The Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act) marks the most significant reform to Australia’s privacy laws in over a decade. Receiving Royal Assent on 10 December 2024, this legislation introduces a range of new obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), with significant implications for Australian businesses.
The Amendment Act strengthens privacy protections in Australia, with a focus on enhancing data security, expanding regulatory powers, and introducing new avenues for individuals to seek legal recourse for breaches of their privacy.
As the amended legislation imposes stricter data security requirements and broader enforcement options, businesses must exercise greater care in collecting, storing and managing personal information or face a heightened risk of penalties, civil claims and regulatory scrutiny.
The Amendment Act is a timely reminder for businesses to ensure their privacy policies are current, their data handling practices are secure, and their internal processes align with regulatory expectations, so as to mitigate legal risk and reputational damage in light of these reforms.
More information on other key changes brought about by the reforms to the Australian Privacy law can be found in an earlier Lavan publication titled New Privacy Tort, Doxxing Offence And More – What To Expect From The Privacy and Other Legislation Amendment Bill 2024.
Background
The Amendment Act follows the Attorney-General’s Privacy Act Review Report of February 2023 (Privacy Report), and the Australian Government’s response to it in September 2023, marking what has been termed ‘the first tranche’ of reforms to Australian privacy laws. A second tranche of reforms is anticipated in late 2025.
The Privacy Report sought to assess and modernise Australia’s privacy laws in response to the evolving digital landscape and increasing privacy risks. The Report made 116 proposals to strengthen the protection of personal information, enhance individuals’ control over their data, and improve transparency and accountability for organisations handling personal information.
The Government ‘agreed’ to 38 of the 116 proposals in the Report, with a further 68 proposals ‘agreed in-principle’ and the remainder ‘noted’.
Of the 38 ‘agreed’ proposals, 25 called for legislative change. The Amendment Act implements 23 of those 25.
Key Changes to Australia’s Privacy Laws
Stronger Data Security Expectations
The Amendment Act introduces more robust requirements for businesses to protect personal information.
APP 11.1 already requires APP entities to take ‘reasonable steps’ to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Amendment Act goes further by inserting APP 11.3, which states explicitly that those ‘reasonable steps’ include technical and organisational measures to ensure the security of personal information.
The explanatory memorandum explained that:
- Technical measures may include encrypting data, using anti-virus software, implementing strong password protocols, and ensuring the physical security of systems.
- Organisational measures involve establishing clear processes, such as providing staff with data protection training and maintaining comprehensive privacy policies to safeguard personal information.
- The ‘technical and organisational measures’ language aligns Australia’s standard with international regimes such as the European General Data Protection Regulation, which uses the same formulation.
Increased Regulatory Powers
The Amendment Act enhances the enforcement powers of the Office of the Australian Information Commissioner (OAIC) by introducing a tiered civil penalty regime. Alongside the existing penalty for serious interferences with privacy, there is now a mid-tier penalty for interferences with privacy that are not serious, and a lower-tier penalty for specified administrative contraventions. The tiers are designed to allow consequences proportionate to the severity of the breach and the level of harm caused.
The OAIC can also issue infringement notices for the lower-tier administrative contraventions, meaning businesses can face penalties for relatively small lapses, such as an outdated or non-compliant privacy policy or a failure to issue required data breach notifications, without the OAIC needing to take court proceedings. These changes give the OAIC more tools to ensure compliance and hold businesses accountable for their privacy obligations.
New Tort for Serious Invasions of Privacy
A significant change introduced by the Amendment Act is the creation of a statutory tort for serious invasions of privacy, which commenced on 10 June 2025. It allows an individual to sue anyone who has invaded their privacy either by intruding upon their seclusion or by misusing information that relates to them. Notably, the tort is available only to individuals—companies cannot sue under it.
While the tort sits within the Privacy Act, it is not limited to APP entities—any individual or organisation, whether or not otherwise bound by the Privacy Act, can be sued. To succeed, a plaintiff must show that they had a reasonable expectation of privacy in the circumstances, that the invasion was intentional or reckless, that it was serious, and that the public interest in their privacy outweighs any countervailing public interest (such as freedom of expression or national security). The Amendment Act lists factors relevant to whether an expectation of privacy was reasonable, including the means used, the purpose of the invasion, the place where it occurred and the nature of the information. Importantly, the tort is actionable without proof of damage.
From a business perspective, the scope of the tort raises some concerns. It is not confined to ‘personal information’ as defined in the Privacy Act but extends to any ‘information that relates to the plaintiff’, which significantly widens the range of information that could ground a claim. ‘Misuse’ of information is also defined broadly to include collecting, using or disclosing it, so a wide range of handling practices could be alleged to constitute an invasion—although the seriousness element means that trivial misuses should not succeed.
This tort becomes especially relevant in the event of a data breach. Businesses must be prepared to respond efficiently to breaches, addressing the situation promptly and directly communicating with affected individuals to reduce the likelihood of consumers pursuing claims under this new tort.
Transparency in Automated Decision-Making
APP entities that use computer programs to make decisions, or to do things substantially and directly related to making decisions, that could reasonably be expected to significantly affect an individual’s rights or interests must disclose this in their privacy policies. The policy must set out the kinds of personal information used by those programs, the kinds of decisions made solely by them, and the kinds of decisions in which they play a substantial and direct role. These transparency requirements commence on 10 December 2026, giving entities a 24-month transition period to map their automated decision-making and update their policies.
Lavan Comment
The Amendment Act is a timely reminder that, in the evolving digital landscape, privacy and data security are a core business risk and responsibility.
With individuals now empowered to take legal action for serious invasions of privacy, and regulators equipped with enhanced enforcement tools, businesses must take a proactive and strategic approach to data protection.
Australian businesses should take the time to ensure their privacy policies are current, data handling practices are secure, and internal processes align with regulatory expectations.
Investing in strong privacy governance is not just about compliance—it is about business resilience in an increasingly data-driven and data-conscious world.
For any advice on the above Amendment Act, Australian privacy law or your privacy policy, please contact Iain Freeman, Partner in Lavan’s Litigation, Dispute and Resolution team.
Disclaimer
The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.