Privacy law

Bill to allow victims of AI deepfakes to sue for emotional damages

by

reviewed by

Malcolm Burrows

On 24 November 2025, Senator David Pocock introduced a private Senator’s bill, the Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth) (Bill) to amend the Online Safety Act 2021 (Cth) (Online Safety Act) and the Privacy Act 1988 (Cth) (Privacy Act). 

Overview of the Bill

The Bill creates a new legal framework that legislates for greater protection of the subjects of non-consensual AI-generated deepfakes.  The Bill when passed will implement a new “complaints-and-takedown regime” into the Online Safety Act and create the new tort of wrongful use or disclosure of deepfake material under the Privacy Act.

Additions to the Online Safety Act

Schedule 1 of the Bill proposes to amend the Online Safety Act by clarifying definitions of key terms, empowering the eSafety Commissioner (Commissioner) to investigate complaints and issue notices, and creates a new civil penalty provision.

Section 7 of the Bill inserts section 21A which defines “core concepts regarding deepfakematerial“, and clarifies that “deepfake material” refers to:

  • any images, audio or media:
    • that depicts an individual’s face or voice in a realistic way;
    • in which the depiction is false on account of the material being created or altered entirely, substantially or in a significant respect using technology; and
    • where the depicted individual is an Australian adult or child.

Section 21A(2) explicitly precludes the following material which is still required to be dealt with under their respective parts of the Online Safety Act:

  • cyber‑bullying material targeted at an Australian child (see instead Part 5);
  • cyber‑abuse material targeted at an Australian adult (see instead Part 7);
  • intimate images (see instead Part 6); or
  • material that depicts abhorrent violent conduct (see instead Part 8).

Section 10 of the Bill inserts section 37A which allows a subject of deepfake material to make a complaint to the Commissioner about the provision of the material, which empowers the Commissioner to investigate complaint sunder section 37B.

Section 13 of the Bill inserts section 93B to create an offence where:

  • a person posts deepfake material on social media or to an internet service;
  • that person is an end-user;
  • that person is an Australian resident;
  • the publication is non‑consensual for a subject of the material; and
  • the person posts the material despite being aware that the subject does not consent for its publication.

Under the Bill, the mere creation or sharing of a deepfake is not automatically prohibited as it is the lack of consent that triggers liability. It remains to be seen how Courts will interpret key definitions such as “non-consensual”.

Under Division 3 proposed by the Bill, the Commissioner is empowered to issue a “removal notice” to social media platforms, internet services providers and individual end-users where:

  • a section 93B contravention has occurred;
  • a complaint has been made directly to the notice recipient;
  • the material is not removed within forty-eight (48) hours after the complaint was made; and
  • a section 37A complaint has been made to the Commissioner.

A removal notice will require the recipient to take all reasonable steps to ensure the removal of the material from the service with twenty-four (24) hours.

A contravention of section 93B or a failure to comply with a removal notice may result in a maximum civil penalty of:

  • 500 penalty units for an individual; worth $165,000; or
  • 2,500 penalty units for a company, worth $825,000.[1]

Amendments to the Privacy Act

Schedule 2 of the Bill proposes to amend the Privacy Act by inserting a new Schedule 3, titled “wrongful use or disclosure of deepfake material“. 

Section 7 of the proposed schedule creates a cause of action as a statutory tort to be known as wrongful use or disclosure of deepfake material.  An individual (Plaintiff) may commence civil proceedings against another person (Defendant) if:

  • the Plaintiff is a subject of deepfake material;
  • the Defendant uses or discloses the material;
  • the Defendant is not under eighteen (18) years old;
  • the Defendant does so knowing the material was created or altered using technology or is reckless as to that fact;
  • the Plaintiff did not expressly or impliedly consent to the use or disclosure; and
  • the Plaintiff suffers detriment, or the defendant makes a profit from, the use or disclosure.

The wrongful use or disclosure of deepfake material is actionable without proof of actual damage.

Section 7(6) states that, without limiting what constitutes “detriment“, the term includes any of the following:

  • discrimination, harassment or intimidation;
  • distress, embarrassment or humiliation;
  • harm or injury, including psychological harm or injury;
  • disadvantageous changes in employment status, position or duties;
  • being misrepresented in relation to a matter;
  • damage to property;
  • damage to reputation;
  • damage to a business or financial position; and
  • any other damage.

Under section 12 the Court:

  • may award damages to the Plaintiff;
  • must not award aggravated damages;
  • may award damages for emotional distress; and
  • may award exemplary or punitive damages in exceptional circumstances (such as where the defendant acted with malicious intent).

Without limiting the matters that the Court may consider in determining the amount of damages, the court may consider the following:

  • whether the Defendant apologised to the Plaintiff;
  • whether the Defendant published alongside the material a statement to the effect that the material is false;
  • whether the Plaintiff received or agreed to receive compensation in relation to the use or disclosure;
  • whether the Plaintiff or the Defendant took reasonable steps to settle the dispute; and
  • whether the Defendant engaged in conduct after the use or disclosure, including during the proceedings, that was unreasonable and subjected the Plaintiff to particular or additional detriment.

Under section 13, the Court may grant other remedies, in addition to or instead of damages, as is deemed appropriate in the circumstances.  These remedies include:

  • an account of profits;
  • an injunction;
  • an order requiring the defendant to apologise to the plaintiff;
  • a correction order;
  • an order that any material be destroyed, delivered up to the plaintiff or dealt with as the Court directs; and
  • a declaration that the defendant has wrongfully used or disclosed deepfake material.

Under section 8, the same defences that exist under the state based uniform defamation law, such as the Defamation Act 2005 (Qld) apply.  The following are therefore complete defences to claims of wrongful use or disclosure of deepfake material:

  • defence of justification;
  • defence of contextual truth;
  • defence of absolute privilege;
  • defence for publication of public documents;
  • defences of fair report of proceedings of public concern;
  • defence of publication of matter concerning issue of public interest;
  • defence of qualified privilege for provision of certain information;
  • defence of scientific or academic peer review;
  • defences of honest opinion; and
  • defence of innocent dissemination.

Significance in the context of current law

The legal protections against deepfakes in Australia are currently narrow.  Part 6 Division 3 of the Online Safety Act already provides for a take-it-down framework which empowers the Commissioner to issue removal notices for non-consensual intimate images, requiring platforms, particularly those operating within or accessible from Australia, to take down the offending content.  

The Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 (Cth) also amended the Criminal Code Act 1995 (Cth) (Criminal Code) in August 2024 by creating section 474.17A which criminalises the sharing of non-consensual sexually explicit deepfakes. 

These laws however do not cover non-explicit deepfakes that may nevertheless cause harm, such as:

  • impersonation scams;
  • reputation-damaging fake videos;
  • deceptive voice-cloning; or
  • media-based disinformation.

While section 474.17A of the Criminal Code imposes a maximum sentence of six (6) years’ imprisonment, it does not offer victims avenues for civil redress.  Currently, any monetary relief for subjects of deepfakes would need to be obtained through an action in defamation, which requires plaintiffs to prove that the material has caused, or is likely to cause, serious harm to reputation.  The threshold for serious harm is prohibitively high and does not extend to the general emotional harm that section 7 of the Bill refers to.   

Key takeaways for online businesses

The Bill introduces a substantially heightened regulatory and compliance burden for online service providers, social media platforms, internet service providers and any business that hosts, transmits or facilitates user-generated content.  

The new deepfake takedown regime means platforms will be expected to respond rapidly to complaints and verify whether content may constitute deepfake material and whether it was posted with consent.  

Businesses captured by the proposed legislation should be prepared to implement and maintain efficient complaint-handling, technical filtering, and escalation processes, despite the legislative uncertainty.

As at 4 December 2025, the Bill is still before the Senate so remains subject to debate, amendment or rejection before being passed.

Links and further references

Criminal Code Act 1995 (Cth)

Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 (Cth)

Defamation Act 2005 (Qld)

 Online Safety Act 2021 (Cth)

Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth)

Privacy Act 1988 (Cth)

Further information about privacy compliance

If you need advice on the privacy and safety obligations of your online business, contact us for a confidential and obligation‑free discussion.

Doyles Recommended TMT Lawyer 2024

[1] Section 4AA of the Crimes Act 1914


Related insights about privacy compliance

  • Bill to allow victims of AI deepfakes to sue for emotional damages

    Bill to allow victims of AI deepfakes to sue for emotional damages

    On 24 November 2025, Senator David Pocock introduced a private Senator’s bill, the Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth) (Bill) to amend the Online Safety Act 2021 (Cth) (Online Safety Act) and the Privacy Act 1988 (Cth) (Privacy Act). 

    Read more …

  • Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    On 3 December 2025, Malcolm Burrows appeared live on Katherine Feeney’s ABC Radio program, “Legal Eagles” as the Technology and Intellectual Property Lawyer to discuss the proposed amendments to the Online Safety Act 2021 (Cth) through the introduction of the Online Safety and other legislation Amendment (My Face Rights) Bill (Cth) 2025 (My Face Rights…

    Read more …

  • OAIC publishes new guidance for under-16s social media ban

    OAIC publishes new guidance for under-16s social media ban

    On 10 October 2025, the Office of the Australian Information Commissioner (OAIC), led by Privacy Commissioner, Ms Carly Kind, released a twenty-nine (29) page Privacy Guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021 (New Guidance).  This New Guidance details the privacy obligations for Age-Restricted Social Media Platforms (Restricted Platforms)…

    Read more …

  • Aust Clinical Labs fined $5.8mil for failing to report data breach

    Aust Clinical Labs fined $5.8mil for failing to report data breach

    On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This…

    Read more …

  • Federal Government releases report into age verification trials

    Federal Government releases report into age verification trials

    On 31 August 2025, the Australian Government published the Final Report (Report) on the Age Assurance Technology Trial (Trial).  Conducted by the independent Age Check Certification Scheme (ACCS), the Trial offers insights into the technical feasibility, privacy implications, and operational deployment capabilities of various age assurance technologies.  While the Report explicitly states it is neutral…

    Read more …

  • What is the US Take It Down Act?

    What is the US Take It Down Act?

    The Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (Take It Down Act ) is a United States (US) federal law enacted on 19 May 2025. The Take It Down Act amends 47 U.S. Code § 223 (Code) of the Communications Act 1934 (US) (Communications Act) by establishing new…

    Read more …

  • Federal parliament enacts cyber security legislation

    Federal parliament enacts cyber security legislation

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • Privacy Act amended to increase penalties to a max of $50 million

    Privacy Act amended to increase penalties to a max of $50 million

    The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent.  The Bill was passed with virtually no amendment.

    Read more …

  • What should APP Entities include in data destruction policies?

    What should APP Entities include in data destruction policies?

    This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.

    Read more …

Send this to a friend