Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 48
Australia
2024 marked the initial phase of Australia’s
long-anticipated privacy law reforms, following
the government review of the Privacy Act 1988
(Privacy Act) in 2023.
In December 2024, the Privacy and Other
Legislation Amendment Bill 2024 (Cth)
(the Privacy Amendment Bill), as passed
by the Senate in November 2024, received
Royal Assent. The Privacy Amendment
Bill introduced major amendments to the
Privacy Act, some of which had already come
into effect.
Notable amendments to the Privacy Act
under the Privacy Amendment Bill include,
amongst others:
· A brand-new statutory tort for serious
invasions of privacy: this would allow
individuals to commence legal proceedings
against individuals or organisations for
serious invasions of privacy where the
alleged conduct under question was
intentional or reckless.
· A new criminal offence for doxxing: it will be
illegal to share personal information of any
person with the intention to harm,
punishable by up to 7 years’ imprisonment.
· Sanctions for other privacy breaches: civil
penalties will range from AUD 330,000 to
AUD 50 million depending on the
seriousness of the breach.
· Setting the scene for a Children’s Online
Privacy Code: the Office of the Australian
Information Commissioner (“OAIC”) is
statutorily required to develop a code to
address privacy concerns for children online.
· Transparency obligations for automated
decision-making: organisations will be
required to update their privacy policies to
disclose the making of decisions which used
automated processes.
In late November 2024, the Cyber Security Act
2024 (Cth) (CSA) received Royal Assent as well,
further implementing the 2023-2030 Australian
Cyber Security Strategy.
The key features of the CSA include:
· Ransomware reporting: where a ransomware
payment is made, there are mandatory
requirements to make reports to the
Department of Home Affairs.
· Cyber Review Board: significant
cybersecurity incidents will be reviewed by
the Cyber Review Board on a no-fault basis.
· Limited use exception: to foster collaboration
between the government and industry
stakeholders during cyber incidents, the
CSA includes provisions which restrict
the use of information provided to certain
governmental departments on a
voluntary basis.
· Security standards for smart devices: the
CSA imposes obligations on manufacturers
and suppliers of smart devices to ensure
such devices meet certain security standards
where there is intention to make them
available in Australia. Examples of these
obligations include the production of a
statement of compliance to confirm that the
devices do meet certain requirements under
the relevant standards.
In 2024, there was continued emphasis on
AI as it interacts with privacy and data security.
Notably, on October 21, 2024, the Office of the
Australian Information Commissioner (“OAIC”)
published two guidelines:
· Guidance on privacy and developing and
training generative AI models (Developer AI