Legal Insights

Recent Commonwealth privacy reforms: What are they, and what do they mean for Victorian councils?

By
• 26 August 2025 • 8 min read

There have been some significant reforms in relation to privacy and data security at the Commonwealth level, but how do they apply to Victorian local government?’

The Commonwealth Privacy Act 1988 (Cth) (Commonwealth Privacy Act) was subject to some significant amendment by operation of the Privacy and Other Legislation Amendment Act 2024 (Cth). An overview of the key changes can be found in our previous eAlerts Navigating Privacy Reforms: Challenges and opportunities for government in 2025 and Privacy reforms - what now? Our top 3 tips for Australian Government agencies.

In summary, the Commonwealth Privacy Act has been amended to:

  • introduce a new statutory tort for serious invasions of privacy
  • impose new transparency obligations in relation to automated-decision making
  • introduce a doxxing offence
  • require the Office of the Australian Information Commissioner to develop a code addressing online privacy for children
  • confer Ministerial powers to ‘whitelist countries’ that provide substantially similar privacy protections, to assist entities disclosing personal information overseas
  • increase enforcement powers and penalties.

While the Commonwealth Privacy Act generally does not apply to other levels of government, including councils, some of these changes do have some implications for local government.

A snapshot of the reforms

  • Increased powers and penalties

    Penalties increased from $2.2M per contravention to the greater of:

    1. $50M;
    2. 3x value of benefits obtained or attributed to the breach; or
    3. 30% of the corporation's 'adjusted turnover' during the 'breach turnover period'.
  • Tranche 1 Privacy Act reforms passed

    • Need for technical and organisational measures to secure information
    • Tort for serious privacy invasion
    • Anti-doxxing offences

    More changes expected to come in Tranche 2.

  • Ransom payment reporting

    • Cyber Security Act 2024 (Cth)
    • Introduced mandatory ransomware payment reporting obligations 

Serious invasions of privacy

A tort is a civil wrong which gives a person the right to sue another person or organisation for damages. For example, negligence is a common tort. In Australia, up until June 2025, there was no tort for invasion of privacy. People in Australia have had some limited rights to sue people for disclosing their confidential information, although these rights have generally only been exercised for commercially-sensitive information and trade secrets.

For example, in the Victorian Supreme Court case of Giller v Procopets [2004] VSC 113, the court found that a man who shared sexually-explicit images of a woman he had been in a relationship with breached her confidence, but also found that she had no right to recover damages. 

Courts in Australia have considered recognising a tort for invasion of privacy (including in Giller v Procopets), but have always held that there has not been sufficient precedent for it. 

What has changed? 

Under the change, any individual (the plaintiff) may sue another individual or organisation (the defendant) where:

  • the plaintiff has a reasonable expectation of privacy;
  • the defendant either intruded on their seclusion or misused information relating to them;
  • the invasion of privacy was serious, and also intentional or reckless; and
  • the public interest in the plaintiff’s privacy outweighed any countervailing public interest.

There are some defences, for example if the invasion of privacy was required or authorised by law, or was necessary to protect a person’s life, health or safety. The court may respond to the invasion of privacy by issuing an injunction restraining the defendant or awarding damages to the plaintiff.

As the tort is new, there is no case law on it. However, there is case law from the UK dealing with questions of reasonable expectation of privacy and public interest. 

What has changed for local government? 

Councils and their employees will have some protections under sections 16 and 16A of Schedule 2 of the Commonwealth Privacy Act. An individual will not have a cause of action against a council or a council employee who invades an individual’s privacy in good faith when performing or purporting to perform an official function or exercising or purporting to exercise a power. 

The change will, however, apply in other cases. Victorian councils, as well as state government entities, are covered by the Privacy and Data Protection Act 2014 (PDPA). This means that they must only collect, hold, use and disclose personal information as permitted by the Information Privacy Principles (IPPs). Individuals who believe that a council has improperly collected, held, used or disclosed their personal information may make a complaint to the Office of the Victorian Information Commissioner (OVIC) and can now attempt to sue them for serious invasions of privacy under the Commonwealth Privacy Act. Previously, individuals did not have this express right to sue the council. 

While the risk of a council being liable for a serious invasion of privacy is not high, it is important to keep in mind that:

  • many councils in Victoria maintain Closed Circuit TV (CCTV) systems for security. CCTV systems are a useful tool, but also raise privacy risks, particularly if the footage is compromised or misused. Councils should be mindful of OVIC’s guiding principles for surveillance.
     
  • in the event that councils maintain social media sites or websites which allow users to comment, they may be considered a publisher of comments and other content posted to these sites by members of the public. As such, they could find themselves as a defendant if anyone does post information causing a serious invasion of privacy on a council platform. Councils should refer to OVIC’s guidance on social media and engaging with the community.

Doxxing Offence 

Alongside the tort of serious invasion of privacy, the Commonwealth Parliament has also made doxxing an offence in the Commonwealth Criminal Code. 

What has changed? 

Doxxing refers to releasing personally-identifiable information about an individual online without their consent, usually for a malicious purpose. It is now an offence in Australia to release personal data of individuals in a way which is “in all the circumstances, menacing or harassing towards those individuals”. 

What has changed for local government? 

Councils are already bound by the IPPs regarding the disclosure of personal information, but the change could make individuals, including Councillors, criminally liable for releasing personal information online. It will also mean that Councillors and officers who are subject to doxxing, something which is becoming increasingly common, will have recourse to these new offence provisions, although they will be reliant on the Australian Federal Police being prepared to take up their case. 

Whitelist 

Companies and government agencies in Australia need to be careful about disclosing personal information to overseas recipients. Under Australian Privacy Principle (APP) 8, entities bound by the Commonwealth Privacy Act have been able to send personal information to an overseas recipient where they are in a jurisdiction subject to a substantially similar law or binding scheme. Prior to this year, it was up to entities to make this assessment themselves and bear the risk of being incorrect. 

What has changed? 

The recent privacy reforms allow the Commonwealth Government to release a “white list” of jurisdictions considered safe for overseas disclosure of personal information for the purposes of APP 8. 

What has changed for local government? 

Councils are not bound by the APPs, but under IPP 9.1(a), they too are permitted to disclose personal information outside of Victoria if they reasonably believe that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the IPPs. Councils will be able to draw on the white list when assessing if it is safe for them to disclose personal information to overseas recipients.

What about other recent reforms at the Commonwealth level? 

There have been some significant reforms from a data security perspective, such as the Cyber Security Act 2024 (Cth), which is the Commonwealth’s first stand-alone law in relation to cyber security. Some of the key measures implemented by this Act include: 

  • mandatory security standards for smart devices
  • mandatory ransomware and cyber extortion reporting obligations
  • the establishment of an independent body to conduct reviews of significant cyber incidents (the Cyber Incident Review Board).

However, these reforms are targeted at the corporate sector and to government entities that are responsible entities of critical assets under the Security of Critical Infrastructure Act 2018 (Cth). As such, the Act is unlikely to directly apply to councils. Councils that have concerns that they may be facing a cyber security breach should raise their concerns with OVIC. 

Conclusion 

While the reforms to the Commonwealth Privacy Act and the Cyber Security Act 2024 (Cth) are only likely to apply to local government in limited circumstances, councils should be aware of these reforms, the renewed focus of the Commonwealth on privacy and data security, and the resulting potential impacts for them.

Our Government expertise

For advice or support with managing these reforms, please get in touch with our Privacy and FOI team.

Georgia Hunt

Georgia is an experienced commercial lawyer advising government, professional services and education organisations.

View profile
By

Recent articles

Online Access