Privacy Law Bulletin 2025 Special Edition

Authored by: By Sharon Givoni, General Editor of the Privacy Law Bulletin, Principal Lawyer, Sharon Givoni Consulting and Alec Christie, Partner, Head of Privacy Risk and Digital Law, Atmos Legal

Australia is undergoing a transformative change in privacy law with reforms designed for the digital age, introducing new statutory torts, enhanced data security measures, and significant penalties for breaches.

These updates, introduced through the Privacy and Other Legislation Amendment Act 2024 (Cth), aim to modernise the country’s privacy framework while aligning it with international standards like the GDPR.

The 2025 special edition of the Privacy Law Bulletin brings together expert insights and practical guidance on the profound implications of these changes for legal professionals, businesses, and privacy advocates.

Privacy Law Bulletin subscribers can read the full bulletin here. 

This themed edition of the Privacy Law Bulletin focuses on the most significant overhaul of Australia’s privacy laws in decades.

The reforms were introduced to address longstanding concerns that existing privacy laws were outdated and insufficient for the digital age. They also respond to the need for alignment with international privacy standards such as the General Data Protection Regulation and aim to fill significant legal gaps.

These changes have been a long time coming and reflect the recommendations of multiple law reform reviews seeking to modernise Australia’s privacy framework and enhance individual protections in a data-driven world.

Enacted through the Privacy and Other Legislation Amendment Act 2024 (Cth), which amends the Privacy Act 1988 (Cth), the reforms introduce a new statutory tort for serious invasions of privacy, which came into effect on 10 June 2025. This remedy enables individuals to take action against certain forms of harmful interference with their privacy.

Alongside the tort, the reforms also introduce:

• Stronger data security obligations, requiring organisations to implement both technical and organisational measures to safeguard personal data
• Stricter consent frameworks and a new right to erasure, allowing individuals to request deletion of their personal information
• Increased penalties for serious or repeated breaches— up to $50 million or 30% of adjusted turnover
• Expanded powers for the Office of the Australian Information Commissioner (OAIC) to investigate, issue infringement notices, and enforce compliance.
• New criminal offences, including for doxxing — the malicious publication of personal information
• Greater transparency requirements, including disclosure of any reliance on automated decision making in privacy policies
• A Children’s Online Privacy Code currently in development

This issue brings together three timely contributions.

Interview With Carly Kind, Privacy Commissioner - By Sharon Givoni, General Editor

We begin with a feature interview with Carly Kind, Australian Privacy Commissioner, who gives us insight into the policy rationale behind the reforms, the competing interests that shaped the final model, and the Government’s ambitions for a future-ready privacy regime. Her reflections are particularly valuable for lawyers and policy professionals seeking to understand how the new enforcement tools, individual rights and OAIC priorities will operate in practice.

Be careful What You Wish For: APP 11.3 and TOMs - By Alec Christie, Atmos Legal

Alec Christie’s clear and practical summary of the amendments to the Privacy Act outlines the key structural changes — from enhanced OAIC enforcement powers to expanded data handling obligations — and identifies the core compliance priorities for businesses in the months ahead.

For corporate counsel, privacy officers and legal advisors, it offers an essential roadmap to the operational impacts of the reforms.

The New Tort of Serious Invasion of Privacy - By Sharon Givoni

Finally, General Editor Sharon Givoni explores the statutory tort for serious invasions of privacy through a cultural and legal lens. Her article examines how the tort may be applied in the context of user-generated content, online expression, and the publication of private facts.

The piece highlights how the new cause of action could reshape accountability in digital spaces — particularly where individuals’ private lives are exposed without consent. Her contribution is especially relevant for practitioners working with media, creatives, and rights-holders navigating new legal boundaries. Together, these pieces reflect a turning point in Australia’s approach to privacy. Legal risk and responsibility are no longer confined to large-scale data holders or cyber breaches. We hope this edition will serve as a valuable guide as the legal community adapts to these important and fast-moving changes.

If you're a current Privacy Law Bulletin subscriber, you can access the full bulletin here. If you haven't subscribed yet, and would like to stay informed with the latest privacy insights, contact a LexisNexis representative by filling out our contact form here.