Australia Data Privacy Laws: Privacy Act & APPs Guide (2026)

Australia's approach to data privacy law sits at a crossroads. The Privacy Act 1988 has served as the backbone of the country's information protection framework for more than three decades, but a wave of high-profile data breaches and rapid technological change has forced the most significant overhaul since the Act was written.
This guide covers the current state of Australian data privacy law as of 2026, including the 13 Australian Privacy Principles, the enforcement powers of the Office of the Australian Information Commissioner (OAIC), the Notifiable Data Breaches scheme, landmark enforcement actions, and the reform timeline that will reshape obligations for businesses of all sizes.
The Privacy Act 1988: Foundation of Australian Data Protection
The Privacy Act 1988 (Cth) is the principal piece of federal legislation governing how personal information is handled in Australia. It was originally enacted to implement Australia's obligations under the International Covenant on Civil and Political Rights (ICCPR) and has been amended numerous times since.

The Act regulates the handling of personal information by Australian Government agencies and by private sector organizations that meet certain thresholds. It establishes the role of the Australian Information Commissioner as the primary regulator and sets out the framework for complaints, investigations, and enforcement.
Personal information under the Act is defined broadly. It includes any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. This definition is wider than many comparable international frameworks.
Sensitive information receives heightened protection. This category includes health information, genetic data, biometric information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records. Collection of sensitive information generally requires consent and must be reasonably necessary for the entity's functions.
Who Must Comply: APP Entities
The Privacy Act applies to organizations and agencies collectively known as APP entities. These include:
- All Australian Government agencies and departments
- Private sector organizations with annual turnover of more than AUD 3 million
- All private sector health service providers, regardless of turnover
- Credit reporting bodies and credit providers
- Organizations that trade in personal information
- Tax file number recipients
- Entities prescribed by regulations
- Contractors providing services under a Commonwealth contract
A significant gap remains. Small businesses with annual turnover of AUD 3 million or less are generally exempt from the Privacy Act. This exemption covers roughly 95% of Australian businesses and has been a major point of criticism. As of March 2026, the government has signaled that the small business exemption will be phased out, with more than 100,000 businesses expected to come under the Act's coverage, starting with the changes linked to the anti-money laundering reforms in July 2026.
The 13 Australian Privacy Principles (APPs)
The Australian Privacy Principles replaced the National Privacy Principles and Information Privacy Principles on 12 March 2014. They are set out in Schedule 1 of the Privacy Act and apply to all APP entities.
The APPs are principles-based rather than prescriptive. This gives organizations flexibility to tailor their personal information handling practices to their business models, but it also means compliance requires ongoing judgment about what constitutes "reasonable steps" in particular circumstances.
The 13 principles cover the full lifecycle of personal information:
Part 1: Consideration of Personal Information Privacy
- APP 1 -- Open and Transparent Management: APP entities must manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date privacy policy.
- APP 2 -- Anonymity and Pseudonymity: Individuals must have the option of not identifying themselves, or using a pseudonym, when dealing with an APP entity, unless it is impractical or required by law.
Part 2: Collection of Personal Information
- APP 3 -- Collection of Solicited Personal Information: An APP entity must not collect personal information unless it is reasonably necessary for the entity's functions or activities. Sensitive information requires consent and reasonable necessity.
- APP 4 -- Dealing with Unsolicited Personal Information: If an entity receives personal information it did not solicit, it must determine whether it could have collected that information under APP 3. If not, the entity must destroy or de-identify the information.
- APP 5 -- Notification of Collection: At or before the time of collection, an entity must take reasonable steps to notify the individual of specified matters, including the entity's identity, the purposes of collection, and the consequences if information is not collected.
Part 3: Dealing with Personal Information
- APP 6 -- Use or Disclosure: Personal information can only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose that the individual would reasonably expect and that is related to the primary purpose.
- APP 7 -- Direct Marketing: An organization may only use or disclose personal information for direct marketing if certain conditions are met, including providing a simple opt-out mechanism.
Part 4: Integrity of Personal Information
- APP 8 -- Cross-Border Disclosure: Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient does not breach the APPs. The disclosing entity remains accountable for breaches by the overseas recipient.
- APP 9 -- Adoption, Use, or Disclosure of Government-Related Identifiers: Organizations must not adopt, use, or disclose a government-related identifier (such as a tax file number or Medicare number) unless an exception applies.
Part 5: Access to and Correction of Personal Information
- APP 10 -- Quality of Personal Information: An entity must take reasonable steps to ensure personal information it collects, uses, or discloses is accurate, up-to-date, complete, and relevant.
- APP 11 -- Security of Personal Information: An entity must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure. It must also destroy or de-identify information no longer needed.
- APP 12 -- Access to Personal Information: Individuals have the right to request access to personal information held about them by an APP entity.
- APP 13 -- Correction of Personal Information: Individuals can request correction of their personal information if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
The OAIC: Australia's Privacy Regulator
The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency responsible for privacy regulation at the federal level. It administers the Privacy Act and oversees compliance by APP entities.
The OAIC has broad powers. It can conduct investigations on its own initiative or in response to complaints. It can accept enforceable undertakings, make determinations, seek injunctions, and pursue civil penalty proceedings in the Federal Court.
2025-2026 Regulatory Priorities
The OAIC's regulatory priorities for 2025-2026 focus on:
- Rebalancing power asymmetries: Targeting sectors and technologies that compromise individual rights, including advertising technology, artificial intelligence, and excessive data collection and retention.
- New and emerging technologies: Particular scrutiny of facial recognition technology (FRT), biometric scanning, surveillance technologies in apps and vehicles, and smart devices.
- High-risk sectors: Privacy practices in rental and property, healthcare (pharmacies), licensed venues, car dealerships, and second-hand dealers.
First-Ever Privacy Compliance Sweep
In January 2026, the OAIC launched its inaugural privacy compliance sweep, reviewing approximately 60 entities across six sectors. Entities found with non-compliant privacy policies face compliance notices, infringement notices, and penalties of up to AUD 66,000 per contravention. This sweep represents a shift toward proactive enforcement rather than waiting for complaints or breaches.
Penalties and Enforcement
The enforcement landscape in Australia changed dramatically in December 2022 when the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 took effect.
Maximum Penalties
For serious or repeated interferences with privacy, the maximum penalty for bodies corporate is now the greatest of:
- AUD 50 million
- Three times the value of the benefit obtained from the contravening conduct
- 30% of the body corporate's adjusted domestic turnover during the breach turnover period (minimum 12 months)
This was a massive increase from the previous maximum of AUD 2.22 million. The new penalty framework was directly motivated by the Optus and Medibank data breaches that exposed millions of Australians' personal information in late 2022.
For individuals, maximum penalties also increased significantly, though the specific amounts depend on the nature of the contravention.
Landmark Enforcement Actions
Australian Clinical Labs -- AUD 5.8 Million (October 2025)
The Federal Court ordered Australian Clinical Labs to pay AUD 5.8 million in the first-ever civil penalty under the Privacy Act. The penalty followed a 2022 cyberattack on its subsidiary Medlab Pathology that affected 223,000 individuals. The breakdown was AUD 4.2 million for failing to take reasonable steps to protect personal information (APP 11.1), AUD 800,000 for failing to conduct a reasonable and expeditious breach assessment, and AUD 800,000 for failing to notify the OAIC in a timely manner.
Optus -- Civil Proceedings (Filed August 2025, Ongoing)
The OAIC filed civil penalty proceedings against Optus in the Federal Court following its September 2022 data breach, which exposed the personal information of approximately 9.5 million Australians. The Commissioner alleges Optus failed to take reasonable steps to protect personal information over a three-year period from October 2019 to September 2022. Proceedings are ongoing.
Medibank -- Civil Proceedings (Filed, Ongoing)
The OAIC also filed civil penalty proceedings against Medibank Private for its October 2022 breach affecting 9.7 million Australians. The Commissioner alleges Medibank failed to take reasonable steps to protect personal information, including highly sensitive health data, from March 2021 to October 2022. These proceedings are also ongoing as of 2026.
Clearview AI -- Determination (2021)
The OAIC determined that Clearview AI breached the Privacy Act by scraping Australians' facial images from the internet and using them in a facial recognition tool without consent. Clearview AI was ordered to cease collecting images from individuals in Australia and destroy all collected images within 90 days. No financial penalty was imposed, though the case established that the Privacy Act applies to overseas companies processing Australians' data.
The Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act took effect on 22 February 2018. It requires APP entities to notify affected individuals and the Australian Information Commissioner when a data breach is likely to result in serious harm.
What Triggers the NDB Scheme
An eligible data breach occurs when three conditions are met:
- There is unauthorized access to, or unauthorized disclosure of, personal information held by an entity (or the information is lost in circumstances where unauthorized access or disclosure is likely).
- The breach is likely to result in serious harm to any of the affected individuals.
- The entity has been unable to prevent the likely risk of serious harm through remedial action.
Assessment and Notification Timeline
When an entity suspects a breach may have occurred, it must carry out a reasonable and expeditious assessment. The entity must take all reasonable steps to ensure the assessment is completed within 30 days of becoming aware of grounds to suspect a breach.
If the assessment determines an eligible data breach has occurred, the entity must prepare a notification statement and provide it to the OAIC as soon as practicable. The statement must include the entity's identity and contact information, a description of the breach, the kinds of information involved, and recommendations for affected individuals.
The entity must also take reasonable steps to notify each affected individual, or if that is not practicable, publish the statement on its website and take reasonable steps to publicize it.
Consequences of Non-Compliance
Failing to comply with the NDB scheme is an interference with privacy and can result in the full range of enforcement actions, including civil penalties. The Australian Clinical Labs penalty of AUD 5.8 million included AUD 1.6 million specifically for NDB failures.
Privacy Act Reform: The 2024-2026 Overhaul
The most significant reform of the Privacy Act since its enactment is underway. In February 2023, the Attorney-General released the Privacy Act Review Report containing 116 proposals for reform. The government responded by agreeing or agreeing in principle to the majority of these proposals.
First Tranche (December 2024)
The Privacy and Other Legislation Amendment Bill 2024 passed both Houses of Parliament on 29 November 2024 and received Royal Assent on 10 December 2024. It addressed 23 of the 116 proposals, including:
Statutory Tort for Serious Invasions of Privacy (Effective June 2025)
For the first time, Australians have a direct right to sue for serious invasions of privacy. This statutory tort allows individuals to bring court proceedings against anyone who intrudes upon their seclusion or misuses their personal information, without going through the OAIC first. The tort applies broadly, not just to APP entities, making it a powerful new tool for individuals.
Automated Decision-Making Transparency (Effective December 2026)
APP entities must include additional information in their privacy policies if they use computer programs to make decisions using personal information that could reasonably be expected to significantly affect individuals' rights or interests. This includes disclosing the kinds of personal information used and the types of decisions made.
Children's Privacy Code
The OAIC has been empowered to develop a Children's Online Privacy Code to provide additional protections for minors' personal information in digital services.
Enhanced OAIC Enforcement Powers
The OAIC gained new powers including the ability to issue infringement notices for breaches of core obligations (such as failing to maintain a compliant privacy policy), with penalties of up to AUD 66,000 per contravention.
Second Tranche (Expected 2026)
The second tranche of reforms is anticipated to address the more transformative proposals, including:
- Removal or reduction of the small business exemption: This would bring more than 100,000 additional businesses under the Act.
- Removal or reduction of the employee records exemption: Currently, employee records held by private sector employers in connection with employment are exempt.
- Expanded individual rights: Including a right to erasure (similar to GDPR's right to be forgotten) and rights related to profiling.
- Updated definition of personal information: Bringing the definition closer to international standards.
- Fair and reasonable test: A new overarching requirement that collection, use, and disclosure of personal information be fair and reasonable in the circumstances.
- Controller/processor distinction: Similar to the GDPR framework.
Cross-Border Data Transfers (APP 8)
Australia's rules on international data transfers are governed by APP 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient handles the information in accordance with the APPs.
The critical feature of APP 8 is accountability. If an overseas recipient breaches the APPs, the disclosing Australian entity is treated as having breached the APPs itself. This means the Australian entity faces enforcement action for the overseas recipient's failures.
Exceptions to APP 8
An APP entity is not required to comply with APP 8 in several circumstances, including:
- The entity reasonably believes the overseas recipient is subject to a law or binding scheme substantially similar to the APPs, and the individual can enforce that law or scheme.
- The individual consents to the cross-border disclosure after being informed that APP 8 will not apply.
- The disclosure is required or authorized by Australian law or a court order.
No EU Adequacy Decision
Australia does not currently have an EU adequacy decision under the GDPR. This means that transfers of personal data from the EU/EEA to Australia require appropriate safeguards (such as Standard Contractual Clauses or Binding Corporate Rules). The small business exemption has been cited as a significant barrier to obtaining adequacy, which is one reason the government is moving to remove it.
The 2024 reforms strengthened cross-border accountability by making it clear that organizations remain legally responsible for how personal information is handled overseas, even when processed by third-party vendors.
Proposed Adequacy Framework
As part of the ongoing reforms, Australia is developing a country "whitelist" system that would allow businesses to transfer personal information to recipients in approved countries without individual assessment, similar to the EU adequacy model.
Sector-Specific Privacy Laws
Beyond the Privacy Act, several sector-specific laws add additional data protection obligations.
My Health Records Act 2012
The My Health Records Act 2012 governs the national digital health record system. It establishes strict rules about who can access health information in the My Health Record system and imposes criminal penalties for unauthorized collection, use, or disclosure. The Australian Digital Health Agency operates the system, and the OAIC oversees its privacy aspects.
The Act requires mandatory data breach notification to both the OAIC and the System Operator for breaches involving My Health Record data, separate from the general NDB scheme.
Consumer Data Right (CDR)
The Consumer Data Right gives Australians greater control over their data by allowing them to direct businesses to share their data with accredited third parties. Currently active in banking (since July 2020) and energy (since November 2022), the CDR is set to expand to non-bank lenders from 2026.
The OAIC regulates privacy and confidentiality aspects of the CDR, handling complaints and eligible data breach notifications under the CDR framework.
State and Territory Laws
Australia's federal system means that state and territory governments have their own privacy legislation, primarily covering their own public sectors:
- New South Wales: Privacy and Personal Information Protection Act 1998 (PPIPA)
- Victoria: Privacy and Data Protection Act 2014 (PDP Act)
- Queensland: Information Privacy Act 2009 (IPA)
- Australian Capital Territory: Information Privacy Act 2014
- Tasmania: Personal Information and Protection Act 2004
Western Australia and South Australia do not have comprehensive state-level privacy legislation. The Northern Territory relies on its Information Act 2002, which contains privacy-related provisions.
State and territory laws primarily apply to their respective public sectors. Private sector entities dealing with health information in NSW, Victoria, and the ACT may need to comply with both federal and state privacy obligations.
Comparison with Other Frameworks
Australia's Privacy Act shares some characteristics with the EU's GDPR but differs in several important ways:
| Feature | Australia (Privacy Act) | EU (GDPR) |
|---|---|---|
| Scope | Organizations over AUD 3M turnover (exemption being phased out) | All organizations processing EU residents' data |
| Legal basis | Collection must be reasonably necessary; consent required for sensitive information | Six legal bases including consent, contract, legitimate interest |
| Right to erasure | Not yet enacted (expected in second tranche) | Yes, Article 17 |
| Data breach notification | 30-day assessment period, then "as soon as practicable" | 72 hours to supervisory authority |
| Maximum penalties | AUD 50M / 3x benefit / 30% turnover | EUR 20M / 4% global turnover |
| Private right of action | Statutory tort for serious invasions (from June 2025) | Yes, Article 82 |
| Data Protection Officer | Not required (may change in second tranche) | Required in certain circumstances |
Sources and References
- Privacy Act 1988 (Cth) -- Federal Register of Legislation (legislation.gov.au)
- Australian Privacy Principles -- OAIC (oaic.gov.au)
- Australian Privacy Principles Guidelines -- OAIC (oaic.gov.au)
- The Privacy Act -- OAIC (oaic.gov.au)
- About the Notifiable Data Breaches Scheme -- OAIC (oaic.gov.au)
- Part 4: Notifiable Data Breach (NDB) Scheme -- OAIC (oaic.gov.au)
- Privacy Act Review Report -- Attorney-General's Department (ag.gov.au)
- Government Response to the Privacy Act Review Report -- Attorney-General's Department (ag.gov.au)
- OAIC Regulatory Action Priorities for 2025-26 -- OAIC (oaic.gov.au)
- Privacy Compliance Sweep -- OAIC (oaic.gov.au)
- Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 -- Federal Register of Legislation (legislation.gov.au)
- Australian Clinical Labs Ordered to Pay Penalties -- OAIC (oaic.gov.au)
- Civil Penalty Action Against Optus -- OAIC (oaic.gov.au)
- Civil Penalty Action Against Medibank -- OAIC (oaic.gov.au)
- Clearview AI Breached Australians' Privacy -- OAIC (oaic.gov.au)
- Statutory Tort for Serious Invasions of Privacy -- OAIC (oaic.gov.au)
- APP 8 Cross-Border Disclosure -- OAIC (oaic.gov.au)
- State and Territory Privacy Legislation -- OAIC (oaic.gov.au)
- My Health Records Act 2012 -- Federal Register of Legislation (legislation.gov.au)
- Consumer Data Right -- Australian Government (cdr.gov.au)
- Consumer Data Right -- Treasury (treasury.gov.au)
- Privacy -- Attorney-General's Department (ag.gov.au)