
Privacy and Other Legislation Amendment Act 2024

The Privacy and Other Legislation Amendment Act 2024 is a major Commonwealth reform package affecting Australia’s privacy framework. Its published structure shows changes across children’s privacy, security, retention and destruction, overseas data flows, eligible data breaches, penalties, investigations, automated decisions, serious invasions of privacy and doxxing offences. Businesses that handle personal information should review their privacy policies, data practices, offshore arrangements, breach response processes and staff controls, then confirm the exact legal detail in the Act when checking the current position.

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

The Act and what it covers

The Privacy and Other Legislation Amendment Act 2024 is a Commonwealth Act that is in force and recorded on the Federal Register of Legislation with a date of 10 December 2024. Its published structure shows a broad reform package rather than a single narrow amendment. The Act includes schedules dealing with privacy reforms, serious invasions of privacy, and doxxing offences.

Within Schedule 1, the published part headings point to changes across the Privacy Act framework in areas including objects of the Act, APP codes, emergency declarations, children’s privacy, security, retention and destruction, overseas data flows, eligible data breaches, penalties for interference with privacy, federal court orders, public inquiries by the Commissioner, determinations following investigations, annual reports, external dispute resolution, monitoring and investigation, and automated decisions and privacy policies.

That means businesses should treat this Act as a whole-of-system privacy reform. It is not just about one new notice requirement or one new offence. It potentially affects governance, customer communications, internal controls, incident response, vendor arrangements, and the way personal information is handled across the life cycle.

Who is in scope and who should check carefully

The safest reading is that any business or organisation already dealing with Privacy Act compliance should review this Act closely. The schedule headings also make it clear that some reforms are especially relevant to businesses that operate online, handle children’s information, transfer data overseas, respond to data breaches, or use automated systems that affect individuals.

At the same time, this page does not assume that every Australian business is now covered in the same way. The published headings do not, by themselves, confirm the exact reach of every amendment, any revised exemptions, or the detailed trigger points for each obligation. That is particularly important for businesses that have historically relied on a limited Privacy Act exposure or an exemption position.

If you are unsure whether your business is in scope, start by checking three things. First, what is your current position under the Privacy Act and related laws? Second, which parts of this Act amend the laws that already apply to you? Third, do your business activities fall into one of the reform areas clearly identified by the Act, such as children’s privacy, overseas data flows, eligible data breaches, or automated decisions?

Trigger points businesses should look for

The Act headings give a practical map of the situations that should trigger a legal review. If your business is dealing with any of the areas below, you should assume the reform package may affect your current settings and documents.

One trigger point is children’s privacy. If your products, services, content or user base involve children, or could reasonably attract children, you should review collection practices, notices, consent pathways and product design choices. Another trigger point is security, retention and destruction. If your business keeps personal information for long periods, has legacy databases, or lacks a clear deletion process, this reform area is directly relevant.

Overseas data flows are another obvious trigger. If personal information is stored, accessed, processed or supported outside Australia, even through ordinary cloud arrangements, you should review those arrangements. Eligible data breaches are also a trigger point. If your business has no tested breach response plan, no escalation process, or no clear responsibility for notifications, this Act should prompt immediate work.

The headings on automated decisions and privacy policies also matter. If software, algorithms or rules engines are used to assess, rank, approve, reject or otherwise affect individuals, your privacy documentation and internal governance may need attention. Finally, the doxxing offences and the serious invasions of privacy schedule mean businesses should review staff conduct rules, complaint handling, access controls and publication practices involving personal information.

Obligations in practice

Because the published material here is high level, the most useful business approach is to focus on operational obligations that are clearly signposted by the Act’s structure. First, review your privacy policy and related notices. The Act expressly points to automated decisions and privacy policies, and more broadly to reforms across the Privacy Act framework. If your policy is generic, outdated, or disconnected from actual business practices, it should be updated after checking the exact amendments.

Second, review information security, retention and destruction settings. The Act specifically identifies this as a reform area. Businesses should know what personal information they hold, why they hold it, where it sits, who can access it, and when it is securely deleted or destroyed.

Third, review overseas data arrangements. If personal information moves offshore through vendors, hosting, support, analytics or group entities, map those flows and check whether your contracts and controls still match the amended law.

Fourth, review breach response capability. The Act includes a part on eligible data breaches, so businesses should make sure they can identify an incident, assess it quickly, escalate it internally, preserve evidence, and decide whether notification steps are required.

Fifth, review governance around investigations, inquiries and enforcement. The Act headings refer to public inquiries by the Commissioner, determinations following investigations, federal court orders, external dispute resolution, and monitoring and investigation. That means privacy compliance is not just about prevention. It is also about being able to respond properly if a complaint, inquiry or investigation arises.

Sixth, review staff conduct and access controls. The doxxing offences schedule and the serious invasions of privacy schedule are a reminder that misuse of personal information can create serious legal exposure. Businesses should limit access to personal information, train staff on acceptable use, and have clear disciplinary pathways for misuse.

Children, automated decisions and other higher-risk areas

Some parts of the Act are especially important because they point to higher-risk business activities. Children’s privacy is one of them. If your business runs an app, platform, game, education service, health service, community service or online product that may involve children, you should not assume that a standard adult-facing privacy approach is enough. Review how information is collected, what notices are given, and whether your product design creates extra privacy risk.

Automated decisions are another area that deserves close attention. The Act specifically links automated decisions with privacy policies. Businesses using automated tools should identify where those tools affect individuals in a meaningful way, what information is used, what outputs are produced, and how those processes are described externally. Even where a tool only supports a human decision, it is worth checking whether your documentation and governance are accurate and complete.

The Act also includes emergency declarations, APP codes, external dispute resolution, and monitoring and investigation. These headings suggest that businesses should not limit their review to customer-facing notices alone. Industry codes, regulator engagement, complaint pathways and internal accountability may all need attention depending on the business model.

Dates and status

The Act is listed as in force on the Federal Register of Legislation and carries the date 10 December 2024. That is the key public date available from the published record used for this page.

Businesses should still check the commencement section and the operation of each schedule before assuming that every amendment started on the same day or applies in the same way. Amendment Acts often contain different commencement rules for different parts. If a particular reform area matters to your business, such as children’s privacy, eligible data breaches or doxxing offences, confirm the exact commencement position in the legislation itself.

The Act also includes a provision for review of the operation of amendments made by Schedule 3. That is relevant to the doxxing offences schedule and indicates that this reform area has its own review mechanism.

Checks to do before relying on this page

This page is a practical overview, not a substitute for reading the legislation. Before relying on it, businesses should verify the exact text of the amendments that matter to them. That includes checking whether a provision has commenced, whether it applies to your type of entity, and whether there are definitions, exceptions or procedural requirements that change the practical outcome.

You should also compare the Act against your current privacy compliance position. In practice, that means checking your privacy policy, collection statements, contracts with service providers, data maps, retention schedules, breach response plan, complaint handling process, and internal access controls. If your business operates in a regulated sector such as health, education, digital identity or government-adjacent services, you should also check whether amendments to other Acts affect your position.

If you need certainty on penalties, exemptions, complaint pathways, regulator powers, or the exact legal tests for any new right, offence or obligation, read the legislation directly and obtain advice on your specific facts.

Source notes

This overview is drawn from the public legislative record for the Privacy and Other Legislation Amendment Act 2024, including its status as in force, its date, and the published schedule and part headings. It is designed to help businesses identify likely impact areas and the internal reviews they should prioritise.

Because this page does not set out every amended section, it does not give exact penalty amounts, detailed exemption thresholds, or a complete explanation of every procedural step. Businesses should use it as a starting point for issue spotting, then confirm the legal detail in the Act itself.
