Privacy Act Reforms: How to Elevate Trust and Protect Your Business

Privacy Act Reforms

Australia is implementing significant reforms to its Privacy Act 1988 (the Privacy Act), driven by concerns over data security following high profile breaches at Medibank, Optus, Latitude, and HWL Ebsworth. These incidents exposed the personal information of millions of Australians, including sensitive health records, identification documents, and financial details. The breaches underscored the urgent need for stronger privacy protections and corporate accountability.

The Privacy and Other Legislation Amendment Act 2024 (the Amendment Act) was passed on 29 November 2024 and received Royal Assent on 10 December 2024, reinforcing the government’s commitment to strengthening privacy protections. While the reforms impact all businesses already subject to the Privacy Act, some proposed changes, such as the removal of the employee records exemption and the small business exemption, did not proceed. However, the government has indicated that further privacy reforms may be introduced in the future.

Key Changes

  • Expanded Enforcement Powers for the OAIC

The OAIC now has greater authority to investigate and penalise organisations that mishandle personal data. The maximum penalty for serious breaches is now $50 million, three times the benefit gained, or 30% of adjusted turnover, whichever is greater. The expanded enforcement powers came into effect on 10 December 2024.

  • Introduction of a Privacy Tort (Right to Sue for Serious Invasion of Privacy)

Individuals can now sue for serious invasions of privacy, increasing litigation risk for businesses, including the potential for class-action lawsuits against companies over privacy breaches. Effective date: 10 June 2025.

  • Automated Decision Making (ADM) Transparency Requirements

Organisations using AI, algorithms, or automated decision-making systems must:

  • (a) Disclose how personal data is used in ADM.
  • (b) Provide individuals with explanations of significant decisions made via ADM mechanisms.

Effective from: 10 December 2026 (2-year grace period).

  • Strengthened Obligations for Handling Personal Data

Businesses must update privacy policies and security frameworks to meet stricter data protection requirements. Additional obligations for organisations regarding data retention, access requests, and security measures. Given the Amendment Act received Royal Assent on 10 December 2024, businesses should have already initiated the necessary updates to align with these strengthened obligations.

Interpretation Challenges & Compliance Insights

  • What constitutes ADM? – under the Amendment Act, ADM refers to decisions made solely through automated processes, without human involvement, that significantly impact individuals. The Amendment Act introduces stricter rules for ADM, ensuring transparency, fairness, and accountability, and gives individuals the right to contest such decisions, especially in sensitive areas like credit and employment.
  • Extent and Timing of ADM Disclosures – the Amendment Act requires that individuals be informed about the use of ADM processes at the time their personal data is collected. Disclosures must include details on how ADM is used, its purpose, and the potential consequences for the individual, ensuring transparency and fairness in decision making.
  • Serious Invasion of Privacy – the Amendment Act introduces a statutory tort for serious invasion of privacy, covering:
    • (a) Intrusion upon seclusion – unauthorised access to personal affairs or private spaces.
    • (b) Misuse of private information – unauthorised use or disclosure of confidential data.
    To succeed in a claim, the invasion must be intentional or reckless, involve a reasonable expectation of privacy, and be serious in nature.
  • OAIC’s Investigative Powers – the Amendment Act enhances the OAIC’s investigative powers, providing it with new tools such as entry, search, and seizure authority, the ability to conduct public inquiries, and the power to compel the production of documents. It also introduces a tiered penalty framework, allowing the OAIC to issue compliance notices and enforce civil penalties for privacy breaches, ensuring stronger protection of personal information.
  • Further Privacy Reforms – apart from the Amendment Act, the Government is planning further privacy reforms, including the Online Safety Amendment (Social Media Minimum Age) Act 2024, which restricts access to social media for individuals under 16 and requires platforms to implement age verification measures. These changes aim to strengthen privacy protections and safeguard users, particularly minors, online.

Top 5 Actions Businesses Should Take Now

  • Review and Update Privacy Policies – ensure policies align with new ADM transparency and serious invasion of privacy requirements.
  • Strengthen Data Security – implement robust security measures to reduce litigation and regulatory risk.
  • Conduct a Privacy Impact Assessment – evaluate how your organisation uses automated decision making and personal data.
  • Train Employees on New Privacy Obligations – ensure staff understand their role in preventing breaches.
  • Review and stress test your Information Security Framework – assess how you could prevent a serious data breach involving personal data and/or sensitive information.

Why this matters

These reforms are not just about compliance; they are about building trust with your customers. Data privacy is becoming a competitive advantage, and businesses that prioritise it will strengthen relationships and avoid costly penalties.

Now is the time to assess your privacy practices and ensure you are meeting your compliance obligations. If you need help navigating the new regulations, we are here to support you.

Need expert guidance? Get in touch with PFS today to discuss how these changes impact your business. Ask for Madeleine Mattera, Jane Byrne, Daniel Frank, or Shara Reid for tailored support.
