Privacy Act Tranche 1 Amendments Finally Passed
The long-awaited amendments to the Australian Privacy Act were pushed through on 29 November 2024, the final day of parliamentary sittings for 2024. So, what does that mean for Australian organisations?
Background
In this post, we looked at the then-proposed changes including:
- New statutory tort for serious invasions of privacy;
- Increased OAIC enforcement powers;
- Criminalisation of doxing
Other proposed changes include:
Increased transparency for automated decision-making
Organisations using personal information in automated decision-making systems that significantly affect individual rights must:
- Disclose in privacy policies the types of personal information used in automated decisions
- Explain the kinds of decisions these systems make that could impact individuals’ rights, such as granting or refusing benefits or services.
Children’s Online Privacy Code
The OAIC will develop a Children’s Online Privacy Code within 24 months of the Bill taking effect.
We reviewed the status of the amendment Bill here, which included reference to changes proposed by the Greens which did not get included in the legislation passed. We also covered the 10 recommended changes made by the Senate Legal and Constitutional Affairs Legislation Committee’s Report, which again were not included in the final legislation.
Amendments Introduced
The Bill when passed included the changes as covered in our review of the draft Bill. However, there were some further amendments:
Compliance Notice
A new compliance notice regime is introduced, which allows the OAIC to issue compliance notices before sending an infringement notice. Compliance notices can be issued in regard to certain breaches and will require an entity either to take steps, or to refrain from certain conduct, to address the relevant privacy breach or to ensure the breach is not repeated or continued. Failure to comply can result in a civil penalty of up to AU$330,000 for corporations.
Exemptions and Defences to the Statutory Tort
The proposed statutory tort for breach of privacy was amended by adding new exemptions to liability:
- Journalistic materials prepared for publication by a journalist or editorial content relating to news, current affairs or a documentary
- State and Territory agencies and authorities, where the invasion of privacy is in the performance or exercise of the agency or authority’s function or power.
Other changes include:
- 24 months after the commencement of Schedule 3 (Doxxing offences) the Minister must cause an independent review of these amendments. A report of the review must be provided within 6 months of the commencement of the review
- The consultation period for the Children’s Online Privacy Code will be extended from 30 days to 60 days
When do the changes come into effect?
Most of the provisions of the Bill come into effect immediately after the Bill receives Royal Assent.
However, in some cases there will be a delay.
The amendments to APP1 in relation to automated decisions will only commence 24 months after Royal Assent is given, and Schedule 2, dealing with the statutory tort for serious invasions of privacy, will commence on a date to be fixed by proclamation, but no later than six months after Royal Assent, meaning the statutory tort will be in place by mid-2025 at the latest.
What should you do?
We set out recommendations on some of the things organisations should do to prepare for the proposed amendments here.
These include:
To prepare for the new statutory tort of invasion of privacy
- Review and update internal policies and procedures to ensure they address not only data breaches but also broader privacy concerns, including physical privacy
- Train staff on what constitutes intentional or reckless privacy invasions and ensure they are aware of how to minimise these risks
- Conduct regular privacy impact assessments, particularly when launching new projects or systems involving personal information
To prepare for increased transparency of automated decision-making
- Assess your processing activities to ensure you identify all situations where automated decision-making with a potentially significant impact on individuals occurs
- Disclose in privacy policies the types of personal information used in automated decisions
- Explain the kinds of decisions these systems make that could impact individuals’ rights, such as granting or refusing benefits or services
- Ensure you have guard rails in place to identify new initiatives that might involve automated decision making so that appropriate assessments and updates to your privacy notices can be made.
To prepare for increased OAIC enforcement powers
- Establish a robust privacy program. This should include clear policies, data breach notification procedures, and regular audits to ensure compliance with the APPs
- Ensure your privacy practices are fully documented, and that you are actively monitoring and responding to compliance gaps
- Prioritise data governance. If your organisation hasn’t yet embedded strong data governance and privacy compliance frameworks, now is the time to act. Failure to have effective systems in place may lead to higher penalties.
To prepare for the new Children’s Online Privacy Code, if your organisation handles children’s data (i.e., data of an individual who has not reached 18 years)
- Review your data handling processes
- Assess whether consent mechanisms for children need updating
- Ensure your privacy policies and procedures are ready to adapt to the new Code once it’s published.