In Short
- The reforms to Australia’s Privacy Act impact how businesses handle personal data.
- Companies must update privacy policies and practices to comply with new regulations.
- Increased penalties for non-compliance highlight the importance of staying informed and proactive.
Tips for Businesses
Review and update your privacy policies to align with the reforms. Ensure all staff are trained on the new data handling procedures. Regularly audit your data practices to identify gaps, and consider seeking legal advice to avoid potential penalties. Staying informed is essential for compliance.
Australian privacy law has undergone major changes to bring it into the digital age, give businesses greater clarity, improve transparency and individual rights, and strengthen enforcement. These reforms are the first tranche of amendments to the Privacy Act 1988 (Cth) responding to the recommendations of the Attorney-General’s Department’s Privacy Act Review Report 2022.
The amending legislation received Royal Assent on 10 December 2024, and most of the changes commenced on that date; a small number (including the statutory tort for serious invasions of privacy and the automated decision-making transparency requirements) commence later, as noted below. It is essential that your business understands the changes and complies as required. This article explains the changes, how they affect your business, and what actions you should take.
What are the Privacy Changes?
The following summarises six key reforms:
1. Changes to Civil Penalties
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduces a tiered penalty regime for privacy breaches. The existing penalty for a “serious” interference with privacy remains, and the Act clarifies the factors relevant to whether an interference is serious. It adds a new mid-tier civil penalty for interferences with privacy that do not reach the “serious” threshold (up to 2,000 penalty units for individuals and 10,000 for companies, currently $660,000 and $3.3 million respectively), and a low-tier penalty for specific administrative breaches. For example, not having a compliant privacy policy could result in a penalty of up to $66,000 for individuals or $330,000 for companies. The Information Commissioner can also issue infringement notices (effectively on-the-spot fines) for these low-tier breaches, so ensuring your privacy documents are compliant and current is essential.
2. Children’s Online Privacy Code (COP Code)
A Children’s Online Privacy Code responds to calls for greater protection of children online. The Australian Information Commissioner must develop and register the code within 24 months of the Act commencing. The code will apply to online services that are likely to be accessed by children (anyone under 18), such as social media platforms, apps, and websites that children commonly use. It will set out how these services must handle children’s personal information to comply with the Australian Privacy Principles. For example, it might require child-friendly privacy notices or stricter rules about collecting children’s data.
3. Automated Decision Making
The Privacy Act will require increased transparency around automated decision-making, with these provisions commencing 24 months after Royal Assent (10 December 2026). For the many businesses embracing AI in day-to-day operations, this is an important change to prepare for. If an organisation uses computer programs to make, or substantially assist in making, decisions that could reasonably be expected to significantly affect someone’s rights or interests, it must explain this in its privacy policy. The explanation must cover the kinds of personal information these systems use, the types of decisions they make, and whether the program makes the decision itself or only assists a human decision-maker. The goal is to help people understand when and how automated systems use their personal information to make decisions about them.
4. Legal Action For Serious Invasions of Privacy
Individuals can sue for serious invasions of privacy under a new statutory tort, which commenced on 10 June 2025. It covers two types of invasion: intrusion upon seclusion (for example, spying on or surveilling someone) and misuse of private information. To make a claim, a person must show that:
- their privacy was invaded;
- they had a reasonable expectation of privacy;
- the invasion was intentional or reckless;
- the invasion was serious; and
- protecting their privacy outweighs any public interest in the invasion.
If successful, an individual could seek compensation or an injunction to stop the invasive behaviour. Businesses have some defences available, such as if the action was legally required or done with consent.
This new right aims to give people more control over their privacy and a way to seek justice if their privacy is seriously violated.
5. Overseas Disclosure
International data sharing is now more straightforward. Regulations can prescribe a list of countries and binding privacy schemes whose protections are considered substantially similar to Australia’s. Disclosing personal information to a recipient in a prescribed country or scheme satisfies the overseas disclosure requirement in the Australian Privacy Principles, so organisations no longer need to assess for themselves whether that recipient is subject to sufficient privacy protections. Disclosures to recipients outside the list remain subject to the existing rules. The goal is to make international data sharing simpler and safer while still protecting people’s privacy.
6. Criminal Offence for Doxxing
The malicious exposure of an individual’s personal data online, known as ‘doxxing’, is now a criminal offence under the Commonwealth Criminal Code. It is an offence to use a carriage service (such as the internet or a phone service) to make available, publish or distribute a person’s personal data (such as their address, phone number, or photo) in a way that a reasonable person would regard as menacing or harassing, with a maximum penalty of six years’ imprisonment. An aggravated offence carrying a maximum of seven years applies where the conduct targets a person or group because of a protected attribute such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin. These offences aim to protect people from the serious harms that can follow exposure of their private information online, such as harassment, stalking, or threats to their safety.
What Does This Mean for My Business?
To ensure you comply, we recommend you:
- audit your data and privacy processes:
  - undertake an audit of your information collection processes, checking how your business collects, stores, uses, discloses, and monitors personal information;
  - identify any obvious gaps in your processes and implement policies and procedures to fill them;
  - check how compliant you are with your existing privacy obligations; and
  - ensure your employees understand the correct procedures and implement training if required.
- check your privacy toolbox for currency and compliance, ensuring you have:
  - a privacy collection notice;
  - a privacy policy;
  - a data breach response plan;
  - a privacy compliance handbook; and
  - annual staff training.
Key Takeaways
The new privacy reforms impose more substantial penalties for breaches, including fines of up to $330,000 for companies for administrative breaches such as having no compliant privacy policy, and higher penalties for other interferences with privacy. A new Children’s Online Privacy Code will enhance protections for minors, and businesses will have to disclose in their privacy policies how automated decision-making affects individuals. Individuals can sue for serious invasions of privacy, and doxxing is a criminal offence. Businesses should audit their data processes, update privacy documentation, and train staff as soon as possible.
If you need help understanding the Privacy Act reforms, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today at 1300 544 755 or visit our membership page.
Frequently Asked Questions
What are the key changes in the Privacy Act reforms?
The reforms introduce stronger penalties for privacy breaches, create a new Children’s Online Privacy Code, and require businesses to be transparent about automated decision-making. They also create a statutory tort for serious invasions of privacy, criminalise doxxing, and simplify international data sharing.
What should my business do to comply?
Businesses should audit their data collection and privacy processes, update privacy documents, and train staff on compliance. These actions will help meet the new requirements and avoid penalties.