Cyber Law in Australia

Introduction

Australian cyber law comprises a complex and rapidly evolving patchwork of privacy and data protection laws, cybersecurity and critical infrastructure regulation, computer crime offences, surveillance and interception frameworks, and online safety powers. Unlike the European Union’s General Data Protection Regulation (GDPR), Australia lacks a single, comprehensive data protection statute. Instead, the legal landscape is fragmented across more than a dozen federal statutes, supplemented by state and territory laws and the common law. The increasing frequency and sophistication of cyber incidents — from the 2019 Australian National University breach to the 2022 Optus and Medibank incidents — have driven significant legislative reform, culminating in the enactment of the Cybersecurity Act 2024 (Cth) and the ongoing reform of the Privacy Act 1988 (Cth).

Privacy and Data Protection

The primary federal privacy statute is the Privacy Act 1988 (Cth). The Act governs the handling of personal information by Australian government agencies and by private sector organisations with an annual turnover exceeding AUD 3 million (with exceptions for small business operators, political parties, and certain other entities). The Act applies extra-territorially: it covers organisations that carry on business in Australia and collect or disclose personal information in Australia.

The Act contains 13 Australian Privacy Principles (APPs), which regulate the collection, use, disclosure, quality, security, access to, and correction of personal information:

  • APP 1 — Open and transparent management of personal information;
  • APP 2 — Anonymity and pseudonymity;
  • APP 3 — Collection of solicited personal information;
  • APP 4 — Dealing with unsolicited personal information;
  • APP 5 — Notification of the collection of personal information;
  • APP 6 — Use or disclosure of personal information;
  • APP 7 — Direct marketing;
  • APP 8 — Cross-border disclosure of personal information;
  • APP 9 — Adoption, use or disclosure of government related identifiers;
  • APP 10 — Quality of personal information;
  • APP 11 — Security of personal information;
  • APP 12 — Access to personal information;
  • APP 13 — Correction of personal information.

The Notifiable Data Breaches (NDB) scheme (Pt IIIC of the Privacy Act, effective from February 2018) requires entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where there is an eligible data breach — that is, where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the entity, and this is likely to result in serious harm to any of the individuals to whom the information relates. The notification must include a description of the breach, the kind of information involved, and recommendations about steps individuals should take. Failure to comply with the notification obligations can result in civil penalties.

The OAIC is the principal privacy regulator. It has powers to investigate suspected interferences with privacy, to make determinations (including compensation orders and declarations), and to seek civil penalty orders in the Federal Court. The Commissioner may also conduct privacy assessments (audits) of entities and issue public determinations, guidelines, and codes of practice.

Privacy Act Reform

The Privacy Act Review, initiated by the Commonwealth Attorney-General in 2020 and culminating in the 2023 Privacy Act Review Report, has proposed the most significant reforms to Australian privacy law in decades. Key proposals include:

  • A statutory tort for serious invasion of privacy, with a focus on unreasonable intrusion and misuse of private information;
  • Strengthened enforcement powers, including increased maximum penalties (to the greater of AUD 50 million, three times the value of the benefit obtained, or 30% of adjusted turnover — aligning with the penalty regime under the Competition and Consumer Act 2010);
  • A direct right of private action for individuals affected by interferences with privacy;
  • Regulation of automated decision-making systems, requiring entities to provide meaningful information about the basis of automated decisions;
  • Enhanced obligations concerning children’s privacy (consistent with the UK Age Appropriate Design Code);
  • Introduction of a fair and reasonable personal information handling test (a “fairness test” supplementing the APPs); and
  • A more rigorous consent framework, moving from implied consent to a model of active, informed, specific, and voluntary consent.

Cybersecurity

The Cybersecurity Act 2024 (Cth) represents a major step in the consolidation of Australia’s cybersecurity regulatory framework. The Act establishes:

  • The Cyber Incident Review Board (CIRB), an independent statutory body charged with conducting post-incident reviews of significant cyber incidents, making recommendations to improve cybersecurity, and reporting to Parliament. The CIRB has powers to compel information and documents from entities involved in a reviewed incident.
  • Mandatory cybersecurity standards for critical infrastructure entities, building on the Security of Critical Infrastructure Act 2018 (Cth).
  • Enhanced information-sharing arrangements between the private sector and government, with protections against the use of voluntarily shared information in civil or criminal proceedings.

The Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) has been progressively expanded through amendments in 2021 and 2022 (the SOCI Amendment Acts). The SOCI Act applies to entities in 11 critical infrastructure sectors: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water. Key obligations include:

  • The Critical Infrastructure Risk Management Program (CIRMP) (s 30AB–30AN of the SOCI Act), requiring responsible entities to identify, assess, and manage material risks (including cyber and other hazards) and to maintain a written program.
  • Mandatory cyber incident notification (s 30BC–30BL): entities must notify the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of a critical infrastructure cyber incident (a “Part 2B incident”) and within 72 hours of becoming aware of any other cyber security incident. Failure to comply carries penalties.
  • Government assistance powers (Pt 3A): the Secretary of Home Affairs may issue a direction to a critical infrastructure entity to take specified action in response to a serious cyber security threat, or to address a material risk to the security of critical infrastructure.

Computer Crime

The Criminal Code Act 1995 (Cth) contains the principal federal computer crime offences in Chapter 10, Div 477–478. The key offences are:

  • Section 477.1 — Unauthorised access to data: A person commits an offence if they cause any unauthorised access to data held in a computer, knowing that the access is unauthorised and intending to access the data. The maximum penalty is two years imprisonment (five years if the person intends to commit a serious offence, or if the data is accessed with the intention of committing a Commonwealth offence).
  • Section 477.2 — Unauthorised modification of data: A person commits an offence if they cause any unauthorised modification of data held in a computer, knowing the modification is unauthorised and intending to cause impairment of access to data or to commit a serious offence. The maximum penalty is ten years imprisonment (five years where the intention is to cause impairment).
  • Section 477.3 — Unauthorised impairment of electronic communications: A person commits an offence if they cause any unauthorised impairment of electronic communications to or from a computer, by interfering with or interrupting the communication. The maximum penalty is ten years imprisonment.

These offences are supplemented by state and territory computer crime laws, which typically cover similar conduct (unauthorised access, modification, and impairment) in relation to computers within the relevant jurisdiction. State offences often carry different penalties and may apply to conduct not covered by the Commonwealth Code (e.g., access with the intent to commit an indictable offence under state law).

Surveillance and Interception

The surveillance and interception framework in Australia is governed by the Surveillance Devices Act 2004 (Cth) (federal), the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act), and complementary state and territory legislation.

The TIA Act prohibits the interception of telecommunications passing over a telecommunications system, subject to exceptions for law enforcement and national security agencies (with a warrant). Part 3-2 of the TIA Act also regulates access to telecommunications data (metadata), including subscriber information, billing data, and call details records (but not the content of communications). Law enforcement agencies may access telecommunications data without a warrant in certain circumstances.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (the AA Act or TOLA Act) introduced three forms of compelled assistance:

  • Technical assistance requests (TARs): The Australian Federal Police (AFP) or the Australian Criminal Intelligence Commission (ACIC) may request a communications provider to give voluntary technical assistance in giving effect to a warrant.
  • Technical assistance notices (TANs): The AFP or ACIC may compel a communications provider to give specified technical assistance (but not including the creation of a systemic weakness or vulnerability in a form of electronic protection).
  • Technical capability notices (TCNs): The Attorney-General may issue a notice requiring a communications provider to develop and maintain a specified technical capability to enable the execution of warrants (including the removal of electronic protection). A TCN must not require a provider to create a systemic weakness or systemic vulnerability in a form of electronic protection, but may require the removal of targeted electronic protection.

The TOLA Act has been the subject of significant public controversy and criticism from technology companies, civil society organisations, and international partners, on the basis that it weakens encryption and undermines cybersecurity.

Online Safety

The Online Safety Act 2021 (Cth) established the statutory office of the eSafety Commissioner, with broad powers to regulate online content and to protect Australians (particularly children) from harmful online conduct. The eSafety Commissioner has powers to:

  • Issue removal notices for class 1 materials (terrorist or violent extremist content) and class 2 materials (serious harm material, including cyber-bullying, image-based abuse, and pro-terror content);
  • Investigate and address cyber-bullying targeting an Australian child;
  • Investigate and address image-based abuse (the non-consensual sharing of intimate images);
  • Make determinations as to the operation of the Basic Online Safety Expectations (industry codes); and
  • Issue enforceable undertakings and seek civil penalty orders for non-compliance with industry codes or standards.

The eSafety Commissioner has an extended scope of extra-territorial application: the Act applies to online service providers outside Australia where the content targets an Australian end-user.

Conclusion

Australian cyber law is at a critical juncture. The combined effect of the Privacy Act Review, the Cybersecurity Act 2024, the expanding reach of the SOCI Act, and the evolving regulatory powers of the eSafety Commissioner is to accelerate the pace and scale of reform. The trend is towards more prescriptive obligations, higher penalties, and enhanced enforcement powers, reflecting a recognition that the existing frameworks (designed for a pre-digital era) are no longer adequate. Practitioners in this area must navigate a rapidly shifting regulatory environment, with particular attention to the interaction between federal and state laws, the implications of extra-territorial application, and the tension between security imperatives and individual rights.