
The Privacy Act Gets Its Teeth: What the 2024 Reforms Mean for Notifiable Data Breaches

The Privacy and Other Legislation Amendment Bill 2024 passed the Senate in late November and awaits Royal Assent. It brings a mid-tier civil penalty of up to $3.3 million for corporations, new OAIC infringement-notice powers, a statutory tort of serious privacy invasion, and a harder edge to the notifiable-data-breach regime. What that actually changes for Australian mid-market businesses.

Jump to section
  1. What does the 2024 Privacy Act amendment actually change?
  2. What does this mean for the Notifiable Data Breaches scheme?
  3. Who is exposed to the new statutory tort?
  4. When does the statutory tort start?
  5. What do OAIC infringement notices actually look like?
  6. What systems and controls does the amended regime actually demand?
  7. What CCP does on Privacy Act readiness
  8. Primary sources

This is an IT operator’s perspective on the Privacy and Other Legislation Amendment Bill 2024, which passed the Senate on 29 November 2024 and is expected to receive Royal Assent shortly. It isn’t legal advice or a privacy-law opinion. Whether any particular handling of personal information satisfies the amended Privacy Act is your privacy counsel’s or the OAIC’s call. We implement the technical controls. They sign off on the legal interpretation.

The Privacy Act has been under reform since the 2022 review, and for the first time since 2017 the legislation is about to genuinely move. The Bill passed the Senate late on 29 November, is expected to receive Royal Assent in the next two weeks, and brings three things that change the calculus for any Australian mid-market business holding personal information. A new mid-tier civil penalty of up to AUD 3.3 million for a body corporate. Infringement-notice powers that let the OAIC act on smaller breaches without going through the Federal Court. And a statutory tort of serious invasion of privacy, commencing mid-2025, that lets individuals sue directly without going through the OAIC at all.

The 2024 reforms are less radical than the 2022 review proposed, but they meaningfully tighten the consequences of mishandling personal information. The mid-tier penalty in particular closes a long-standing enforcement gap. Under the pre-amendment regime, the OAIC had the nuclear option (penalties for “serious or repeated” interferences with privacy) or nothing. It now has a graduated response that matches the severity of most breaches we see in mid-market incident work.

What does the 2024 Privacy Act amendment actually change?

Five things matter for CCP-sized businesses. First, the civil-penalty framework gains a mid-tier for “interference with privacy” that is not serious or repeated, capped at 2,000 penalty units (around AUD 660,000) for an individual and 10,000 penalty units (around AUD 3.3 million) for a body corporate. Second, the OAIC gains infringement-notice and compliance-notice powers, allowing it to act without Federal Court proceedings. Third, a statutory tort of serious invasion of privacy commences on a date to be proclaimed, and no later than six months after commencement (so by around 10 June 2025). Fourth, amendments clarify the OAIC’s investigative powers and extend the breach-notification regime in various technical ways. Fifth, obligations around automated decision-making are introduced with a two-year transition period ending 10 December 2026.

The combination matters more than any single change. The OAIC now has the tools to bring enforcement action that is proportionate to the actual breach, which means mid-market businesses that would previously have received a stern letter might now receive a civil penalty. And the statutory tort opens a completely new pathway for individuals to recover where a breach has caused them real harm.

What does this mean for the Notifiable Data Breaches scheme?

The Notifiable Data Breaches (NDB) scheme itself has been in effect since February 2018. The 2024 amendments do not rewrite it. What they change is the consequence tree when an entity handles an NDB event badly.

Under the pre-amendment regime, an entity that failed to notify a breach, notified late, or did not adequately investigate after notification might face an OAIC investigation, potentially a Federal Court action if the conduct was serious, and reputational consequences. In practice, most non-catastrophic breaches resulted in OAIC engagement, a remediation requirement, and a published determination. The penalty regime was hard to deploy for merely poor handling.

Under the amended regime, the OAIC can issue an infringement notice where it forms the view that a civil penalty applies, without going to Federal Court first. It can issue a compliance notice requiring specific remediation, with penalties flowing if the notice is not complied with. The mid-tier civil penalty is available for interferences with privacy that are not at the top end of seriousness.

The practical effect is that the consequences of mishandling an NDB event have sharpened. Where previously a mid-market business might reasonably have expected that an honest mistake handled responsibly would attract a remediation conversation, the same facts might now attract an infringement notice with a financial penalty attached. The tolerance for poor preparation has narrowed.

Does the amendment change who has to notify?

No. The core NDB obligations (notify the OAIC and affected individuals of an “eligible data breach”, within 30 days of becoming aware of circumstances that would constitute one, and take reasonable steps to address it) remain the same. The 2024 amendments do not extend notification obligations to new entity categories, and do not lower the threshold for what counts as an eligible data breach.

The small-business exemption (turnover under AUD 3 million, with carve-outs for health service providers and certain other categories) also remains, though the government has signalled it is under ongoing review. A business that relies on the small-business exemption today should expect that reliance to become more contentious over time.

Who is exposed to the new statutory tort?

The statutory tort applies to any person who engages in conduct that constitutes a serious invasion of another person’s privacy, either by intruding on their seclusion or by misusing information relating to them. It is not limited to entities covered by the Privacy Act; individuals, unincorporated bodies, and small businesses can be sued. Damages are available, as are aggravated damages in appropriate cases.

For a mid-market Australian business, the practical exposure comes from three places. A data breach that exposes personal information in a way that causes real harm to affected individuals. Employment-related data handling that goes badly wrong (surveillance disputes, improperly accessed records, misuse of information about former employees). And deliberate or reckless use of personal information in a way a reasonable person would find offensive or distressing.

The tort does not require proof of financial loss. Distress, humiliation, or interference with private life can ground damages. That is a different exposure profile to traditional breach-of-contract claims, and one that insurance policies are only beginning to respond to.

When does the statutory tort start?

On a date to be proclaimed, and no later than six months after commencement. Given the Bill is expected to receive Royal Assent in December 2024, the tort will commence no later than around 10 June 2025. Businesses should treat first-half 2025 as the transition window.

What should a mid-market business do with six months of runway?

Three things. Review the personal information the business actually holds, with a focus on information that would cause real harm if exposed or misused. Update the incident-response plan to consider the tort-law dimension of a breach in addition to the regulatory notification dimension, including early legal advice on whether an incident creates tort exposure. And tighten operational practices around employee data handling and internal monitoring, both of which are the kind of conduct most likely to ground a tort claim short of a headline breach.

Technical controls (access management, logging, encryption, breach detection) continue to do most of the work on the regulatory side. The tort is primarily a governance and legal issue, but the technical controls reduce the incidence of events that become legal issues in the first place.

What do OAIC infringement notices actually look like?

Infringement notices under the amended Act are a new enforcement tool for the OAIC. The mechanism is analogous to ACCC infringement notices: the OAIC forms the view that a civil penalty applies, issues a notice specifying the penalty amount, and the recipient either pays or disputes the notice in proceedings. Paying the notice is not an admission of liability but does close the matter.

For CCP-sized businesses, the expected effect is that the OAIC will resolve many mid-severity matters through infringement notice rather than Federal Court action. That is more efficient for the regulator and arguably more proportionate for the respondent, but it also means more cases resolve with a financial penalty attached where previously none would have applied.

The practical implication is that the quality of an entity’s breach response now matters more. A responsibly handled breach backed by credible technical evidence of preparation may still result in OAIC engagement but is less likely to result in a penalty. A poorly handled breach with thin evidence of preparation is a natural candidate for an infringement notice.

What systems and controls does the amended regime actually demand?

The regime does not prescribe controls. It requires entities to take reasonable steps to protect personal information and to respond appropriately to breaches. What counts as reasonable moves with the state of the art and the sensitivity of the information.

The practical baseline that matches current regulatory expectation for a mid-market business handling personal information is broadly familiar. Identity and access controls that enforce least privilege. Logging sufficient to reconstruct what happened in a breach. Encryption of personal information both in transit and at rest. A backup and recovery posture that can restore operations without paying a ransom. Patching and vulnerability management on a documented cadence. An incident-response plan that has been tested. Vendor management for third parties handling personal information on the entity’s behalf.

For most mid-market businesses we work with, the gap is not in knowing what to do. It is in having documented evidence that the controls were actually operating when the breach occurred. The amended regime’s enforcement tools will increasingly turn on that evidence gap.

Do the amendments change the data-retention equation?

Indirectly. The amendments do not change retention obligations. They do sharpen the consequences of over-retention. Personal information that is held past the point of legitimate business need is a liability with no offsetting business benefit under the amended regime, in a way it was not before. The statutory tort in particular exposes long-retention postures: information held for years after it ceased to be needed is information that can still cause harm if exposed.

The trend across well-advised privacy programs through 2024 has been to reduce the volume of personal information held, not to increase it. The 2024 amendments are consistent with that trend.

What CCP does on Privacy Act readiness

We don’t give privacy advice. We set up the IT environment a business needs to operate under the amended Privacy Act credibly, and we keep it running.

For a mid-market client preparing for the amended regime, our involvement typically falls into three areas. The controls environment: access management, encryption, logging, endpoint security, backup, vulnerability management, the Essential Eight baseline that does most of the technical work. The breach-response plumbing: detection, investigation capability, evidence preservation, and the integration with legal and executive response that turns an incident into a contained matter rather than a crisis. And the retention-and-minimisation posture: making sure personal information is being held because there is a legitimate reason, not because nobody built a retention process.

The privacy-law interpretation, the notification decisions, and the legal response to an OAIC enquiry or a tort-law claim remain with the business’s privacy counsel and executive leadership. Our boundary is explicit. We run the machinery. They run the interpretation.

Businesses that want to understand where they currently sit before the amended regime takes full effect can start with our Essential Eight self-assessment. It is not a privacy-specific tool but the controls it assesses underpin the technical obligations the amended Privacy Act will enforce more sharply through 2025.

Primary sources

Tags: compliance, privacy-act, notifiable-data-breaches, oaic, data-protection