Privacy Act 1988
PART III
-
INFORMATION PRIVACY
Division 1
-
Interferences with privacy
SECTION 13K
CIVIL PENALTY PROVISION FOR WHICH INFRINGEMENT NOTICES OR COMPLIANCE NOTICES CAN BE ISSUED
Civil penalty provision for breaching Australian Privacy Principles
13K(1)
An entity contravenes this subsection if: (a) the entity does an act, or engages in a practice; and (b) the act or practice breaches any of the following Australian Privacy Principles:
Civil penalty provision for non-compliant eligible data breach statement
13K(2)
An entity contravenes this subsection if: (a) the entity prepares a statement under section 26WK (eligible data breaches); and (b) the statement does not comply with subsection 26WK(3) .
Civil penalty provisions
13K(3)
Subsections (1) and (2) are civil penalty provisions.
Maximum pecuniary penalty
13K(4)
The amount of the penalty payable by a person in respect of a contravention of subsection (1) or (2) must not exceed 200 penalty units.
View history note
Hide history noteCivil penalty provision for breaching Australian Privacy Principles
13K(1)
An entity contravenes this subsection if: (a) the entity does an act, or engages in a practice; and (b) the act or practice breaches any of the following Australian Privacy Principles:
(i) Australian Privacy Principle 1.3 (requirement to have APP privacy policy);
(ii) Australian Privacy Principle 1.4 (contents of APP privacy policy);
(iii) Australian Privacy Principle 2.1 (individuals may choose not to identify themselves in dealing with entities);
(iv) Australian Privacy Principle 6.5 (written notice of certain uses or disclosures);
(v) Australian Privacy Principle 7.2(c) or 7.3(c) (simple means for individuals to opt out of direct marketing communications);
(vi) Australian Privacy Principle 7.3(d) (requirement to draw attention to ability to opt out of direct marketing communications);
(vii) Australian Privacy Principle 7.7(a) (giving effect to request in reasonable period);
(viii) Australian Privacy Principle 7.7(b) (notification of source of information);
(ix) Australian Privacy Principle 13.5 (dealing with requests);
(x) any other Australian Privacy Principle prescribed by the regulations.
Note:
Conduct that contravenes this section may also contravene section 13G or 13H .
[ CCH Note: S 13K(1) will be amended by No 128 of 2024, s 3 and Sch 1 item 87, by inserting para (b)(iia), effective 10 December 2026. Para (b)(iia) will read:
]
(iia) Australian Privacy Principle 1.7 (contents of APP privacy policy - automated decisions);
Civil penalty provision for non-compliant eligible data breach statement
13K(2)
An entity contravenes this subsection if: (a) the entity prepares a statement under section 26WK (eligible data breaches); and (b) the statement does not comply with subsection 26WK(3) .
Civil penalty provisions
13K(3)
Subsections (1) and (2) are civil penalty provisions.
Note:
Section 80U deals with civil penalty provisions in this Act.
Maximum pecuniary penalty
13K(4)
The amount of the penalty payable by a person in respect of a contravention of subsection (1) or (2) must not exceed 200 penalty units.
This information is provided by CCH Australia Limited Link opens in new window. View the disclaimer and notice of copyright.