On the final Parliamentary sitting day of 2024, the long-awaited first tranche of privacy reforms was finally passed by the Parliament in the Privacy and Other Legislation Amendment Act 2024 (Cth). This first tranche of reforms implements 23 of the 25 proposals the Government agreed to in its September 2023 Response to the Privacy Act Review. However, the Privacy Act Review Report 2022 made 116 recommendations for reform, including 89 legislative change proposals. A further tranche of reforms is anticipated in 2025.
In summary, the reforms concern information security, automated decisions, overseas disclosure of personal information, children’s privacy, civil penalties, and enforcement powers. They also include a new statutory tort for serious invasions of privacy and targeted criminal offences to respond to doxxing.
The amendments to the Privacy Act 1988 (Cth) introduce a series of measures to increase transparency and certainty regarding the handling of personal information for individuals and entities by:
- clarifying that reasonable steps to protect information in APP 11 include technical and organisational measures,
- introducing a mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs, to assist entities in assessing whether to disclose personal information to an overseas recipient, and
- requiring entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.
The Office of the Australian Information Commissioner (OAIC) now has access to a broader range of enforcement options, as well as new functions and capabilities. Importantly, these include two new provisions to ensure civil penalties can be tailored appropriately to the level of seriousness of the privacy breach. Additionally, the Information Commissioner has enhanced code-making powers. To strengthen and protect the privacy of children online, the Information Commissioner is required to develop and register a Children’s Online Privacy Code (COP Code) within two years of the commencement of the relevant provisions.
Access the Privacy and Other Legislation Amendment Act 2024 (Cth) here and access the latest version of the Privacy Act 1988 (Cth) here.