On 29 November 2024, the Federal Parliament passed the Privacy and Other Legislation Amendment Act 2024 (Cth), making a series of amendments to the Privacy Act 1988 (Cth) and seven other statutes, including the Criminal Code 1995 (Cth), to which it added the new crime of doxxing. These amendments affect the way that businesses and the Commonwealth collect, manage, and protect personal information. Many of these amendments have already taken effect, while others will enter into force within the next two years.
The amendments require the creation of a ‘Children’s Online Privacy Code,’ which will adapt the existing privacy law to specifically address the handling of children’s personal information online.
The Code will apply to organisations dealing with children’s personal information that provide a social media service, relevant electronic service, or designated information service where that service is likely to be accessed by children. The Code will not apply if the organisation provides a health service.
Though the specifics of the Code have not yet been made public, organisations that will be impacted should stay alert to new developments relating to the privacy and personal information of children.
The Privacy Act requires entities that store personal information to take reasonable steps to protect that information from misuse, interference and loss, and from unauthorised access, modification, or disclosure.
These reasonable steps must include technical and organisational measures. If your organisation handles personal information, it is crucial that such measures have been deployed to protect that information.
Technical measures can include:
Organisational measures can include:
From 10 December 2026, an organisation’s privacy policy must acknowledge and disclose certain information if the organisation uses a person’s information as an input to automated decision-making concerning that person’s rights or interests.
Strongly consider revising your organisation’s privacy policy if your organisation uses, or is considering using, an automated decision-making system which bases its decisions, wholly or partly, on personal information.
The statutory tort for serious invasions of privacy will come into effect within 6 months of 10 December 2024.
This will enable individuals to make a claim for damages where they believe their privacy has been seriously invaded. A serious invasion can constitute:
For the claim of serious invasion of privacy to be successful, the actions of the accused person must amount to a serious, reckless, or intentional invasion of privacy.
Where an individual is found to have committed a serious invasion of another’s privacy, they may be required to pay damages to the victim. Courts can also make orders to require an individual to take (or cease taking) certain actions.
On 11 December 2024, doxxing – a term used to describe intentional publishing of another individual’s personal information for the purpose of menacing or harassing that individual – was made a criminal offence under the Criminal Code Act 1995 (Cth).
Doxxing an individual can incur a criminal penalty of up to 6 years’ imprisonment. Doxxing an individual because of that individual’s race, gender or membership in some other group can result in a criminal penalty of up to 7 years’ imprisonment.
In an effort to make cross-border transfers of personal information less onerous, the Government will maintain a list of countries to which Australian entities can transfer personal information without going through the processes currently required by the Privacy Act when transferring information to other countries.
These countries must have regulations regarding the management and collection of personal information that are similar to Australia’s own. So far, the Government has not published a list of countries.
It is likely that the list will include a number of EU countries, as many of the amendments to the Privacy Act were modelled on EU privacy legislation (the General Data Protection Regulation). Organisations engaging in high-volume international data transfers may benefit from regularly monitoring the Government’s whitelist once it is published.
The amendments to the Privacy Act empower the Minister to take or authorise action that would otherwise be prohibited by the Privacy Act. This can only be done where doing so would prevent serious harm from occurring.
For example, where a data breach has occurred resulting in banking information being maliciously accessed, the Minister may make a declaration allowing a bank to divulge certain personal information to law enforcement.
The action you and your organisation should take in respect of these changes will depend on the kind of personal information you deal with and the manner in which you deal with it.
Aldermane will follow developments in the Privacy Act and monitor wider changes to Australian privacy law that occur as part of the Government’s drive to regulate the collection and management of personal information more tightly.
If you have any questions or would like specific advice on the amendments to the Privacy Act and how they might affect your organisation’s activities, we would be pleased to hear from you.
Authors:
Rory Alexander, Managing Partner
Veer Shrivastava, Graduate