Data Privacy: Australia Privacy Act Reform passes Houses of Parliament

After nearly five years of consultation with both industry and the public, Australia's first set of reforms to the Privacy Act 1988 passed both Houses of Parliament on 29th November 2024. This is a first step towards broader reform, and draft legislation for Tranche 2 is expected over the next few months. Here's a brief summary of the key points of Australia's Privacy and Other Legislation Amendment Bill 2024.

The Office of the Australian Information Commissioner (OAIC) has been granted new investigative and enforcement powers, including:
o  new mid-tier and low-level civil penalties for privacy breaches, below the existing penalty for serious interferences with privacy
o  power to issue compliance notices requiring entities to remedy privacy breaches, giving the OAIC a step short of court enforcement action.

The OAIC is tasked with developing a new Children's Online Privacy Code to protect children's privacy online, especially on social media and other digital platforms likely to be accessed by children. The OAIC has three years to complete the code, backed by AU$3 million of funding.

The Act includes reforms to simplify Cross-Border Data Transfers for business by introducing a mechanism for the Governor-General to prescribe, by regulation, a 'white list' of countries and binding schemes with privacy protections substantially similar to Australia's.

It requires transparency in Automated Decision-Making. There are new requirements for disclosing how personal information is used in automated decisions that significantly affect individuals. Organisations will need to update their privacy policies accordingly, for example to state the kinds of personal information used, the kinds of decisions made and, similar to the GDPR, to give an indication of how the relevant process works. In addition, a privacy impact assessment (the Australian equivalent of a DPIA) will be required where a processing activity carries a high privacy risk.

Security - not dissimilar to GDPR, the "reasonable steps" an entity must take to protect personal information now expressly include "technical and organisational measures".

Statutory Tort for Privacy Invasions - individuals can seek redress for serious invasions of privacy (intrusion upon seclusion or misuse of personal information) that are intentional or reckless. The Reform also includes new criminal offences for doxing: publishing personal information about an individual, normally on the internet, without consent and with malicious intent, whether the information is obtained through criminal or fraudulent means or aggregated from public databases and social media websites. The term is believed to derive from "dropping documents (dox)".

Timetable - the bill has now passed both Houses. Once formally signed into law by Royal Assent, the reforms will generally come into effect immediately, with the exception of the statutory tort (likely 6 months after Royal Assent) and the automated decision-making provisions (2 years after Royal Assent).

Any questions, or if you need more detail - please contact us dc@datacompliant.co.uk

Victoria Tuffill – 13th September 2024
