
Privacy Reforms 2025 – Are You Ready?


The most significant reforms to Australian privacy law in over a decade passed both Houses of Parliament during the final sittings of the 2024 Parliamentary year.  The bulk of the changes are to be found in amendments to the Privacy Act 1988 (Cth) (Privacy Act). Although not yet gazetted, it is recommended that you ensure that you are compliant and have in place any necessary protections as soon as possible. This is particularly so as the changes broaden the scope for penalties for non-compliance and increase the likelihood and risks of litigation.

 

New Penalties

For the first time there is a tiered approach to penalties: infringement notices at the lower end, and substantial penalties at the top end for serious or repeat offenders who are prosecuted.

In the case of administrative breaches, such as a failure to have a privacy policy, or where the content of the policy is deficient, the Office of the Australian Information Commissioner (OAIC) has been given the power to issue infringement notices. Penalties are set by reference to the current points system found in the Criminal Code Act 1995 (Cth). Currently, a penalty point equates to $330.00 and the maximum the OAIC can impose is 200 penalty points ($66,000.00). The OAIC has the power to issue a compliance notice (with no immediate penalty) before issuing an infringement notice; however, this is discretionary.

For more serious offences, such as “interference with privacy” (see section 13 of the Privacy Act), a range of penalties can now be imposed. This includes penalties of up to $2.5M for individuals and $50M for corporations.

 

Civil Action

There will now also be a new right to sue for certain breaches of privacy. Parliament has created what is termed a “Statutory tort for serious invasions of privacy” which can be actioned. In circumstances where a party had a reasonable expectation of privacy and that was breached, either intentionally or recklessly, and the breach was serious, that party can institute proceedings and seek damages (without proving actual loss).  As a corollary, actions by way of injunctions, declarations, apologies and delivery up of contravening material are also available.

What this means in the case of a large-scale breach is that we will potentially see an increase in class actions and other litigation for other breaches. Before these reforms, the right to sue for privacy breaches was much more limited and difficult. These reforms address that and broaden rights to sue to protect privacy and obtain compensation for breaches of privacy rights. It materially broadens the risk to organisations in managing private information.

There are limited legislated protections/defences, such as in the case of journalistic material, necessity and publications required by law (and law enforcement agencies).

 

Are You Ready?

It would be opportune for those who fall under the umbrella of the Privacy Act (i.e. organisations with a turnover of more than $3M) to:

  • review their privacy policy;
  • audit their risk management processes to ensure that they are adequate and enforced;
  • ensure that any plans for remedial action in the case of a breach are in place so as to minimise any damage; and
  • review their insurance portfolio to ensure that they are fully protected in the case of a breach, not only for the cost of dealing with the breach itself, but also for any consequential financial outcome.

(NOTE: penalties in the case of infringements or fines may not be covered by insurance.)

This Alert is intended as general information only. It does not purport to be comprehensive advice or legal advice. Readers must seek professional advice before acting in relation to these matters.