April 2, 2025

Alert: reforms to the Privacy Act

On 29 November 2024, the Federal Parliament passed the Privacy and Other Legislation Amendment Act 2024 (Cth), thereby making a series of amendments to the Privacy Act 1988 (Cth) and seven other statutes, including the Criminal Code Act 1995 (Cth), which was amended to create the new offence of doxxing. These amendments affect the way that businesses and the Commonwealth manage, collect, and protect the personal information they collect. Many of these amendments have already taken effect, while others will enter into force within the next two years.

What you need to know

  • The reforms to the Privacy Act – stronger protections for the personal information of individuals, and stronger enforcement mechanisms for breaches of the Privacy Act – are largely based on the recommendations set out in the Privacy Act Review Report 2022, which was prepared by the Commonwealth Attorney-General’s Department, and published on 16 February 2023. 
  • Most significantly, the Privacy Act has been amended to deal more comprehensively with:
    • Children’s online privacy: the Office of the Australian Information Commissioner will create the ‘Children’s Online Privacy Code,’ concerning online privacy for children, which will specify how online services accessed by children must comply with the Australian Privacy Principles.
    • Technical and operational measures to prevent data breaches: organisations that store personal information are now required to have adequate technical and organisational infrastructure in place to protect against data breach.
    • Automated decision-making: where an organisation uses personal information as an input to automated decision-making systems, the organisation must make this clear in its privacy policy. 
  • Some of the changes deal directly with the enforcement and penalty regimes surrounding infringement of privacy and the enforcement of the Privacy Act:
    • Statutory tort for serious invasions of privacy: the amendments introduce a claim that individuals can make to seek damages from people who invade their privacy or misuse information relating to them.
    • Doxxing offences: publishing personal information for a malicious purpose now carries a criminal penalty.
  • Conversely, some amendments alleviate the regulatory burden associated with using or transferring personal information in certain circumstances:
    • Overseas data flows: the Government will maintain a list of countries with similar laws governing the management of personal information. Regulations for data transfers between Australia and these countries will be eased, allowing for easier and quicker flows of information.
    • Eligible data breach declarations: the amendments grant the Minister the power to make an ‘eligible data breach declaration,’ allowing the Privacy Act to be bypassed to prevent or reduce the risk of harm.

What you need to do

  • If your organisation deals with children’s personal information, ensure that you stay informed on the development of the Children’s Online Privacy Code.
  • Consider reviewing your organisation’s data security technical infrastructure, as well as the governance structures you have in place to prevent and appropriately manage the risk of any data breaches.
  • If applicable, ensure your organisation’s privacy policy makes clear the manner in which your organisation uses personal information to inform automated decision-making processes.
  • If your organisation regularly carries out overseas data flows, ensure you are aware of updates to the list of countries with similar information protection regimes.
  • Visit the website of the Office of the Australian Information Commissioner, which is regularly updated with information on all of these matters.

Detailed Insights

Children's privacy online

The amendments require the creation of a ‘Children’s Online Privacy Code,’ which will adapt the existing privacy law to specifically address the handling of children’s personal information online.

The Code will apply to organisations dealing with children’s personal information that provide a social media service, relevant electronic service, or designated information service where that service is likely to be accessed by children. The Code will not apply if the organisation provides a health service.

Though the specifics of the Code have not yet been made public, organisations that will be impacted should stay alert to new developments relating to the privacy and personal information of children.

Technical and operational measures to prevent data breaches

The Privacy Act requires that entities which store personal information must take reasonable steps to protect that information from misuse, interference, loss and from unauthorised access, modification, or disclosure.

These reasonable steps must include technical and organisational measures. If your organisation handles personal information, it is crucial that such measures have been deployed to protect that information.

Technical measures can include:

  • Employing sufficiently secure data storage and management software.
  • Ensuring access to personal information is monitored and only granted when necessary.
  • Employing sophisticated technologies to prevent malicious actors from accessing systems that store personal information.

Organisational measures can include:

  • Regularly reviewing your organisation’s data management practices and infrastructure.
  • Building strong chains of communication, with appropriate oversight, between the staff who monitor databases, ICT professionals, and senior leadership.
  • Ensuring that your organisation is staffed with qualified ICT professionals who are available to respond immediately to data breaches or other similar incidents.

Automated decision-making

From 10 December 2026, an organisation’s privacy policy must acknowledge and disclose certain information if the organisation uses a person’s information as an input to automated decision-making concerning that person’s rights or interests.

Strongly consider revising your organisation’s privacy policy if your organisation uses or is considering using an automatic decision-making system which bases its decisions, wholly or partly, on personal information.

Statutory tort for serious invasions of privacy

The statutory tort for serious invasions of privacy will come into effect within 6 months of 10 December 2024. 

This will enable individuals to make a claim for damages where they believe their privacy has been seriously invaded. A serious invasion can constitute:

  • Physically intruding into a person’s private space.
  • Watching, listening to, or recording a person's private activities or affairs.
  • Misusing personal information relating to a person.

For the claim of serious invasion of privacy to be successful, the actions of the accused person must amount to a serious, reckless, or intentional invasion of privacy. 

Where an individual is found to have committed a serious invasion of another’s privacy, they may be required to pay damages to the victim. Courts can also make orders to require an individual to take (or cease taking) certain actions.

Doxxing to be a crime

On 11 December 2024, doxxing – a term used to describe intentional publishing of another individual’s personal information for the purpose of menacing or harassing that individual – was made a criminal offence under the Criminal Code Act 1995 (Cth).

Doxxing an individual can incur a criminal penalty of up to 6 years’ imprisonment. Doxxing an individual because of that individual's race, gender or membership in some other group can result in a criminal penalty of up to 7 years’ imprisonment being applied.

Overseas data flows

In an effort to make cross-border transfers of personal information less onerous, the Government will maintain a list of countries to whom Australian entities can transfer personal information without going through the processes currently required by the Privacy Act when transferring information to other countries.

These countries must have regulations regarding the management and collection of personal information that are similar to Australia’s own. So far, the Government has not published a list of countries. 

It is likely that the list will include a number of EU countries, as many of the amendments to the Privacy Act were modelled on EU privacy legislation (the General Data Protection Regulation). Organisations engaging in high-volume international data transfers may benefit from regularly monitoring the Government’s whitelist once it is published.

Eligible data breach declarations

The amendments to the Privacy Act empower the Minister to take or authorise action that would otherwise be prohibited by the Privacy Act. This can only be done where doing so would prevent serious harm from occurring. 

For example, where a data breach has occurred resulting in banking information being maliciously accessed, the Minister may make a declaration allowing a bank to divulge certain personal information to law enforcement.

Further Information

The action you and your organisation should take in respect of these changes will depend on the kind of personal information you deal with and the manner in which you deal with it.

Aldermane will follow developments in the Privacy Act and monitor wider changes to Australian privacy law that occur as part of the Government’s drive to regulate the collection and management of personal information more tightly.

If you have any questions or would like specific advice on the amendments to the Privacy Act and how they might affect your organisation’s activities, we would be pleased to hear from you.

Authors:

Rory Alexander, Managing Partner

Veer Shrivastava, Graduate
