On November 29, 2024, the Privacy and Other Legislation Amendment Bill 2024 passed both Houses of Parliament after the House of Representatives agreed to the Senate's amendments to the bill. The bill passed its third reading in the Senate on November 28, 2024.

The bill amends the Privacy Act 1988 (No. 119, 1988) (as amended) (the Privacy Act) to strengthen the enforcement powers of the Office of the Australian Information Commissioner (OAIC) and introduce provisions related to children's online privacy, automated decision-making, and data breaches. The bill also establishes a statutory tort for serious invasions of privacy and amends the Criminal Code Act 1995 to create new privacy-related criminal offenses.

What are the main provisions of the bill?

Among other things, the bill:

• requires the OAIC to develop a Children's Online Privacy Code which will apply to social media and other internet services that are likely to be accessed by children;
• introduces provisions allowing organizations to share personal information during emergencies or following data breaches to prevent harm;
• grants the OAIC enhanced powers to investigate potential privacy breaches, including search and seizure powers under warrant;
• empowers courts to order compensation to individuals for loss or damage suffered due to privacy breaches;
• introduces a mechanism to allow the transfer of personal information across borders to countries with substantially similar privacy protections to Australia; and
• requires organizations using automated decision-making systems that significantly affect individuals to disclose in their privacy policies how personal data is used in these decisions.

Privacy offenses

Notably, the bill introduces a statutory tort for serious invasions of privacy, such as unauthorized surveillance, physical intrusion, or the misuse of personal information. However, the bill provides specific exemptions from liability under the tort, including for journalism, enforcement bodies, and intelligence agencies. The bill also makes it a criminal offense to publish personal data in a manner intended to harass or menace a practice defined as 'doxxing.' For doxxing, the bill imposes a penalty of up to six years imprisonment, or up to seven years if the doxxing targets individuals based on attributes such as race, religion, or sexual orientation.

Next steps

The bill will become law after receiving Royal Assent, except for the provisions creating statutory tort which will come into effect on a date fixed by proclamation, or if no such date is fixed, six months after the bill receives Royal Assent.

You can read the bill here and track its progress here.