Updates to the Privacy Act and Australian Privacy Principles

15 April 2025

On 10 December 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) received Royal Assent, introducing significant amendments to the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).

The four major amendments that may affect your business include:

  • updating the requirements for overseas entities holding or using personal information;
  • considering organisational and technical measures for protection against personal information misuse, interference, loss, unauthorised access, modification or disclosure;
  • development of a Children’s Online Privacy Code; and
  • introduction of privacy principles and disclosure related to the use of AI.

The amendment act also introduces new crimes for doxxing and a tort for the serious invasion of privacy.

The APPs generally apply to businesses with an annual turnover of more than AU$3 million, requiring them to take steps to protect any personal information they collect from clients and other users of the business's services or goods. The APPs also apply to certain other businesses. These steps are focused on protecting personal information from misuse, interference or loss, and on preventing and preparing for data breaches.

Personal information is defined in the Privacy Act as any information or opinion about an individual who is either identified or reasonably able to be identified. It does not matter whether the information or opinion is true or not, or the format in which the information is recorded (such as words, audio, video, images, or physical items such as DNA).

Some personal information is categorised as sensitive personal information and includes information about a person’s health, race, political opinion, ethnicity, religious beliefs, sexual orientation or criminal record. Sensitive personal information has stricter requirements as to care and use.

Updating the requirements for overseas holding or use of personal information

APP 8 requires that businesses consider whether the information they collect will be held or used by an overseas recipient. The use or holding of personal information overseas is given a broad meaning, including:

  • any third-party providers;
  • IT services; or
  • where the server holding your information is located outside of Australia.

If the personal information collected is held by an overseas recipient, reasonable steps must be taken to ensure the overseas recipient will comply with and not breach the APPs. Depending on the type of relationship maintained with the overseas recipient, it can be difficult to measure or enforce their compliance with the APPs.

The addition of APP 8.3 means that businesses are no longer required to ensure the compliance of the overseas recipient if the recipient is bound by the laws of another country, or is a participant in a binding scheme, that is listed in the Privacy Regulations (Regulations).

If one of the categories applies, the recognised laws or binding schemes are considered to offer equal or greater protection than the APPs.

It is the responsibility of the business to check if overseas recipients fall into any of the categories in the Regulations and determine whether further steps need to be taken to ensure compliance with the APPs.

Organisational and technical measures to protect personal information

APP 11.1 requires an entity that holds personal information to take reasonable steps to protect that information from misuse, interference, loss, unauthorised access, modification or disclosure.

APP 11.2 explains how an entity must destroy or de-identify personal information it collects and no longer needs unless the information is contained in a Commonwealth record or is required to be held by law.

The inclusion of APP 11.3 has strengthened the compliance requirements of APP 11.1 and 11.2 by requiring that the reasonable steps taken to secure personal information under those principles include organisational and technical measures. Organisational and technical measures are not defined by the APPs. However, the Office of the Australian Information Commissioner (OAIC) Guidelines briefly describe these measures as including an entity’s structure, technology, resources and security systems for protecting and destroying information.

Businesses should review their organisational and technical measures to ensure they are compliant with the strengthened APPs in this field.

Developing a Children’s Online Privacy Code

The inclusion of section 26GC of the amended Privacy Act requires the OAIC to develop a Children’s Online Privacy Code (Children’s Code) outlining the standards and application of the APPs for the privacy of children.

Entities who will be bound by the Children’s Code include:

  • APP entities (unless they are excluded in the Children’s Code);
  • social media services, relevant electronic services or designated internet services within the meaning of the Online Safety Act 2021;
  • services likely to be accessed by children;
  • entities not providing health services; or
  • an entity otherwise specified in the Children’s Code.

The OAIC is currently undertaking consultation as part of phase 1 of developing the Children’s Code, consulting children, parents and relevant organisations focused on children’s welfare. The Children’s Code will be enforceable by the OAIC from 10 December 2026.

Businesses that deal with information about children and fall outside the limits of the APPs should stay alert for the implementation of the Children’s Code to ensure their privacy policy and procedures are compliant with this code.

Privacy principles and disclosure of the use of AI

From 10 December 2026, changes to APP 1 will include disclosure requirements for the use of AI.

The inclusion of APP 1.7 will require entities to disclose their use of AI in their privacy policy if:

  • they use AI to make, or do a thing that is substantially and directly related to making a decision;
  • the decision could reasonably be expected to significantly affect the rights or interests of an individual; and
  • personal information about the individual is used in the operation of the AI to make the decision or do the thing that is substantially and directly related to making the decision.

Additionally, under APP 1.8, an entity’s privacy policy must explain the kinds of:

  • personal information used in the operation of the AI;
  • decisions made solely by the operation of the AI; and
  • decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of the AI.

Businesses that currently use or plan to use AI should start preparing to amend their privacy policy, collection notice or procedures to ensure compliance with the requirements for disclosing their use of AI.

Contact us

If you are an Australian business or individual requiring advice or a review of your current privacy policy or processes to meet these recent amendments, please contact a member of our Privacy & Data Protection team.

Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

© 2025 Rigby Cooke Lawyers