As we step into 2025, it's clear that privacy and AI regulations are entering a critical juncture in Australia. The Office of the Australian Information Commissioner (OAIC) delivered a strong finish to 2024, with notable milestones.
In 2024, the Privacy and Other Legislation Amendment Bill 2024 was passed, introducing key reforms to the Privacy Act 1988 (Cth) (Privacy Act). We also saw the outcome of various enforcement actions, including those involving the Grubisa companies and Bunnings, which led to both being required to publish statements about their conduct.
Meanwhile, the AI regulatory landscape continued to progress, with the Senate Select Committee on Adopting Artificial Intelligence releasing its final report on the opportunities and impacts of AI technologies in Australia, setting the stage for future development. Here's a recap of last year's updates and their implications for 2025.
Privacy and Other Legislation Amendment Bill 2024
The Privacy and Other Legislation Amendment Bill 2024 passed both houses on 29 November 2024 and received royal assent on 10 December 2024.
As reported in our previous article here, key changes introduced include greater regulatory enforcement tools, including a wider range of civil penalties, and clarity around technical and organisational measures to address information security risks in relation to personal information. There are also new requirements to increase transparency when entities are automating significant decisions involving personal information, including requirements to cover the use of AI tools in privacy policies, and a new statutory cause of action in tort for serious invasions of privacy.
Some other changes introduced, and not covered in our earlier article (which focused on the version of the Bill initially introduced to Parliament), are worth noting. These include the ability for the Australian Information Commissioner to issue compliance notices to entities which have contravened certain Australian Privacy Principles (APPs). The Bill also introduced a requirement that the public interest in the plaintiff's privacy must outweigh any competing public interest in order to establish a cause of action in tort for serious invasion of privacy. Additionally, the court has powers to determine whether exemptions apply under Part 3 in relation to the invasion of privacy.
Most of the changes took effect the day following royal assent, with a few exceptions. The amendments to give effect to the new statutory tort will take effect no later than 6 months after the date of royal assent, while the requirement to include details of automated decision-making in privacy policies will take effect 24 months after royal assent.
These changes implement the first tranche of reforms arising from agreed proposals in the Australian Government's response to the Privacy Act review, which has been ongoing since 2020, with further reform on the way.
Enforcement actions for interferences with privacy
Scraping data by Grubisa companies
On 18 and 22 November 2024, the Australian Information Commissioner found, following an investigation initiated by public complaint, that companies linked to Ms Dominique Grubisa, Master Wealth Control Pty Ltd t/a DG Institute and Property Lovers Pty Ltd, interfered with the privacy of individuals.
The companies offered educational courses and programs to find "distressed properties" of individuals in vulnerable situations such as divorce, bankruptcy, or a deceased estate. The companies accessed third party websites and databases, such as court lists, for the purpose of collecting the personal information of individuals that may be in distressed situations, which they then consolidated in their leads lists and distributed to participants of the programs.
The Commissioner found that the companies
- did not collect the personal information of individuals by fair means
- did not take reasonable steps to notify individuals whose information was collected, and
- collected the personal information contrary to the terms and conditions of the third parties' websites and databases.
The Commissioner directed both companies to
- immediately stop unfairly collecting personal information from third parties
- destroy their leads lists within 30 days; provide evidence to the Commissioner on the actions taken, and
- update their privacy policies.
Additionally, Property Lovers is required to publish a written apology.
Bunnings's facial recognition tool
On 29 October 2024, the Australian Information Commissioner, following a Commissioner-initiated investigation, found that Bunnings Group Limited interfered with the privacy of individuals by collecting personal and sensitive information through its facial recognition technology system that it operated in 63 stores in Victoria and New South Wales between November 2018 and November 2021.
The Commissioner found that Bunnings
- collected the sensitive information of individuals without their consent
- failed to take reasonable steps to notify individuals about the facts and purposes of their personal information being collected, as well as the consequences if their personal information was not collected
- failed to take reasonable steps to implement measures to ensure it complied with the APPs, and
- failed to include in its privacy policies information about the kinds of personal information it collected and held, and how it collected and held that personal information.
The Commissioner made a number of declarations including that Bunnings
- must not repeat or continue the acts and practices found to be an interference with privacy
- must make a public statement about the conduct within 30 days, to be made available for 12 months, and
- must hold and then destroy all relevant personal and sensitive information 12 months and one day after the publication of the statement.
The Senate Committee's final report – Select Committee on Adopting Artificial Intelligence
On 26 March 2024, the Select Committee on Adopting Artificial Intelligence was established by the Senate to report on the impact of the uptake of AI technologies in Australia. On 26 November 2024, the Committee released the final report which includes a list of 13 recommendations highlighting that further regulation is on the horizon.
For example, the Committee has recommended that the Australian Government introduce dedicated legislation to define and regulate high-risk AI uses, which was an option presented by the government in their Mandatory Guardrails for High-risk Settings, which we previously reported on here. A full copy of the Committee's report and recommendations can be accessed here.
Recommendations of interest include that:
- Consultation with creative workers – The Australian Government continue to consult with creative workers, rightsholders and their representative organisations through the Copyright and Artificial Intelligence Reference Group on appropriate solutions to the unprecedented theft of their work by multinational tech companies operating within Australia (recommendation 8)
- Transparency in AI training datasets – Developers of AI products be transparent about the use of copyrighted works in their training datasets, and that the use of such works is appropriately licensed and paid for (recommendation 9)
- Fair remuneration for AI-generated outputs based on copyrighted material – The Australian Government urgently undertake further consultation with the creative industry to consider an appropriate mechanism to ensure fair remuneration is paid to creators for commercial AI-generated outputs based on copyrighted material used to train AI systems (recommendation 10)
- Automated decision-making and Privacy Act recommendations – The Australian Government implement the recommendations pertaining to automated decision-making in the review of the Privacy Act, including Proposal 19.3 to introduce a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made (recommendation 11). This change was notably captured by the recent changes to the Privacy Act.
Outlook for 2025
The upcoming reforms, including the enhanced enforcement powers of the Australian Information Commissioner, make 2025 a crucial year for privacy compliance and AI governance.
Businesses that collect and use personal information should ensure they are informed about the recent and upcoming changes to the privacy laws and take action to review privacy and data collection practices and policies to ensure they align with those changes. With AI increasingly used in decision-making, it is important to review privacy policies to ensure they are clear on how personal information is handled for such purposes.
Businesses should also stay ahead of the regulatory curve, ensuring their AI design, deployment, and use align with industry standards and anticipated regulations.
If you need guidance on navigating these changes, including compliance with the Privacy Act or AI regulations, please reach out to the team.
Contributor: Fiona Deng