Key regulatory and enforcement developments in Australia in 2024
In 2024, we continued to see heightened scrutiny from regulators, government and the general public on privacy, data governance, cyber risk management and operational resilience. The regulatory landscape is evolving rapidly, with significant reforms to the Privacy Act 1988 (Cth) (the Privacy Act), the introduction of a suite of new cybersecurity laws and various enforcement actions by regulators relating to privacy and data incidents.
In 2024, the OAIC returned to having three commissioners, with Elizabeth Tydd appointed as the Australian Information Commissioner, Carly Kind appointed as the Privacy Commissioner and Toni Pirani appointed as the Freedom of Information Commissioner. The OAIC also began implementing the recommendations made by the Nous Group following its strategic review of the OAIC, eg by creating a statement of regulatory approach and implementing a new governance and organisational structure in line with its enhanced regulatory posture.
Key developments included:
Law reform
Cyber
- In November 2024, the Australian Government passed a suite of legislation as part of its 2023-2030 Cyber Security Strategy. This included the Cyber Security Act 2024 (Cth), which introduces mandatory security standards for smart devices, requires certain entities to report ransomware and cyber extortion payments, implements a framework for voluntary disclosure of cybersecurity incident information to the National Cyber Security Coordinator, and establishes a Cyber Incident Review Board for significant cybersecurity incidents. The reforms also included amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to capture data storage systems as regulated critical infrastructure assets, expand the Government's cyber incident response powers, clarify when protected information can be used or disclosed and empower the Government to direct responsible entities to amend their risk management programs.1
Privacy
- In November 2024, the Government passed the first tranche of its long-awaited reforms to the Privacy Act based on the proposals set out in the Privacy Act Review Report. The amendments include the introduction of a tiered penalty regime for contraventions of the Privacy Act (which is likely to increase the OAIC's enforcement activity), a statutory tort for serious invasions of privacy and new transparency requirements for organisations regarding automated decision-making. Many of the most significant proposed changes (including the proposed removal of the small business exemption, the removal or modification of the employee records exemption and amendments targeting consent and the fair and reasonable collection of personal information) have been left for future tranches of reform and their timing is still unknown.2
- Also in November 2024, the Government amended the federal Criminal Code to introduce two new offences related to doxing—which refers to the use of a carriage service to make available, publish or otherwise distribute personal data in a way that reasonable people would regard as being menacing or harassing towards the individual(s) concerned.
- In October 2024, the OAIC registered a new Privacy (Credit Reporting) Code 2024 to implement proposals made in the OAIC's 2021 independent review of the Code. The changes aim to better protect individuals, including by increasing transparency requirements for credit reporting bodies and banks and making it easier for victims of fraud to protect themselves (eg by making it easier to extend a ban on their credit report and correct fraudulent information in their report).3
- In August 2024, the Government commenced consultation to 'reset' the Consumer Data Right to improve cost effectiveness, take-up and to deliver better outcomes for consumers.4 This consultation is ongoing.
Online safety and digital platforms
- In December 2024, the Government's highly publicised amendments to the Online Safety Act 2021 (Cth) banning social media for under-16s received Royal Assent. Age-restricted social media platforms are expected to have until no later than 10 December 2025 to implement robust age verification measures to prevent children under the age of 16 from having an account,5 or they risk enforcement action by the eSafety Commissioner, which may include civil penalties for companies of up to 150,000 penalty units (currently equivalent to $49.5 million).6
- In addition, two new industry standards have been registered under the Online Safety Act 2021 (Cth). Certain online service providers have until 21 June 2025 to carry out a risk assessment relating to class 1A material (being child sexual exploitation material, pro-terror material or extreme crime and violence material) and class 1B material (crime and violence material or drug-related material) being accessed, generated, distributed or stored using their service, and to implement the required compliance measures (as applicable).
Enforcement action
Cyber
- The OAIC continued its investigations into Singtel Optus Pty Ltd, the Latitude group of companies and HWL Ebsworth Lawyers, as well as its civil penalty proceedings against Medibank Private Ltd and Australian Clinical Labs Ltd in relation to their respective data breaches. The outcomes of the civil penalty proceedings, in particular, are expected to provide much-needed guidance on several novel and important aspects of Australian privacy law, and will likely inform future regulatory activity in this space.7
- In May 2024, the Australian Communications and Media Authority (ACMA) filed proceedings against Optus Mobile Pty Ltd alleging that, in relation to its 2022 data breach, Optus failed to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access as required by the Telecommunications (Interception and Access) Act 1979 (Cth).8 These proceedings are ongoing.
- In September 2024, ASIC announced it was actively investigating directors in connection with their response to cyber incidents.
Privacy
- On 17 December 2024, the OAIC settled its civil penalty proceedings against Meta Platforms Inc. and Meta Platforms Ireland Ltd (Meta) in relation to the Cambridge Analytica incident, which had been the OAIC's first attempt to exercise its civil penalty powers. The enforceable undertaking provides for a $50 million compensation scheme for affected Australians without any admission of liability by Meta and means that important aspects of Australian privacy law will remain unresolved. The settlement is expected to free up capacity for the OAIC to persist with enforcement activities using its new powers, advocate for further reforms to the Privacy Act and leverage its enforcement authority to drive changes aligned with these reforms.9
- Recent investigations by the OAIC into a number of retail organisations10 led to a determination that an entity had breached the Privacy Act in relation to its use of facial recognition technology for surveillance purposes. This is the latest in a number of similar determinations in recent years.11
- The OAIC issued a determination that scraping publicly available data to target vulnerable people (in the context of a real estate tool) was a breach of the Privacy Act—finding that the information was not collected by fair means and that reasonable steps were not taken to notify individuals that their information was collected. The OAIC called for a 'fair and reasonable' data-use test to be introduced into the Privacy Act in the next round of reforms.12
- The OAIC issued a range of other determinations in 2024, covering issues like a lack of transparency in privacy policies and privacy collection notices and the collection of information by unfair means.
Telecommunications, spam and the Consumer Data Right
- In May 2024, the ACMA issued Telstra with a remedial direction under the Telecommunications Act 1997 (Cth) after it found that Telstra had breached its carrier licence conditions on more than 163,000 occasions by publishing 24,005 unlisted (or 'silent') numbers with corresponding customer names in the White Pages and including 139,402 unlisted numbers with customer details in its directory assistance database. Telstra may be the subject of civil penalty proceedings if it breaches the remedial direction, which could attract penalties of up to $10 million per contravention.13
- In April 2024, the ACCC ordered HSBC to pay $33,000 in penalties for allegedly failing to disclose complete and accurate information in response to Consumer Data Right data requests.14
- The ACMA continued to prioritise enforcement of the Spam Act 2003 (Cth), completing five investigations in FY24 that resulted in over $8.5 million in infringement notices and six court-enforceable undertakings.15
Reports and guidance
Cyber
- In May 2024, the ASX published an update to ASX Listing Rules Guidance Note 8, including by adding a new worked example to help illustrate when, in the context of a cyber incident, relevant information would, or would not, be expected to be disclosed to the ASX.16
- In February 2024, the Australian Institute of Company Directors (AICD) released Governing through a cyber crisis: cyber incident response and recovery for Australian directors, which provides practical advice to boards on how to respond to, and recover from, a cyber crisis. The guide emphasises the importance of active board involvement, effective customer remediation and compensation, timely and transparent communication to manage reputational damage, and early legal input. While the guide is not legally binding and does not have regulatory force, we anticipate that it will inform how the market, regulators and the courts are likely to expect directors to govern during a cyber crisis.17 In November 2024, the AICD released an updated version of its Cyber Security Governance Principles (originally published in 2022). The updated principles place greater emphasis on the role of key, third-party suppliers and external experts, and include more detailed expectations regarding the board's oversight of supply chain risk. They also introduce guidance on emerging risks in a cyber context (including GenAI, insider threats, geopolitical instability and personal attacks on directors and senior management).
Privacy
- In October 2024, the OAIC published two new guidance notes on the privacy risks associated with the use and development of generative AI tools and products: Guidance on privacy and the use of commercially available AI products18 and Guidance on privacy and developing and training generative AI models.19
The guides clarify the OAIC's expectations regarding compliance with obligations under the Privacy Act in circumstances where organisations use or generate personal information in connection with AI tools (including to train generative AI models). The guides will also be of assistance in aligning practices with the Voluntary AI Safety Standards (outlined further under AI and technology) as they relate to privacy law compliance.
- In 2024, the OAIC also published guidance on the application of the Privacy Act to the deployment of third-party tracking pixels on websites, a joint statement (along with 16 of its international data protection and privacy counterparts) on data scraping and guidance on general considerations for private sector organisations that are considering using facial recognition technology (FRT) to undertake facial identification in a commercial or retail setting. The OAIC also continued to include guidance to assist organisations in responding to data breaches in its Notifiable Data Breaches Report.20
Digital platforms
- In May 2024, the ACCC released its eighth interim report for the Digital Platform Services Inquiry, which found that consumers are generally unaware of how much of their data is collected, used and shared with third-party 'data firms'. The report called for the allocation of additional resources to the OAIC and various other measures to strengthen Australia's privacy laws, many of which have since been implemented as part of the first tranche of reforms to the Privacy Act.21
- In 2022, the ACCC, the ACMA, the eSafety Commissioner and the OAIC formed the Digital Platform Regulators Forum (DP-REG) to promote a consistent approach to the regulation of digital platform technologies in Australia. In 2023, the DP-REG released its first working paper on the harms and risks posed by some commonly used types of algorithms. The DP-REG issued two more working papers in 2024: Working Paper 2: Examination of technology – Large Language Models and Working Paper 3: Examination of technology – Multimodal Foundation Models.
What are the likely regulatory and enforcement developments in Australia in 2025?
We expect to see substantial legislative changes and regulatory activity in 2025:
- Ongoing Privacy Act reform: the first tranche of reforms to the Privacy Act came into effect on 10 December 2024, with the exception of the statutory tort of serious invasions of privacy and the provisions relating to transparency about automated decision-making involving personal information, which are slated to commence by no later than 10 June 2025 and 10 December 2026, respectively. The remaining proposals for reform are expected to be introduced in a second tranche of amendments to the Privacy Act, with the timing for such reform unknown (but likely after the federal election to be held by May 2025).22
- Cybersecurity reform: we expect the Government to continue to build upon its Cyber Security Legislative Package and address critical gaps in Australia's cyber protections by enacting various subordinate legislation and implementing additional proposals outlined in the 2023-2030 Australian Cyber Security Strategy. In addition, the consultation process for subordinate legislation under the Cyber Security Act 2024 (Cth) and the SOCI Act is underway, and we expect it to be finalised this year. Organisations have the opportunity to make submissions until 14 February 2025.23
- Regulatory activity on cyber risks: we anticipate ASIC and APRA's focus on cyber risk and its associated impacts will continue into 2025 and expect these regulators to target enforcement activity as a way of driving industry standards. We also anticipate an increase in the OAIC's regulatory and enforcement activities in 2025 as it looks to leverage its new, lower-tier enforcement powers following the amendments to the Privacy Act, and to continue its focus on responding to cyber incidents.24
- CPS 230: the new Prudential Standard CPS 230 (Operational Risk Management) will apply to all APRA-regulated entities when it comes into effect on 1 July 2025. The new prudential standard requires significant uplifts to governance, compliance, contractual and incident response arrangements to address recent operational risk failures, including in respect of material cyber breaches. Many businesses have already undertaken significant uplifts ahead of the 1 July 2025 deadline in anticipation of an increased level of regulatory scrutiny to ensure compliance with the new prudential standard.25
Who are the key regulators in relation to this area?
OAIC, ACMA, ACCC, ASIC, APRA, eSafety Commissioner, FIRB.
What are the key sectors of focus?
All sectors.
Footnotes
- New Credit Reporting Code strengthens privacy protections | OAIC
- Albanese Government to reset Consumer Data Right | Treasury Ministers
- Online Safety Act 2021 (Cth) s 63E(3)
- https://www.oaic.gov.au/__data/assets/pdf_file/0022/241375/Corporate-plan-2024.pdf
- ACMA v Optus (VID429/2024)
- OAIC finds against 7-Eleven over facial recognition | OAIC; Statement on Clearview AI | OAIC
- Grubisa companies interfered with Australians' privacy by scraping data | OAIC
- https://www.acma.gov.au/articles/2024-07/telstra-discloses-thousands-unlisted-phone-numbers
- HSBC pays penalties for alleged breaches of Consumer Data Right rules | ACCC
- https://www.acma.gov.au/outcomes-compliance-priorities-2023-24
- Takeaways from recent guidance on cyber incident disclosure obligations
- Guidance on privacy and the use of commercially available AI products | OAIC
- Guidance on privacy and developing and training generative AI models | OAIC
- Notifiable Data Breaches Report: January to June 2024 | OAIC
- ASIC's enforcement priorities for 2025 include 'Licensee failures to have adequate cyber-security protections': https://asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-252mr-asic-announces-new-enforcement-priorities-with-a-focus-on-cost-of-living-pressures/?altTemplate=betanewsroom. Similarly, APRA's top priorities in its 2024-25 Corporate Plan include 'raising industry standards on cyber risk management': https://www.apra.gov.au/news-and-publications/apra-outlines-new-priorities-2024-25-corporate-plan/
- See Allens' CPS 230 (Operational Risk Management) Practical Implementation Guide