New Privacy Law Reforms in effect: what you need to know
Posted on February 11, 2025
The Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), passed on 28 November 2024, introduces several significant changes to the Privacy Act 1988 (Cth) (Privacy Act). Some changes became effective on 10 December 2024, whilst others are due to come into effect over the next two years.
The major change is the creation of a new statutory cause of action whereby individuals can take legal action against organisations or individuals where there has been a serious invasion of privacy through misuse of personal information. The effective date of this change will be announced prior to 10 June 2025.
The new criminal offence of ‘doxing’ has also been created. Doxing involves sharing someone’s personal information ‘with intent to harm’. The penalties for doxing include up to 7 years’ imprisonment. However, this is subject to independent review which is yet to commence. Once commenced, the independent review board will produce a report within 6 months.
The following amendments are effective from 11 December 2024:
- Overseas Dataflows: Ministerial powers have been increased to enable the creation of a ‘whitelist’ of overseas countries that have similar privacy laws to Australia, which will assist entities disclosing personal information overseas. No whitelist has been published as yet.
- Clarification of Reasonable steps: The Amendment Act clarifies that taking reasonable steps to protect personal information requires an organisation to implement technical and organisational measures.
- New OAIC Powers: The Office of the Australian Information Commissioner (OAIC) now has the power to issue infringement notices and compliance notices. Failure to comply with these notices can result in civil penalties being imposed.
Coming into effect from 10 December 2026:
- New Children’s Online Privacy Code which is currently being developed; and
- Disclosure of automated decision-making processes: A new compliance measure requires businesses to update their privacy policies to disclose when they use automated decision-making processes (including AI) in the assessment of cyber threats.
Key takeaways
These reforms are the first of many to come in Australia’s privacy protection landscape. As the world moves towards widespread adoption of AI and collection of personal data, it is now more important than ever for businesses to ensure that their privacy policies and procedures are compliant, so as to avoid the significant penalties that will no doubt be imposed on organisations that fail to observe the updated reforms and cause loss to individuals through data breaches and misuse of personal information.