By: Kieran Doyle, Nicole Gabryk and Rakhee Dullabh


At a glance

  • Most parts of the Privacy and Other Legislation Amendment Bill 2024 (Cth) start the day after Royal Assent. However, APP1 changes for automated decision-making take effect in 24 months, and the new statutory tort for serious invasions of privacy starts within 6 months or on a proclaimed date.
  • Updates include extending the consultation period for the Children’s Online Privacy Code to 60 days, granting the OAIC new powers to issue penalties for serious privacy breaches, and adding exemptions for government agencies and law enforcement under the statutory tort provisions.
  • For more information on the changes introduced by the Privacy Amendment Bill, view our Cyber, Privacy and Technology Report here, or register for our upcoming webinar here.


On 28 November 2024 the Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth). After Royal Assent is received, it will be an Act of Parliament. Most of the provisions in the Bill, will commence the day after Royal Assent is received, however, in some cases such as the amendments to APP1 in relation to automated decisions will only commence 24 months after Royal Assent is given, and Schedule 2 dealing with the statutory tort for serious invasions of privacy will comments on the earlier of a date proclaimed or 6 months after Royal Assent is given.

This closely follows the passing of the Cyber Security Act 2024 (Cth) this week. View our article here.

Passed amendments to the draft bill

During the parliamentary process a number of amendments to the draft bill were proposed which have passed. These include, among others:

  • 24 months after the commencement of Schedule 3 (Doxxing offences) the Minister must cause an independent review of these amendments. A report of the review must be provided within 6 months of the commencement of the review
  • The consultation period for the Children’s Online Privacy Code will be extended from 30 days to 60 days
  • The power of the OAIC to issue compliance notices for breaches of section 13K (i.e. the civil penalty provisions arising from a breach of the Australian Privacy Principles (APPs)). A failure to comply with a compliance notice will result in the imposition of civil penalties (up to $66,000) or infringement notice powers
  • Updates to the statutory tort provisions to include additional exemptions for agencies, State and Territory territories, their staff members and law enforcement bodies.

Access our report and webinar

For more information about the changes introduced by the Privacy Amendment Bill see Issue 9 of our Cyber, Privacy and Technology Report accessible here.

Otherwise, please join us in our webinar on Thursday, 5 December 2024 at 12pm (AEDT) where we will discuss 10 things to know about the new Privacy Amendment Bill. Register here.