Australian Government announces fast-track of doxxing reforms

Articles Written by Sophie Dawson (Partner), Jennifer Dean (Partner), Emily Lau (Senior Associate)
image of camera lens

The Australian Government has announced it will bring forward legislation to prohibit doxxing and amend the Privacy Act 1988 (Cth) (Privacy Act) in August 2024. News of the change in timing came in a joint media release, ‘Tackling online harms’, and speech by the Attorney-General, The Hon Mark Dreyfus KC MP. The Government has not made it clear whether the legislation will be introduced or passed in August 2024 or what will be included in the legislation, but based on a recent consultation process, it could include:

  • a statutory tort;
  • new rights to access, object, erase, correct and de-index personal information;
  • a criminal offence for malicious re-identification of de-identified information; or
  • a combination of the above.

What is doxxing?

Doxxing is when a person intentionally discloses an individual’s personal information online without their consent. The media release has referred to doxxing as the release of private information online with an “intent to cause harm”. Doxxing can put individuals in danger of multiple harms such as reputational damage and distress and can be associated with identity theft and cyberstalking.

Examples of doxxing given by the Government include:

  • identification of someone who has used a pseudonym;
  • disclosure of contact or location information about an individual; and
  • revelation of information which de-legitimises someone (such as private medical, legal or financial records, or personal messages and photos usually kept out of view).

What is the background to the announcement?

This announcement follows a consultation run by the Attorney-General’s Department in March 2024 (Doxxing Consultation) on how to address doxxing through civil remedies, including the Privacy Act. The Doxxing Consultation sought responses as to whether:

  • existing measures sufficiently address doxxing;
  • a proposed statutory tort for serious invasions of privacy would improve options for individual victims; and
  • there are any other options (legislative or non-legislative) in responding to doxxing.[1]

When introducing the Doxxing Consultation, the Attorney-General’s Department stated that the proposed privacy protections in response to the Privacy Act Review that could be used to address doxxing include:

  • a new statutory tort for serious invasions of privacy such that individuals could take court action for doxxing; and
  • more control and transparency over personal information, such as enhanced or new individual rights to access, object, erase, correct, and de-index personal information.

The Doxxing Consultation comes in the context of a broader review of the Privacy Act, which has been the subject of consultation since 2020 and for which the Australian Government published its response to the report in September 2023.[2]

The idea of a tort for serious invasions of privacy has been heavily contested. For example, media organisations have submitted in the Privacy Act Review consultations that there is no need for such a tort as existing measures including relevant obligations and restrictions are sufficient. Existing measures include obligations under the broadcasting codes of practice and press council standards, and a large number of statutory restrictions on publication.

Current state of play

Currently, the Australian Privacy Principles in the Privacy Act do not apply to the collection, use or disclosure of personal information, or personal information held by an individual, only for their personal affairs,[3] or to acts by persons who are not “APP entities” (as defined in the Privacy Act). This means that individuals have no recourse under the Privacy Act if they are a victim of doxxing by a non-APP entity. The measures to be proposed by the Government will presumably change this position.

There are some existing protections in place. The Online Safety Act 2021 (Cth) (Online Safety Act) aims to protect individuals from illegal or harmful online content or behaviour. For example, individuals who are victim to doxxing can make complaints under the Adult Cyber Abuse Scheme operated by eSafety under the Online Safety Act. Specifically, a complaint can be made if an individual has first reported the cyber abuse to the relevant online service provider and circumstances exist such that a reasonable person would conclude that:

  • the doxxing conduct is intended to cause serious harm to a particular Australian adult; and
  • the material is menacing, harassing or offensive.

If satisfied of these matters, the e-Safety Commissioner can issue a notice to a relevant service provider requiring that the material be taken down within 24 hours. Similar remedies are available in respect of non-consensual sharing of intimate images and in respect of cyber abuse directed at children.[4]

What the reforms may look like

The announcement does not provide any details as to what the legislation to prohibit doxxing may include. 

The proposal that is most relevant to doxxing (and which has been agreed in the Government’s Response to the Privacy Act Review) is the introduction of a criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit, subject to appropriate exceptions. The introduction of such criminal offence appears to be one of the simplest options available to the Government in this area, in that it is targeted and specific (though issues in relation to its construction and breadth would still arise).

Other potential reforms highlighted in the Doxxing Consultation and the Privacy Act Review (such as the right to request search engines to de-index particular online search results and right to erasure of personal information) may also be included in the draft legislation.

Based on the topics of discussion in the Doxxing Consultation, a proposed statutory tort for serious invasions of privacy may be one of the measures being considered. In particular, the Office of the Australian Information Commissioner’s submission in response to the Doxxing Consultation stated that the proposed statutory tort for serious invasions of privacy would mean that individuals could obtain compensation and other remedies through the courts for some serious instances of doxxing under the ‘misuse of private information’ limb of the tort, where the balancing of other interests such as freedom of expression and public interest in media reporting does not result in a finding for the respondent.[5] The Law Council of Australia argued that any regulatory framework designed to address doxxing needs to carefully balance addressing harm to individuals by illegitimate doxxing behaviours and protecting public interest journalism which may necessitate the publication of some private information.[6]

Any cause of action would have broader ramifications for internet publication, the media and the public more generally and we expect that this proposal will continue to be heavily debated.

Constitutional considerations will also come into play. In Australia, there is an implied constitutional freedom of expression in relation to government and political matters which will be relevant to construing the legislation (potentially narrowly[7]) and could be used by defendants to argue the legislation is invalid. Where it applies, it is necessary to take this into account in order to construe laws as there is a presumption that each law was intended to be constitutionally valid and to be construed accordingly. The success of such challenges will turn on three questions.

  1. First, whether the law effectively burdens the freedom in its terms, operation and effect. That part is likely to be satisfied here as the laws affect what can lawfully be said, including in relation to government and political matters.
  2. Second, whether the purpose of the law and the means adopted to achieve that purpose are legitimate, in the sense that they are compatible with the maintenance of the constitutionally prescribed system of representative government (referred to as compatibility testing).
  3. Third, whether the law is reasonably appropriate and adapted to advance that legitimate object. Thus, it is very important for the Government to take a measured approach.

Given that the Doxxing Consultation invited participants to provide other options to address doxxing, the legislation could include other remedies. For example, the Law Council of Australia, in its submission, argued that an individual victim seeking an apology, or a takedown, would be more feasible than seeking damages or compensation. There are existing takedown provisions in the Online Safety Act which will apply in some circumstances (as described above).[8]

The extent of the e-Safety Commissioner’s powers to make takedown orders with global effect is currently being tested in Federal Court Proceedings in which X has challenged a removal notice given by the e-Safety Commissioner to X in respect of footage of a stabbing at Wakely in Sydney which the e-Safety Commissioner contends is Class 1 material (material which has been, or is likely to be, refused classification).

The balance to be struck will not be clear until the exposure draft provisions are released.

We will provide a further update when the Attorney-General’s Department engages in further consultation and/or releases draft legislation.

[1] The Law Council of Australia listed the questions in this letter, ‘Doxxing and privacy reforms’ (10 April 2024.

[3] Section 16.

[5]Statutory tort for serious invasions of privacy’ section of ‘The Office of the Australian Information Commissioner’s (OAIC) submission to the Australian Government’s consultation on doxing and privacy reform’.

[6] The Law Council of Australia listed the questions in this letter, ‘Doxxing and privacy reforms’ (10 April 2024.

[7] As occurred in Monis v The Queen [2013] HCA 4, where the term “offensive” was construed narrowly.

[8] Online Safety Act 2021 (Cth), section 7.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).

Related insights Read more insight

JWS deepens TMT capability with appointment of Sophie Dawson

Leading independent Australian law firm Johnson Winter Slattery has appointed Sophie Dawson as Partner in its IP & Technology team. Sophie will be based in the firm’s Sydney office and joins JWS...

Digital Bytes – cyber, privacy & data update

2024 is off to brisk start in the cyber, privacy and data space – regulatory developments in cyber security and artificial intelligence (AI) continue at pace.

Payment times reports due 31 March 2024

An increase in enforcement action by the Regulator under the Payment Times Reporting Act 2020 (Cth) (PTR Act) has been happening over the last 12 months. Companies covered as reporting entities...