AU Privacy Amendment 2024
Privacy and Other Legislation Amendment Bill 2024
Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.
Jurisdiction
Australia
Enacted
Nov 29, 2024
Effective
Dec 10, 2024
Enforcement
Office of the Australian Information Commissioner (OAIC)
Passed both houses November 29, 2024; received royal assent December 10, 2024
Spruson & Ferguson: Privacy and AI Regulations ReviewWhy It Matters
Strengthens biometric data protections in Australia following high-profile facial recognition enforcement cases. Establishes clear consent and necessity standards for biometric AI systems. OAIC focusing enforcement on facial recognition technology.
Recent Developments
Royal assent December 2024. OAIC announced facial recognition as 2025-26 regulatory priority. Followed enforcement actions against Bunnings and Kmart. Bunnings found to have interfered with privacy through facial recognition system.
At a Glance
Applies to
Harms addressed
Who Must Comply
- Regulated entities under Australian Privacy Act
- Organizations collecting biometric data for automated verification or identification
Safety Provisions
- Higher standard of conduct for collection of biometric data used for automated biometric verification or identification
- Explicit consent required for biometric information collection
- Reasonably necessary test for biometric data collection
- Enhanced protections following OAIC enforcement against Bunnings and Kmart for facial recognition use
Compliance & Enforcement
Penalties
Unspecified
View on map
Australia
Focus Areas
Compliance Help
Regulated entities must obtain explicit consent before collecting biometric data for automated verification/identification, and collection must be reasonably necessary for entity's functions or activities
See how NOPE helpsCite This
APA
Australia. (2024). Privacy and Other Legislation Amendment Bill 2024.
Related Regulations
AU AI Guardrails
10 mandatory guardrails proposed for high-risk AI: accountability, risk management, data governance, testing, human oversight, transparency, contestability, supply chain transparency, record keeping, conformity assessment.
AU Social Media Age Ban
World's first social media minimum age law. Platforms must prevent under-16s from holding accounts. Implementation depends on age assurance technology.
NZ Biometric Code
Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.
China FR Security Measures
Comprehensive facial recognition regulation requiring consent, protecting minors, restricting public space use, mandating data localization, and requiring filing for large-scale processing (100K+ individuals).
Quebec Law 25
Quebec's major privacy reform modernizing data protection laws with extraterritorial scope similar to GDPR. First Canadian provincial framework to directly address AI implications through automated decision-making provisions requiring disclosure, explanation rights, and human intervention options.
Korea AI Act
First comprehensive AI legislation in Asia-Pacific and second in the world after EU. Regulates "High-Impact AI" in healthcare, energy, nuclear, transport, government, and education sectors. Requires transparency notifications, content labeling for generative AI, and fundamental rights impact assessments. Notable for lower penalties than EU AI Act and absence of prohibited AI practices.
Last updated January 23, 2026. Verify against primary sources before relying on this information.