
Tax and Compliance Alert: Privacy and Other Legislation Amendment Bill 2024 passed in both Houses of Parliament


At a glance

  • Privacy Amendment Bill passed in both Houses of Parliament.
  • The changes will take effect on Royal Assent, which we expect will be before Christmas 2024 or in early 2025.
  • Key changes have been made to the Bill since it was introduced.
  • What the changes mean.
  • Actions to consider.
  • How EY can help.

On 29 November 2024, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill) was passed by both Houses of Parliament to introduce a range of measures to protect the privacy of individuals with respect to their personal information.

The passage of the Bill continues a four-year-long process encompassing a review of the Privacy Act 1988 (Cth) (Privacy Act) by the Attorney-General’s Department, stakeholder consultation and the Government's response, all targeted at strengthening and modernising the Privacy Act.

For more information on the Bill’s development, please refer to our September 2024 Tax and Compliance Alert.

The Bill’s acceptance is the next step in bringing the Tranche 1 updates to the Privacy Act into law. These Tranche 1 updates cover:

  • Expanding the Office of the Australian Information Commissioner’s (OAIC) powers regarding enforcement, monitoring, and investigation of non-compliance with the Privacy Act.
  • Strengthening privacy safeguards for children by requiring the development of a Children’s Online Privacy Code (COPC) by the OAIC, capturing both social media platforms and any online services likely to be accessed by children.
  • Providing protections for overseas disclosures of personal information, by requiring the Governor-General to stipulate a list of countries with sufficient privacy protections and enforcement mechanisms to facilitate cross-border data transfers.
  • Facilitating emergency declarations to enhance information sharing in emergency situations or following eligible data breaches.
  • Introducing new tiered civil penalties for entities that seriously interfere with the privacy of an individual, supported by infringement notices, undertakings to comply, and injunctions.
  • Requiring cyber security uplifts by specifying that “reasonable security steps” for the purposes of Australian Privacy Principle (APP) 11 include both technical and organisational measures.
  • Mandating transparency about automated decisions using personal information by requiring privacy policies to contain information about automated decision-making (ADM) systems that significantly affect the rights or interests of individuals.
  • Establishing a right for individuals to sue for serious privacy breaches, including defences, remedies and exceptions to the cause of action.
  • Criminalising the act of doxxing to deter the sharing of personal information online in a menacing or harassing manner.
