When this article was first published in October 2023, the Australian Government had just released its Response to the Privacy Act Review Report, agreeing or agreeing in principle to most of the Report's 116 proposals. Two and a half years on, the reform program has moved from response to legislation in part. Tranche 1 is law. Tranche 2 has been promised by the Attorney-General but no Bill has been introduced. This update sets out what has actually changed, what is in force when, and what businesses should be doing now.
Working with personal data, launching a platform, or expanding globally? Our Cyber and Data Privacy lawyers can scope your compliance position under the amended Privacy Act and the Tranche 2 reforms to come.
The Privacy and Other Legislation Amendment Act 2024 (Cth) received Royal Assent on 10 December 2024 as Act No. 128 of 2024. It implements 23 of the proposals from the Government's September 2023 Response. Most provisions commenced on 11 December 2024, with two key delayed commencements: the new statutory tort (10 June 2025) and the automated decision-making transparency requirements (10 December 2026).
For the first time in Australian law, individuals have a personal right to sue for serious invasions of privacy. Under Schedule 2 of the Amendment Act, an individual has a cause of action where another party has either intruded upon the plaintiff's seclusion or misused information relating to the plaintiff, the invasion was serious, the plaintiff had a reasonable expectation of privacy, and the public interest in privacy outweighs any countervailing public interest such as freedom of expression or media reporting. Remedies include damages (capped), injunctions, and apologies. The tort commenced on 10 June 2025.
This is a structural shift. Until 10 June 2025, Australian privacy enforcement relied on the OAIC. Now an individual can take direct action regardless of whether the OAIC chooses to act. Exemptions cover journalists, law enforcement, intelligence agencies, and certain agencies acting in good faith.
The OAIC now has a substantially expanded toolkit. There are three tiers of civil penalty for organisations under the amended s 13G and the new mid-tier and infringement notice provisions.
Low tier (administrative breaches, e.g. failing to maintain a compliant privacy policy under APP 1.3): up to 1,000 penalty units (approximately AUD 330,000 at current penalty unit rates), issued by the OAIC directly on an infringement notice.
Mid tier (interferences with privacy that are not 'serious'): up to 10,000 penalty units (approximately AUD 3.3 million), imposed by the Federal Court.
High tier (serious interferences with privacy): up to the greater of AUD 50 million, three times the benefit obtained, or 30 per cent of adjusted turnover for the relevant period.
The OAIC also has new compliance notice powers, expanded investigation powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth), and the power to conduct public inquiries with Ministerial direction or approval.
The Amendment Act requires the OAIC to develop and register a Children's Online Privacy Code by 10 December 2026. The Code will apply to APP entities that provide online services likely to be accessed by children (under 18), including social media services and 'designated internet services' under the Online Safety Act 2021 (Cth). On 31 March 2026, the OAIC released its Exposure Draft for consultation, with submissions closing 5 June 2026.
The Code is being modelled in part on the UK ICO's Age Appropriate Design Code. Businesses that build products children might reasonably access should be aligning now.
From 10 December 2026, APP entities must update their privacy policies to disclose the use of computer programs that make, or substantially and directly assist in making, decisions that could reasonably be expected to significantly affect an individual's rights or interests. The new APP 1.7 sets out the required disclosures. 'Computer program' is intentionally broad and is not limited to AI or machine learning; rule-based logic and traditional algorithms are captured.
Failure to comply will be enforceable via the new infringement notice and civil penalty regime.
The Amendment Act introduces a new mechanism allowing the Minister to prescribe countries or binding schemes whose laws provide substantially similar protection to the APPs. Disclosures to recipients in prescribed jurisdictions will satisfy APP 8.1 without case-by-case adequacy assessment. As at May 2026, no countries have been prescribed, so the existing APP 8 obligations remain in practical effect for cross-border disclosures.
APP 11.1 now expressly requires that 'reasonable steps' to protect personal information include both technical and organisational measures. This aligns the wording with Article 32 of the GDPR and signals that documented information security governance is now part of the compliance baseline, rather than something to point to only in mitigation.
Schedule 3 of the Amendment Act introduces new offences in the Criminal Code Act 1995 (Cth) targeting the release of personal data using a carriage service in a manner that would be menacing or harassing. The provisions came into force on 11 December 2024.
The Attorney-General, the Hon Michelle Rowland MP, confirmed in February 2026 Senate estimates that the Government is 'progressing' a Tranche 2 Bill. No timetable has been announced. The Productivity Commission has been publicly critical of several Tranche 2 proposals, which may affect the Bill's final shape.
Items understood to be in scope for Tranche 2 include:
- a new 'fair and reasonable' requirement for the collection, use, and disclosure of personal information regardless of consent;
- removal of the small business exemption (currently applying to most APP entities with annual turnover of AUD 3 million or less);
- reform or removal of the employee records exemption (s 7B(3) of the Privacy Act);
- a right to erasure for individuals;
- expansion of the definition of 'personal information' from 'about' to 'relates to' an individual, capturing online identifiers and IP addresses; and
- a 'senior privacy responsibility' obligation in line with the GDPR's DPO concept.
Separately from the Privacy Act Tranche 2, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) extends AML/CTF obligations to real estate professionals, lawyers, conveyancers, accountants, trust and company service providers, and dealers in precious metals and stones from 1 July 2026. The OAIC estimates more than 100,000 small businesses will become Privacy Act-covered reporting entities under these changes, regardless of whether they fall within the small business exemption for other purposes.
If your firm provides any of these designated services, the Privacy Act will start applying to your AML/CTF data handling from 1 July 2026 even if your turnover is under AUD 3 million.
Tranche 1 has narrowed several gaps. The technical and organisational measures language in APP 11.1 mirrors Article 32. The automated decision-making transparency requirements echo (but do not match) Article 22. The penalty ceiling for serious interferences is now close to GDPR scale.
Gaps that remain include:
- no standalone right to erasure (Article 17 GDPR);
- no right not to be subject to a decision based solely on automated processing (Article 22 GDPR proper): Australia's regime is transparency-based, whereas the GDPR's is rights-based;
- no mandatory DPO appointment (Article 37 GDPR);
- the 30-day data breach assessment timeframe under Part IIIC of the Privacy Act remains in force, and the 72-hour notification standard from Article 33 GDPR was an 'agreed in principle' Tranche 2 proposal that has not been legislated; and
- the small business exemption and employee records exemption remain in place, subject to the AML/CTF carve-out from 1 July 2026 and the narrowing OAIC interpretation in ALI and ALJ (Privacy) [2024] AICmr 131.
Tranche 1 is in force. Privacy policies and information governance frameworks need to be current with the new law, not the 2023 proposals. Specifically:
1. Update your privacy policy now to reflect any current use of automated decision-making. The 10 December 2026 deadline applies prospectively to all such decisions, including those made by programs deployed before that date.
2. Document your technical and organisational measures under APP 11.1; generic 'we take security seriously' language is not enough.
3. Review your overseas disclosure stack against APP 8 and the existing accountability regime, and wait on prescribed jurisdictions before relying on the whitelist.
4. If you provide AML/CTF designated services, scope your Privacy Act obligations now ahead of 1 July 2026.
5. If your business reaches children or could reasonably be accessed by them, engage with the Children's Online Privacy Code consultation and align with the UK Age Appropriate Design Code in the interim.
6. Watch the statutory tort: even before the OAIC takes interest, an aggrieved individual can sue.
Australian privacy law has moved decisively. The 'agreed proposals' of 2023 are no longer the operative framework. Tranche 1 is law, Tranche 2 is coming, and the enforcement posture has changed. Book a call with our team to scope a privacy uplift, review your policies, or test your exposure to the new statutory tort.
For a broader cross-border view, see our global data protection cheat sheet.