Australia's Privacy Reforms


Australian privacy law has entered its enforcement era. In October 2025, the Federal Court approved the first civil penalty ever imposed under the Privacy Act: $5.8 million against Australian Clinical Labs over its 2022 data breach. Meta settled for $50 million over Cambridge Analytica. Proceedings against Optus and Medibank remain on foot. For businesses, privacy has moved from a policy document nobody read to a genuine business risk.

Yet beneath the enforcement headlines lies a more interesting question: is the law being strengthened, or actually rethought? As I argued in my earlier piece on AI regulation, privacy law built around individual consent and identifiability struggles against modern data practices that harm people through inference — what a model learns about people like you from data other people have disclosed. Judged against that standard, tranche one sharpens the old law’s teeth. Only tranche two would change what the law is about.

Where things stand:

ReformTrancheStatus
Expanded OAIC powers, tiered penaltiesOneIn force (Dec 2024)
Security uplift — APP 11.3OneIn force (Dec 2024)
Statutory tort of serious invasion of privacyOneIn force (10 June 2025)
Automated decision-making transparencyOneCommences 10 Dec 2026
Children’s Online Privacy CodeOneRegistered by 10 Dec 2026
”Fair and reasonable” test, definition change, exemptions, erasureTwoBill in progress, no timetable

Currently, the Privacy Act contains 13 Australian Privacy Principles (APPs). The APPs apply to government agencies and private sector organisations with an annual turnover of $3 million or more. However, the Privacy Act’s scope encompasses some small business operators (organisations with an annual turnover of $3 million or less), including, but not limited to, private-sector health service providers and reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. For the latter, the list of industries regulated under the AML-CTF Act continues to expand.

From 1 July 2026, the AML-CTF Act will cover not only the financial sector, but also lawyers, conveyancers, accountants, real estate professionals, and dealers in high-value goods such as jewellers, amongst others.

Businesses in those industries which previously enjoyed the ‘small business’ exemption from the Privacy Act will lose the benefit of that exemption on 1 July. The OAIC estimates that this change will impact more than 100,000 small businesses.

Tranche one: real consequences, real ambiguities

A regulator with options

The Privacy and Other Legislation Amendment Act 2024 transformed the OAIC from a complaints-handler into a modern enforcement agency, importing standard tools from the Regulatory Powers Act: monitoring and investigation powers, public inquiries, compliance notices, and a tiered penalty regime beneath the top-end penalties of up to $50 million (or more where turnover-based calculations apply). Infringement notices of up to $66,000 per contravention now attach to administrative breaches, including something as mundane as a non-compliant privacy policy.

Enforcement no longer requires a catastrophe; the regulator can price everyday sloppiness.

It has started doing so. In January 2026, the OAIC launched its first compliance sweep, auditing the privacy policies of around sixty organisations in sectors that collect information in person, such as real estate agencies, chemists, licensed venues, car dealers and pawnbrokers.

The statutory tort

On 10 June 2025, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) received Royal Assent, and the Privacy and Other Legislation Amendment Act 2024 (Cth) (Act) is now in effect. A key change involved establishing a new statutory tort for serious invasions of privacy.

The statutory tort allows individuals to sue directly for intrusion upon seclusion or misuse of their information, without going through the OAIC and without proving damage. But its design is narrower than the headlines suggest: the invasion must be intentional or reckless, and negligence is expressly excluded. That confines the risk in an important way.

A company hacked by a third party despite reasonable efforts is unlikely to be liable. A company actively engaged in intrusive conduct, such as covert monitoring, tracking, or monetising data without transparency, squarely is. The untested frontier lies between the two: plaintiffs will argue that ignoring known security warnings amounts to recklessness, and the first well-funded class action to run that argument will be watched closely.

Two boundaries deserve attention. What makes an invasion “serious” is an objective test yet to be judicially mapped, with non-economic damages capped at defamation levels (around $478,550). And, notably, neither the small-business nor the employee-records exemption applies to the tort, so an employer’s conduct can be actionable even where the APPs would not reach it.

AI and automated decision-making

From 10 December 2026, the new APP 1.7 requires entities to disclose in their privacy policies where a computer program uses personal information to make, or do something “substantially and directly related” to making, a decision that could reasonably be expected to significantly affect an individual’s rights or interests. Company policies must soon identify the types of information used, the decisions made solely by automation, and the decisions automation substantially supports.

The above change creates new ambiguities to monitor. A model that scores loan applicants, feeding a nominally human decision, is almost certainly caught. A generative AI tool summarising a candidate’s CV for a recruiter is unclear. “Computer program” is deliberately broad, covering rule-based systems, AI and machine learning, and much of the automated decision-making that has run in businesses for two decades with little documentation or risk assessment.

Furthermore, the obligation applies to systems deployed before commencement. Accordingly, the compliance task is an enterprise-wide inventory, not a form update. The OAIC’s separate AI guidance signals the direction: privacy by design, accuracy obligations that extend even to AI “hallucinations” about individuals, and consent before sensitive information is used to train models.

Security is now organisational, not just technical

APP 11 requires organisations to take ‘such steps as are reasonable in the circumstances’ to keep personal information secure.

The introduction of APP 11.3, modelled on the GDPR, clarifies that ‘reasonable steps’ to protect information include ‘technical and organisational measures’. The message is that firewalls alone no longer discharge the duty. IT security is not solely a technical problem; organisations can no longer rely on it to protect personal information. Documented staff training, internal policies and governance procedures are now part of the legal standard, and their absence is part of the liability analysis after a breach. Consequently, a gap is created between an organisation’s privacy and cyber defences. However, this gap is necessary, as modern-day cyberattacks are increasingly capable, utilising both technical attacks and social engineering.

Children

Companies providing services to children will face an even greater upcoming regulatory challenge. As part of the reforms brought by the Privacy and Other Legislation Amendment Act 2024, the OAIC is developing the Children’s Online Privacy Code (Code), which will be registered by 10 December 2026. This will bind social media and designated internet services, and potentially education technology service providers, wearables, and smart toys that are likely to be accessed by under-18s. Any business with a plausibly child-facing digital product should be watching the current consultation.

Tranche two: reforming the concept itself

A bigger development in privacy is expected to be contained in the tranche 2 reforms, which the Attorney-General confirmed in February 2026 is being progressed without a timetable, despite public criticism from the Productivity Commission.

The below highlights three tranche two reforms that are highly probable and would lead to significant commercial impacts.

The “fair and reasonable” test

The centrepiece: collection, use and disclosure would need to be fair and reasonable regardless of consent. The Privacy Commissioner has framed this as moving Australia toward the GDPR while taking an innovative step beyond it, deliberately departing from the consent-based model.

It is quietly radical. It concedes that tick-boxes cannot carry the moral weight the current law places on them, because no individual can meaningfully police an ecosystem built to extract data. Commercially, it converts privacy from a documentation exercise into a design constraint: business models resting on technically consented-to but unreasonable practices would need substantive redesign, not merely be re-papered.

Redefining “personal information”, and the IoT problem

Tranche two may expand the definition of ‘personal information’ within the Privacy Act 1988 (Cth) from information ‘about’ an individual to information that ‘relates to’ one. The commercial impact from this will be broad as the new definition would expand the perimeter of the entire Act, capturing online identifiers, IP addresses, and much of the data the inference economy runs on. Evidence of this reform is already observable in recent cases.

In determinations against Monash IVF and Medmate in June 2026, the Privacy Commissioner held that a person can be “reasonably identifiable” under the current definition where information enables “individuation”: singling someone out from others in a way that affects their rights or interests, even if their identity is never known. On that reasoning, health websites using third-party tracking pixels were found to have collected sensitive information without consent, and hashing the data was no answer. The interpretation is novel and may be appealed, which is precisely the case for statutory reform: tranche two would write into the Act what the regulator is currently achieving through contested interpretation.

The other live illustration is the Internet of Things. Under the existing definition, whether a connected vehicle’s driving data is about the device or the individual is debatable, and manufacturers have used that ambiguity to argue the Privacy Act does not apply. The Commissioner has made clear she expects IoT data to be treated as personal information under current law, with informed consent for secondary uses such as insurance pricing, and in early 2026 the OAIC opened investigations into two carmakers over their data collection and handling practices. The proposed redefinition would settle these arguments.

The exemptions

The small business exemption currently keeps organisations with annual turnover of $3 million or less outside the Act, subject to long-standing carve-ins for health service providers, businesses that trade in personal information, and Commonwealth contractors. The government agreed in principle to remove it, conditional on an impact analysis and support for transition, while the Productivity Commission has objected on compliance-cost grounds. That is the live tension. But two pressures point toward removal. The exemption is a key gap between Australian law and the GDPR, complicating any future EU adequacy assessment.

The OAIC is already reading it narrowly (in ALI and ALJ [2024], only actions with an “absolute, exact or precise connection” to the employment relationship qualified), the tort already bypasses it, and AI-driven workplace surveillance is a stated policy concern.

What businesses should do now

Build for the destination, not the current milestone.

  • Audit the privacy policy now. The OAIC’s sweep shows the cheapest enforcement target is a stale policy. Check APP 1.3/1.4 compliance, collection statements, and direct-marketing opt-outs.
  • Inventory automated decision-making before December 2026. Map every system, including legacy and procured tools, that makes or substantially supports decisions significantly affecting individuals, then draft the APP 1.7 disclosures.
  • Uplift organisational measures under APP 11.3. Documented, regularly reviewed staff training; incident response procedures; governance policies. Technical controls alone no longer suffice.
  • Assess tort exposure. Review monitoring, tracking and data-monetisation practices (the tort’s real target), and treat ignored security warnings as a litigation risk rather than just an IT ticket.
  • Design for tranche two. Minimise collection, justify retention, treat inferred and device data as regulated data, and stress-test business models against a “fair and reasonable” standard.

The deeper point is philosophical, but its consequences are commercial. Australia’s reform project is a live test of whether privacy law can evolve from protecting secrets to governing power: the power that flows from what organisations can infer, predict, and decide about us. Tranche one proved Parliament can strengthen the old model. Whether it can replace it is the question tranche two will answer, and businesses would be wise not to bet on the status quo.

Published by

Victor Lin

Victor Lin

Current USYD Student, Aspiring Legal and Technology Professional

Victor is a student at the University of Sydney, with over three years of experience in paralegal roles at leading law firms, experiences in tech consulting, and entrepreneurship within various tech startups.

Comments