Summary of the legislative reforms passed in late 2024
12 March 2025
In late 2024, amidst the rush of pre-Christmas celebrations, many readers may have overlooked a series of significant reforms to Australia’s digital legislative and regulatory landscape.
This article explores the following key bills that were passed last year:
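1. Privacy and Other Legislation Amendment Act 2024
2. Cyber Security Act 2024
3. Security of Critical Infrastructure and other Legislation Amendment (Enhanced Response and Prevention) Act 2024
4. Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
5. Digital ID Act 2024
6. Telecommunications Amendments (SMS Sender ID Register) Act 2024
7. Scams Prevention Framework Act 2025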
In late 2022, the Australian Government committed to the ambitious goal of being the most cyber-secure nation in the world by 2030.
Now, a little over two years later, the government is maintaining the pace with a bundle of reforms that were passed into law in late 2024, with additional measures being introduced and subsequently passed into law.
This article is intended as a quick guide to these developments, which can sometimes be challenging to keep track of. In some instances, our team will provide deeper insights into these reforms in future articles.
1. Privacy and Other Legislation Amendment Act 2024
Following the Optus and Medibank data breaches in 2022, the Federal Attorney General conducted a review of the Privacy Act, which we discussed in our previous article Privacy Act Reform: signalling significant changes ahead.
The review included 116 proposals for reforming Australia’s privacy framework, of which 38 were accepted by the Australian Government in its response to the Privacy Act Review Report.
The Privacy and Other Legislation Amendment Act 2024 was passed into law on 10 December 2024. This Act forms part of the first tranche of the agreed recommendations to amend the Privacy Act 1988 (Cth), with the second tranche of reforms to follow. The key reforms include:
- Introduction of a Children’s Online Privacy Code
- Mandating information-sharing after data breaches and emergencies
- Allowing the Government to prescribe substantially similar countries or schemes for overseas data transfers
- Expanding enforcement options
- Requiring the inclusion of automated decision-making in privacy policies
- Establishing a statutory tort for serious invasions of privacy
- Criminalising doxing offences.
For further details on these changes, please refer to our previous article on Privacy Act Reforms.
2. Cyber Security Act 2024
The Cyber Security Act 2024, the first of its kind, became law on 29 November 2024.
This Act is intended to enhance Australia’s cyber security and the resilience of critical infrastructure. Key measures include:
- Mandating minimum cyber security standards for smart devices
- Introducing mandatory reporting obligations for certain businesses to report ransom payments related to ransomware and cyber extortion
- Establishing a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents
- Creating a Cyber Incident Review Board to evaluate significant cyber incidents and share lessons learned.
The Cyber Security Act is part of the broader Cyber Security Legislative Package 2024, which also includes the Security of Critical Infrastructure and other Legislation Amendment Act 2024, as well as the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024.
For a detailed analysis of the changes introduced by this package, please see our previous article The Cyber Security Legislative Package 2024.
3. Security of Critical Infrastructure and other Legislation Amendment (Enhanced Response and Prevention) Act 2024
This Act, which was also enacted on 29 November 2024, amends the existing Security of Critical Infrastructure Act (along with five other Acts). It aims to:
- Clarify obligations related to certain data storage systems that store or process business-critical data
- Expand the government assistance framework to help manage the impacts of incidents on critical infrastructure assets
- Amend the definition of ‘protected information’ to include a harms-based assessment and a non-exhaustive list of relevant information
- Clarify the use and disclosure of protected information
- Enable regulators to direct entities to remedy severely deficient risk management programs as well as consolidate security requirements for critical telecommunications assets
- Remove direct interest holders from reporting obligations associated with Systems of National Significance.
4. Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
On 29 November, the third bill was passed into law, amending the Intelligence Services Act. This law was enacted in part to address declining willingness from entities to share technical cyber security incident, network telemetry, and vulnerability information promptly. It establishes a ‘limited use’ obligation that restricts how cyber security information voluntarily provided to the Australian Signals Directorate can be used and disclosed. Additionally, it amends the Freedom of Information Act 1982 to exempt cybersecurity information voluntarily submitted to the National Cyber Security Coordinator from the Act’s provisions.
5. Digital ID Act 2024
The Digital ID Act 2024 commenced on 1 December 2024, strengthening and expanding the current Australian Government Digital ID System (AGDIS). The AGDIS allows Australians to verify their identity online without the need to provide traditional physical documents. Recognising the potential impacts of cybersecurity breaches on personal information, the Digital ID Act introduces several reforms, including:
- A voluntary accreditation scheme for digital ID providers
- An expansion of the AGDIS to ensure that protections for digital IDs are in place across the economy
- Enhanced privacy and consumer protections beyond those in the Privacy Act
- The establishment of a new Digital ID Regulator, with the Australian Competition and Consumer Commission (ACCC) regulating the Accreditation Scheme and the Office of the Australian Information Commissioner (OAIC) managing privacy obligations under AGDIS.
6. Telecommunications Amendments (SMS Sender ID Register) Act 2024
Effective from 5 September 2024, this Act amends the Telecommunications Act 1977. It requires the Australian Communications and Media Authority to create and maintain an SMS Sender ID register, aimed at disrupting a specific type of SMS impersonation scam. These scams often involve hackers impersonating banks to notify victims of unauthorised withdrawals, or impersonating toll operators to notify them of unpaid toll fees.
7. Scams Prevention Framework Act 2025
The Scams Prevention Framework Bill was passed last year and commenced on 20 February 2025. The aim is to impose obligations on service providers in certain sectors of the economy to take various actions to combat scams. We are witnessing an increase in both the scale and sophistication of scams, including investment scams in cryptocurrency, romance scams, and the sale of counterfeit products. The Scams Prevention Framework (SPF) includes:
- Principles that apply to regulated entities to implement governance arrangements to address scam activities
- Provisions to establish sector-specific codes that apply to regulated sectors
- Stronger regulatory oversight
- Clear dispute resolution procedures for consumers, and guidelines for apportioning liability between parties if they fail to meet their obligations
- Enhanced enforcement powers and penalties for breaches by regulated entities.
Conclusion
This overview provides an introduction to the bills passed by the Australian Government late last year. However, it marks only the beginning of new obligations for businesses in the technology sector. A second tranche of privacy reforms is already anticipated, and businesses are encouraged to remain vigilant in this rapidly evolving landscape.

