
The privacy law reforms finally passed in 2024 set the priorities for 2025

19 May 2025

11 min read

#Data & Privacy


Key takeaways

  • the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA) received royal assent on 10 December 2024, bringing significant changes to Australia’s privacy laws
  • businesses should review and update their privacy policy – fines now apply if one is not in place or if it is inadequate
  • consider all data security settings and whether reasonable organisational and technical steps have been taken to keep data secure
  • assess the personal information your business collects to minimise collection and breach risk
  • carefully consider the adoption of new technologies and undertake a privacy impact assessment.

What is the new law?

The long-awaited POLA marks the beginning of a step up in privacy laws in Australia and lays the groundwork for businesses to uplift their privacy practices. This is the first tranche of the privacy reform process that began back in 2017 (see timeline at the end of this article), with further tranches expected in 2025 and beyond.

Based on the recommendations in the Privacy Act Review Report, POLA makes several amendments to the Privacy Act 1988 (Cth) (Privacy Act). While it does not cover all the proposed changes, it does include those that are generally more acceptable to Australian businesses, leaving more contentious issues – such as the removal of the small business exemption and the “fair and reasonable” test – to be addressed later.

The majority of the POLA changes took effect upon receiving royal assent on 10 December 2024, with some deferred for various periods, so there is still time for businesses to prepare.

The reform comes as Australia’s current privacy laws are considered out of date and not fit for purpose in a modern digital economy, especially compared to privacy laws in other jurisdictions. The European General Data Protection Regulation (GDPR) is generally regarded as the gold standard for privacy laws, with many countries outside of Europe adopting GDPR-like laws.

Currently, many Australian organisations contracting with global corporations, where data exchange is involved, face lengthy and complex contractual negotiations around privacy compliance. While this is just one aspect driving the reform, it signals that in addition to the personal and human rights protections for individuals, there are broader economic and trade issues arising from having outdated privacy laws.

Any business that contracts with a large multinational is likely bound by contractual obligations to comply with the GDPR or standards that help the multinational meet its obligations under the GDPR. This means that many Australian businesses are already required, from a commercial and contractual analysis, to comply with privacy obligations that exceed those outlined in the Privacy Act.

While the Privacy Act has long provided an exemption for businesses with annual revenue of less than $3 million, it is still challenging for small businesses if they contract with large organisations and become contractually bound.

Stepping up to meet the needs of the digital economy

It is perhaps self-evident that the Privacy Act is outdated. In the second reading speech introducing POLA, Attorney-General, the Hon Mark Dreyfus, stated that:

The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms – like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams.

These concerns send a clear message that a more modern Privacy Act is needed to adequately respond to the digital economy and the harm that can arise.

The long and winding road to reform

The reform process has been a long journey of reviewing the Privacy Act. Given the substantial amount of work involved in the review and the sheer volume of public submissions, it is clear that while POLA only introduces the first tranche of reform, subsequent changes – whether by the current government in its few early sittings scheduled for 2025 or after the next federal election – are likely to align closely with the recommendations from the 2022 Privacy Act Review Report.

Issues paper, report and submissions

Following the release of the initial issues paper, 373 submissions were received and published, with a further 428 responses after the report was issued. These responses came from a broad range of stakeholders, including industry groups, academia, private citizens, government organisations, and civil society.

In February 2023, the government published a report listing 116 specific proposals in response to the volume and depth of submissions. Seven months later, the government indicated that 38 of those proposals were agreed, 68 were agreed in principle and 10 were simply noted. Not all recommendations required legislation as many called for guidance from the Office of the Australian Information Commissioner (OAIC). Under POLA, the government considers 23 of the 25 legislative proposals agreed upon in its response have been implemented.

Below, we outline a selection of the POLA changes, the change in the structure of the OAIC and potential future changes that may prompt Australian businesses to significantly improve their privacy procedures and processes in 2025.

Changes under POLA

Additional requirements for security – 'reasonable steps'

POLA strengthens Australian Privacy Principle (APP) 11, which requires businesses to take reasonable steps to protect information, by now including an obligation for organisations to have in place both technical and organisational measures as part of their reasonable steps to keep information secure.

Organisations will need to demonstrate that they have taken steps to employ technical measures (such as multifactor authentication and storing sensitive data in encrypted or other forms) and organisational measures (such as access privilege structures and deactivating accounts when employees leave), as part of their security processes.

It is fair to say that some of the more recent large-scale breaches had, among their root causes, failures to include basic technical protections and/or organisational protections, in particular not enabling multi-factor authentication or deactivating user accounts when individuals leave the organisation.

Recognising the public interest in protecting privacy

This small change to the objects of the Privacy Act provides a platform to expand the operation, and consequently the administration or regulation of the Act. We see that expansion very clearly in the framing of the new statutory tort and may also see it in the approach taken by the Commissioner in exercising its regulatory powers. It also underpins one rationale for the doxing provisions, which were a late addition to the reform process.

New rights for individuals – a statutory tort

A shortcoming of the Privacy Act has long been the fact that there is no immediate redress for individuals who suffer a privacy harm.

The development of the common law has been slow, and it was only in a decision published in October 2024 that a Magistrates Court in Victoria sought to establish a statutory tort for invasion of privacy in Waller v Barrett.1

POLA sets out tests for a serious invasion of privacy that may give rise to damages. There needs to be both a serious invasion of privacy and a misuse of personal information, with a balance set between the interest in protecting privacy and the public interest. This new tort will come into operation within 6 months of Royal Assent.

Damages for non-economic loss are proposed to be capped at the limits applicable for defamation, which could have a significant deterrent effect on businesses, particularly in the event of a major data breach. “No win no fee” lawyers would also be able to treat this in a similar way to a class action, which may push businesses to take greater care with sensitive information.

The framing of the tort follows to some degree principles used in defamation and it will be interesting to see how this develops and is used by individuals and the Commissioner, who will be able to participate in such proceedings.

While this tort may not have implications for businesses in an accidental data breach, when considered together with the additional obligations to keep information secure, individuals’ rights to potentially make claims are enhanced.

Automated decision-making

POLA imposes a requirement for organisations to include details in their privacy policies about automated decision making that may have a negative impact on individuals. Organisations will also need to explain the use of that automated decision making. This potential change could place a significant burden on businesses where the extent of the automation is not understood. However, this new obligation will not take effect until December 2026, so businesses have 2 years to prepare.

A classic explainability question that has been raised in the past, for example where algorithms are used in credit scoring, is what the individual could have done differently or changed in their application to generate a different outcome. If organisations are going to use automated decision making, they will need to be able to provide this degree of explainability and transparency.

New enforcement powers for the OAIC

POLA introduces a civil penalty regime for general interference with an individual’s privacy, regardless of whether that interference is serious or not. These provisions are operative now and the fines for companies are $3,300,000 and can be issued directly, bypassing the courts as was previously required. Infringement notices can be issued for certain prescribed breaches of the APPs including, among others:

  • failure to have a privacy policy
  • failure to include all relevant information in a privacy policy
  • failure to provide a simple means for individuals to opt out of direct marketing communications.

The prospect of fines for these relatively simple administrative matters should focus lawyers and risk managers on reviewing the organisation’s policies and marketing settings.

The OAIC also has power to conduct public inquiries to call out corporate behaviour that, while not unlawful, warrants public attention.

While there has been considerable discussion about these new infringement laws, the fact is that if the regulator can impose fines quickly without needing to approach the court, they can enforce immediately and against a broader range of organisations. This could potentially have a deterrent effect, compared to negotiating implausible undertakings or going to court.

Other changes in POLA

Separate issues which are beyond the scope of this article are the proposal for a criminal sanction for doxing and the imposition of an online children’s privacy code, which forms part of a much broader set of government proposals to protect children’s online privacy. What is relevant for business, however, is individuals’ increasing awareness of their rights to privacy and an increasing appetite on the part of government at all levels to respond to that with new law.

Changes within the OAIC

While law reform is one thing, the actions of the regulator are another key aspect of reform. While the OAIC has been acknowledged as underfunded for a number of years and, in the opinion of many, continues to be so, significant changes occurred in 2024.

In May, the OAIC moved from a single to a three-Commissioner model. Prior to May, one individual held the role of Privacy Commissioner, Freedom of Information Commissioner and the Information Commissioner in charge of running the OAIC. In May, those roles were split between three individuals. One consequence of that is that the Privacy Commissioner can now focus attention solely on Privacy Act enforcement.

Notably, a new Privacy Commissioner, Carly Kind, took up that role in February 2024 and, with the benefit of the three-Commissioner model, has brought a new energy to it, marked by a number of key public statements. In May, for example, a preliminary investigation into TikTok’s use of pixels and other surveillance tools was abandoned after the Commissioner identified that our out-of-date laws meant it was unlikely any law had been breached. Later in the year, we saw the determinations into Bunnings’ use of facial recognition technology2 and Property Lovers’ scraping of materials and putting them to a use for which they were not intended.3 It is clear that 2025 will bring more activity by the Privacy Commissioner, now armed with new enforcement powers.

Takeaways

As consumer sentiment for greater privacy protection continues to grow, privacy has become an important focus in the digital economy. At the same time, businesses are facing greater accountability in managing personal data, prompting the government to take significant steps toward modernising Australia’s privacy laws.

In 2025, we may see at least some of the remaining 58 proposals make their way onto the legislative agenda. If the “fair and reasonable test” for the collection and use of personal information is introduced, along with an expanded definition of personal information, the risks for businesses that fail to take privacy seriously are likely to escalate significantly.

Businesses can also expect an active Privacy Commissioner armed with new enforcement powers.

If you have any questions regarding this article or need assistance in reviewing and updating your privacy policy, please get in touch with a member of our team below.

  • This article was first published in the LexisNexis Privacy Law Bulletin, issue 21.09.

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.
