Privacy Law

Overview

Privacy law in Australia is a complex area involving different levels of government and a mix of sources, including legislation, common law and principles-based regulation. Australian Government agencies and most large organisations are subject to a set of national privacy principles (the Australian Privacy Principles), while more specific laws also apply to particular industries or issues, such as healthcare or consumer law. Significant reforms in 2024 aimed to modernise these laws to address contemporary privacy challenges, including in the "digital realm", by introducing new avenues for redress and enhanced regulatory powers.

Background

  • The Privacy Act 1988 (Cth) is the principal Commonwealth legislation regulating the handling of personal information. It applies to Australian Government agencies and private sector organisations with an annual turnover of more than $3 million, as well as some smaller organisations like private health service providers. It establishes the Australian Privacy Principles (APPs) governing the management of personal information.
  • A significant prior reform was the introduction of the Notifiable Data Breaches (NDB) scheme in February 2018, which requires entities covered by the Act to notify individuals and the Office of the Australian Information Commissioner (OAIC) of data breaches likely to result in serious harm.
  • Most States and Territories also have their own privacy or information management legislation applicable to their public sectors (see below).
  • A comprehensive review of the Privacy Act by the Attorney-General's Department culminated in a February 2023 report containing 116 recommendations. In response, the Government 'agreed' to implement an initial 38 proposals.
  • The Privacy and Other Legislation Amendment Act 2024 (Cth) (the "Amendment Act") received Royal Assent on 10 December 2024, implementing the 'Tranche 1' of these reforms.
  • Key changes include a new statutory cause of action for serious invasions of privacy (see Schedule 2 of the Amendment Act, which inserts Schedule 2 into the Privacy Act), new 'doxxing' offences (see Schedule 3 of the Amendment Act, which amends the Criminal Code Act 1995), and significantly enhanced penalties and enforcement powers for the OAIC (see Schedule 1, Parts 8, 9 and 14 of the Amendment Act).
  • Most amendments commenced on 10 or 11 December 2024. The statutory tort for serious invasions of privacy commenced on 10 June 2025, the latest date permitted in the absence of an earlier Proclamation (Amendment Act, s 2(1), table item 8), and the new transparency requirements for automated decision-making will commence on 10 December 2026 (Amendment Act, s 2(1), table item 7).

Privacy Act 1988 (Cth)

The objects of the Privacy Act (s 2A) were updated by the Amendment Act to further "promote the protection of the privacy of individuals" and explicitly "to recognise the public interest in protecting privacy" (s 2A(a) and s 2A(aa) of the Privacy Act as amended by Schedule 1, item 1 of the Amendment Act).

Australian Privacy Principles (APPs)

The Privacy Act applies to Australian Government agencies and to organisations with an annual turnover of more than $3 million, as well as, regardless of turnover, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.

These entities must not breach the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act. The APPs regulate: the collection, use and disclosure of personal information; an entity's governance and accountability; the integrity and correction of personal information; and the rights of individuals to access their personal information.
APP 1 – Open and transparent management of personal information
  • The Amendment Act introduced a requirement (commencing 10 December 2026) for APP entities to include specific information in their privacy policies if they use personal information in "substantially automated decisions" that could "significantly affect" an individual's rights or interests (Privacy Act 1988, Schedule 1, cl 1.7 as inserted by Schedule 1, item 88 of the Amendment Act).
  • The policy must specify the kinds of personal information used and the kinds of decisions made.
  • Failure to comply with privacy policy requirements under APP 1.3 or APP 1.4, including the new automated decision-making transparency rules (once they commence), is a civil penalty provision (Privacy Act 1988, s 13K(1)(b)(i), (ii) and (iia) as inserted by Schedule 1, items 56 and 87 of the Amendment Act).
APP 8 – Cross-border disclosure of personal information
  • The Amendment Act introduced a new exception to APP 8. This allows the disclosure of personal information to an overseas recipient if they are subject to laws or a binding scheme prescribed in regulations ("whitelisted") as providing "substantially similar" privacy protection (Privacy Act 1988, Schedule 1, cl 8.3 as inserted by Schedule 1, item 38 of the Amendment Act).
  • Before making such regulations, the Minister must be satisfied that adequate protections and accessible enforcement mechanisms exist for individuals (Privacy Act 1988, s 100(1A) as inserted by Schedule 1, item 36 of the Amendment Act).
APP 11 – Security of personal information

The Amendment Act clarified that the "reasonable steps" required under APP 11 to protect personal information from misuse, interference, loss, and unauthorised access, explicitly include "technical and organisational measures" (Privacy Act 1988, Schedule 1, cl 11.3 as inserted by Schedule 1, item 34 of the Amendment Act).

Notifiable Data Breaches (NDB) Scheme

  • Under Part IIIC of the Privacy Act 1988, all APP entities (Australian Government agencies, organisations with an annual turnover exceeding $3 million, and, regardless of turnover, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the notifiable data breach scheme. These entities must promptly inform individuals whose personal information has been affected by a data breach that is likely to result in serious harm.
  • An "eligible data breach" occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost in circumstances where unauthorised access or disclosure is likely to occur, and a reasonable person would conclude that this is likely to result in serious harm to any of the individuals to whom the information relates.
  • An entity that suspects an eligible data breach may have occurred must carry out a reasonable and expeditious assessment and take all reasonable steps to complete it within 30 days of becoming aware of the grounds for that suspicion. If the assessment confirms an eligible data breach, the entity must, as soon as practicable, prepare a statement for the Office of the Australian Information Commissioner and notify the individuals at risk of serious harm of its contents.
  • The Amendment Act added a new framework to facilitate information sharing to prevent or reduce harm following an eligible data breach (Division 5 of Part IIIC of the Privacy Act 1988, inserted by Schedule 1, item 43 of the Amendment Act). The Minister may make an "eligible data breach declaration" (s 26X(1)) if satisfied it is necessary to reduce a risk of harm.
  • This declaration authorises specified entities (e.g., financial institutions) to collect, use, or disclose specified personal information for permitted purposes, such as preventing fraud or scam activity (s 26XB(1)).

New and Enhanced Enforcement Regime

The Amendment Act significantly reformed the enforcement landscape for privacy breaches, introducing a tiered penalty structure and expanded powers for the OAIC.
New Civil Penalty Provisions

A tiered penalty regime now exists, creating civil penalty provisions for:
  • Any "interference with the privacy of an individual" (not only those that are "serious" or "repeated") (Privacy Act 1988, s 13H as inserted by Schedule 1, item 56 of the Amendment Act).
  • A "serious" interference with privacy, with the Act providing guidance on factors courts may consider in determining if an interference is "serious" (e.g., sensitivity of the information, consequences for the individual, whether the individual is a child or vulnerable) (Privacy Act 1988, s 13G(1B) as inserted by Schedule 1, item 51 of the Amendment Act).
OAIC's Powers
  • The OAIC can now issue infringement notices for certain lower-level contraventions, bypassing the courts for initial enforcement (Privacy Act 1988, s 80UB as amended by Schedule 1, item 57 of the Amendment Act).
  • The OAIC can issue compliance notices to direct entities to address specific APP breaches. Failure to comply with such a notice is itself a civil penalty provision (Privacy Act 1988, s 80UC as inserted by Schedule 1, item 57A of the Amendment Act).
  • The OAIC can conduct public inquiries into systemic privacy matters upon Ministerial direction, with powers to compel information and witnesses (Privacy Act 1988, s 33E through s 33J as inserted by Schedule 1, item 63 of the Amendment Act).
Federal Court Orders

Courts now have explicit powers to make a wide range of orders following a privacy contravention, including orders for compensation or redress for individuals who have suffered loss or damage (Privacy Act 1988, s 80UA as inserted by Schedule 1, item 59 of the Amendment Act).

APP Codes (including Children's Online Privacy Code)

  • The Amendment Act enhanced the framework for APP codes. The Minister can now direct the Commissioner to develop an APP code, including an urgent "temporary APP code" (Privacy Act 1988, s 26GA, s 26GB as inserted by Schedule 1, item 5 of the Amendment Act).
  • As regards the Children's Online Privacy Code:
    • The Commissioner is mandated to develop and register a Children's Online Privacy Code by 10 December 2026 (Privacy Act 1988, s 26GC as inserted by Schedule 1, item 32 of the Amendment Act).
    • This Code will detail how the APPs apply to the personal information of children (defined as individuals under 18) in the online environment.
    • It will bind online service providers likely to be accessed by children, such as social media services (Privacy Act 1988, s 26GC(5) as inserted by Schedule 1, item 32 of the Amendment Act).

Statutory Tort for Serious Invasions of Privacy

  • The Privacy and Other Legislation Amendment Act 2024 establishes a new statutory cause of action for serious invasions of privacy by inserting a new schedule (Schedule 2) into the Privacy Act 1988. This reform had been long contemplated, following recommendations from the Australian Law Reform Commission (ALRC) in its 2014 report, Serious Invasions of Privacy in the Digital Era.
  • The statutory tort commenced operation on 10 June 2025 (Amendment Act, s 2(1), table item 8).
Cause of Action (Privacy Act 1988, Schedule 2, cl 7)

An individual plaintiff has a cause of action in tort if the following five elements are met:

1. An invasion of privacy: The defendant must have invaded the plaintiff's privacy by either:
(a) Intruding upon the plaintiff's seclusion: This includes physically intruding into a person's private space, or watching, listening to, or recording their private activities or affairs (Schedule 2, cl 6(1), definition of "intruding upon the seclusion"); or
(b) Misusing information that relates to the plaintiff: This includes collecting, using, or disclosing information about the individual. It is immaterial whether the information is true (Schedule 2, cl 6(1), definition of "misusing information"; Schedule 2, cl 7(7)).

2. Reasonable Expectation of Privacy: A person in the plaintiff's position would have had a reasonable expectation of privacy in all the circumstances (Schedule 2, cl 7(1)(b)). The court may consider factors such as the means used, the purpose of the invasion, the plaintiff's attributes (e.g., age, occupation), the plaintiff's conduct (e.g., inviting publicity), the place of intrusion, and the nature of the information (Schedule 2, cl 7(5)).

3. Intentional or Reckless Fault: The invasion must have been intentional or reckless (Schedule 2, cl 7(1)(c)). "Reckless" has the same meaning as in the Criminal Code (Schedule 2, cl 6(1)). This fault element means the tort does not extend to merely negligent conduct.

4. Serious Invasion: The invasion of privacy must be "serious" (Schedule 2, cl 7(1)(d)). The court may consider the degree of offence, distress, or harm to dignity likely to be caused to a person of ordinary sensibilities, and whether the defendant knew or should have known this was likely (Schedule 2, cl 7(6)). The action is available without proof of damage (Schedule 2, cl 7(2)), recognising that the wrong is the invasion itself.

5. Public Interest Balancing Test: The plaintiff must establish that the public interest in their privacy outweighs any countervailing public interest (Schedule 2, cl 7(1)(e)). Countervailing interests can include freedom of expression, freedom of the media, open justice, public health and safety, national security, and the prevention of crime and fraud (Schedule 2, cl 7(3)).
Defences (Privacy Act 1988, Schedule 2, cl 8)

A defendant may rely on several defences, including that the invasion was:
  • Required or authorised by an Australian law or court/tribunal order (cl 8(1)(a)).
  • Consented to (expressly or impliedly) by the plaintiff or a person with lawful authority (cl 8(1)(b)).
  • Reasonably believed to be necessary to prevent or lessen a serious threat to life, health, or safety (cl 8(1)(c)).
  • Incidental to a lawful and proportionate right of defence of persons or property (cl 8(1)(d)).
  • If the invasion involved publication, defences that would ordinarily arise in defamation proceedings (e.g., absolute privilege, fair report of public proceedings) may also apply (cl 8(2)).
Exemptions (Privacy Act 1988, Schedule 2, Part 3)

A significant (and controversial) feature of the tort is its broad exemptions, which depart from the ALRC's original recommendations.
  • Journalists: The tort generally does not apply to an invasion of privacy involving the collection, preparation, or publication of "journalistic material" by a "journalist" (as defined by being subject to professional standards or codes), their employer, or those assisting them. It is immaterial whether the journalist breached their professional standards or code of practice (cl 15(4)).
  • Law Enforcement and Intelligence Agencies: Broad exemptions apply to invasions by specified law enforcement and intelligence agencies, their staff in the performance of their duties, and for information disclosed to or by such agencies (cl 16B, cl 17).
  • Minors: The tort does not apply to an invasion of privacy committed by a person under the age of 18 (cl 18).
Remedies (Privacy Act 1988, Schedule 2, Part 2, Division 3)

Courts may grant a range of remedies, including:
  • Damages (cl 11), including for emotional distress (cl 11(3)). Aggravated damages are not available (cl 11(2)), but exemplary or punitive damages may be awarded in exceptional circumstances (cl 11(4)). Damages for non-economic loss (plus any exemplary damages) are capped at the same level as damages for non-economic loss in defamation law (cl 11(5)).
  • Injunctions (cl 9).
  • Other orders, such as an account of profits, a declaration, a correction order, or an order for an apology (cl 12).
Interaction with Other Laws
  • The new tort is not intended to exclude or limit the concurrent operation of any State or Territory law, whether written or unwritten (Schedule 2, cl 21). This leaves open the potential for parallel development of the common law tort of invasion of privacy recognised in cases such as Waller (A Pseudonym) v Barrett (A Pseudonym) [2024] VCC 962 (28 June 2024).
  • Because Schedule 2 of the Privacy Act is intended to be read separately from the rest of the Act (s 94A(3)), concerns have been raised that exemptions in the main body of the Act (such as the small business and employee records exemptions) may not apply to the statutory tort.

Other Privacy-Related Legislation

  • Criminal Code Act 1995 (Cth) – Doxxing Offences

    • The Privacy and Other Legislation Amendment Act 2024 introduced new 'doxxing' offences into the Criminal Code Act 1995 (Schedule 3 of the Amendment Act). These offences commenced on 11 December 2024 (Amendment Act, s 2(1), table item 9).
    • A new offence makes it illegal to use a carriage service to make available, publish, or otherwise distribute personal data of one or more individuals in a way that reasonable persons would regard as being menacing or harassing. The maximum penalty is 6 years imprisonment (Criminal Code, s 474.17C(1) as inserted by Schedule 3, item 1 of the Amendment Act).
    • For these offences, "personal data" includes information that enables an individual to be identified, contacted, or located, such as their name, photograph, phone number, email, online accounts, or address of their home, work, or place of worship (Criminal Code, s 474.17C(2)).
    • An aggravated offence exists if the doxxing conduct is engaged in because of a belief that the targeted individuals belong to a group distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, or national/ethnic origin. This carries a maximum penalty of 7 years imprisonment (Criminal Code, s 474.17D as inserted by Schedule 3, item 1 of the Amendment Act).
    • The operation of these new doxxing offences must be independently reviewed within 24 months of their commencement (Amendment Act, s 4).
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
  • Data-Matching Program (Assistance and Tax) Act 1990 (Cth).
  • Healthcare Identifiers Act 2010 (Cth).
  • My Health Records Act 2012 (Cth).
  • Personal Property Securities Act 2009 (Cth).
  • Telecommunications Act 1997 (Cth).

Regulatory and Policy Framework

Office of the Australian Information Commissioner (OAIC)

  • The Privacy and Other Legislation Amendment Act 2024 expanded the OAIC's enforcement toolkit to encourage compliance with the Privacy Act 1988. The OAIC's key new and enhanced powers include:
    • Infringement Notices: The OAIC can now issue infringement notices for alleged contraventions of certain civil penalty provisions, such as specific breaches of the APPs (under s 13K) and failure to comply with a compliance notice. This allows the OAIC to take quicker, lower-level enforcement action without going to court (Privacy Act 1988, s 80UB as amended by Schedule 1, item 57 of the Amendment Act).
    • Compliance Notices: The OAIC has a new power to issue a compliance notice to an entity it reasonably believes has contravened certain APP requirements (listed in s 13K). The notice directs the entity to take steps to address the contravention. Failure to comply with the notice is a civil penalty provision (Privacy Act 1988, s 80UC as inserted by Schedule 1, item 57A of the Amendment Act).
    • Public Inquiries: The OAIC can now conduct public inquiries into specified privacy matters upon direction or approval from the Minister. This power is intended to address systemic or industry-wide issues. In conducting these inquiries, the OAIC is not bound by the rules of evidence and can use powers to compel information and witnesses (Privacy Act 1988, s 33E through s 33J as inserted by Schedule 1, item 63 of the Amendment Act).
  • The OAIC's general powers have been bolstered by more broadly applying the framework of the Regulatory Powers (Standard Provisions) Act 2014 (Cth). This enhances its ability to monitor compliance with the Privacy Act and other Acts it has oversight of, and to investigate suspected contraventions (Privacy Act 1988, Part VIB, Divisions 1AB and 1AC, as inserted by Schedule 1, item 85 of the Amendment Act).
  • The OAIC can make an application to the Federal Court or Federal Circuit and Family Court of Australia for orders against an entity that has contravened a civil penalty provision. These orders can include compensation for individuals who have suffered loss or damage as a result of the contravention (Privacy Act 1988, s 80UA as inserted by Schedule 1, item 59 of the Amendment Act).

Other Relevant Organisations

State and Territory Privacy Laws

The Privacy Act does not regulate local, state or territory government agencies, including public hospitals. For privacy legislation regulating States and Territories see 'State and territory privacy legislation', Office of the Australian Information Commissioner (Web Page, 1 July 2024).

Inquiries and Consultations

  • The Privacy Act Review Report, released by the Attorney-General's Department in February 2023, is the primary source document for the current wave of reforms.
  • The Privacy and Other Legislation Amendment Act 2024 (Cth) represents only 'Tranche 1' of the Government's response. Many of the more complex or impactful proposals from the Review Report have been deferred for a potential 'Tranche 2' of legislative reform.
  • Key reforms that were 'agreed in principle' by the Government but deferred to Tranche 2 include:
    • Introducing an overarching requirement that the collection, use, and disclosure of personal information must be "fair and reasonable" in the circumstances.
    • Removing or substantially amending the small business exemption (which currently exempts businesses with an annual turnover of $3 million or less).
    • Amending the employee records exemption (which largely removes personal information in employee records from the Privacy Act's coverage).
    • Introducing a distinction between "controllers" and "processors" of personal information, similar to the GDPR in Europe.
  • Further consultation on these significant Tranche 2 reforms is expected, though the timeline may be influenced by the federal election cycle.
  • The OAIC is also expected to issue new guidance on various aspects of the Tranche 1 reforms, including the treatment of new technologies, what constitutes "reasonable steps" for security, capacity and consent, and the scope of the new automated decision-making notification requirements.