or disaster, including sharing with State or Territory authorities where a declaration has been made.
    • Changing nature of privacy – The objects of the Privacy Act have also been revised to address both the protection of the privacy of individuals and the public interest in privacy, part of a shift towards seeing privacy as a fundamental human right – a shift in perspective we will see more of in the tranche 2 reforms.

    Authors: Geoff McGrath, Partner; Leon Franklin, Director, Risk Advisory; Andrew Hilton, Expertise Counsel; Michael Turner, Executive, Risk Advisory; Thomas Suters, Graduate and Michelle Lee, Paralegal.

    When do privacy reforms commence?

    Passed on 29 November 2024, assent on 10 December 2024.

    • Enhanced regulator powers (including new search and seizure powers): applies now
    • New tiered penalties and infringement notices: applies now
    • Statutory tort for serious invasion of privacy: by 11 June 2025
    • Cyber security uplifts (reasonable security steps include technical and organisational measures): applies now
    • Emergency declarations allowing information sharing: applies now
    • New code-making powers and development of a Children's Online Privacy Code: applies now; Code to be registered by 10 December 2026
    • Transparency of automated decisions: 24 months (11 December 2026)
    • Simpler international data transfers: applies now (but requires regulations prescribing the "whitelist")
    • Anti-doxxing offences: applies now

    A generational change in privacy regulation in Australia

    We draw on Ashurst's combined legal and risk advisory expertise to help organisations keep pace with the evolving Privacy Act reforms and the actions they can take to position themselves for success.

    Learn more about privacy reform in Australia

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 18 December 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
