This bill became law on Dec 12th, 2022.
Law, justice & rights
Serious or repeated privacy breaches now face much tougher penalties, including up to $2.5 million for an individual and for a company the highest of $50 million, three times the benefit gained, or 30% of turnover.
Privacy regulators were left with weak penalties, slow court-dependent powers, and gaps in reaching foreign companies or getting full breach information quickly. The bill raises privacy fines and lets the Information Commissioner demand information, issue notices, share data with regulators, and cover overseas companies doing business in Australia.
Before this bill, Australia’s privacy regime had lower penalties, slower court-dependent enforcement and weaker reach over companies handling Australians’ data from overseas. After the Optus, Medibank and MyDeal cyberattacks pushed data security to the front of public debate in late 2022, the bill was introduced to sharply lift penalties, speed up the Information Commissioner’s investigations and information-sharing powers, extend coverage to foreign businesses carrying on business in Australia, and it became law in December 2022.
The main criticism was that the bill’s new penalty regime was too blunt and unclear, risking unfair or unintended outcomes because it did not clearly distinguish between different breaches or the capacities of smaller organisations. These concerns were raised mainly by Coalition and Greens speakers who still backed the bill, so the criticism was real but largely conditional rather than outright opposition.
Hon Mark Dreyfus KC, MP introduced this bill. It passed on the voices.
Did it become law?
Yes
Became law 12 Dec 2022
Final passage
Passed without a counted vote
4 recorded amendment or procedural votes were found, but no counted vote on the bill itself was recorded.
Passage speed
47 days
From introduction to the latest recorded parliamentary step
Meaning
Serious or repeated privacy breaches now face much tougher penalties, including up to $2.5 million for an individual and for a company the highest of $50 million, three times the benefit gained, or 30% of turnover.
Foreign companies that carry on business in Australia must follow Australian privacy law even when Australians' data was collected or held overseas.
The Australian Information CommissionerThe privacy regulator that investigates breaches, gathers information and can issue notices under the bill. can require a person or organisation to provide information, documents or answers about an actual or suspected eligible data breachA breach serious enough to trigger the Privacy Act's notification rules and the regulator's extra powers in this bill..
The Australian Information CommissionerThe privacy regulator that investigates breaches, gathers information and can issue notices under the bill. can issue infringement notices when an organisation fails to give required information, instead of having to rely on drawn-out court action.
The Australian Information CommissionerThe privacy regulator that investigates breaches, gathers information and can issue notices under the bill. can share information with enforcement agencies, complaint bodies and Australian or overseas privacy regulators so investigations and enforcement can move faster.
The Bill will increase the penalty under section 13G of the Privacy Act for serious or repeated interferences with privacy to $2.5 million for a person other than a body corporate, and for a body corporate the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained; or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.Privacy Legislation Amendment (Enforcement and Other Measures) explanatory memorandum
To ensure Australia's privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians' information on servers offshore, the bill will amend the act's extraterritoriality provisions. This will mean that, even if foreign organisations do not collect or hold Australians' information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they 'carry on a business' in Australia.Minister's second reading speech
(3) The Commissioner may give to the person or entity a written notice requiring the person or entity:Privacy Legislation Amendment (Enforcement and Other Measures) as-passed bill text
providing the Commissioner new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation, andPrivacy Legislation Amendment (Enforcement and Other Measures) explanatory memorandum
providing the Commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body, and a State, Territory or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties, andPrivacy Legislation Amendment (Enforcement and Other Measures) explanatory memorandum
Context
Before this bill, Australia’s privacy regime had lower penalties, slower court-dependent enforcement and weaker reach over companies handling Australians’ data from overseas. After the Optus, Medibank and MyDeal cyberattacks pushed data security to the front of public debate in late 2022, the bill was introduced to sharply lift penalties, speed up the Information Commissioner’s investigations and information-sharing powers, extend coverage to foreign businesses carrying on business in Australia, and it became law in December 2022.
Government says privacy penalties and powers are no longer strong enough
In introducing the bill, the Attorney-General said it would strengthen privacy, security and data protection by raising penalties and expanding enforcement powers.
Hansard ↗Optus, Medibank and MyDeal cyberattacks drive the case for urgent change
House debate repeatedly pointed to those recent attacks as evidence that millions of Australians could suffer serious financial and emotional harm when companies fail to protect personal data.
Hansard ↗House passes the bill
The bill completed its passage through the House, sending stronger penalties and new regulator powers to the Senate.
Parliamentary timeline ↗Parliament passes the bill
Both houses agreed on the bill, clearing the way for the tougher privacy enforcement regime to become law.
Parliamentary timeline ↗Royal Assent makes the privacy changes law
Royal Assent turned the bill into an Act, locking in much higher penalties and stronger information-gathering and information-sharing powers for the regulator.
Parliamentary timeline ↗Legislative route
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Introduced and read a first time
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Second reading moved
Referred to Committee (27/10/2022): Legal and Constitutional Affairs Legislation Committee; Committee report (22/11/2022)
Referred to committee
APH bill page notesThe bill reached this recorded parliamentary step.
The bill reached this recorded parliamentary step.
Referred to Federation Chamber
The bill reached this recorded parliamentary step.
Second reading debate
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Second reading agreed to
The bill reached this recorded parliamentary step.
Reported from Federation Chamber
The chamber agreed to the bill at third reading, which completed passage through that chamber. Later message exchanges with the other chamber were still recorded afterwards.
Third reading agreed to
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Introduced and read a first time
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Second reading moved
The bill reached this recorded parliamentary step.
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Second reading agreed to
The chamber considered amendments before the bill moved to the next stage.
Committee of the Whole debate
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Third reading agreed to
The bill reached this recorded parliamentary step.
The House dealt with Senate amendments or requests so both chambers could settle the bill in the same form. The main accepted Senate changes reflected in the final bill were: The introduced and as-passed bill texts differ in one observed text block: the Senate-agreed Government amendment made subsection 13GThe provision the bill changes to lift the maximum penalty for serious or repeated interferences with privacy.(1) a civil penaltyA financial penalty imposed by a court for breaking the privacy rules, used here for serious or repeated privacy interferences. provision. Other recorded amendment votes included defeated Shoebridge amendments on a privacy tort and a broader civil penaltyA financial penalty imposed by a court for breaking the privacy rules, used here for serious or repeated privacy interferences. for privacy interference, and a carried Paterson second-reading amendment calling for further safeguards and review work.
Both houses passed the bill in the same form, completing parliamentary passage.
Finally passed both Houses
The Governor-General gave Royal Assent, turning the bill into an Act.
Key criticism
The main criticism was that the bill’s new penalty regime was too blunt and unclear, risking unfair or unintended outcomes because it did not clearly distinguish between different breaches or the capacities of smaller organisations. These concerns were raised mainly by Coalition and Greens speakers who still backed the bill, so the criticism was real but largely conditional rather than outright opposition.
No party represented in the debate opposed the bill, but several wanted tighter drafting, guidance and follow-up reform.
Blunt and unclear penalties
Critics argued the penalty design was a one-size-fits-few model, with definitions and thresholds too unclear and penalties not properly tiered for different kinds of privacy breaches. They warned this could produce unfair outcomes or unintended consequences, especially when the regulator had only very large maximum penalties to work with.
Rushed and incomplete reform
Some supporters said the bill was being pushed through before the Senate inquiry and broader Privacy ActThe main Australian law this bill changes. It sets the rules for how organisations must handle personal information. review were complete, making it an interim fix rather than a fully worked-through reform package. The concern was that Parliament was legislating urgently on penalties and enforcement before settling the wider privacy framework.
Need for clearer guidance, resources and follow-up safeguards
Critics said the regulator would need clearer guidance on how the new penalties should be used, plus better resourcing, review after implementation, and more support for compliance. Some also argued the bill should have gone further by adding a statutory cause of action for serious invasions of privacy.
Further sources
Votes
The bill passed both chambers on the voices. The counted divisions below were about amendments or procedure, not final passage.
House agreed to the bill's third reading on the voices, so there is no list of individual Aye and No votes for final passage in that chamber.
Passed on the voices
In a voice vote, members call out Aye or No and the presiding officer judges which side has it. Individual names are only recorded if a formal division is called.
Senate agreed to the bill's third reading on the voices, so there is no list of individual Aye and No votes for final passage in that chamber.
Passed on the voices
In a voice vote, members call out Aye or No and the presiding officer judges which side has it. Individual names are only recorded if a formal division is called.
Amendments grouped by chamber. These cards include amendment outcomes recorded without a counted division.
House
The House agreed to the amendments made by the Senate, so the bill could pass both chambers in the same form.
Carried on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
Senate
Moved by David Shoebridge (Australian Greens). Defeated 12 to 31. Support came from Greens. Opposition came from Labor, Liberal Party, One Nation, and UAP.
Defeating the amendment meant the bill proceeded without a Senate call for a separate privacy-tort bill.
Moved by James Paterson (Liberal Party). Passed 40 to 20. Support came from Liberal Party, Greens, Nationals, One Nation, and minor parties and independents. Opposition came from Labor.
Carrying the amendment added the Senate’s request for safeguards and review work without changing the bill text.
Moved by David Shoebridge (Australian Greens). Defeated 12 to 31. Support came from Greens. Opposition came from Labor, Liberal Party, Nationals, and UAP.
Defeating the amendments left the bill focused on the government’s narrower enforcement changes rather than a new general civil penaltyA financial penalty imposed by a court for breaking the privacy rules, used here for serious or repeated privacy interferences. for privacy interference.
Moved by David Shoebridge (Australian Greens). Defeated 12 to 31. Support came from Greens. Opposition came from Labor, Liberal Party, One Nation, and UAP.
Defeating the amendment meant the bill proceeded without a Senate call for a separate privacy-tort bill.
The Senate agreed to the Government amendment making subsection 13GThe provision the bill changes to lift the maximum penalty for serious or repeated interferences with privacy.(1) a civil penaltyA financial penalty imposed by a court for breaking the privacy rules, used here for serious or repeated privacy interferences. provision.
Carried on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
These are amendment votes, not the final passage vote on the bill itself. The bill passed both chambers on the voices.
The parliamentary record also shows 1 Government amendment agreed without a counted division.
Parliamentary debate
Start here — lead voices
Dreyfus supports the bill and says it is an important, urgent privacy reform that gives regulators stronger tools and much higher penalties to deter serious breaches of Australians' personal information.
Read in Hansard ↗Leeser says the opposition will support the bill at this stage because more needs to be done to deal with data breaches, but he criticises the government for rushing it through before the Senate inquiry and wider Privacy ActThe main Australian law this bill changes. It sets the rules for how organisations must handle personal information. review are complete.
Read in Hansard ↗Steggall supports the bill and says it is a welcome first step that strengthens penalties, enforcement powers and information sharing on privacy breaches.
Read in Hansard ↗Shoebridge says the Greens will support the bill, but only with reservations, because the package strengthens privacy enforcement while also creating serious problems in the penalty design and information-sharing powers.
Read in Hansard ↗All speeches by bloc
4 speakers · 5 contributions · 4 support
“This bill is an important and pressing reform that will make sure penalties for privacy breaches adequately reflect community expectations, and it will ensure Australia's privacy regulator has the enforcement tools necessary to effectively deter the misuse of Australians' personal information. I recommend the original bill to the House.”Read the full speech in Hansard ↗
Hansard records 2 separate contributions by Mark Dreyfus on this bill. They are grouped here so the speaker is listed once.
Minister's second reading speech
Dreyfus supports the bill and says it is an important, urgent privacy reform that gives regulators stronger tools and much higher penalties to deter serious breaches of Australians' personal information. He argues it is needed because recent cyberattacks showed how damaging privacy failures can be.
“The bill is an important and pressing reform that will make sure penalties for privacy breaches adequately reflect community expectations, and it will ensure Australia's privacy regulator has the enforcement tools necessary to effectively deter the misuse of Australians' personal information.”Read this contribution in Hansard ↗
Second reading speech
Dreyfus supports the bill, saying it will strengthen privacy penalties and give the regulator better enforcement tools to deter misuse of Australians' personal data. He presents it as an urgent reform that matches community expectations and says it is part of the government's privacy agenda.
“This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians' personal data and that will ensure Australia's privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively. The bill is a reflection of community expectations and demonstrates the Albanese government's commitment to keeping Australians' data protected. I thank all honourable members of this House for their contributions to the debate and commend the bill to the House.”Read this contribution in Hansard ↗
“The bill is an essential first step of the government's agenda to ensure Australia's privacy framework is fit for purpose and responds to new challenges in the digital era. Further reforms will be considered next year, following consideration of the Attorney-General's Department review of the Privacy Act. This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians' personal data and will ensure Australia's privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively. The bill is a reflection of community expectations and demonstrates the Albanese government's commitment to keeping Australians' data protected.”Read the full speech in Hansard ↗
“Importantly, this legislation will only be the beginning. With a review of the Privacy Act due by the end of the year, the government will work to further strengthen and modernise our existing laws to suit the fast-growing digital environment. I, and I think many in my community, will be glad to see our government act to prevent future data breaches and to hold these companies to account. I commend the bill to the House.”Read the full speech in Hansard ↗
4 speakers · 4 support
“The opposition is supporting this bill at this stage because we believe more needs to be done to deal with data breaches. However, we note that the government has rushed this through to give the appearance of taking these matters seriously after having failed to act quickly when the Optus data breach occurred. This does not mean that the job is done. As the Information and Privacy Commissioner, Angelene Falk, stated in her submission to the Senate inquiry:”Read the full speech in Hansard ↗
“I accept that in this bill there are some interim measures, but we are very much waiting for, as rapidly as possible, a broader set of legislative reform to come forward to the parliament. I definitely support the shadow Attorney-General's amendment on this bill. Nonetheless, we will support the bill beyond that through the parliament and look forward to further reform in this area and hopefully in the near future. I commend the bill to the chamber.”Read the full speech in Hansard ↗
“Having outlined those points of concern, we do support the legislation. But we believe there are a number of issues, which I've outlined in the course of my remarks, where the legislation can be enhanced and improved.”Read the full speech in Hansard ↗
“Just to sum up: we will be supporting this bill and moving a second reading amendment to articulate those concerns—particularly those raised by industry, including the Tech Council and independent third-party submitters like the Law Council, which we think were points well made in the inquiry process.”Read the full speech in Hansard ↗
1 speaker · 1 support
“I rise on behalf of the Greens to indicate that we will be supporting, with reservations, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.”Read the full speech in Hansard ↗
1 speaker · 1 support
“We will support this bill and note it is completely inadequate to ensure Australians' privacy while the Information Commissioner continues to fail its current responsibilities and the government pushes a centralised digital identity that will be a hacker's paradise. We need much more than this bill offers. It's a first step, but we need much, much more to secure people's privacy.”Read the full speech in Hansard ↗
1 speaker · 1 support
“But I do commend this bill to the House. I commend the government for acting upon it.”Read the full speech in Hansard ↗
Record
House · Introduced and read a first time
Introduced
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
House · Second reading moved
Second reading opened
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
House · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
House · Referred to Federation Chamber
Referred to Federation Chamber
The bill reached this recorded parliamentary step.
House · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
House · Second reading agreed to
Second reading agreed
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
House · Reported from Federation Chamber
Reported from Federation Chamber
The bill reached this recorded parliamentary step.
House · Third reading agreed to
Third reading agreed
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Senate · Introduced and read a first time
Introduced
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Senate · Second reading moved
Second reading opened
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Senate · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
Senate · Second reading agreed to
Second reading agreed
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Senate · Committee of the whole: amendments considered
Amendment packages agreed
The chamber considered amendments before the bill moved to the next stage.
Senate · Third reading agreed to
Third reading agreed
The chamber agreed to the bill at third reading, which completed passage through that chamber.
House · Message from Senate reported
Message from Senate reported
The bill reached this recorded parliamentary step.
House · Consideration of Senate message
Consideration of Senate message
The House dealt with Senate amendments or requests so both chambers could settle the bill in the same form.
Parliament · Finally passed both Houses
Passed both houses
Both houses passed the bill in the same form, completing parliamentary passage.
Assent · Assent
Assent
The Governor-General gave Royal Assent, turning the bill into an Act.
Legal and Constitutional Affairs Legislation Committee; Committee report (22/11/2022)
Referred to committee
Referred to Committee (27 Oct 2022): Legal and Constitutional Affairs Legislation Committee; Committee report (22 Nov 2022)
APH bill page notes
