The first tranche of Privacy Act reforms have passed – What to do now

Corporate Advisory and Governance
February 26, 2026


Key takeaway points

  • The first tranche of reforms to the Privacy Act 1988 (Cth) delivered by the Privacy and Other Legislation Amendment Bill 2024 (Cth) has been passed.
  • The reforms commenced the day after receiving Royal Assent (11 December 2024), with the exception of the requirement to update privacy policies with information about automated decision-making and the new statutory tort for serious invasions of privacy.
  • Enforcement powers of the Office of the Information Commissioner (OAIC) have been enhanced, such that the OAIC can issue infringement notices (with civil penalties) for relatively minor infringements of the Privacy Act, including non-compliant privacy policies and data breach notices.
  • APP entities should conduct a ‘gap analysis’ to identify gaps between current privacy practices and requirements at law. In light of the OAIC’s new enforcement powers, steps should be taken to address non-compliance immediately and should not be delayed until the second tranche of reforms.

Overview

The Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) received Royal Assent on 10 December 2024, delivering the first tranche of reforms to the Privacy Act 1988 (Cth). We have previously provided commentary on the Bill in our insight, ‘Privacy Act Reforms Unveiled with Important Omissions’ released on 17 September 2024. The key reforms which have now been passed include:

  1. a requirement for privacy policies to contain information about the use of personal information for automated decision-making;
  2. new OAIC powers to issue infringement notices carrying civil penalties;
  3. clarifying that organisations are required to implement ‘technical and operational measures’ to protect personal information in accordance with Australian Privacy Principle 11 (APP 11); and
  4. a new tort for serious invasions of privacy.

The reforms commenced the day after the Bill received Royal Assent (11 December 2024), except:

  1. the requirement to update privacy policies to reflect automated decision-making, which will commence 24 months after Royal Assent (11 December 2026); and
  2. the new tort for serious invasions of privacy, which will commence on a day yet to be determined, but within six months of Royal Assent.

The Government is currently in consultation regarding a second tranche of reforms expected in 2025.

This insight provides commentary on each of the four reforms identified above, and practical steps APP entities should take to comply. Given the Information Commissioner’s new enforcement powers, APP entities should be taking immediate steps to identify non-compliance with the Privacy Act and should avoid delaying until the second tranche of reforms.

Privacy policies to contain information about automated decision-making

Privacy Policies will be required to include information about the kinds of personal information used in, and types of decisions made by, computer programs that use personal information to make automated decisions that could significantly affect the rights or interests of an individual.

This reform has a grace period of two years from Royal Assent, meaning organisations have until 10 December 2026 to implement the relevant changes to their privacy policies. It is best practice however that organisations take immediate steps to amend their privacy policies to include the required information about automated decision-making.

New civil penalty provisions for relatively minor contraventions of the Privacy Act

Whereas previously the Information Commissioner was only able to seek civil penalties for the most serious or egregious interferences with privacy, the reforms introduce a tiered civil penalty system allowing ‘lower-threshold’ civil penalties to apply commensurate with the seriousness of the interference with privacy. The new tiered penalty system is as follows:

  1. Serious breaches: $50 million or three times the value of any benefit obtained through the contravention;
  2. Non-serious breaches: up to 2000 penalty units (currently $660,000) for individuals and 10,000 penalty units for bodies corporate (currently $3.3 million); and
  3. Administrative breaches: up to 200 penalty units (currently $66,000) and 1,000 penalty units for bodies corporate (currently $330,000).

Importantly, the OAIC now has the ability to directly issue infringement notices for breaches of specific privacy obligations without the need to apply to a Court.

This includes for example (but is not limited to):

  1. failure to have a privacy policy;
  2. having a privacy policy that is non-compliant;
  3. failing to provide a simple means to opt out of direct marketing communications; and
  4. failure to action and appropriately respond to access requests.

Infringement notices may be issued for up to 12 penalty units (currently $3,960) and 60 penalty units for bodies corporate (currently $19,800). Listed corporations can be issued infringement notices of up to 200 penalty units (currently $66,000).

The Information Commissioner is also empowered to issue compliance notices if they ‘reasonably believe’ that an entity has contravened the Privacy Act, requiring the entity to take steps to rectify the contravention within a certain time period.

Organisations to implement technical and operational measures to promote APP 11

APP 11 requires APP entities to take ‘reasonable steps’ to protect the personal information they hold from misuse, interference and loss, as well as from unauthorised access, modification and disclosure. The Bill introduces some clarification around what constitutes ‘reasonable steps’ (previously undefined) to include ‘technical and operational measures’. Technical and operational measures could include, for example, encryption, strong passwords, and other IT and physical security precautions. The Explanatory Memorandum to the Bill suggests that an operational measure could include employee training on data protection. It is anticipated that the OAIC will release further guidance regarding those technical and operational measures.

New tort for serious invasions of privacy

The reforms introduce a new statutory cause of action in tort for serious invasions of privacy. This cause of action will empower an individual to sue another individual or entity for serious invasions of their privacy, either by intrusion into their seclusion or by misuse of information relating to them. The tort only applies where there is a reasonable expectation of privacy and where the invasion was intentional or reckless. No proof of damage is required. Importantly, any individual or entity can be sued under this statutory tort. The defendant does not need to be an APP entity to be liable to this cause of action.

Next steps

APP entities should take the first tranche of Privacy Reforms as an opportunity to audit privacy compliance and maturity. This can be achieved via a ‘gap analysis’, which is the process of identifying all applicable privacy laws and identifying any practices that do not comply with those standards. In light of the Information Commissioner’s new enforcement powers and ability to issue infringement notices, organisations should undertake steps to address non-compliance immediately and should not delay until the introduction of the second tranche of reforms. If you have any questions about the reforms to the Privacy Act or your privacy practices in general, please contact our Corporate Advisory and Governance experts.
