
Regulatory Update - Privacy reforms
Privacy Act
On 29 November 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) was passed by the Australian Parliament and received Royal Assent on 10 December 2024. These amendments represent the first phase of long-awaited reforms aimed at modernising Australia’s privacy framework and aligning it more closely with international standards.
Key reforms include:
- New transparency requirements surrounding the use of automated decision-making (ADM) systems
- A new children’s online privacy code, and generally, enhanced code-making powers for the Information Commissioner
- Establishment of a statutory tort for serious invasions of privacy
- Criminalisation of malicious releases of personal data (doxxing), and
- Enhanced investigative and monitoring powers for the Office of the Australian Information Commissioner (OAIC).
Transparency Requirements on the use of ADM Systems
The new transparency obligations will require organisations to disclose when ADM systems use personal information to make decisions that significantly affect individuals’ rights or interests. These obligations apply when:
- a computer program makes decisions or performs tasks directly related to decision-making
- the decision could reasonably be expected to significantly affect an individual’s rights or interests, or
- personal information is used in the operation of the computer program.
This reform takes effect on 11 December 2026, giving organisations a two-year grace period to review ADM systems and update their privacy policies. These updates must include:
- the types of personal information used
- the kinds of decisions made solely by ADM systems, and
- the kinds of decisions where ADM systems play a substantial and direct role.
These reforms are particularly relevant for businesses adopting AI-driven ADM systems, as they aim to improve transparency and accountability.
Statutory tort for serious invasions of privacy
On 10 June 2025, Australia introduced a statutory tort for serious invasions of privacy under Schedule 2 of the Privacy Act. This reform provides individuals with a direct legal pathway to seek redress for significant breaches of their privacy rights.
Elements of a Claim
To establish liability, a claimant must demonstrate:
- an invasion of privacy, either through intrusion upon seclusion or misuse of personal information
- a reasonable expectation of privacy in the circumstances
- that the conduct was intentional or reckless
- that the invasion was serious in nature, and
- that the public interest in protecting the claimant’s privacy outweighs any competing public interest.
Available defences
Defences may apply where:
- the conduct was authorised by law or a court/tribunal order
- the claimant provided express or implied consent
- the defendant reasonably believed the conduct was necessary to prevent a serious threat to life, health or safety, or
- the invasion was incidental to lawful self-defence and proportionate.
Defamation law defences, including absolute privilege, publication of public documents, and fair reporting, may also apply where the invasion involves the publication of information.
Remedies
Courts are empowered to award a range of remedies including:
- injunctions to restrain further invasions of privacy, with consideration given to the public interest in publication
- summary judgment, where the claim lacks reasonable prospect of success
- damages, including compensation for emotional distress and, in exceptional cases, exemplary or punitive damages (subject to a statutory cap aligned with defamation law of $478,550), and
- other remedies, being apologies, correction orders, destruction or return of misused material, and declarations of wrongdoing.
Cyber Security Act
On 25 November 2024, the Federal Parliament enacted the Cyber Security Act, establishing a comprehensive framework to safeguard Australia’s national security and economic interests against the evolving cyber threat landscape.
The Cyber Security Act will introduce the following:
- powers to set minimum security standards for certain smart devices
- mandatory reporting of ransomware and cyber extortion payments within 72 hours to the Department of Home Affairs and the Australian Signals Directorate
- greater protections for entities voluntarily sharing information with the National Cyber Security Coordinator, and
- the establishment of a new Government Cyber Incident Review Board.
The Cyber Security Act introduces a new layer of compliance for Australian businesses, particularly those involved in smart device manufacturing, importing, and sales. These entities must now meet minimum security standards. Larger organisations and operators of critical infrastructure are subject to mandatory ransomware incident reporting. While these obligations require operational adjustments, the Cyber Security Act adopts a collaborative stance, encouraging voluntary information sharing and offering protections to support proactive engagement. This reflects the Government’s broader commitment to strengthening Australia’s cyber resilience.
This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be nor should it be relied upon as legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.