Australia Privacy Act Compliance (2024 Amendments)
Overview
Australia's Privacy Act 1988 (Cth) is the primary federal data protection legislation, administered and enforced by the Office of the Australian Information Commissioner (OAIC). The Privacy Act applies to Australian Government agencies, private sector organisations with an annual turnover of more than AUD 3 million, and certain other organisations regardless of turnover (health service providers, organisations trading in personal information, credit reporting bodies).
The Australian Government's 2024 Privacy Act Reform Amendments (building on the Attorney-General's Department Privacy Act Review Report of February 2023) introduced significant reforms including a statutory tort for serious invasions of privacy, enhanced individual rights, automated decision-making transparency obligations, a children's privacy code, and strengthened enforcement powers.
Australian Privacy Principles (APPs)
The 13 APPs
| APP | Subject | Key Requirement |
|---|---|---|
| APP 1 | Open and transparent management | Maintain a clear privacy policy; take reasonable steps to implement practices that ensure compliance |
| APP 2 | Anonymity and pseudonymity | Give individuals the option of dealing anonymously or under a pseudonym where practicable |
| APP 3 | Collection of solicited personal information | Collect only information reasonably necessary for functions/activities; collect sensitive information only with consent |
| APP 4 | Dealing with unsolicited personal information | If unsolicited information could not have been collected under APP 3, destroy or de-identify it |
| APP 5 | Notification of collection | Notify individuals of: identity, purpose, third-party disclosures, overseas disclosures, access/correction rights, complaint mechanism |
| APP 6 | Use or disclosure | Use or disclose only for the purpose of collection or a directly related secondary purpose within reasonable expectations |
| APP 7 | Direct marketing | May use for direct marketing if the individual would reasonably expect it and an opt-out is provided; sensitive information requires consent |
| APP 8 | Cross-border disclosure | Before disclosing overseas, take reasonable steps to ensure the overseas recipient complies with the APPs |
| APP 9 | Adoption, use, or disclosure of government identifiers | Must not adopt a government identifier as own identifier; limited use and disclosure |
| APP 10 | Quality of personal information | Take reasonable steps to ensure information is accurate, up-to-date, complete, and relevant |
| APP 11 | Security of personal information | Take reasonable steps to protect from misuse, interference, loss, and unauthorised access; destroy or de-identify when no longer needed |
| APP 12 | Access to personal information | On request, give individuals access to their personal information |
| APP 13 | Correction of personal information | Take reasonable steps to correct if inaccurate, out-of-date, incomplete, irrelevant, or misleading |
2024 Reform Amendments
Automated Decision-Making Transparency
| Element | Detail |
|---|---|
| Scope | Organisations using personal information in substantially automated decisions that significantly affect individual rights or interests |
| Transparency obligation | Must provide meaningful information about the automated decision-making process, including: the fact that an automated decision has been made, the types of personal information used, and how the decision was reached |
| Right to human review | Individuals may request human review of automated decisions that significantly affect them |
| Impact assessment | Organisations must assess the impact of automated decision-making systems on privacy before deployment |
| Record-keeping | Maintain records of automated decision-making systems, including the logic involved and data inputs |
Children's Privacy Code
| Element | Detail |
|---|---|
| Scope | Social media services, online platforms, and other services likely to be accessed by children |
| Definition of child | Under 18 years (aligned with the definition in the Online Safety Act 2021) |
| Best interests principle | The best interests of the child must be a primary consideration in all actions concerning children's personal information |
| Age assurance | Organisations must implement appropriate age assurance mechanisms |
| Restrictions | Prohibition on using children's personal information for targeted advertising; restrictions on profiling; data minimisation requirements specific to children |
| Code development | OAIC to develop and register the code; industry consultation required |
Enhanced Individual Rights
| Right | 2024 Status | Detail |
|---|---|---|
| Right of access | Enhanced (APP 12) | Clarified scope; reduced grounds for refusal |
| Right to correction | Enhanced (APP 13) | Strengthened obligation to correct upon request |
| Right to erasure | New | Right to request deletion of personal information where it is no longer necessary for the purpose of collection, consent is withdrawn, or the information was unlawfully collected |
| Right to de-identification | New | Alternative to erasure where deletion is impracticable |
| Right to object to direct marketing | Strengthened | Clearer opt-out obligations; unsubscribe must be actioned within 5 business days |
| Right to request explanation | New | Right to request an explanation of how personal information was used in an automated decision |
Statutory Tort for Serious Privacy Invasions
| Element | Detail |
|---|---|
| Cause of action | An individual may bring proceedings for a serious invasion of privacy |
| Threshold | The invasion must be serious; the court considers the nature of the privacy and the means of invasion |
| Remedies | Damages (including for emotional distress), injunctions, account of profits, apology orders |
| Limitation period | 1 year from when the individual became aware (or ought to have become aware) of the invasion |
| Defence | The invasion was in the public interest |
Strengthened Enforcement
| Enhancement | Detail |
|---|---|
| Civil penalty increase | Maximum civil penalty increased to the greater of: AUD 50 million, three times the value of the benefit obtained, or 30% of adjusted turnover in the relevant period |
| Infringement notices | OAIC may issue infringement notices for specified contraventions |
| Enforceable undertakings | Strengthened regime for enforceable undertakings |
| Public interest determinations | Enhanced OAIC power to make public interest determinations |
Cross-Border Disclosure (APP 8)
Requirements
Before disclosing personal information to an overseas recipient, the organisation must:
- Take reasonable steps to ensure the overseas recipient does not breach the APPs (APP 8.1)
- Remain accountable for the overseas recipient's handling of the information
- Rely on an exception only where one applies: individual consent after being informed the APPs may not apply; disclosure required by Australian law; enforcement of criminal law; disclosure necessary to lessen a serious threat
2024 Enhancement
The reforms strengthen APP 8 by:
- Requiring organisations to maintain records of overseas disclosures
- Introducing a prescribed list of countries with substantially similar privacy protections (to be developed by the Attorney-General)
- Allowing transfer to prescribed countries without the APP 8.1 reasonable steps requirement
Zenith Global Enterprises Cross-Border Register
| Transfer Flow | Destination | APP 8 Compliance | Mechanism |
|---|---|---|---|
| Customer data → EU HQ | Germany | Reasonable steps (contractual safeguards) | Data processing agreement with APP-equivalent obligations |
| Employee data → Regional HR | Singapore | Reasonable steps (contractual safeguards) | Intra-group data sharing agreement |
| Logistics data → APAC | Japan | Reasonable steps (contractual safeguards) | Service agreement with privacy schedule |
Notifiable Data Breaches (Part IIIC)
Eligible Data Breach Criteria
A breach is eligible (notifiable) if both of the following are satisfied:
- There has been unauthorised access to, disclosure of, or loss of personal information
- A reasonable person would conclude the breach is likely to result in serious harm to any individual
Notification Requirements
| Element | Requirement |
|---|---|
| OAIC notification | As soon as practicable (not later than 30 days after the entity becomes aware) |
| Individual notification | As soon as practicable after preparing the statement |
| Statement content | Description of the breach, information involved, recommended steps for individuals |
| Assessment period | 30 days from reasonable grounds to suspect a breach |
Enforcement Actions
Australian Information Commissioner v. Clearview AI (2021)
- Determined that Clearview AI breached APPs 2, 3, 5, and 10 by scraping Australians' biometric data from the internet
- Ordered to cease collection and destroy existing data
- Significance: Established OAIC jurisdiction over overseas entities processing Australian personal information
Australian Information Commissioner v. Facebook (Meta) (2022-ongoing)
- Civil penalty proceeding regarding Cambridge Analytica data sharing affecting Australian users
- Federal Court proceedings for breaches of APP 6 and APP 11
- Significance: Testing the enhanced civil penalty regime
Compliance Programme
| Component | Detail |
|---|---|
| Privacy Officer (Australia) | Sarah Mitchell, Privacy and Compliance Lead — Sydney office |
| APP 1 privacy policy | Published at zenithglobal.com.au/privacy |
| APP 3 collection | Minimal collection; consent for sensitive information |
| APP 7 direct marketing | Opt-out mechanism; 5 business day unsubscribe processing |
| APP 8 cross-border | Contractual safeguards with all overseas recipients |
| APP 11 security | ISO 27001 certification; annual penetration testing |
| APP 12-13 access/correction | Privacy portal with 30-day response target |
| Part IIIC breach notification | 30-day assessment + notification workflow |
| Automated decision-making | Impact assessment conducted for credit scoring; human review available |
| Children's code readiness | Monitoring OAIC code development; no direct child services |