The Privacy Commissioner, the infringement notice and the low-tier civil penalty

18 June 2025

Author: Alec Christie

The most impactful of the Stage 1 changes to the Privacy Act in November 2024 was the introduction of a new three-tiered civil penalty system. Potentially the most impactful element of that system is the empowerment of the Privacy Commissioner to issue infringement notices and impose a low-tier penalty for each of a list of ‘minor’ contraventions specified in s 13K Privacy Act, without the need to go to Court to do so. The infringement notice regime represents a significant new privacy risk for organisations: it will encourage the Commissioner to enforce some of the most basic but fundamental privacy obligations and usher in a more active privacy enforcement environment.

The infringement notice regime

If an organisation does not comply with any of the basic privacy requirements specified in s 13K Privacy Act, the organisation may receive from the Commissioner either (a) an infringement notice and low-tier fines of up to $19,800 for each non-compliance or (b) a compliance notice requesting any such contraventions be rectified. The relevant contraventions are:

  • failure to have a clearly expressed up-to-date privacy policy (APP 1.3);
  • failure to include any of the required information in a privacy policy (APP 1.4);
  • failure to provide individuals with the option to not identify themselves (APP 2.1);
  • failure to make a written record of a use or disclosure under APP 6.2(e) (APP 6.5);
  • failure to provide a simple means by which the individual may easily opt out of marketing communications (APPs 7.2(c) and 7.3(c));
  • failure to appropriately draw attention to an individual’s ability to opt out of marketing communications (APP 7.3(d));
  • failure to give effect to a request to opt out of marketing communications within a reasonable period (APP 7.7(a));
  • failure to notify the source of information, on request, within a reasonable period (APP 7.7(b));
  • failure to deal with a request for correction under APP 13.1 or associated statement under APP 13.4 within 30 days (APP 13.5);
  • any breach of any other APP prescribed by regulation;
  • failure to include all of the required information in an eligible data breach statement or notification; and
  • failure to notify individuals of a notifiable data breach in a reasonable time.

If the organisation does not wish to pay the penalty amounts set out in the infringement notice, or otherwise wishes to challenge it, the organisation must commence proceedings in the Court to do so. However, any challenge to the civil penalties imposed will enliven the Court’s new range of orders, which allow it to hear from affected individuals and, if the Court finds that a civil penalty provision (e.g. s 13K Privacy Act) has been breached, to award damages to those affected individuals.

Compliance notices

In addition to an infringement notice imposing low-tier civil penalties, there is also a “compliance notice” mechanism. This allows the Commissioner to issue a compliance notice instead of an infringement notice. The compliance notice does not impose any penalty, but it will specify which s 13K Privacy Act contraventions are occurring and detail the action(s) that must be taken within the specified time to address those contravention(s) and to ensure that they are not repeated or continued.

Failure to comply with a compliance notice (or to successfully challenge it in Court) is itself a contravention subject to the infringement notice regime and the low-tier civil penalty.

How to limit the risk of receiving a penalty/compliance notice in practice

Organisations should assess now whether they have appropriate processes, policies, risk management and oversight in place to address and prevent any of the contraventions specified in s 13K Privacy Act. In particular, they should confirm whether their publicly available privacy policy fully complies with APPs 1.3 and 1.4 and ss 13K(1)(b)(i) and (ii) Privacy Act. The report arising from this review should detail, as regards the s 13K Privacy Act contraventions: (a) where the organisation stands now; (b) what is needed to minimise the risk of being in contravention of any of these; and (c) the practical, organisation-specific ‘fixes’ to address any gaps found. Of course, these reviews will not be effective unless the recommendations made are implemented by the organisation.

We are happy to discuss how this review can help your organisation minimise the risk of an infringement notice.

To hear more or to organise a chat, get in touch:

info@atmosgroup.com.au

1 - Apologies to the classic ’60s Western, “The Good, the Bad and the Ugly”