Sweeping changes are coming to Australia's landscapes for privacy and children's online protection. The Parliament of Australia used the final days of its 2024 legislative work session to finalize the first wave of reforms aimed at modernizing the Privacy Act while also adopting a social media bill requiring age verification and a ban on social media use by minors under age 16.
Both bills were late introductions and priorities for the Albanese government, as the Privacy and Other Legislation Amendment Bill was introduced 12 Sept. and the Online Safety Amendment (social Media Minimum Age) Bill was only brought forward six days before the end of the legislative period.
The Privacy Act reforms include new enforcement powers for the Office of the Australian Information Commissioner's privacy division, approval to establish an OAIC-drafted Children's Online Privacy Code, and transparency requirements around automated decisions. The bill also ushers in a new statutory tort for individuals to use with emerging risks of "serious invasions of privacy," which includes doxxing.
"These new powers and functions come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information," Privacy Commissioner of Australia Carly Kind told the IAPP.
The children's protections in the social media bill are making waves as the Albanese government indicated the ban and subsequent age verification provisions will raise "robust privacy provisions" by "requiring platforms to ringfence and destroy any information collected to safeguard the personal information of all Australians." While questions remain around the implementation and enforcement of a ban on minors, companies that violate the law will face up to AUD49.5 million fines for "systemic breaches."
"We want Australian children to have a childhood, and we want parents to know the Government is in their corner," Prime Minister of Australia Anthony Albanese said in a statement. "This is a landmark reform. We know some kids will find workarounds, but we're sending a message to social media companies to clean up their act."
The government will trial enforcement methods over the next 12 months before the minor ban takes effect November 2025.
"This is a responsibility these companies should have been fulfilling long ago, but for too long they have shirked these responsibilities in favour of profit," Liberal Party Senator Maria Kovacic told the CBC.
Meanwhile, the Parliament of Western Australia also finalized the Privacy and Responsible Information Sharing Bill to establish public-sector privacy protections. The law aims to establish personal data handling and sharing requirements for public entities while creating a federal chief data officer position.
First step to modern privacy protections
The Privacy Act amendments are a product of an attorney-general review commenced in 2023 that generated 23 legislative proposals taken up in the bill passed 29 Nov. They follow a 2022 amendment for enhanced OAIC privacy enforcement and the addition of the Notifiable Data Breaches Scheme in 2018.
IAPP Legal Research Associate Aly Apacible-Bernardo, CIPM, detailed the approved reforms when the bill was introduced in September, along with a window into what the second tranche of reforms may contain. The enhanced enforcement tools include new criminal offenses and data breach minimization tools while the government has authority to grant adequacy certifications for international data transfers.
Ground Up Consulting Director Nicole Stephenson noted a majority of the Privacy Act reforms are effective immediately based on royal assent, meaning compliance measures need to be considered immediately.
"Organizations that have been risk managing — particularly in relation to the security of personal information — resting on their accountability laurels or otherwise deprioritizing privacy investment to date should consider themselves 'on notice,'" Stephenson told the IAPP. She pointed to potential "low-hanging fruit" violations as targets for the OAIC, including insufficient privacy notices, missing opt-out mechanisms for direct marketing and data subject access request responses outside the mandated 30-day window.
Children's focus
The privacy reform bill and the social media bill each raise new standards for children's privacy and online safety that could make Australia a leader on minors' digital protections. However, the interplay between the requirements of each bill and the potential intrusiveness of required age verification leave much to be settled.
There are no current concepts for what will be included in the Children's Online Privacy Code to be drafted by the OAIC, which will submit the code to public consultation before finalizing. At the same time, clearer rules associated with implementation and enforcement of age verification in the social media bill will be considered separately but likely simultaneously with the code drafting.
In a statement on LinkedIn, Commissioner Kind welcomed the passage of the social media bill and its age assurance requirements, touting it as an initiative to "fundamentally shape the online ecosystem." She also noted the OAIC's privacy division has "a significant role to play" with the age assurance requirements, which include oversight of privacy-focused assurance method proposals along with proper deletion and purpose limitation around data collected for age verification purposes.
The Albanese government called out some of the social platforms that will fall under the definition of "age-restricted social media platform." Those include Snapchat, TikTok, Instagram, the social platform X and others. Minister of Communications Michelle Rowland said the ban and age verification will "go a long way to providing that support and creating a new normal in the community around what age is okay to use social media."
Initial reactions from the biggest social media companies relay the uncertainty that will exist until enforcement trials begin in 2025. A Meta spokesperson told Reuters "productive consultation" is the next step to ensure "rules will be consistently applied across all social apps used by teens," while a Snap spokesperson said they look forward to finding an age-assurance approach "that balances privacy, safety and practicality."
Australian Human Rights Commissioner Lorraine Finlay and National Children's Commissioner Anne Hollonds called out the rushed nature of the social media bill, calling the kids ban a "blunt instrument" and describing the "risky gamble" around potential privacy issues around biometric data and government-issued identification potentially being used in the age verification process. It said there are other avenues "to treat the underlying causes" of negative social media impacts, including a legal duty of care.
"This is a proactive response that forces companies to be accountable and improves online safety for all," they wrote.
Joe Duball is the news editor for the IAPP.
