As Australian Privacy Commissioner Carly Kind emphasised, ‘2025 is going to be a big year for privacy and enforcement action’.
Most of the new provisions commenced on 10 or 11 December 2024, but two significant changes will roll out later:
- The tort for serious invasions of privacy will commence by 10 June 2025.
- Transparency requirements for automated decision-making will apply from 10 December 2026, giving businesses time to adapt.
In this article (the second in a series beginning with our first article), we outline five practical steps businesses can take to prepare.
1. Update your Privacy Policy
Your privacy policy is a formal statement about how your organisation manages personal information. It must be ‘clearly expressed and up to date’, and with the new requirements around automated decision-making, transparency is key.
Use this opportunity to:
- Accurately capture your current data handling practices.
- Clearly explain what personal data you collect, how it’s used, and any reliance on automated decision-making (see step 4 of this article).
- Use plain language – avoid jargon to make the policy accessible to customers.
2. Comprehensive Data Audit
Understanding your data ecosystem is key to compliance. A data audit allows you to:
- Identify all personal information collected, stored, and processed.
- Determine if the data is necessary or if it can be minimised.
- Evaluate the security measures protecting this data.
3. Strengthen Data Security Measures
There is new emphasis on the need for robust technical and organisational safeguards to protect personal data. Steps to strengthen security include:
- Training employees on data privacy and cybersecurity best practices.
- Implementing strong encryption, secure passwords, and access controls.
- Regularly testing systems for vulnerabilities and promptly addressing issues.
- Developing and rehearsing a data breach response plan.
4. Automated Decision-Making
In order to properly update their privacy policy, businesses will need to be clear on where and to what extent the personal information they collect will be used by a computer program to make decisions that ‘could reasonably be expected to significantly affect the rights or interests of an individual’.
Businesses should:
- Audit their current systems to identify where automated decision-making is used.
- Document these processes.
- Update privacy policies to explain how the systems work, what data they use, and their potential impacts on customers.
Although compliance isn’t required until 10 December 2026, starting now will give you ample time to align your practices with global standards, such as the GDPR.
5. Strengthen Protections for Children Online
The introduction of a Children’s Online Privacy Code (the Code) will create specific rules for handling children’s data. This will apply to services like social media, apps, and gaming platforms.
To prepare:
- Identify services or products likely to be accessed by children.
- Implement privacy-by-default settings and age verification tools.
- Avoid practices like targeted advertising or manipulative techniques aimed at children.
The Code is expected to align with international standards, such as the UK’s Age-Appropriate Design Code, and will take effect over the next two years.
What’s Next?
The timeline for key reforms is as follows:
- 10-11 December 2024: Most provisions took effect.
- 10 June 2025: The tort for serious invasions of privacy commences.
- 10 December 2026: Transparency requirements for automated decision-making take effect; privacy policies must be updated accordingly.
The Attorney-General’s Department has signalled consultations for a second tranche of privacy reforms, which may include:
- Removal or reduction of the employee records exemption and small business exemption.
- New individual rights, such as the right to erasure.
- Distinction between data controllers and processors, aligning with the EU’s GDPR.
If implemented, these reforms could facilitate an EU adequacy decision, enabling seamless data transfers between the EU and Australia without additional safeguards.
The privacy reforms mark a pivotal moment for Australian privacy law.
The road to compliance is not just about avoiding penalties; it’s an opportunity to build trust with customers and future-proof your business in an increasingly privacy-conscious world.
Panetta McGrath can assist you with privacy audits, updates to your privacy policy, other preparations and ongoing compliance with Australia’s changing privacy laws.
Written by Ryan Callanan & David McMullen