12 December 2024

Changes to Australian privacy laws now in force

Sophie Dawson, Emily Lau

This is just a quick update – for those who might have missed it – to let you know that some of the recent changes to Australian privacy laws have now commenced.

The Privacy and Other Legislation Amendment Bill 2024 (Cth) passed both Houses of Parliament on 29 November 2024 and received Royal Assent on 10 December 2024.

The key changes, which came into effect on 11 December 2024, are:

  1. New powers for the OAIC to issue infringement notices and compliance notices:
    1. The OAIC has a new power to issue infringement notices for breaches of specified APPs (such as failure to have a privacy policy which meets the requirements of APP 1.4) or for a non-compliant notifiable data breach statement, without having to engage in protracted litigation, allowing it to resolve matters more efficiently. Infringement notices for each contravention of any of these provisions can be for up to $19,800 for a body corporate (other than a publicly listed corporation) and $66,000 for a publicly listed company.
    2. The OAIC may also give an entity a compliance notice if the OAIC reasonably believes that the entity has contravened any of the provisions for which infringement notices can be issued. The pecuniary penalty for a failure to comply with a compliance notice is $330,000 for a body corporate.
  2. Civil penalties:
    1. The existing maximum civil penalty for serious interference with privacy (the greater of $50 million; three times the value of the benefit obtained from the conduct; or, if the benefit cannot be determined, 30 per cent of adjusted turnover) is unchanged, but the Privacy Act now refers to a serious interference with privacy (instead of a serious or repeated interference with privacy) and clarifies what conduct constitutes a “serious interference with privacy”.
    2. New civil penalty for interferences with privacy that are not a serious interference, being a maximum of $3.3 million for a body corporate.
    3. New civil penalty for a contravention of any of the specified APPs or a non-compliant notifiable data breach statement, being a maximum of $330,000 for a body corporate.
  3. New powers to ‘whitelist’ overseas jurisdictions for the purposes of overseas disclosure of personal information: The Governor-General is now able to prescribe countries and binding schemes as providing substantially similar protection to the APPs and having mechanisms that the individual can access to enforce those protections. However, at this stage no ‘whitelist’ exists.
  4. Information security obligations clarified: A new APP 11.3 clarifies that entities’ pre-existing obligations under APP 11.1 (to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure) and under APP 11.2 (to destroy or de-identify personal information that the entity no longer needs for any purpose for which the information may be used or disclosed and is not legally required to retain) include taking technical and organisational measures.
  5. A new regime under which, in the wake of a notifiable data breach, a Minister can permit by way of declaration certain collections, uses and disclosures of personal information (that would otherwise breach privacy laws, duties of confidence or some statutory secrecy provisions) where the Minister is satisfied that the declaration is necessary to prevent or reduce the risk of harm to individuals affected by the data breach.

Other key changes that will come into effect later are the requirements to include specific information in the entity’s privacy policy about automated decision making (scheduled to commence on 10 December 2026) and the new cause of action in tort for serious invasions of privacy (commencement date to be confirmed by a proclamation but no later than 10 June 2025).