In the six years since the EU’s General Data Protection Regulation (“GDPR”) took effect, governments around the world have updated their data protection laws to reflect the seismic changes in data processing that were created with the introduction of the smartphone. Having been in place for nearly 40 years, Australia’s Privacy Act (1988) has been a notable outlier – but that is now changing, with significant reforms to the country’s data protection regime being introduced in the latter half of 2024.

On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (the “POLA Bill”) was introduced to Parliament, which implements a number of proposed reforms set forth by the Australian Attorney-General in February 2023 following a review of the Privacy Act (1988). The reforms are to be set out in two “tranches,” with the POLA Bill constituting the first tranche. The Bill passed both Houses of Parliament on 29 November 2024. On the same day, the Online Safety Amendment (Social Media Minimum Age) Bill 2024 was also approved, implementing a ban on children under the age of 16 using social media.

Key Reforms

The POLA Bill proposes 23 reforms to Australia’s data protection regime, with some of the most notable being:

  • Automated decision-making. The Bill requires increased transparency in relation to the use of automated decision-making, bringing Australia’s regime closer to the GDPR. Privacy notices will need to set out information about the use of automated decision-making tools where personal data is being used and the tools could be reasonably expected to have a legal or similarly significant effect on the rights of individuals. Importantly, this will cover AI tools that use personal data in this way.
  • Serious invasions of privacy. The Bill introduces a new statutory civil cause of action in tort for “serious invasions of privacy,” which will be actionable without proof of damage. The cause of action applies where the plaintiff would have a reasonable expectation of privacy or the defendant’s conduct was intentional or reckless.
  • Enforcement reforms. The Bill includes additional enhancements to the enforcement powers of the Office of the Australian Information Commissioner (“OAIC”), including by adding a new civil penalty for breaches of the Australian Privacy Principles (e.g. in relation to privacy notices, direct marketing, or failing to promptly notify affected individuals in the event of a data breach). The Bill also enables the OAIC to issue infringement notices with varying set financial penalties for these breaches.
  • International transfers. The Bill introduces a mechanism to designate countries as providing substantially similar levels of protection for personal data in a similar way to the EU’s adequacy regime. This will facilitate easier transfers of personal data to these designated countries. Standard contractual clauses will also be introduced for transferring personal data outside of Australia.
  • Children’s privacy code. The Bill requires the OAIC to implement various codes, starting with a Children’s Online Privacy Code. The Code will have a particular focus on online and digital harms and protecting children’s privacy in online environments.
  • Cybersecurity. The Bill bolsters data breach reporting obligations and also requires businesses to take reasonable steps to protect personal data, including by taking technical and organisational measures. This concept adopts the wording used in the equivalent provision in the GDPR.

The Online Safety Amendment (Social Media Minimum Age) Bill 2024 (the “SMMA Bill”) further demonstrates Australia’s steps towards more stringent privacy and data protection regulation, with a particular focus on protection of children. Indeed, a standalone Children’s Online Privacy Code will be implemented under the POLA Bill. Beginning in late 2025, the SMMA Bill will require social media platforms to implement controls to prevent children who are under 16 from using them – a requirement that has made significant headlines globally in recent weeks. The SMMA Bill proposes fines of up to AUS$ 49.5 million for social media platforms that fail to do so.

Next Steps

Both the POLA Bill and the SMMA Bill have now passed both the Senate Committee and House of Representatives and will take effect following Royal Assent. The obligations in the SMMA Bill are expected to come into force in approximately 12 months’ time after receiving Royal Assent.

Some provisions of the POLA Bill will take effect immediately upon signing, and others are anticipated to take effect between six months (e.g. for the tort of serious invasions of privacy) and two years (e.g. for the provisions on automated decision-making transparency requirements) following this.

The second tranche of reforms to Australia’s data protection regime will now become a priority for the Australian Attorney-General, who indicated that they plan to begin consulting on the issue this month (December 2024). This tranche is expected to include reforms to data retention, direct marketing, impact assessments, and individual rights. The OAIC is also expected to release guidance on the use of AI in relation to data privacy in the coming months.

Taken together, this year’s reforms are designed to align Australia’s regime more closely with the European approach – although it remains to be seen whether they will be sufficient to earn Australia an adequacy decision from the European Commission. In any event, organisations that operate in Australia should be prepared to spend time and attention in 2025 addressing the Bills’ requirements.