Privacy Act Update 2025

Business Law: 13 January 2025

Author: Rod Lindquist

Key Reforms: The key reforms of the Bill are set out below.

Tort for Serious Invasion of Privacy

An individual can sue another person where that person has invaded the individual’s privacy by intruding on their seclusion or misusing information relating to them. The individual has to prove the following:

  • An invasion of privacy by intrusion upon their seclusion (physical intrusion on their private space) or the misuse of information;
  • The person has a reasonable expectation of privacy in all circumstances;
  • There is an element of fault. The invasion must be intentional or reckless, rather than merely negligent;
  • The invasion of privacy was serious; and
  • The public interest in the person’s privacy outweighs any countervailing public interest (freedom of expression or freedom of the media).

The person does not have to prove they have suffered damage.

Only a natural person can sue under this tort, and the defendant need not be an APP entity (that is, an entity subject to the Australian Privacy Principles).

Remedies include injunctions, declarations, ordered apologies and compensation.

Defences include that the invasion was authorised by law, that it was necessary to prevent or lessen a serious threat to the life, health or safety of a person, or that the invasion was impliedly or expressly consented to. There are also defences similar to those applied in defamation law, and journalists and publishers are exempt in the course of preparing or publishing journalistic material.

Exemptions apply to law enforcement bodies, intelligence agencies, persons under the age of 18 and Commonwealth and State and Territory agencies in good faith performance of duties.

The provisions relating to the Tort of Serious Invasions of Privacy will take effect on a day to be fixed, but within 6 months of Royal Assent.

Doxxing a Criminal Offence

Doxxing is the use of a carriage service to make available, publish or distribute personal data in a manner that reasonable persons would regard as menacing or harassing. In simpler terms, it is the intentional exposure of a person’s personal information or data online. Once the amendments are enacted, doxxing will be a criminal offence.

There is also a separate doxxing offence where one or more members of a group is targeted due to a belief that the group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

APP 11 Security of Personal Information

APP 11 has been expanded so that the reasonable steps to protect personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure, include ‘technical and organisational measures’, wording that mirrors the European General Data Protection Regulation.

Overseas Data Flows

A Ministerial “white list” will be introduced to prescribe countries with substantially similar privacy laws, to assist entities in assessing whether to disclose personal information to an overseas recipient.

Automated Decision-Making

Privacy policies will need to be updated to include additional information where personal information will be used by a computer program to make a decision that could reasonably be expected to significantly affect the rights or interests of an individual.

If a decision is substantially made or influenced by AI or another automated decision-making system, this will need to be disclosed in the entity’s Privacy Policy.

This will take effect 24 months after the Bill receives Royal Assent.

Civil Penalties and Enforcement Powers

New civil penalties commensurate with the seriousness of the interference with privacy will apply. Seriousness will be determined by factors such as sensitivity of the personal information and the consequences of the interference to the privacy of the individual.

The Office of the Australian Information Commissioner (OAIC) is given enhanced enforcement mechanisms to issue infringement notices for minor contraventions and has the power to issue compliance notices.

Accordingly, we can expect the OAIC to put greater focus on enforcement.

These new powers will take effect the day the Bill receives Royal Assent.

Additional Powers for the OAIC and the Information Commissioner

The Bill empowers the OAIC to use investigation and monitoring powers of entry and inspection without consent, subject to judicial authorisation.

The Information Commissioner can hold Public Inquiries with the direction or approval of the Minister. Rules of Evidence will not apply, and the Information Commissioner will have power to require the production of documents and information as well as the power to examine witnesses.

The Information Commissioner will have enhanced powers to create codes, on application, governing compliance with the APPs by the entities to which they apply.

Children’s Online Privacy Code (COP Code)

The Information Commissioner must develop the COP Code within 2 years of Royal Assent of the Bill.

The COP Code will set out how to comply with the APPs in relation to the online privacy of children.

Emergencies

Previously, broad sharing of personal information was allowed in a declared emergency or disaster.

Emergency declarations are now required to set out:

  • The kinds of personal information that may be handled;
  • The entities that may handle the information; and
  • The permitted purposes of the collection, use or disclosure.

Takeaway

All organisations subject to the Privacy Act should review their Privacy and Data Protection arrangements.
