Privacy and Other Legislation Amendment Act 2024 (Cth)

Privacy and Other Legislation Amendment Act 2024 No. 128, 2024 An Act to amend the law in relation to privacy and the criminal law, and for related purposes Contents 1 Short title 2 Commencement 3 Schedules 4 Review of operation of amendments made by Schedule 3 Schedule 1—Privacy reforms Part 1—Objects of the Act Privacy Act 1988 Part 2—APP codes Privacy Act 1988 Part 3—Emergency declarations Privacy Act 1988 Part 4—Children's privacy Privacy Act 1988 Part 5—Security, retention and destruction Privacy Act 1988 Part 6—Overseas data flows Privacy Act 1988 Part 7—Eligible data breaches Privacy Act 1988 Part 8—Penalties for interference with privacy Data Availability and Transparency Act 2022 Digital ID Act 2024 Identity Verification Services Act 2023 Privacy Act 1988 Part 9—Federal court orders Privacy Act 1988 Part 10—Commissioner to conduct public inquiries Privacy Act 1988 Part 11—Determinations following investigations Privacy Act 1988 Part 12—Annual reports Australian Information Commissioner Act 2010 Part 13—External dispute resolution Privacy Act 1988 Part 14—Monitoring and investigation Competition and Consumer Act 2010 Crimes Act 1914 Data‑matching Program (Assistance and Tax) Act 1990 National Health Act 1953 Privacy Act 1988 Part 15—Automated decisions and privacy policies Privacy Act 1988 Schedule 2—Serious invasions of privacy Privacy Act 1988 Schedule 3—Doxxing offences Criminal Code Act 1995 Privacy and Other Legislation Amendment Act 2024 No. 128, 2024 An Act to amend the law in relation to privacy and the criminal law, and for related purposes [Assented to 10 December 2024] The Parliament of Australia enacts: 1 Short title This Act is the Privacy and Other Legislation Amendment Act 2024. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provisions Commencement Date/Details 1. Sections 1 to 4 and anything in this Act not elsewhere covered by this table The day this Act receives the Royal Assent. 10 December 2024 2. Schedule 1, Parts 1 to 7 The day after this Act receives the Royal Assent. 11 December 2024 3. Schedule 1, items 45 and 46 Immediately after the commencement of the provisions covered by table item 5. 11 December 2024 4. Schedule 1, item 47 The later of: 11 December 2024 (a) immediately after the commencement of the provisions covered by table item 5; and (paragraph (a) applies) (b) immediately after the commencement of the Digital ID Act 2024. 5. Schedule 1, items 48 to 58 The day after this Act receives the Royal Assent. 11 December 2024 6. Schedule 1, Parts 9 to 14 The day after this Act receives the Royal Assent. 11 December 2024 7. Schedule 1, Part 15 The day after the end of the period of 24 months beginning on the day this Act receives the Royal Assent. 10 December 2026 8. Schedule 2 A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. 9. Schedule 3 The day after this Act receives the Royal Assent. 11 December 2024 Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Schedules Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms. 4 Review of operation of amendments made by Schedule 3 (1) The Minister must cause an independent review to be undertaken of the operation of the amendments made by Schedule 3 to this Act. (2) The review must commence as soon as practicable after the end of the period of 24 months starting at the commencement of that Schedule. (3) The persons who undertake the review must give the Minister a written report of the review within 6 months of the commencement of the review. (4) The Minister must cause a copy of the report of the review to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister. Schedule 1—Privacy reforms Part 1—Objects of the Act Privacy Act 1988 1 Paragraph 2A(a) Repeal the paragraph, substitute: (a) to promote the protection of the privacy of individuals with respect to their personal information; and (aa) to recognise the public interest in protecting privacy; and 2 Paragraph 2A(h) Omit "obligation", substitute "obligations". Part 2—APP codes Privacy Act 1988 3 Subsection 6(1) Insert: temporary APP code: see section 26GB. 4 Section 26G (at the end of the heading) Add "—following a request". 5 After section 26G Insert: 26GA Development of APP codes by the Commissioner—at the direction of the Minister Minister may give direction (1) The Minister may, in writing, direct the Commissioner to develop an APP code if the Minister is satisfied that it is in the public interest: (a) to develop the code; and (b) for the Commissioner to develop the code. (2) Without limiting subsection (1), a direction under that subsection may: (a) specify one or more matters that the code must deal with; and (b) specify the APP entities, or a class of APP entities, that are to be bound by the code. (3) A direction under subsection (1) is not a legislative instrument. Commissioner must develop and register code (4) The Commissioner must develop and register an APP code if the Minister has given the Commissioner a direction under subsection (1) to develop the code. Matters covered by code (5) Despite paragraph 26C(3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). Consultation etc. (6) In developing the APP code, the Commissioner may consult any person the Commissioner considers appropriate. (7) Before registering the APP code under section 26H, the Commissioner must: (a) make a draft of the code publicly available; and (b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 40 days); and (c) give consideration to any submissions made within the specified period. 26GB Development of APP codes by the Commissioner—temporary APP codes Minister may give direction (1) The Minister may, in writing, direct the Commissioner to develop an APP code (a temporary APP code) if the Minister is satisfied that: (a) it is in the public interest: (i) to develop the code; and (ii) for the Commissioner to develop the code; and (b) the code should be developed urgently. (2) Without limiting subsection (1), a direction under that subsection may: (a) specify one or more matters that the code must deal with; and (b) specify the APP entities, or a class of APP entities, that should be bound by the code. (3) A direction under subsection (1) is not a legislative instrument. Commissioner must develop and register code (4) The Commissioner must develop and register a temporary APP code if the Minister has given the Commissioner a direction under subsection (1) to develop the code. Matters covered by code (5) However, despite paragraph 26C(3)(b), the temporary APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). Consultation etc. (6) In developing the temporary APP code, the Commissioner may consult any person the Commissioner considers appropriate. Period code is in force (7) The period set out for the temporary APP code for the purposes of paragraph 26C(2)(c) must not be longer than 12 months. Note: Paragraph 26C(2)(c) deals with the period during which the code is in force. Disallowance (8) Section 42 (disallowance) of the Legislation Act 2003 does not apply to a temporary APP code that is a registered APP code. Note: A registered APP code is a legislative instrument: see subsection 26B(2). 6 Paragraph 26H(1)(b) Omit "section 26G", substitute "section 26G, 26GA or 26GB". Part 3—Emergency declarations Privacy Act 1988 7 Subsection 80G(1) Insert: entity includes the following: (a) a person; (b) an agency; (c) an organisation. 8 Section 80H Repeal the section. 9 Subsections 80J(1) and (2) After "Minister may", insert ", by writing,". 10 At the end of section 80J Add: (3) A declaration under this section is a legislative instrument, but section 42 (disallowance) of the Legislation Act 2003 does not apply to the declaration. 11 Subsection 80K(1) After "Minister may", insert ", in writing,". 12 At the end of section 80K Add: (3) A declaration under this section is a legislative instrument, but section 42 (disallowance) of the Legislation Act 2003 does not apply to the declaration. 13 After section 80K Insert: 80KA Matters covered by declarations Matters that must be specified (1) Without limiting section 80J or 80K, an emergency declaration must specify the following matters: (a) the kind or kinds of personal information to which the declaration applies; (b) the entity or class of entities that may collect, use or disclose the personal information; (c) the entity or class of entities that the personal information may be disclosed to; (d) one or more permitted purposes of the collection, use or disclosure. Note: See section 80P (authorisation of collection, use and disclosure of personal information). Specified entities (2) An entity or class of entities specified for the purposes of paragraph (1)(c): (a) may include a State or Territory authority; and (b) must not be or include a media organisation, the Australian Broadcasting Corporation or the Special Broadcasting Service Corporation. Specified permitted purposes (3) A permitted purpose specified for the purposes of paragraph (1)(d) must be a purpose that directly relates to the Commonwealth's response to an emergency or disaster in respect of which an emergency declaration is in force. (4) Without limiting subsection (3), any of the following may be specified as a permitted purpose in relation to an emergency or disaster: (a) identifying individuals who: (i) are or may be injured, missing or dead as a result of the emergency or disaster; or (ii) are or may be at risk of injury, going missing or death as a result of the emergency or disaster; or (iii) are or may be otherwise involved in or affected by the emergency or disaster; or (iv) are or may be at risk of otherwise being involved in or affected by the emergency or disaster; (b) assisting individuals involved in or affected by the emergency or disaster to obtain services such as repatriation services, medical or other treatment, health services and financial or other humanitarian assistance; (c) assisting individuals who are or may be at risk of being involved in or affected by the emergency or disaster to obtain services such as repatriation services, medical or other treatment, health services and financial or other humanitarian assistance; (d) assisting with law enforcement in relation to the emergency or disaster; (e) coordination or management of the response to the emergency or disaster; (f) ensuring that responsible persons for individuals who are, or may be, involved in the emergency or disaster are appropriately informed of matters that are relevant to: (i) the involvement of those individuals in the emergency or disaster; or (ii) the response to the emergency or disaster in relation to those individuals; (g) ensuring that responsible persons for individuals who are or may be at risk of being involved in or affected by the emergency or disaster are appropriately informed of matters that are relevant to: (i) the involvement of or effect on those individuals in the emergency or disaster; or (ii) the response to the emergency or disaster in relation to those individuals. (5) Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, or any other provision of this Act, an emergency declaration may provide differently for: (a) different kinds of personal information; and (b) different entities or classes of entities; and (c) different permitted purposes. 14 Sections 80L and 80M Repeal the sections. 15 Section 80N (heading) Omit "cease to have effect", substitute "cease to be in force". 16 Section 80N Omit "ceases to have effect at the earliest of", substitute "ceases to be in force at the earliest of the following". 17 Paragraph 80N(a) Omit "cease to have effect", substitute "cease to be in force". 18 Paragraph 80N(a) Omit "or". 19 Paragraph 80N(b) Omit "revoked; or", substitute "repealed;". 20 Paragraph 80N(c) Repeal the paragraph, substitute: (c) the start of the day after the end of the period of 12 months beginning on the day the declaration commences. 21 Paragraphs 80P(1)(b) to (e) Repeal the paragraphs, substitute: (b) the collection, use or disclosure is for a permitted purpose specified in the declaration; and (c) the information is information of a kind specified in the declaration; and (d) the information is disclosed by an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and (e) the information is disclosed to an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and (f) if a matter mentioned in paragraph (b), (c), (d), or (e) is specified in the declaration subject to conditions—those conditions are satisfied. 22 Subsection 80P(7) (paragraph (a) of the definition of designated secrecy provision) After "18B,", insert "34GF, 35P,". 23 Subsection 80P(7) (paragraph (a) of the definition of designated secrecy provision) After "92A", insert ", and subsection 34GE(4),". 24 Subsection 80P(7) (after paragraph (a) of the definition of designated secrecy provision) Insert: (aa) section 15LC of the Crimes Act 1914; 25 Subsection 80P(7) (paragraph (c) of the definition of designated secrecy provision) Omit "and 41 of", substitute "and 41 of, and clause 9 of Schedule 1 to,". 26 Subsection 80P(7) (after paragraph (ca) of the definition of designated secrecy provision) Insert: (cb) sections 22, 22A and 22B of the Witness Protection Act 1994; 27 Subsection 80P(7) (definition of entity) Repeal the definition. 28 After paragraph 80Q(2)(a) Insert: (b) a disclosure for the purposes of carrying out a State's constitutional functions, powers or duties; (ba) a disclosure for the purposes of obtaining or providing legal advice in relation to the operation of this Part; 29 Application of amendments (1) The amendments of sections 80J, 80K, 80N and 80P, the repeal of sections 80H, 80L and 80M, and the insertion of section 80KA, of the Privacy Act 1988 made by this Part apply in relation to declarations made on or after the commencement of this item. (2) The amendments of section 80Q of the Privacy Act 1988 made by this Part apply in relation to the disclosure of information by a person on or after the commencement of this item, whether the information was first disclosed to that person before or after that commencement. Part 4—Children's privacy Privacy Act 1988 30 Subsection 6(1) Insert: child means an individual who has not reached 18 years. Children's Online Privacy Code: see section 26GC. 31 After subsection 26C(4) Insert: (4A) Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, an APP code may provide differently for different: (a) classes of entities; and (b) classes of personal information; and (c) classes of activities of entities. 32 Before section 26H Insert: 26GC Development of APP codes by the Commissioner—Children's Online Privacy Code Children's Online Privacy Code (1) The Commissioner must develop an APP code (the Children's Online Privacy Code) about online privacy for children. (2) The other provisions of this Division (including section 26C) apply in relation to the Children's Online Privacy Code subject to this section. Note: Section 26C deals with requirements for APP codes generally. Matters covered by code (3) For the purposes of paragraph 26C(2)(a), the Children's Online Privacy Code must set out how one or more of the Australian Privacy Principles are to be applied or complied with in relation to the privacy of children. (4) For the purposes of subsections 26C(3) and (4), the Children's Online Privacy Code may provide for one or more of the matters mentioned in those subsections in relation to the privacy of children. However, despite paragraph 26C(3)(b), the code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). Note: Codes may provide differently for different things: see subsection 26C(4A). Entities bound by code (5) Subject to subsection (7), an APP entity is bound by the Children's Online Privacy Code if: (a) all of the following apply: (i) the entity is a provider of a social media service, relevant electronic service or designated internet service (all within the meaning of the Online Safety Act 2021); (ii) the service is likely to be accessed by children; (iii) the entity is not providing a health service; or (b) the entity is an APP entity, or an APP entity in a class of entities, specified in the code for the purposes of this paragraph. Note: In relation to subparagraph (a)(ii), see subsection (11). (6) Paragraph 26C(2)(b) does not apply in relation to the Children's Online Privacy Code. Specified entities not bound by code (7) Despite subsection (5), an APP entity is not bound by the Children's Online Privacy Code if the entity is an APP entity, or an APP entity in a class of entities, specified in the code for the purposes of this subsection. Requirements (8) In developing the Children's Online Privacy Code, the Commissioner may: (a) consult with: (i) children; and (ii) relevant organisations or bodies concerned with children's welfare; and (iia) industry organisations or bodies representing the interests of one or more entities that may potentially be bound by the Code; (iii) the eSafety Commissioner; and (iv) the National Children's Commissioner; and (b) consult any other person the Commissioner considers appropriate. (9) Before registering the Children's Online Privacy Code under section 26H, the Commissioner must: (a) make a draft of the code publicly available; and (b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 60 days); and (c) give consideration to any submissions made within the specified period; and (d) consult with: (i) the eSafety Commissioner; and (ii) the National Children's Commissioner. Time by which code must be made (10) The Commissioner must develop and register the Children's Online Privacy Code within the period of 24 months beginning on the day the Privacy and Other Legislation Amendment Act 2024 receives the Royal Assent. Services likely to be accessed by children (11) The Commissioner may make written guidelines to assist entities to determine if a service is likely to be accessed by children for the purposes of subparagraph (5)(a)(ii). (12) The Commissioner may publish any such guidelines on the Commissioner's website. (13) Guidelines under subsection (11) are not a legislative instrument. 33 After paragraph 26H(1)(b) Insert: ; or (c) the Commissioner develops a Children's Online Privacy Code under section 26GC; Part 5—Security, retention and destruction Privacy Act 1988 34 At the end of clause 11 of Schedule 1 Add: 11.3 For the purposes of subclauses 11.1 and 11.2, without limiting those subclauses or any other provision of this Act, such steps include technical and organisational measures. 35 Application of amendment The amendment of clause 11 of Schedule 1 to the Privacy Act 1988 made by this Part applies in relation to information held after the commencement of this Part, regardless of whether the information was acquired or created before or after that commencement. Part 6—Overseas data flows Privacy Act 1988 36 After subsection 100(1) Insert: (1A) Before the Governor‑General makes regulations for the purposes of Australian Privacy Principle 8.3 prescribing a country or binding scheme, the Minister must be satisfied that: (a) the laws of the country, or the binding scheme, has the effect of protecting personal information about an individual in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and (b) there are mechanisms that the individual can access to take action to enforce that protection. (1B) The regulations may prescribe a country or binding scheme for the purposes of Australian Privacy Principle 8.3 subject to: (a) conditions in relation to a specified entity or class of entities; and (b) conditions in relation to a specified kind or kinds of personal information. 37 After paragraph 8.2(a) of Schedule 1 Insert: (aa) subclause 8.3 applies in relation to the disclosure of the information; or 38 At the end of clause 8 of Schedule 1 (after the note) Add: 8.3 This subclause applies in relation to the disclosure of personal information (the relevant personal information) about an individual by an APP entity to an overseas recipient if: (a) the recipient of the relevant personal information is: (i) subject to the laws of a country that is prescribed by the regulations; or (ii) a participant in a binding scheme that is prescribed by the regulations; and (b) if the country or binding scheme is prescribed subject to conditions—those conditions are satisfied. Note: There are prerequisites that must be satisfied before the matters mentioned in this subclause are prescribed: see subsection 100(1A). 39 Application of amendments The amendments of clause 8 of Schedule 1 to the Privacy Act 1988 made by this Part apply in relation to information disclosed after the commencement of this Part, regardless of whether the information was acquired or created before or after that commencement. Part 7—Eligible data breaches Privacy Act 1988 40 Subsection 6(1) Insert: eligible data breach declaration means a declaration under subsection 26X(1). 41 Section 26WA (heading) Repeal the heading, substitute: 26WA Guide to this Part 42 At the end of section 26WA Add: • This Part also deals with the collection, use and disclosure of personal information involved in eligible data breaches. 43 At the end of Part IIIC Add: Division 5—Dealing with personal information involved in eligible data breaches Subdivision A—Eligible data breach declaration 26X Eligible data breach declaration Minister may make eligible data breach declaration (1) The Minister may, by writing, make a declaration under this subsection if: (a) there is an eligible data breach of an entity; and (b) the Minister is satisfied that making the declaration is: (i) necessary or appropriate to prevent; or (ii) necessary or appropriate to reduce; a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity. Note: A declaration under this subsection is relevant for the operation of section 26XB (authorisation of collection, use and disclosure of personal information) and related provisions. Matters covered by declaration (2) Without limiting subsection (1), the declaration must specify the following matters: (a) the kind or kinds of personal information to which the declaration applies; (b) the entity or class of entities that may collect, use or disclose the personal information; (c) the entity or class of entities that the personal information may be disclosed to; (d) one or more permitted purposes of the collection, use or disclosure. Specified entities (3) An entity or class of entities specified for the purposes of paragraph (2)(c): (a) may include a State or Territory authority; and (b) must not be or include a media organisation, the Australian Broadcasting Corporation or the Special Broadcasting Service Corporation. Specified permitted purposes (4) A permitted purpose specified for the purposes of paragraph (2)(d) in relation to an eligible data breach must be a purpose that is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b) to one or more individuals at risk from the eligible data breach. (5) Without limiting subsection (4), any of the following things may be specified as a permitted purpose in relation to an eligible data breach, to the extent that it is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b): (a) preventing a cyber security incident (within the meaning of the Security of Critical Infrastructure Act 2018), fraud, scam activity or identity theft; (b) responding to a cyber security incident, fraud, scam activity or identity theft; (c) responding to the consequences of a cyber security incident, fraud, scam activity, identity crime and misuse, financial loss, emotional and psychological harm, family violence and physical harm or intimidation; (d) addressing malicious cyber activity. (6) Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, or any other provision of this Act, an eligible data breach declaration may provide differently for: (a) different kinds of personal information; and (b) different entities or classes of entities; and (c) different permitted purposes. Conditions (7) The declaration may specify a matter mentioned in subsection (2) subject to conditions. Consultation (8) Before the Minister makes a declaration under subsection (1), the Minister may consult with any person or body, including the Commissioner and the Director‑General of the Australian Signals Directorate. (9) Despite subsection 29(1) of the Australian Information Commissioner Act 2010 and any provision of this Act, the Commissioner may disclose information to the Minister for the purposes of consultation under subsection (8). Declaration is a legislative instrument (10) A declaration under subsection (1) is a legislative instrument, but section 42 (disallowance) of the Legislation Act 2003 does not apply to the declaration. 26XA When declarations cease to be in force An eligible data breach declaration ceases to be in force at the earliest of the following: (a) if a time at which the declaration will cease to be in force is specified in the declaration—at that time; (b) the time at which the declaration is repealed; (c) the start of the day after the end of the period of 12 months beginning on the day the declaration commences. Subdivision B—Provisions dealing with the collection, use and disclosure of personal information 26XB Authorisation of collection, use and disclosure of personal information (1) At any time when an eligible data breach declaration is in force in relation to an eligible data breach, an entity may collect, use or disclose personal information about an individual if: (a) the entity reasonably believes that the individual may be at risk from the eligible data breach; and (b) the collection, use or disclosure is for a permitted purpose specified in the declaration; and (c) the information is information of a kind or kinds specified in the declaration; and (d) the information is disclosed by an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and (e) the information is disclosed to an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and (f) if a matter mentioned in paragraph (b), (c), (d) or (e) is specified in the declaration subject to conditions—those conditions are satisfied. (2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1) unless the secrecy provision is a designated secrecy provision (see subsection (6)). (3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1). (4) An entity does not breach an Australian Privacy Principle, a registered APP code that binds the entity or a rule issued under section 17 (rules relating to tax file number information) in respect of a collection, use or disclosure of personal information authorised by subsection (1). (5) A collection, use or disclose of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by subsection (1) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information. (6) In this section: designated secrecy provision means any of the following: (a) sections 18, 18A, 18B, 34GF, 35P, 92 and 92A, and subsection 34GE(4), of the Australian Security Intelligence Organisation Act 1979; (b) section 15LC of the Crimes Act 1914; (c) section 34 of the Inspector‑General of Intelligence and Security Act 1986; (d) sections 39, 40C, 40D and 41 of, and clause 9 of Schedule 1 to, the Intelligence Services Act 2001; (e) sections 42 and 44 of the Office of National Intelligence Act 2018; (f) sections 22, 22A and 22B of the Witness Protection Act 1994; (g) a provision of a Commonwealth law prescribed by the regulations for the purposes of this paragraph; (h) a provision of a Commonwealth law of a kind prescribed by the regulations for the purposes of this paragraph. secrecy provision means a provision of a Commonwealth law (including a provision of this Act) that prohibits or regulates the use or disclosure of personal information, whether t