Privacy & Information Security Law Blog

Patrick Gunning of King & Wood Mallesons reports that on November 29, 2024, the Australian Parliament passed more than 30 bills on the final sitting day for the calendar year. Among the flurry of legislative activity were the Privacy and Other Legislation Amendment Act 2024 and the Online Safety Amendment (Social Media Minimum Age) Act 2024. 

Privacy Amendment Act

The Privacy Amendment Act represents the initial stage of the Australian government’s response to a long-running reform process, with the government indicating that if it is re-elected in 2025, a second tranche of amendments will be proposed. We highlight some of the 2024 amendments.

Broader Enforcement Powers for the Australian Information Commissioner

This includes changes to:

• Clarify when “serious” contraventions (which can result in fines of A$50 million or more) occur.
• Enable the regulator to bring civil penalty proceedings for contraventions that do not meet the “serious” threshold, but are deserving of court action to deter others (with a maximum fine of up to A$3.3 million).
• Enable the regulator to issue an “infringement notice” for breaches of certain less serious requirements of Australian privacy law. If a regulated entity chooses to pay the penalty set out in the infringement notice (up to A$330,000 per specified contravention), the regulator cannot commence court proceedings in respect of those contraventions unless the regulator withdraws the infringement notice and returns the fine. Alternatively the regulated entity can choose to not pay the fine, in which case the regulator has the discretion to take a different form of enforcement action (such as commencing civil penalty proceedings in a court, where the maximum fine is ten times greater than available under the infringement notice regime).

The current Privacy Commissioner, Carly Kind, was appointed in 2024. She has signalled an intention to more actively enforce the law than her predecessors. The new enforcement powers in the 2024 amendments will give her tools to achieve that objective.

New Statutory Tort of Invasion of Privacy

The Privacy Amendment Act introduces a new statutory tort for serious invasions of privacy involving intrusion upon seclusion and/or misuse of information, where:

• the plaintiff has a reasonable expectation of privacy;
• the conduct by the defendant is intentional or reckless;
• the invasion of privacy is serious; and
• the public interest in the plaintiff’s privacy outweighs any countervailing public interest.

While it remains to be seen how widely the statutory tort of invasion of privacy will be litigated, expectations are that most cases will be brought against media defendants by well-resourced high-profile individuals. While the regulator will have the right to make submissions in such a case, the regulator will not have standing to bring a statutory tort claim on behalf of any individual. Class actions are, however, a possibility if a single event affects multiple individuals. However, a typical cyber incident is not likely to qualify as a serious invasion of privacy, because the conduct of a defendant organization that has been hacked by a malicious third party is rarely intentional or reckless, even if it may involve negligence.

Automated Decisionmaking

In addition to the changes related to enforcement, the Act also provides greater transparency for individuals when regulated entities use personal information for automated decisionmaking. Regulated entities will now be required to include in their privacy notices details about what information is involved and what types of decisions are made using automated decisionmaking technology.

Children’s Online Privacy Code

The Act also directs the Commissioner to develop a Children’s Online Privacy Code, as discussed further below. The Act includes minimal parameters for the Code, however, beyond applicability and consultation provisions.

Social Media Minimum Age Act

The Australian Parliament enacted the Social Media Minimum Age Act only eight days after its introduction. The Act amends the Online Safety Act 2021 by requiring providers of an “age-restricted social media platform” to take reasonable steps to prevent Australian children under the age of 16 from having an account. Providers who fail to do so will be subject to civil penalties of up to A$49.5 million. The eSafety Commissioner will be responsible for administering the new requirements to be imposed on age-restricted social media platforms.

The Act defines an ”age-restricted social media platform” is as a platform that:

• allows users to post material;
• allows users to interact with other end-users; and
• enables social interactions between two or more end-users (as the platform’s sole or significant purpose).

Some forms of messaging services will be covered by this definition, in addition to platforms that would generally be considered social media platforms.

Providers of age-restricted social media platforms will have 12 months to implement age assurance techniques. The Act is not prescriptive about the techniques that may be implemented, but does impose limits on a provider’s right to collect government-issued identifiers and digital IDs for the purpose of enforcing the minimum age requirement.

It is possible that by the time that these age-restriction requirements take effect, the Privacy Commissioner will have developed an enforceable Children’s Online Privacy Code, which also will apply to providers of age-restricted social media platforms, as well as to others that deal with children online (such as e-commerce businesses).

The age-restriction requirements do not apply to platforms where ”none of the material on the service is accessible to, or delivered to, one or more end-users in Australia”. However, given the global nature of most social media platforms, it seems inevitable that some platform providers will regard this law as a legislative overreach by the Australian Parliament. For example, X Corp recently resisted the Australian eSafety Commissioner’s order to remove video footage of a violent attack in an Australian church from the platform. X Corp argued successfully in the Federal Court of Australia that it had taken all reasonable steps to remove the content from its platform by geo-blocking users with Australian IP addresses. As the initial injunction expired, the Australian eSafety Commissioner dropped the court case to pursue administrative action, having lost her argument that X Corp should have removed the content from its platform entirely because Australians using VPNs could circumvent the geo-blocking measures. Similar enforcement difficulties are likely to arise under the Social Media Minimum Age, as Australian children under the age of 16 may also use VPN services that allow them to circumvent whatever measures are put in place to restrict their ability to have an account on an age-restricted platform.

For further detail on these Australian reforms, visit KWM’s insights on data and privacy developments.