Glenn Ferguson • Jan 6, 2025
The Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) on 28 November 2024.
The Bill is currently awaiting Royal Assent. Once that occurs, it will be an Act of Parliament, with the majority of the provisions commencing the day after the Royal Assent.
The requirement to update privacy policies to include automated decision making will commence 24 months after the Royal Assent, and the provisions relating to the new tort of serious invasions of privacy will commence within 6 months after the Royal Assent on a date to be advised.
What does this mean for Australian Businesses?
These reforms are significant and build on the change to Australian Privacy Law following the 2014 reforms when the Australian Privacy Principles (APP) were introduced.
These changes give greater enforcement and investigative powers, and new penalty provisions, to the Office of the Australian Information Commissioner (OAIC), allowing it to investigate and penalise companies that mismanage personal information.
This will apply to all private sector businesses and organisations with an annual turnover of $3 million or more.
However, regardless of turnover, the following will have to comply with the requirements:
- a health service provider
- a business trading in personal information
- a contractor that provides services under a Commonwealth contract
- an operator of a residential tenancy database
- a credit reporting body
- a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- a business that conducts protected action ballots
- a business accredited under the Consumer Data Right system
- a business related to a business the Privacy Act covers
- a business prescribed by the Privacy Regulation 2013
- a business that has opted in to be covered by the Privacy Act
What is new with the privacy laws?
The key reforms being introduced are:
- Privacy policies must include information about any automated decision-making processes
- Technical and organisational measures must be implemented to show that reasonable steps have been taken to protect the security of personal information
- A new tort of ‘serious invasions of privacy’
- A new criminal offence of ‘doxxing’, which is the releasing of personal data using a carriage service in a manner that would reasonably be regarded as menacing or harassing
- New civil penalty provisions for interfering with the privacy of individuals
- The power for the OAIC to issue infringement notices and compliance notices
- The OAIC must develop a Children’s Online Privacy Code
- New Ministerial powers to ‘whitelist’ countries that provide substantially similar privacy protections, in order to assist entities disclosing personal information overseas.
The Federal Court of Australia and Family Court of Australia will have the power to issue any order they see fit, including orders directing:
- any reasonable act to be performed to redress the loss or damage suffered
- damages to be paid by way of compensation
- a statement regarding the contravention to be published or communicated.
The penalties are significant and range from $660,000 for individuals to $3.3 million for bodies corporate, depending on the severity and nature of the breach.
How can FC Lawyers help?
Our team can assist with ensuring your business is ready for the changes and that your policies and procedures comply with them.
If you would like to discuss any of your privacy issues or concerns, contact our team of business and commercial lawyers today.