Major reforms reshape Australia's digital legal landscape


As we approach 2025, Australia is witnessing significant changes to its digital regulatory framework.

Recent legislative changes and proposed reforms across cybersecurity, privacy, digital ID, and scams prevention signal a clear recognition that our legal system must evolve to meet modern digital challenges.

Key legislative changes and implementation timelines

Comprehensive Cyber Security Package

Reforms in 2024 introduced Australia's first standalone Cyber Security Act 2024, alongside amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) and Intelligence Services Act 2001. Key features include:

  • Mandatory reporting to the government of ransomware payments within 72 hours of making the payment, for businesses with more than $3M in annual revenue

  • Formalising the creation of a National Cyber Security Coordinator role, and an information sharing framework that facilitates the sharing of information by private sector entities on a “limited use” basis*

  • Establishment of an independent Cyber Incident Review Board

  • Extension of critical infrastructure protections to data storage systems

  • Introduction of security standards for Internet of Things devices

The reforms begin taking effect immediately, with the information sharing framework and Coordinator role commencing in December 2024. Mandatory ransomware reporting and the critical infrastructure changes have a six-month implementation period, and the IoT security standards and telecommunications sector reforms are expected to take effect from December 2025.

*Under the regime, information provided voluntarily does not affect claims of client legal privilege and cannot be re-used as evidence or re-used by government agencies for other purposes (some exceptions apply in the case of criminal matters).

Privacy Reform

On 10 December 2024 the Privacy and Other Legislation Amendment Act 2024 came into effect, bringing changes to the Privacy Act 1988 which significantly strengthen privacy protections through:

  • A new statutory tort for serious invasion of privacy

  • Enhanced enforcement powers for the Office of the Australian Information Commissioner

  • Mandatory development of a Children's Online Privacy Code

  • New requirements for privacy policies to address automated decision-making

  • Streamlined mechanisms for international data transfers

Enhanced OAIC powers take immediate effect, with remaining provisions being phased in throughout 2025 and 2026, including the development of the Children's Online Privacy Code.

The passing of the Online Safety Amendment (Social Media Minimum Age) Act has sparked significant debate, particularly regarding potential age verification requirements for social media access. While the Act is aimed at protecting young people online, critics argue that age restrictions and verification requirements could impact digital inclusion and education opportunities. Critics also argue that the restrictions reduce the pressure on social media companies to take proactive steps to protect children, who realistically will be accessing social media anyway. The debate highlights the significant challenge of balancing protection with access to digital resources.

Digital ID Framework

Expanding Australia’s Digital ID framework is an important part of the national cybersecurity strategy because it allows organisations to verify an individual’s identity without collecting identity documents, the storage of which can lead to identity fraud in the event of a data breach (for more background on Digital ID, see our article published in the Law Society of NSW Journal).

Australia’s Digital ID System is made up of two parts:

  • the voluntary Accreditation Scheme for digital ID service providers

  • the Australian Government Digital ID System (AGDIS)

AGDIS is Australia's official, government-backed digital identity framework designed to provide secure, trusted, and consistent digital identity services across government and private sectors. It is being developed and overseen by the Digital Transformation Agency.

The Digital ID Act 2024 and associated legislation establish:

  • A national regulatory framework for Digital ID

  • Accreditation requirements for both government and private sector Digital ID providers

  • Voluntary participation principles

  • Privacy-preserving measures to reduce data collection and storage

Under the legislation, from 1 December 2024 state and territory digital ID providers can apply to join the Australian Government’s Digital ID Framework, with private sector entities able to apply to join by December 2026. Private sector entities are nevertheless already able to provide Digital ID services outside the AGDIS, including for other private sector entities.

The success of Digital ID will ultimately depend on building public trust. While the framework's privacy-preserving design and voluntary nature aim to address security concerns, widespread adoption will require demonstrating clear benefits to individuals and businesses while maintaining robust privacy protections.

Scams Prevention

The proposed Scams Prevention Framework Bill 2024 aims to establish:

  • Comprehensive obligations across telecommunications, banking and digital platforms

  • Requirements to prevent, detect, report and disrupt scams

  • Safe harbour provisions for entities taking reasonable steps to investigate and disrupt scams

  • Sector-specific codes monitored by the ACCC

Consumer advocacy groups and independent senators have raised concerns about the framework's effectiveness. Critics argue that it places too much responsibility on consumers to protect themselves, while potentially not doing enough to address the systemic issues that enable scams, such as the absence of mandatory account number and account name checking by financial institutions.

Since the Bill has only recently been introduced, it will require further debate and approval in both Houses of Parliament before becoming law.

Looking Ahead

With many provisions taking effect throughout 2025, organisations face significant work to align their practices with these new requirements. The reforms set clear expectations for organisational responsibility in protecting personal information and maintaining cyber resilience.

The success of these reforms will require balancing multiple competing interests: privacy protection with digital innovation, security measures with user convenience, and industry obligations with practical implementation challenges. Particularly crucial will be building public trust in digital identity systems and ensuring that protective measures don't inadvertently create new barriers to digital participation.

Perhaps most importantly, these changes signal Australia's commitment to creating a more secure and privacy-conscious digital environment. While debate continues about specific aspects of the reforms, they represent a significant step toward addressing digital risks while promoting responsible innovation.

Get practical insights on implementing these reforms at our upcoming webinar on Wednesday 29 January 2025, 1:00 PM - 2:00 PM AEDT.

AUTHOR

Simone Herbert-Lowe

Simone Herbert-Lowe is the founder and legal practitioner director of Law & Cyber, a provider of cyber-resilience education and cyber tabletop exercises for executive teams.
