Statutory cause of action for serious invasion of privacy to take effect on 10 June 2025, a little over 2 months away. Other amendments will come into effect later. Amendments which give the Privacy Commissioner greater powers came into effect on 10 December 2024.
April 3, 2025 |
As I have posted previously on 10 December 2024 the Privacy and Other Legislation Amendment Bill 2024 (Cth), received Royal Assent. Under the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), it introduces several significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), many of which came into effect immediately upon assent. Others come into effect later.
The changes:
- Statutory Cause of Action for Serious Invasions of Privacy: Comes into effect on a 10 June 2025.
Under the tort Individuals can take legal action against organisations or individuals for serious invasions of privacy. The two bases are intrusions into personal seclusion or misuse of personal information. It is quite a complex tort. The limitations period is 1 year from date the intrusion occurred or was discovered.
- Automated Decision-Making: Comes into effect on 10 December 2026
New transparency obligations require organisations to update their privacy policies to disclose when decisions are made using automated processes.
- Doxxing Offence: Came into effect on 11 December 2024.
It is illegal to share someone’s personal information with the intent to harm. This offence is punishable by up to 7 years’ imprisonment.
- Children’s Online Privacy Code: Code to be developed and registered by 10 December 2026
The Office of the Australian Information Commissioner (OAIC) is required to develop a code addressing online privacy for children. There will be a consultation period of 60 days.
- Overseas Dataflows, Whitelist Powers: Came into effect on 11 December 2024.
The Minister has powers to ‘whitelist’ countries that provide substantially similar privacy protections, to assist entities disclosing personal information overseas.
- Civil Penalty and Powers to Issue Infringement and Compliance Notices: Came into effect on 11 December 2024.
The Privacy Commissioner now has the powers to issue infringement notices and compliance notices for breaches of specific Australian Privacy Priniciples. A failure to comply with a compliance notice can give rise to civil penalties. This is a much more time effective way of dealing with breaches. Previously the Commissioner would have to undertake own motion investigations or civil penalty proceedings. Both of which are long and involved.
- Clarification on Required Steps to Protect Personal Information: Came into effect on 11 December 2024.
This amendment to the Privacy Act requires that ‘reasonable steps’ must be taken to protect the security of personal information. This now includes implementing ‘technical and organisational measures’.