Australia's Privacy Act was written in 1988—before the internet, before social media, before the data economy. For decades, it's been a patchwork of incremental fixes that left glaring gaps: a small business exemption that shields 95% of Australian businesses from privacy obligations, no direct right to sue for privacy violations, and enforcement mechanisms that are slow, reactive, and under-resourced.
That's changing. The Attorney-General's Privacy Act Review Report, released in 2023, proposed 116 reforms. In December 2024, Parliament passed the first tranche of amendments—23 reforms that fundamentally reshape Australia's privacy landscape. The second tranche, expected in 2025-2026, will bring even more disruptive changes: the removal of the small business exemption, a new definition of personal information, and a "fair and reasonable" test that shifts the compliance burden squarely onto businesses.
If you operate in Australia—or process data of Australian residents—here's what you need to know about the Privacy Act reform, what's already changed, and how to prepare for what's coming.
The Privacy Act 1988: Why Reform Is Overdue
The Privacy Act has been the foundation of Australian privacy law for over 35 years, but it was designed for a pre-digital world. Key limitations include:
- Small business exemption: Businesses with annual turnover under AUD $3 million are exempt from the Privacy Act entirely. This exempts an estimated 95% of Australian businesses, leaving consumers with no privacy protections when dealing with most companies.
- No direct right to sue: Individuals cannot take businesses to court for privacy violations—they must lodge a complaint with the Office of the Australian Information Commissioner (OAIC), which can investigate but cannot award damages.
- Narrow definition of personal information: The current definition doesn't clearly cover inferred data, algorithmic profiles, or certain types of technical identifiers.
- Limited penalties: Until 2022, penalties were capped at AUD $2.22 million per violation. The Privacy Legislation Amendment Act 2022 increased penalties to AUD $50 million, 3x the benefit obtained, or 30% of adjusted turnover (whichever is greater)—a dramatic increase, but enforcement remains slow and complaint-driven.
- No mandatory privacy-by-design or data minimization: The Privacy Act includes broad Australian Privacy Principles (APPs), but it lacks explicit requirements for privacy-by-design, data minimization, or privacy impact assessments.
The Attorney-General's Privacy Act Review: 116 Proposals for Reform
In 2023, the Attorney-General's Department released a comprehensive review of the Privacy Act, proposing 116 reforms across eight themes:
- Strengthening privacy protections (expanded rights, stricter consent standards, data minimization)
- Empowering individuals (direct right to sue, stronger access rights, automated decision-making transparency)
- Enhancing OAIC enforcement powers (binding directions, infringement notices, proactive investigations)
- Modernizing definitions (broader definition of personal information, clearer treatment of inferred and de-identified data)
- Addressing emerging technologies (AI transparency, automated decision-making, biometric data safeguards)
- Removing exemptions (small business exemption, employee records exemption, political parties exemption)
- Harmonizing with international standards (GDPR-style accountability, data breach notification reforms)
- Creating a statutory tort of privacy (allowing individuals to sue for serious invasions of privacy)
The government's response: phased implementation. Tranche 1 (December 2024) addressed 23 reforms. Tranche 2 (expected 2025-2026) will address the most significant and contentious changes.
Tranche 1: What's Already Changed (December 2024)
The Privacy and Other Legislation Amendment Act 2024 passed in December 2024, implementing 23 reforms. Key changes include:
1. Statutory Tort of Privacy
What it is: Individuals can now sue organizations (and individuals) in court for serious invasions of privacy. This is a direct legal remedy—no need to lodge a complaint with the OAIC and wait for an investigation.
What qualifies as a "serious invasion of privacy":
- Unlawful disclosure of sensitive personal information (health records, financial data, biometric data)
- Intrusion into an individual's private affairs (surveillance, stalking, doxxing)
- Misuse of private information in a way that causes significant distress, harm, or humiliation
Why this matters: Until now, the only remedy for privacy violations was a regulatory complaint to the OAIC, which could take years to resolve and rarely resulted in compensation. The tort allows individuals to seek damages, injunctions, and public accountability through the courts.
Defenses: Consent, public interest, lawful authority, and reasonable conduct in the circumstances.
Practical impact: Businesses face a new litigation risk. A data breach, an unauthorized disclosure, or even aggressive marketing practices could trigger tort claims. This fundamentally changes the risk calculus for privacy violations.
2. Anti-Doxxing Offences
What it is: New criminal offences prohibit "doxxing"—the malicious publication of personal information with the intent to cause harm (physical, psychological, financial, or reputational).
Penalties: Up to 7 years' imprisonment for individuals who intentionally dox someone, and up to 3 years' imprisonment for corporations that fail to remove doxxing content after being notified.
Why this matters: Doxxing has become a common harassment tactic, particularly against journalists, activists, and public figures. The new offences provide law enforcement with tools to prosecute offenders and hold platforms accountable.
3. Tiered Civil Penalty Regime
What it is: A new tiered penalty structure that increases fines for repeat offenders and serious violations.
Penalty tiers:
- Tier 1 (serious breaches): Repeat violations, systemic non-compliance, breaches involving large-scale or sensitive data—penalties up to the maximum (AUD $50 million, 3x benefit, or 30% of turnover).
- Tier 2 (moderate breaches): First-time violations, limited harm, technical non-compliance—penalties at the mid-range.
- Tier 3 (minor breaches): Procedural violations, good-faith errors, prompt remediation—penalties at the lower end.
Why this matters: The OAIC now has clearer guidance on penalty calculation, which should result in more consistent enforcement and higher penalties for egregious violations.
4. Children's Privacy Code
What it is: The OAIC is developing a Children's Privacy Code that will impose heightened obligations on organizations that collect, use, or disclose children's personal information.
Expected requirements:
- Enhanced consent mechanisms (parental consent for children under 13, age verification)
- Data minimization (collect only what's necessary, no profiling for marketing)
- Stronger security safeguards (encryption, access controls, breach notification)
- Transparency (clear, age-appropriate privacy notices)
Why this matters: Australia has historically lagged behind the EU (GDPR's age-of-consent provisions) and the US (COPPA) in children's privacy protections. The Children's Privacy Code will bring Australia closer to international standards.
5. Automated Decision-Making Transparency
What it is: Organizations must disclose when they use automated decision-making (including AI and algorithms) to make decisions that significantly affect individuals.
What you must disclose:
- The fact that automated decision-making is used
- The logic or criteria used to make the decision
- The consequences of the decision for the individual
Effective date: December 2026 (giving businesses two years to implement).
Why this matters: This aligns Australia with the GDPR's Article 22 (right to explanation for automated decisions) and addresses growing concerns about algorithmic bias, opaque AI systems, and lack of accountability in automated decision-making.
Practical challenge: Many organizations use complex machine learning models that are difficult to explain. "The algorithm decided" is not a compliant explanation. You'll need to invest in explainable AI (XAI) or human-in-the-loop review processes.
Tranche 2: What's Coming (Expected 2025-2026)
Attorney-General Michelle Rowland confirmed that a second set of reforms is currently being prepared for cabinet approval. Tranche 2 will address the most significant and contentious reforms, including:
1. Removal of the Small Business Exemption
Current rule: Businesses with annual turnover under AUD $3 million are exempt from the Privacy Act (with narrow exceptions for health service providers and certain data types).
Proposed change: The small business exemption will be scrapped, meaning all businesses that collect personal information will be subject to the Privacy Act, regardless of size.
Why this matters: This is the single most disruptive reform. An estimated 95% of Australian businesses currently operate outside the Privacy Act. When the exemption is removed, sole traders, startups, family-owned businesses, and boutique consultancies will all face the same privacy obligations as multinational corporations.
What this means for small businesses:
- You'll need to draft and publish a privacy policy
- You'll need to implement data security safeguards (encryption, access controls, breach detection)
- You'll need to respond to access and correction requests from individuals
- You'll need to notify the OAIC and affected individuals of data breaches
- You'll face potential penalties (up to AUD $50 million) for non-compliance
Government response: The government has signaled it will provide guidance, templates, and transitional support to help small businesses comply. However, the timeline for implementation remains uncertain. Expect at least a 12-24 month transition period once the reform is legislated.
What to do now: Even if you're exempt today, start building privacy practices. Conduct a data audit, draft a privacy policy, implement basic security measures (password protection, encryption, access logs). When the exemption is removed, you'll be ahead of the curve.
2. Expanded Definition of Personal Information
Current definition: "Information or an opinion about an identified individual, or an individual who is reasonably identifiable."
Proposed change: Broaden the definition to explicitly cover:
- Inferred data: Data derived from other data (e.g., predictive scores, algorithmic profiles)
- Technical identifiers: Device IDs, IP addresses, cookies, and other identifiers that enable tracking
- De-identified data that can be re-identified: Data that has been de-identified but can be re-identified with reasonable effort
Why this matters: The current definition is narrow and ambiguous, particularly for modern data practices like behavioral tracking, algorithmic profiling, and pseudonymization. The expanded definition will clarify that inferred data and technical identifiers are personal information—bringing Australia in line with the GDPR and CCPA.
Practical impact: More data will be subject to the Privacy Act's obligations. If you collect IP addresses, device IDs, or generate predictive scores, you'll need to treat that data as personal information.
3. "Fair and Reasonable" Test
What it is: A new requirement that organizations' collection, use, and disclosure of personal information must be "fair and reasonable" in the circumstances.
How it's assessed: The OAIC will consider:
- Whether the individual would reasonably expect the collection, use, or disclosure
- The sensitivity of the information
- The potential impact on the individual (harm, privacy intrusion, power imbalance)
- Whether less intrusive alternatives exist
Why this matters: This shifts the burden from the individual (to prove harm) to the organization (to prove fairness). Even if you have consent, if the OAIC determines your practices are "unfair" or "unreasonable," you're non-compliant.
Practical examples of "unfair" practices:
- Collecting excessive data "just in case" (data minimization failure)
- Using personal information for purposes unrelated to the original collection (purpose creep)
- Dark patterns that manipulate users into consenting (deceptive design)
- Profiling or automated decision-making that disadvantages vulnerable individuals
This is a GDPR-style "accountability principle." You must be able to justify every data practice as fair and reasonable—not just technically compliant.
4. Mandatory Privacy-by-Design and Privacy-by-Default
What it is: Organizations must implement privacy protections at the design stage of systems, products, and processes—not as an afterthought.
Key requirements:
- Data minimization: Collect only what you need, retain only as long as necessary.
- Default settings: Privacy-protective settings must be the default (e.g., opt-in for marketing, not opt-out).
- Security safeguards: Encryption, access controls, and breach detection must be built in from the start.
Why this matters: This mirrors GDPR Article 25 (data protection by design and by default) and shifts privacy from a compliance checkbox to an engineering requirement.
Practical impact: Privacy officers and legal teams must be involved in product development, system design, and vendor selection. Post-launch retrofits are expensive and often insufficient.
5. Enhanced Data Subject Rights
Proposed enhancements:
- Right to object: Individuals can object to certain uses of their personal information (e.g., direct marketing, profiling), similar to GDPR Article 21.
- Right to erasure: Stronger "right to be forgotten"—individuals can request deletion of personal information in broader circumstances (no longer needed, consent withdrawn, unlawfully processed).
- Portability: Individuals can request their personal information in a structured, machine-readable format (similar to GDPR Article 20).
Why this matters: Australia's current access and correction rights are narrower than those under the GDPR and CCPA. The enhanced rights align Australia with international standards and increase the operational burden for businesses.
Practical challenge: You'll need systems to:
- Locate all personal information about an individual (across databases, backups, third-party processors)
- Export data in machine-readable formats (CSV, JSON)
- Delete data upon request (with exceptions for legal obligations)
- Track and honor objection requests (e.g., suppress individuals from marketing lists)
6. Privacy Impact Assessments (PIAs) for High-Risk Processing
What it is: Mandatory PIAs for processing activities that pose high privacy risks (e.g., large-scale profiling, biometric data, children's data, sensitive data, AI-driven decisions).
What a PIA must include:
- Description of the processing activity and its purpose
- Assessment of privacy risks to individuals
- Measures to mitigate those risks (technical safeguards, access controls, data minimization)
- Consultation with stakeholders (including individuals, if appropriate)
Why this matters: This is a GDPR-style Data Protection Impact Assessment (DPIA) requirement. It forces organizations to proactively assess and mitigate privacy risks before launching new systems or processing activities.
Practical impact: PIAs must be conducted before launching new products, systems, or data processing activities. Retroactively conducting PIAs for existing systems may reveal compliance gaps that require costly remediation.
7. Strengthening OAIC Enforcement Powers
Proposed enhancements:
- Binding directions: The OAIC can issue binding orders (not just recommendations) requiring organizations to take specific actions (e.g., delete data, revise policies, implement safeguards).
- Infringement notices: The OAIC can issue on-the-spot fines for minor violations without a full investigation.
- Proactive investigations: The OAIC can initiate investigations without waiting for a complaint—allowing it to investigate systemic issues, emerging technologies, or high-risk sectors.
Why this matters: The OAIC has historically been under-resourced and reactive. These reforms empower the OAIC to be proactive, issue faster penalties, and enforce more aggressively.
Practical impact: The risk of OAIC investigation increases—even without a complaint. Regular privacy audits and proactive compliance are now essential.
What to Do Now: Preparing for Tranche 2
The second tranche of reforms is still being finalized, but you can start preparing today:
1. Audit Your Data
Conduct a comprehensive data inventory:
- What personal information do you collect? (Names, emails, phone numbers, IP addresses, device IDs, inferred data)
- Where is it stored? (Databases, CRM systems, analytics platforms, third-party processors)
- How is it used? (Marketing, analytics, profiling, automated decisions)
- Who has access? (Employees, contractors, third-party vendors)
- How long is it retained? (Retention policies, deletion schedules)
Use a Data Inventory tool to document your findings. This will be essential for PIAs, DSAR responses, and demonstrating compliance with the "fair and reasonable" test.
2. Implement Privacy-by-Design
Integrate privacy into your product development, system design, and vendor selection processes:
- Involve privacy officers and legal teams in design reviews
- Apply data minimization principles (collect only what you need)
- Use default settings that are privacy-protective (opt-in, not opt-out)
- Implement security safeguards from day one (encryption, access controls, breach detection)
3. Prepare for Enhanced Data Subject Rights
Build systems to respond to:
- Access requests: Locate and export all personal information about an individual (a 30-day deadline is typical)
- Correction requests: Update inaccurate or incomplete data
- Erasure requests: Delete data when no longer needed or when consent is withdrawn
- Objection requests: Suppress individuals from marketing lists, profiling, or automated decision-making
- Portability requests: Export data in structured, machine-readable formats (CSV, JSON)
Use our Australia DSAR calculator to track response deadlines and ensure compliance with the Privacy Act's timelines.
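The two steps above (the data inventory and the systems for access, correction, erasure, objection and portability requests) fit together: a request can only be answered completely if every system holding the individual's data is known. The following is an added example, not code from the article or from any tool it mentions, showing one way to tie an inventory to a request register. The systems (`crm`, `billing`, `analytics`), the records for subject `u42`, and the legal-hold flag on billing data are all constructed; the 30-day deadline is the figure the article gives.

```python
# Added example (not from the article): a minimal data-subject-request register
# driven by a data inventory. All systems, fields and records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
import json

RESPONSE_DAYS = 30  # the article's "30-day deadline is typical"

# Constructed inventory: each system that holds personal information, the fields
# it holds, and whether a legal obligation (e.g. record keeping) blocks erasure.
INVENTORY = {
    "crm":       {"fields": ["name", "email", "phone"],                 "legal_hold": False},
    "billing":   {"fields": ["name", "invoice_history"],                "legal_hold": True},
    "analytics": {"fields": ["device_id", "ip_address", "churn_score"], "legal_hold": False},
}

# Constructed sample data, keyed by system and then by subject id.
STORES = {
    "crm":       {"u42": {"name": "A. Example", "email": "a@example.invalid", "phone": "+61 400 000 000"}},
    "billing":   {"u42": {"name": "A. Example", "invoice_history": ["INV-0001", "INV-0002"]}},
    "analytics": {"u42": {"device_id": "dev-7f3a", "ip_address": "203.0.113.7", "churn_score": 0.82}},
}

# Objections land here; every marketing send or scoring run must consult it first.
SUPPRESSION = {"marketing": set(), "profiling": set()}


@dataclass
class Request:
    subject_id: str
    kind: str            # access | portability | correction | erasure | objection
    received: date
    detail: dict = field(default_factory=dict)

    @property
    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)


def new_request(subject_id, kind, received_iso, **detail):
    return Request(subject_id, kind, date.fromisoformat(received_iso), detail)


def locate(subject_id):
    """Access: walk every inventoried system so no copy of the data is missed."""
    return {sys: STORES[sys][subject_id]
            for sys in INVENTORY if subject_id in STORES.get(sys, {})}


def export_portable(subject_id) -> str:
    """Portability: a structured, machine-readable (JSON) copy of everything held."""
    return json.dumps({"subject_id": subject_id, "data": locate(subject_id)},
                      indent=2, sort_keys=True)


def correct(subject_id, field_name, new_value):
    """Correction: update the field in every system that holds it."""
    updated = []
    for sys in locate(subject_id):
        if field_name in STORES[sys][subject_id]:
            STORES[sys][subject_id][field_name] = new_value
            updated.append(sys)
    return sorted(updated)


def erase(subject_id):
    """Erasure: delete where permitted; record where a legal hold forces retention."""
    result = {"deleted": [], "retained_legal_hold": []}
    for sys, meta in INVENTORY.items():
        if subject_id not in STORES.get(sys, {}):
            continue
        if meta["legal_hold"]:
            result["retained_legal_hold"].append(sys)
        else:
            del STORES[sys][subject_id]
            result["deleted"].append(sys)
    return result


def object_to(subject_id, purpose):
    """Objection: add the individual to the suppression list for that purpose."""
    SUPPRESSION[purpose].add(subject_id)
    return sorted(SUPPRESSION[purpose])


def may_process(subject_id, purpose) -> bool:
    """Gate to call before any marketing or profiling run."""
    return subject_id not in SUPPRESSION.get(purpose, set())


def handle(req: Request):
    """Dispatch one request and return an auditable outcome record with its deadline."""
    handlers = {
        "access":      lambda: locate(req.subject_id),
        "portability": lambda: export_portable(req.subject_id),
        "correction":  lambda: correct(req.subject_id, req.detail["field"], req.detail["value"]),
        "erasure":     lambda: erase(req.subject_id),
        "objection":   lambda: object_to(req.subject_id, req.detail["purpose"]),
    }
    return {"kind": req.kind, "due": req.due.isoformat(), "outcome": handlers[req.kind]()}


if __name__ == "__main__":
    print(json.dumps(handle(new_request("u42", "access", "2026-01-05")), indent=2))
```

The design point is that `locate` is driven by the inventory rather than by a hard-coded list of databases, so a system added to the inventory during the data audit is automatically covered by access, correction and erasure handling, and `erase` reports what it could not delete and why rather than silently skipping it.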
4. Draft Clear, Accessible Privacy Policies
Your privacy policy must explain:
- What personal information you collect and why
- How you use and disclose that information
- Who has access (employees, contractors, third-party processors)
- How individuals can access, correct, or delete their information
- How to lodge a complaint
Use plain language. Avoid legal jargon and use layered notices (summary + full policy) for ease of understanding.
5. Implement Security Safeguards
Security is a core Privacy Act obligation (APP 11). Implement technical, physical, and organizational safeguards appropriate to the sensitivity of data:
- Encryption: Encrypt data at rest and in transit (AES-256, TLS 1.3)
- Access controls: Role-based access, multi-factor authentication, least-privilege principles
- Breach detection: Monitoring, logging, and alerting for unauthorized access
- Incident response: Pre-approved breach notification templates, escalation procedures, tabletop exercises
6. Prepare for Automated Decision-Making Transparency (December 2026 Deadline)
If you use AI, algorithms, or automated systems to make decisions that significantly affect individuals (credit scoring, hiring, pricing, insurance), you must:
- Identify all automated decision-making systems in use
- Document the logic, criteria, and data sources for each system
- Draft explanations that are clear and understandable (no "the algorithm decided" cop-outs)
- Implement human-in-the-loop review for high-stakes decisions (if appropriate)
Test your explanations with non-technical stakeholders. If they can't understand your explanation, neither can your customers—or the OAIC.
7. Monitor Regulatory Developments
Privacy law is changing faster than ever. Subscribe to updates from:
- OAIC: Guidance, investigation summaries, enforcement actions
- Attorney-General's Department: Consultation papers, draft legislation, reform timelines
- Industry associations: Privacy-specific resources and compliance tools
Join a privacy community (IAPP, privacy officer networks, industry forums) to share knowledge and stay ahead of changes.
The Broader Context: Australia's Privacy Act and International Standards
Australia's Privacy Act reform is part of a global trend toward stronger privacy protections. Here's how Australia compares to international standards:
| Feature | Australia (Post-Reform) | GDPR | CCPA |
|---|---|---|---|
| Max Penalty | AUD $50M or 30% turnover | €20M or 4% revenue | $7,500/violation |
| Small Business Exemption | Removed (Tranche 2) | None | Threshold: $25M revenue or 100K consumers |
| Direct Right to Sue | Yes (tort of privacy) | Yes (under certain circumstances) | Yes (private right of action for breaches) |
| Privacy Impact Assessments | Mandatory for high-risk (Tranche 2) | Mandatory for high-risk (DPIA) | No general requirement |
| Automated Decision Transparency | Mandatory (Dec 2026) | Mandatory (Article 22) | No general requirement |
| Data Minimization | "Fair and reasonable" test (Tranche 2) | Explicit principle (Article 5) | Implicit in "reasonably necessary" |
| Breach Notification | Mandatory (since 2018) | 72 hours to regulator | No mandatory requirement |
Key takeaway: Australia's reforms are GDPR-inspired but tailored to the Australian context. The removal of the small business exemption is unique and will have massive impact domestically.
For a broader view of how Asia-Pacific privacy laws compare, explore our regional compliance hub.
Key Takeaways
- Tranche 1 (December 2024) introduced 23 reforms: statutory tort of privacy, anti-doxxing offences, tiered penalties, Children's Privacy Code, and automated decision-making transparency (effective December 2026).
- Tranche 2 (expected 2025-2026) will address the most disruptive reforms: removal of the small business exemption, expanded definition of personal information, "fair and reasonable" test, mandatory privacy-by-design, enhanced data subject rights, and PIAs for high-risk processing.
- The small business exemption will be removed, meaning all businesses that collect personal information will be subject to the Privacy Act—regardless of size. This will impact 95% of Australian businesses.
- The statutory tort of privacy allows individuals to sue for serious invasions of privacy, creating a new litigation risk for businesses.
- The "fair and reasonable" test shifts the burden to businesses to justify every data practice as fair and reasonable—not just technically compliant.
- Automated decision-making transparency is mandatory by December 2026—invest in explainable AI and human-in-the-loop review processes now.
- Start preparing now: Audit your data, implement privacy-by-design, prepare for enhanced data subject rights, draft clear privacy policies, implement security safeguards, and monitor regulatory developments.
- Australia is aligning with GDPR and international standards, but the removal of the small business exemption is uniquely Australian—and uniquely disruptive.
Australia's Privacy Act reform is the most significant overhaul of privacy law in the country's history. Businesses that prepare proactively will have a competitive advantage. Those that wait will face costly retrofits, enforcement actions, and litigation risk.
Sources:
- Australia's New Privacy Laws Explained: What's Changing and What's Next for 2026
- Privacy Act Review Report | Attorney-General's Department
- The privacy law reforms finally passed in 2024 set the priorities for 2025
- Australian Government signals that small business exemption will be retained in any Privacy Act amendment
- Australia's next set of Privacy Act reforms will address innovation and protection