SecurityPolicy.com.au
Home/ Australia/ Law and Obligations/ Privacy Act reforms
Australia Law and Obligations Law Reviewed 2026-07-12

Privacy Act Reforms: What Australian Businesses Need to Know

$50m
fixed limb of the top-tier corporate civil penalty
$3.3m
middle-tier corporate maximum when reforms commenced
10 Jun 2025
statutory privacy tort commencement
10 Dec 2026
ADM transparency and Children's Code deadline
Why this guide exists

Australian businesses most often ask whether the small-business exemption still protects them, which reforms are already law, and whether the headline $50 million penalty applies to every breach. A high-demand question missing from the fixed 10 is how the reforms affect specific AI, analytics, advertising, identity-verification and customer-profiling systems.

What are the Privacy Act reforms, and do they apply to my business?

The reforms are a staged modernisation of the Privacy Act rather than one change commencing on one date. Parliament passed the first legislative tranche in November 2024, with most of its amendments commencing on 11 December 2024 and a statutory tort for serious invasions of privacy commencing on 10 June 2025. Existing Australian Privacy Principle obligations continue to apply to APP entities, while automated-decision-making transparency and the Children's Online Privacy Code have a legislated 10 December 2026 deadline. Most businesses with annual turnover of A$3 million or less remain exempt from the APP regime unless an exception applies, but the statutory tort is broader and can apply to people and entities that are not APP entities.

How this differs by situation
  • annual turnover over A$3m — The business is generally covered by the Privacy Act and APPs, subject to the Act's detailed entity and activity rules.
  • annual turnover of A$3m or less — The small-business exemption generally remains, but statutory exceptions, AML/CTF-connected activities and the privacy tort may still create obligations or exposure.
  • online service likely to be accessed by children — If the provider is an APP entity within the legislated service categories, it may become bound by the Children's Online Privacy Code from its registration by 10 December 2026.
  • person or business outside APP coverage — The statutory tort can still apply to an intentional or reckless serious invasion of privacy, subject to its elements and exemptions.
PUT THIS IN YOUR POLICY, EXACTLY

Privacy reform status. The Privacy Officer must maintain an obligations register that labels each requirement as IN FORCE, LEGISLATED BUT NOT YET COMMENCED, or PROPOSED. Before relying on the small-business exemption, the business must document its annual turnover, statutory exceptions, regulated activities and exposure to the statutory tort for serious invasions of privacy.

Who exactly is covered — thresholds and the small-business exemption?

The Privacy Act generally covers Australian Government agencies and private organisations with annual turnover of more than A$3 million. A business with turnover of A$3 million or less is generally a small business for Privacy Act purposes, but important exceptions include private health service providers, businesses trading in personal information, credit-reporting participants, Australian Government contracted service providers and businesses that have opted in. The 2024 first tranche did not remove the small-business exemption, and no legislation removing it had been introduced or enacted as at 12 July 2026. From 1 July 2026, however, new AML/CTF reporting entities can be covered for personal-information activities connected with their AML/CTF obligations even when they are small businesses, and the statutory tort remains relevant regardless of APP-entity status.

How this differs by situation
  • more than A$3m annual turnover — Generally covered by the Privacy Act as an organisation, subject to the Act's definitions and exemptions.
  • A$3m or less annual turnover — Generally eligible for the small-business exemption, but only after checking every statutory exception and regulated activity.
  • health, credit, personal-information trading or Commonwealth-contracted business — May be covered irrespective of the ordinary A$3 million threshold.
  • AML/CTF tranche 2 reporting entity from 1 July 2026 — Privacy Act obligations apply to activities for the purposes of or connected with AML/CTF duties, even where unrelated business activities remain exempt.
  • small business facing a serious-invasion claim — The APP small-business exemption does not itself exclude liability under the statutory tort.
PUT THIS IN YOUR POLICY, EXACTLY

Coverage assessment. At least annually, and before launching a new service, the business must document total annual turnover, all Privacy Act small-business exceptions, AML/CTF reporting-entity status, health and credit activities, personal-information trading, Commonwealth contracts and any voluntary opt-in. The APP exemption must not be treated as an exemption from the statutory tort for serious invasions of privacy.

What does it actually require me to do?

For businesses already covered by the Privacy Act, the reforms sit on top of the existing APP lifecycle: govern privacy, collect only permitted information, explain handling practices, control use and disclosure, maintain data quality, secure information and destroy or de-identify it when no longer needed unless retention is legally required. Since 11 December 2024, APP 11 expressly states that reasonable security steps include technical and organisational measures. Covered entities must assess suspected eligible data breaches and notify the OAIC and affected individuals when the NDB test is met. The statutory tort adds a separate need to avoid intentional or reckless serious intrusions on seclusion or misuse of information, even outside ordinary APP coverage. From 10 December 2026, relevant APP entities must add automated-decision-making information to privacy policies, while entities covered by the final Children's Online Privacy Code will also need to comply with that binding code.

How this differs by situation
  • current APP entity — Must continue complying with all applicable APPs and implement the first-tranche changes already in force.
  • automated decision-making user — Must identify programs that use personal information to make or substantially assist decisions with significant effects and prepare the required privacy-policy disclosures for 10 December 2026.
  • online service likely accessed by children — Must monitor final Code coverage and requirements rather than treating the 2026 exposure draft as the final legal text.
  • business outside APP coverage — Should still control intrusive surveillance and information misuse because the statutory tort may apply.
PUT THIS IN YOUR POLICY, EXACTLY

Personal information lifecycle. The business must identify each category of personal information, its collection purpose, lawful handling rule, authorised users and disclosures, storage location, security controls, retention authority and destruction or de-identification trigger. New systems must not collect or retain personal information merely because it may become useful later.

What are the deadlines and key commencement dates?

The first tranche received Royal Assent on 10 December 2024, and most amendments commenced on 11 December 2024. The statutory tort commenced on 10 June 2025. From 1 July 2026, new AML/CTF tranche 2 reporting entities became subject to Privacy Act obligations for AML/CTF-connected activities. Automated-decision-making privacy-policy obligations commence on 10 December 2026, and the Children's Online Privacy Code must also be registered and in place by that date. Separately, a covered entity that suspects an eligible data breach must take all reasonable steps to complete its assessment within 30 calendar days and must notify as soon as practicable once it reasonably believes an eligible breach occurred.

How this differs by situation
  • first-tranche reforms — Most commenced on 11 December 2024.
  • statutory privacy tort — Commenced on 10 June 2025.
  • new AML/CTF tranche 2 reporting entity — Privacy Act coverage for AML/CTF-connected activities applies from 1 July 2026.
  • automated-decision-making transparency — New APP privacy-policy requirements commence on 10 December 2026.
  • Children's Online Privacy Code — The final Code must be registered and in place by 10 December 2026.
  • suspected eligible data breach — Complete the assessment within 30 calendar days and notify as soon as practicable once the statutory test is met.
PUT THIS IN YOUR POLICY, EXACTLY

Privacy deadlines. The Privacy Officer must maintain a dated compliance calendar covering 11 December 2024 first-tranche duties, the 10 June 2025 statutory tort, 1 July 2026 AML/CTF-related coverage, and the 10 December 2026 ADM and Children's Code changes. Suspected eligible data breaches must be escalated immediately so the statutory 30-calendar-day assessment period is not treated as a target response time.

What are the penalties for getting it wrong?

The tiered civil-penalty structure commenced on 11 December 2024. For a serious interference with privacy by a body corporate, the maximum is the greatest of A$50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach turnover period; the A$50 million top-tier setting was originally introduced in 2022 and retained in the new tiered regime. The new middle tier is 10,000 penalty units for a body corporate, which equalled A$3.3 million when the reforms commenced, and the lower tier is 1,000 penalty units, which equalled A$330,000. Because the Commonwealth penalty unit increased from A$330 to A$364 on 1 July 2026, those indexed body-corporate maxima are now A$3.64 million and A$364,000. The statutory tort creates separate private-court exposure, including damages, injunctions, apologies, corrections and destruction or delivery-up orders.

How this differs by situation
  • serious interference with privacy — Corporate maximum is the greatest of A$50m, three times the attributable benefit, or 30% of adjusted turnover during the breach turnover period.
  • non-serious interference with privacy — Middle-tier maximum for a body corporate was A$3.3m at commencement and is A$3.64m from 1 July 2026.
  • specified administrative APP or NDB-statement breach — Lower-tier maximum for a body corporate was A$330,000 at commencement and is A$364,000 from 1 July 2026.
  • serious-invasion tort claim — This is private civil litigation rather than an OAIC penalty and can produce damages and non-monetary court orders.
PUT THIS IN YOUR POLICY, EXACTLY

Penalty escalation. Any suspected interference with privacy, non-compliant privacy policy, defective eligible-data-breach statement, failure to follow a compliance notice or potential serious invasion of privacy must be escalated immediately to the Privacy Officer and Legal Lead. Staff must not describe A$50 million as an automatic fine or assume that a lower-tier breach cannot lead to investigation, litigation, compensation, injunctions or reputational harm.

What's already in force vs what's still coming (tranche 2)?

Already in force are most first-tranche changes, including the tiered penalty regime, stronger OAIC tools, express recognition that APP 11 security includes technical and organisational measures, and the statutory tort. Privacy Act coverage for AML/CTF-connected activities of new tranche 2 reporting entities also began on 1 July 2026. Legislated but not yet commenced are the automated-decision-making privacy-policy provisions, and the final Children's Online Privacy Code must be in place by 10 December 2026. Still proposed rather than enacted are broader tranche 2 measures commonly associated with the Review, including possible removal or narrowing of the small-business and employee-record exemptions, a fair-and-reasonable handling test, expanded individual rights and further consent and governance reforms. The Attorney-General stated in February 2026 that the Government was progressing a second tranche, but no firm Bill-introduction or commencement timetable had been announced as at 12 July 2026.

How this differs by situation
  • IN FORCE — Most tranche 1 amendments, tiered penalties, APP 11.3, statutory tort and relevant AML/CTF-connected coverage.
  • LEGISLATED BUT NOT YET COMMENCED — Automated-decision-making transparency obligations and the binding Children's Online Privacy Code due on 10 December 2026.
  • PROPOSED / TRANCHE 2 — Potential exemption changes, fair-and-reasonable handling, expanded rights and other agreed-in-principle Review proposals remain subject to future legislation.
PUT THIS IN YOUR POLICY, EXACTLY

Proposal control. The business must not describe a Privacy Act Review proposal, government agreement in principle, consultation paper, exposure draft or expected tranche 2 measure as current law. Every compliance requirement must cite its current legislative source, commencement date and status.

What do I need to have in place to comply?

A covered business needs named privacy accountability, an accurate data inventory, a current privacy policy and collection notices, lawful collection and disclosure rules, retention and destruction controls, vendor oversight and evidence that technical and organisational security measures operate. It should maintain practical workflows for access, correction, complaints and data breaches rather than relying only on policy wording. A breach-response plan should identify decision-makers, evidence sources, affected information, remedial action, the 30-day assessment requirement and all parallel notification duties. Businesses should also inventory automated and AI-assisted decisions before 10 December 2026 and assess whether any services are likely to be accessed by children. All businesses, including exempt small businesses, should review surveillance, tracking, recording and information-use practices against the statutory tort.

How this differs by situation
  • APP entity — Needs a complete APP governance and evidence program, not only a website privacy policy.
  • small business relying on exemption — Should retain a documented coverage assessment and controls addressing the statutory tort, contracts, tax file numbers, AML/CTF and other applicable laws.
  • automated or AI-assisted decisions — Inventory programs, personal information used, decision types, human involvement, significant effects and third-party providers.
  • child-accessible online service — Assess likely Code coverage, age-related data flows and readiness while monitoring the final registered Code.
PUT THIS IN YOUR POLICY, EXACTLY

Minimum privacy controls. The business must maintain a privacy owner, coverage register, data inventory, current privacy policy and collection notices, approved use and disclosure rules, retention schedule, destruction or de-identification evidence, supplier controls, access and correction workflow, complaint process, security-control register, data-breach response plan, automated-decision inventory and child-accessible-service assessment.

How does it interact with the Cyber Security Act, NDB scheme and security duties?

Privacy and cyber obligations overlap but have different triggers. APP 11 imposes an ongoing duty on covered entities to take reasonable technical and organisational steps to secure personal information, while the NDB scheme requires assessment and notification when a personal-information breach is likely to cause serious harm. The Cyber Security Act's ransomware-payment regime is separate: a covered business reports a qualifying payment within 72 hours of paying or becoming aware of an on-behalf payment, whether or not the incident is an eligible Privacy Act data breach. Voluntary information sharing with ASD or the National Cyber Security Coordinator under limited-use protections does not discharge NDB or other regulator reporting duties. One incident may therefore start several clocks, and one report should never be assumed to satisfy all of them.

How this differs by situation
  • APP 11 — Ongoing security and information-destruction duty for information within Privacy Act coverage.
  • Notifiable Data Breaches scheme — Triggered by an eligible personal-information breach likely to cause serious harm, subject to remedial action and statutory exceptions.
  • Cyber Security Act ransomware payment report — Triggered by a qualifying payment by or on behalf of a covered reporting business, with a separate 72-hour clock.
  • limited-use information sharing — Protects specified voluntary information for restricted government uses but does not replace mandatory regulatory reports.
  • SOCI, APRA, ASX, state law, contract or insurer — May add separate incident, breach, disclosure or consent requirements.
PUT THIS IN YOUR POLICY, EXACTLY

Parallel reporting. For every cyber or data incident, the Incident Lead must assess APP 11, the NDB scheme, the Cyber Security Act, SOCI, sector regulation, contracts, insurance and State or Territory law separately. A report or voluntary disclosure to ASD, the National Cyber Security Coordinator, the OAIC or any other recipient does not satisfy another obligation unless that outcome is confirmed in writing.

The common mistakes and misconceptions?

The first mistake is treating every proposal in the Privacy Act Review as current law. The small-business exemption has not been generally removed, the Children's Code was still in draft consultation during 2026, and the broader tranche 2 package had no firm timetable as at 12 July 2026. Another mistake is treating A$50 million as an automatic or minimum fine; it is one limb of the maximum for a serious corporate interference, and the court determines the actual outcome. Businesses also confuse a published privacy policy with operational compliance, assume cyber tools alone satisfy privacy duties, or believe the statutory tort cannot affect an exempt small business. Finally, automated decision-making is broader than generative AI and can include rule-based or third-party computer programs that use personal information in decisions with significant effects.

How this differs by situation
  • Privacy Act Review proposal — Not binding until enacted and commenced.
  • small business under A$3m — Not automatically free of every privacy obligation, statutory exception, contract or tort exposure.
  • A$50m penalty — A maximum-calculation limb for serious corporate interference, not an automatic fine for every incident.
  • Children's Online Privacy Code — Legislated framework and deadline, but the exposure draft should not be mistaken for the final registered Code.
  • automated decision-making — Can involve rule-based systems and procured third-party programs, not only generative AI or fully autonomous decisions.
PUT THIS IN YOUR POLICY, EXACTLY

Accuracy rule. No employee or provider may describe a consultation proposal, exposure draft, expected tranche 2 reform or media summary as current law. Privacy statements must distinguish the APP regime, NDB scheme, statutory tort, future ADM disclosure duties and future Children's Code, and must cite the applicable source and commencement date.

What's my next step?

Common misconceptions

  • All Privacy Act Review proposals became law in December 2024. VERIFIED
  • The small-business exemption has already been removed for every Australian business. VERIFIED
  • A business with annual turnover of A$3 million or less can never be covered by the Privacy Act. VERIFIED
  • The small-business exemption prevents an individual from bringing a claim under the statutory tort for serious invasions of privacy. VERIFIED
  • Every privacy breach automatically attracts a A$50 million fine. VERIFIED
  • The A$3.3 million and A$330,000 corporate penalty amounts remain fixed despite changes to the Commonwealth penalty-unit value. VERIFIED
  • The draft Children's Online Privacy Code was already the final binding Code during its 2026 consultation. VERIFIED
  • Automated-decision-making transparency applies only to generative AI or decisions made with no human involvement. VERIFIED
  • A website privacy policy is sufficient evidence of full Privacy Act compliance. INFERRED
  • Reporting an incident to ASD under limited-use arrangements satisfies the Privacy Act's Notifiable Data Breaches scheme. VERIFIED
  • Tranche 2 has a confirmed Bill-introduction or commencement date. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
APP 1 privacy governance and privacy policy Office of the Australian Information Commissioner An organisation or agency is an APP entity covered by the Privacy Act. Ongoing; maintain implemented privacy practices, procedures and systems and a clearly expressed, up-to-date privacy policy. Specified privacy-policy contraventions can be subject to compliance notices, infringement notices and civil penalties under the tiered regime.
APP 11 security of personal information Office of the Australian Information Commissioner An APP entity holds personal information within the scope of the Privacy Act. Ongoing; APP 11.3's express reference to technical and organisational measures applies to information held from 2024-12-11. Depending on seriousness and the provision contravened, exposure can arise under the A$50 million top tier, the penalty-unit-based middle or lower tiers, compliance orders and compensation-related court orders.
Notifiable Data Breaches scheme Office of the Australian Information Commissioner A Privacy Act-covered entity suspects or reasonably believes that an eligible data breach involving information within its coverage has occurred. Take all reasonable steps to complete a suspected-breach assessment within 30 calendar days; notify the OAIC and affected individuals as soon as practicable once an eligible breach is established. A defective eligible-data-breach statement is a lower-tier civil-penalty provision; broader failures may also constitute an interference with privacy.
Tiered civil-penalty regime Office of the Australian Information Commissioner and the Federal Courts An entity contravenes the applicable serious-interference, interference-with-privacy or specified administrative civil-penalty provision. Applies to relevant acts or practices occurring from 2024-12-11. For a body corporate: top tier is the greatest of A$50 million, three times attributable benefit or 30% adjusted turnover; middle tier is 10,000 penalty units; lower tier is 1,000 penalty units. The latter two equalled A$3.3 million and A$330,000 at commencement and equal A$3.64 million and A$364,000 from 2026-07-01.
Statutory tort for serious invasions of privacy Federal Court, Federal Circuit and Family Court of Australia and other courts with jurisdiction A person intentionally or recklessly seriously invades another individual's privacy through intrusion upon seclusion or misuse of information, and the remaining statutory elements are met without an applicable defence or exemption. Applies from 2025-06-10. Proceedings generally must begin before the earlier of one year after awareness and three years after the invasion, subject to special rules and possible extension. Private remedies can include damages, injunctions, an account of profits, apology, correction, destruction or delivery-up of material and a declaration. Combined non-economic and exemplary or punitive damages are subject to the statutory cap.
Automated-decision-making privacy-policy transparency Office of the Australian Information Commissioner An APP entity arranges for a computer program to use personal information to make, or substantially and directly assist in making, decisions reasonably expected to significantly affect an individual's rights or interests. Commences on 2026-12-10 and applies to relevant decisions from that date regardless of when the arrangement began or information was acquired. Failure to include required information in an APP privacy policy can engage the Privacy Act's enforcement and civil-penalty framework.
Children's Online Privacy Code Office of the Australian Information Commissioner An APP entity falls within the final Code's covered online-service categories, including relevant social media, electronic or designated internet services likely to be accessed by children, or another prescribed class. The final Code must be registered and in place by 2026-12-10; exact operative requirements depend on the final registered instrument. A breach of a binding registered APP code is an interference with privacy and may attract Privacy Act regulatory action and civil penalties.
Privacy coverage for AML/CTF tranche 2 reporting entities Office of the Australian Information Commissioner and AUSTRAC A small business becomes a reporting entity or authorised agent under the expanded AML/CTF regime and handles personal information for the purposes of or in connection with its AML/CTF obligations. Applies to new tranche 2 reporting entities from 2026-07-01. Privacy Act enforcement and civil-penalty consequences apply to covered AML/CTF-connected personal-information activities.

Sources

  1. Privacy primary
  2. Privacy and Other Legislation Amendment Act 2024 primary
  3. Privacy and Other Legislation Amendment Act 2024 — full text primary
  4. Privacy Act 1988 — current text primary
  5. The Privacy Act primary
  6. Privacy Act rights and responsibilities primary
  7. Small business and the Privacy Act primary
  8. Australian Privacy Principles primary
  9. APP 1 — Open and transparent management of personal information primary
  10. APP 3 — Collection of solicited personal information primary
  11. APP 11 — Security of personal information primary
  12. About the Notifiable Data Breaches scheme primary
  13. Part 4 — Notifiable Data Breach scheme primary
  14. Responding to data breaches — four key steps primary
  15. Statutory tort for serious invasions of privacy primary
  16. Children's Online Privacy Code primary
  17. Consultation on guidance for transparency in automated decision making primary
  18. Guide to privacy regulatory action — civil penalties primary
  19. Privacy compliance sweep to put privacy policies under the spotlight primary
  20. Commonwealth penalty units primary
  21. Privacy and Other Legislation Amendment Bill 2024 — Bills Digest primary
  22. Privacy guidance for AML/CTF reporting entities primary
  23. Cyber Security Act primary
  24. Ransomware payment reporting guidance primary
  25. Limited use primary
  26. Privacy Act reforms tracker forum
  27. Why isn't data privacy taken seriously forum
  28. Struggling with Starting a Side Business in Australia forum
  29. Does anyone know why Australia doesn't have a maximum time personal data can be retained? forum
  30. OAIC consultation on automated decision-making guidance forum
  31. Australian data-breach consequences discussion forum
  32. Australia's Privacy Act reforms: What marketers need to know forum
  33. Important information sent to wrong email address forum
  34. Protecting against data and identity theft forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.