Understanding the Australia Privacy Act 1988 and the 2024 Amendments: What Businesses Need to Know

  • TBIS
  • Jul 30, 2025
  • 5 min read

Updated: Aug 3, 2025

Disclaimer: This article is intended for general informational purposes only and does not constitute legal advice. The content provided should be used as a guide to understanding recent changes in privacy legislation, but it may not address the specific circumstances of your business. I strongly recommend seeking professional legal advice to ensure your organisation is fully compliant with applicable laws. TBIS is available to support businesses in reviewing and updating their privacy policies, as well as implementing robust information security procedures to safeguard personal data.


The Privacy Act 1988 (Cth) is Australia’s principal legislation governing the handling of personal information by government agencies and private sector organisations. It sets out how personal data must be collected, stored, used, and disclosed, and is built around the 13 Australian Privacy Principles (APPs). These principles cover transparency, consent, data security, access rights, and more.


In 2024, the Australian Government passed the Privacy and Other Legislation Amendment Act 2024 (Cth), introducing sweeping reforms to modernise the Privacy Act. These changes aim to align Australia’s privacy framework with international standards such as the EU’s GDPR, and to address emerging risks in the digital economy.


Below is a breakdown of the key amendments, grouped by their applicability.


Changes Applicable to All Businesses


Regardless of size or sector, any organisation that collects or handles personal information must comply with the following reforms:


1. Right to Erasure (Right to Be Forgotten)


Individuals now have the right to request deletion of their personal data when it is no longer necessary, consent has been withdrawn, or the data was unlawfully collected. Businesses must implement procedures to assess and respond to such requests promptly.


2. Stricter Consent Requirements


Consent must be:


  • Freely given

  • Specific and informed

  • Unambiguous


Pre-ticked boxes, vague language, or bundled consent are no longer acceptable. Organisations must review all consent mechanisms, especially those related to marketing, third-party data sharing, and sensitive data collection.


3. Mandatory Breach Notification


Under the Notifiable Data Breaches (NDB) scheme, businesses must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable following a data breach involving personal information. Timely reporting is essential to avoid enforcement action and reputational damage.


4. Transparency in Automated Decision-Making


Organisations must disclose when decisions are made using automated processes. This requirement will come into effect on 10 December 2026 and aims to ensure individuals understand how their data is being used in algorithmic decision-making.


5. Doxxing Offence


Sharing someone’s personal information with the intent to harm is now a criminal offence, punishable by up to seven years’ imprisonment. This measure addresses growing concerns around online harassment and privacy violations.


6. Children’s Online Privacy Code


The OAIC is mandated to develop a code addressing online privacy for children. This code must be developed and registered by 10 December 2026, and will impose specific obligations on organisations that target or interact with children online.


7. Clarification on ‘Reasonable Steps’


The Act now explicitly requires organisations to take ‘reasonable steps’ to protect personal information, including implementing technical and organisational measures such as encryption, access controls, and breach response protocols.


8. Overseas Dataflows and Whitelist Powers


Ministerial powers have been introduced to whitelist countries with comparable privacy protections, facilitating compliant cross-border data transfers. This change supports international business operations while maintaining privacy standards.


Changes Applicable to Businesses with Turnover Over $3 Million


These amendments apply specifically to entities classified as APP entities, which generally include organisations with annual turnover exceeding $3 million.


1. Increased Penalties for Serious Breaches


The OAIC can now impose penalties of up to $50 million or 30% of the business’s turnover during the relevant period, whichever is greater. This significant increase in financial penalties is intended to deter non-compliance and encourage investment in data protection.


2. Expanded Enforcement Powers for OAIC


The OAIC has been granted new powers to issue infringement notices and compliance notices, conduct public inquiries, and make determinations following investigations. These powers enhance the regulator’s ability to enforce compliance and respond to breaches effectively.


3. Direct Right of Action for Individuals


Individuals now have a statutory cause of action for serious invasions of privacy. This includes intrusions into personal seclusion or misuse of personal information. The provision is expected to commence by 10 June 2025 and allows individuals to seek compensation through the courts.


4. Data Portability and Access Rights


Consumers can now request access to their data, ask for corrections, and transfer their data to another provider. These rights support consumer autonomy and competition in digital markets.


5. Obligations for Third-Party Data Handling


Businesses remain responsible for how customer data is handled by third-party providers, including overseas software vendors. Contracts must reflect these responsibilities, and organisations must ensure third-party compliance with the Privacy Act.


Obligations and Exemptions for Small Businesses


Small businesses, defined as those with annual turnover of $3 million or less, are generally exempt from the Privacy Act. However, there are important exceptions and obligations that may still apply.


Exemptions


Most small businesses are not covered by the Privacy Act unless they fall into one of the following categories:


  • Health service providers

  • Businesses trading in personal information

  • Contractors providing services under a Commonwealth contract

  • Operators of residential tenancy databases

  • Credit reporting bodies

  • Reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006

  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009

  • Businesses conducting protected action ballots

  • Businesses accredited under the Consumer Data Right system

  • Businesses prescribed by the Privacy Regulation 2013

  • Businesses that have opted in to be covered by the Privacy Act


Obligations if Covered


If a small business is covered by the Privacy Act, it must comply with the Australian Privacy Principles (APPs). This includes:


  • Ensuring transparency in data collection and usage

  • Providing access and correction rights to individuals

  • Implementing reasonable security measures

  • Notifying the OAIC and affected individuals in the event of a data breach


Additional obligations may apply under:


  • Part IIIA of the Privacy Act (consumer credit information)

  • The Privacy (Tax File Number) Rule 2015 (handling of tax file number information)


Enforcement and Complaints


If a small business covered by the Privacy Act breaches its obligations, individuals may lodge complaints with the OAIC. The OAIC can investigate, conciliate, and make determinations. It may also initiate investigations independently.


The 2024 amendments to the Privacy Act 1988 represent a significant shift in Australia’s privacy landscape. All businesses must now take privacy compliance seriously, with new rights for individuals and stronger enforcement powers for regulators. While small businesses may be exempt in many cases, those that fall within specific categories must ensure they meet their obligations under the Act.


Whether you’re a startup, a mid-sized enterprise, or a large corporation, now is the time to review your privacy policies, update internal procedures, and ensure your team is trained to handle personal data responsibly. Privacy is no longer just a legal issue; it is a core component of business trust and resilience.