Privacy and Other Legislation Amendment Act 2024 (128 of 2024)

Schedule 1   Privacy reforms

Part 8   Penalties for interference with privacy

Privacy Act 1988

56   At the end of Division 1 of Part III

Add:

13H Civil penalty provision for interference with privacy of individuals

Civil penalty provision

(1) An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of an individual.

(2) Subsection (1) is a civil penalty provision.

Note: Section 80U deals with civil penalty provisions in this Act.

Maximum pecuniary penalty

(3) The amount of the penalty payable by a person in respect of a contravention of subsection (1) must not exceed 2,000 penalty units.

13J Alternative orders

If, in proceedings for an order in relation to a contravention of section 13G, the court:

(a) is satisfied that the entity has done an act, or engaged in a practice, that is an interference with the privacy of an individual; but

(b) is not satisfied that the interference with privacy is serious;

the court may make a pecuniary penalty order against the entity for contravening section 13H, instead of section 13G.

13K Civil penalty provision for which infringement notices or compliance notices can be issued

Civil penalty provision for breaching Australian Privacy Principles

(1) An entity contravenes this subsection if:

(a) the entity does an act, or engages in a practice; and

(b) the act or practice breaches any of the following Australian Privacy Principles:

(i) Australian Privacy Principle 1.3 (requirement to have APP privacy policy);

(ii) Australian Privacy Principle 1.4 (contents of APP privacy policy);

(iii) Australian Privacy Principle 2.1 (individuals may choose not to identify themselves in dealing with entities);

(iv) Australian Privacy Principle 6.5 (written notice of certain uses or disclosures);

(v) Australian Privacy Principle 7.2(c) or 7.3(c) (simple means for individuals to opt out of direct marketing communications);

(vi) Australian Privacy Principle 7.3(d) (requirement to draw attention to ability to opt out of direct marketing communications);

(vii) Australian Privacy Principle 7.7(a) (giving effect to request in reasonable period);

(viii) Australian Privacy Principle 7.7(b) (notification of source of information);

(ix) Australian Privacy Principle 13.5 (dealing with requests);

(x) any other Australian Privacy Principle prescribed by the regulations.

Note: Conduct that contravenes this section may also contravene section 13G or 13H.

Civil penalty provision for non-compliant eligible data breach statement

(2) An entity contravenes this subsection if:

(a) the entity prepares a statement under section 26WK (eligible data breaches); and

(b) the statement does not comply with subsection 26WK(3).

Civil penalty provisions

(3) Subsections (1) and (2) are civil penalty provisions.

Note: Section 80U deals with civil penalty provisions in this Act.

Maximum pecuniary penalty

(4) The amount of the penalty payable by a person in respect of a contravention of subsection (1) or (2) must not exceed 200 penalty units.