Changes to Australian privacy legislation have been passed by the Australian parliament in a move that marks a significant, if modest, milestone in Australia’s progress towards privacy laws fit for the digital age.
After an extensive four-year review process, the amended Privacy and Other Legislation Amendment Bill 2024 (Cth) (POLA Bill) was passed on 29 November 2024 and represents the first tranche of amendments to the Privacy Act 1988 (Cth) arising from the Privacy Act review.
The legislation, which was first introduced to Australia’s parliament in September, is aimed at enhancing privacy rights and ensuring greater accountability in data handling practices. While the Australian privacy principles (APPs) remain largely intact, specific amendments to three of the APPs – one, eight, and 11 – together with the strengthened enforcement regime, require entities to take steps to be able to demonstrate their compliance.
The amendments will mostly take effect once the POLA Act receives Royal Assent, although it is not yet clear when this will be.
The following additional amendments were included in the final version of the POLA Bill, largely in response to the recommendations of the Senate Legal and Constitutional Affairs Legislation Committee.
Enforcement:
- Power to issue compliance notices: in addition to the new power to issue infringement notices, the commissioner and Office of the Australian Information Commissioner (OAIC) officers will also have the power to instead issue discretionary compliance notices in the form prescribed to remedy alleged breaches of one or more of the provisions in section 13K of the Privacy Act;
- Entities can be asked to produce evidence of compliance before an infringement notice is issued, and they can apply to the Federal Court for a review of the compliance notice;
- Failure to comply with a compliance notice will be subject to a penalty of up to 200 penalty units.
Children’s Online Privacy Code:
- Extended consultation period: the minimum consultation period for the Children's Online Privacy Code was extended from 40 to 60 days.
- Consultation requirement: the addition of relevant ‘industry bodies’ as entities that the commissioner is able to consult with when developing the Code.
Doxxing offences:
- Doxxing review: an independent review of the operation of the doxxing offences must be undertaken 24 months after they come into effect and the report must be reviewed by the minister and tabled in parliament.
Statutory tort:
- Application of exemptions, including new public interest considerations: courts may now determine at any time, either on application or on their own motion, whether any of the exemptions listed in Part 3 of what will be the new Schedule 2 of the Privacy Act applies to the invasion of privacy. A new element for the cause of action has also been added, which requires that the public interest in the plaintiff’s privacy must outweigh any ‘countervailing’ public interest. There is a non-exhaustive list of these, including freedom of expression, freedom of the media, open justice, public health and safety and national security;
- Media exclusion: the exclusion of media organisations accessing personal information during declared emergencies was extended to also apply to national broadcasters like the ABC and SBS;
- Injunctive powers: the amendments clarify that the power conferred on a court to issue an injunction in relation to the statutory tort is not limited to an 'interim' injunction;
- Journalism exemption: the amendments clarify that the journalism exemption also extends to a person involved in the publication or distribution of journalistic material prepared for publication by a journalist and to persons engaging with or assisting journalists;
- Definition of journalistic material: the concept of 'journalistic material' for the purposes of the tort includes 'editorial' material relating to news, current affairs or a documentary;
- New exemption for government agencies and law enforcement bodies: a new exemption has been added for state and territory authorities and law enforcement bodies with certain conditions to be met to qualify.
Our view:
While it appears that the OAIC will continue to face inadequate funding, the privacy commissioner, Carly Kind, has signified her intention to take a proactive enforcement approach and use all the regulatory powers and tools available to her to issue guidance, work with entities and take action where breaches occur. She has recently released a range of guidance and determinations on topics such as artificial intelligence, facial recognition technology, the use of third-party pixels, and data scraping. In addition, individuals will now have a direct right to bring court action if they believe entities have seriously invaded their privacy.
Therefore, it is important that entities take proactive steps of the kind we previously outlined to ensure compliance with the fundamental requirements of the APPs, take all reasonable measures to protect personal information, and be ready to deal with infringement activity, as well as consider where any data processing activities could put them at risk of a compliance or infringement notice or even a claim for a serious invasion of privacy.
While the passage of the POLA Act marks a significant step forward, there is still more work to be done to achieve the privacy reforms needed for business, government, and the community – which are also important to support other regulatory frameworks, such as the Digital Identity Act 2024 (Cth), which will commence on 1 December 2024, and the insertion of the social media minimum age in the Online Safety Act 2021 (Cth).
The Attorney-General’s Department has indicated it plans to begin consulting in December 2024 on the second tranche of privacy reforms, to which the government has agreed or agreed in principle. With an election looming, the timing and content of the next phase of the reforms remain to be seen.