Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Australia: Privacy and Other Legislation Amendment Bill 2024 passes both Houses of Parliament

On November 29, 2024, the Privacy and Other Legislation Amendment Bill 2024 passed both Houses of Parliament after the House of Representatives agreed to the Senate's amendments to the bill. The bill passed its third reading in the Senate on November 28, 2024.

The bill amends the Privacy Act 1988 (No. 119, 1988) (as amended) (the Privacy Act) to strengthen the enforcement powers of the Office of the Australian Information Commissioner (OAIC) and introduce provisions related to children's online privacy, automated decision-making, and data breaches. The bill also establishes a statutory tort for serious invasions of privacy and amends the Criminal Code Act 1995 to create new privacy-related criminal offenses.

What are the main provisions of the bill?

Among other things, the bill:

  • requires the OAIC to develop a Children's Online Privacy Code which will apply to social media and other internet services that are likely to be accessed by children;
  • introduces provisions allowing organizations to share personal information during emergencies or following data breaches to prevent harm;
  • grants the OAIC enhanced powers to investigate potential privacy breaches, including search and seizure powers under warrant;
  • empowers courts to order compensation to individuals for loss or damage suffered due to privacy breaches;
  • introduces a mechanism to allow the transfer of personal information across borders to countries with substantially similar privacy protections to Australia; and
  • requires organizations using automated decision-making systems that significantly affect individuals to disclose in their privacy policies how personal data is used in these decisions.

Privacy offenses

Notably, the bill introduces a statutory tort for serious invasions of privacy, such as unauthorized surveillance, physical intrusion, or the misuse of personal information. However, the bill provides specific exemptions from liability under the tort, including for journalism, enforcement bodies, and intelligence agencies. The bill also makes it a criminal offense to publish personal data in a manner intended to harass or menace a practice defined as 'doxxing.' For doxxing, the bill imposes a penalty of up to six years imprisonment, or up to seven years if the doxxing targets individuals based on attributes such as race, religion, or sexual orientation.

Next steps

The bill will become law after receiving Royal Assent, except for the provisions creating statutory tort which will come into effect on a date fixed by proclamation, or if no such date is fixed, six months after the bill receives Royal Assent.

You can read the bill as introduced here and track its progress here.