Big changes are coming to Australian privacy law—and they’re long overdue.
Almost a year after the government signalled its agreement with a whopping 106 of the 116 recommendations in the Attorney-General’s Privacy Act Review Report, we’re seeing the first steps of real reform with the introduction of the Privacy and Other Legislation Amendment Bill 2024 (Tranche 1).
If you thought your privacy obligations were tight before, get ready for a whole new level of compliance.
We’ll unpack the most relevant changes in the first tranche of the privacy reforms, what it means for you, and how you and your agency can avoid any associated privacy pitfalls.
Penalties for Common Privacy Mistakes & Breaches
Another big shake-up in the Bill is the introduction of new civil penalties under Section 13K.
This one’s a bit of a wake-up call for real estate agencies because now, failing to meet specific obligations under the Australian Privacy Principles (APPs) could hit your agency with fines of up to $62,600.
The penalties are tied to a range of common mistakes, like not having an up-to-date and clear privacy policy with all the required information, failing to give individuals the option to remain anonymous, or making it too hard for them to opt out of marketing communications.
Some of the biggest offenders? Not providing a simple opt-out option for marketing, failing to draw attention to this option in your materials, or dragging your feet on processing an opt-out request.
There’s also a penalty for not correcting personal information or associating a statement with it in a timely manner under APP 13.
If these sound familiar, it’s time to tighten up—these are the errors we see most often in the real estate space.
The Bill also introduces a hefty new civil penalty under Section 13H for interferences with privacy that don’t quite meet the threshold of a “serious interference.”
This is aimed at situations like failing to notify individuals of an eligible data breach promptly, as required under the current rules.
For individuals, the maximum penalty can reach up to $660,000, and for corporations, the fine could soar to a staggering $3.3 million.
This is a major escalation, ensuring that privacy breaches come with real consequences.
The message here is clear: the penalties are designed not only to deter privacy violations but also to prevent businesses from treating these fines as just another cost of doing business.
If an agency gains a commercial advantage by misusing or disclosing personal information without proper consent, for example, these penalties aim to ensure that the financial consequences far outweigh any competitive benefits.
With community expectations around privacy continuing to rise, it’s crucial that your agency takes privacy compliance seriously—this isn’t an area where you can afford to cut corners.
Overseas Data Flow
APP 8 deals with cross-border disclosure of personal information, and this often comes into play if your agency is using offshore VA’s or service providers that are abroad.
Under the proposed amendments to APP 8, If you disclose client data to overseas recipients, you may no longer need to ensure the recipient complies with Australian privacy standards, provided the recipient is located in a country with privacy laws deemed “substantially similar” to Australia’s.
Essentially, if the country is on a supposed list of approved jurisdictions or part of a binding scheme, your compliance burden may be significantly reduced when sharing personal information internationally.
While this change could ease some of the red tape around overseas data flow, it’s crucial to stay updated on which countries make the cut and continue to assess your international data handling practices to ensure you remain compliant with both domestic and global privacy standards.
AI & Automated Decision Making
Another key change in the is the new requirement for transparency around automated decision-making (ADM).
For real estate agencies using computer programs to make decisions based on personal information—such as tenant screening, credit checks, or rental pricing—this may be area you’ll need to keep an eye on.
Under the proposed amendments to APP 1, you will be required to inform individuals if ADM is being used to make decisions that could have a legal or significant impact on them, for example, approving a rental application or determining eligibility for a mortgage.
This means updating your privacy policies to disclose when and how ADM is used, including details about the types of personal information processed and the nature of the decisions being made.
Security of Personal Information
The Bill also tightens up what it means to protect personal information under APP 11.
Now, it’s clear that the “reasonable steps” you must take to safeguard personal info include both technical and organisational measures.
In other words, it’s not just about having a strong IT setup with firewalls and encryption—your agency also needs solid governance and processes in place to manage and secure client data properly.
This is a good reminder that data security isn’t just about your tech. It’s about making sure your internal practices are up to scratch too.
Whether that’s staff training, regular audits of your data handling, or clear roles and responsibilities for privacy governance, these organisational measures will be just as important as your tech solutions when it comes to staying compliant.
Right to bring action, including against small businesses
The Bill also introduces a new statutory cause of action for serious invasions of privacy,
which means individuals can take legal action if their privacy is significantly violated.
Currently, the Privacy Act mainly covers how Australian Government agencies and larger private sector organisations (with an annual turnover great than $3million) handle personal information, leaving gaps in situations involving individuals acting in a personal capacity or certain exempt entities (eg. small businesses with annual turnover less than $3 million).
For real estate agencies, this is a clear signal to tighten up your privacy protections; a serious lapse could now not only lead to regulatory scrutiny but also open the floodgates for litigation, even if you’re agency isn’t required to abide by the Privacy Act and APP.
It’s more important than ever to ensure your privacy practices are compliant, up-to date, and followed.
Power of Public Enquiries
A major change introduced by the Bill is the new power granted to the Information Commissioner to hold public inquiries into systemic privacy issues across industries.
With the Minister’s direction or approval, these inquiries can investigate widespread practices that may be putting personal information at risk. or real estate agencies, this means greater scrutiny on how personal data is handled across the sector.
It’s a reminder to keep your privacy practices in check—because if there’s an inquiry into industry-wide practices, your agency could be under the microscope.
With these expanded powers, it’s more important than ever to ensure your data-handling policies are airtight.
Staying compliant not only protects your clients but also shields your agency from becoming part of any potential systemic investigation into privacy breaches.
Key Takeaways:
Agencies should review and update their privacy policies, implement technical and organisational safeguards, and conduct regular audits to protect personal information and maintain client trust.
This Privacy Bill has expanded the compliance landscape for real estate agencies, bringing significant implications that could impact your bottom line.
With hefty new civil penalties, enhanced powers for the Information Commissioner, and a statutory cause of action for serious invasions of privacy, agencies that don’t get their privacy practices in order risk facing steep fines, reputational damage, and the potential loss of clients.
Real estate agencies must adapt to new obligations, such as disclosing automated decision-making practices and ensuring robust data protection measures, at the technical and organisational level.
Small agencies (annual turnover > $3 million) will now also need to watch out for privacy risks, as individuals will be given the power to take them to court for serious invasions of their privacy