Australia Data Privacy Laws: Privacy Act 1988, APPs & 2025-2026 Reforms

Australia's Privacy Act 1988 (Cth) has governed the country's information protection framework for more than three decades, but the pace of change since 2022 has been significant. A wave of high-profile data breaches, the Privacy Act Review Report with 116 reform proposals, and the Privacy and Other Legislation Amendment Act 2024 (Cth) have collectively produced the most substantial overhaul of Australian privacy law in the Act's history.
This guide covers the current state of Australian data privacy law as of May 2026, including the 13 Australian Privacy Principles (APPs), the enforcement powers of the Office of the Australian Information Commissioner (OAIC), the Notifiable Data Breaches scheme, landmark enforcement actions through 2025-2026, and the staged reform timeline that will reshape obligations for businesses of all sizes.
This article addresses Australian federal privacy law under the Privacy Act 1988 (Cth) as amended, with notes on state and territory privacy regimes and sector-specific laws. For information on recording consent laws in Australia, including state-by-state wiretapping and surveillance provisions, see Australia Recording Laws.
Quick Answer: What Is Australia's Privacy Law?
Australia's primary privacy law is the Privacy Act 1988 (Cth), which imposes obligations on APP entities through 13 Australian Privacy Principles. The OAIC enforces the Act. As of June 2025, individuals also have a direct right to sue for serious invasions of privacy under a new statutory tort. The maximum penalty for bodies corporate is the greatest of AUD 50 million, three times the benefit obtained, or 30% of adjusted domestic turnover. A first wave of reform passed in December 2024; a second wave addressing the small business exemption, individual rights to erasure, and a fair and reasonable test is under active development.
The Privacy Act 1988: Foundation of Australian Data Protection
The Privacy Act 1988 (Cth) is the principal piece of federal legislation governing how personal information is handled in Australia. Parliament enacted it to implement Australia's obligations under the International Covenant on Civil and Political Rights and has amended it numerous times since, most recently by the Privacy and Other Legislation Amendment Act 2024 (Cth).
The Act regulates the handling of personal information by Australian Government agencies and by private sector organizations that meet certain thresholds. It establishes the role of the Australian Information Commissioner as the primary regulator and sets out the framework for complaints, investigations, and enforcement.

Personal information under the Act is defined broadly. Section 6 of the Privacy Act 1988 (Cth) defines it as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. This definition is wider than many comparable international frameworks.
Sensitive information receives heightened protection. This category includes health information, genetic data, biometric information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records. Collection of sensitive information generally requires consent and must be reasonably necessary for the entity's functions.
Who Must Comply: APP Entities
The Privacy Act applies to organizations and agencies collectively known as APP entities. These include:
- All Australian Government agencies and departments
- Private sector organizations with annual turnover of more than AUD 3 million
- All private sector health service providers, regardless of turnover
- Credit reporting bodies and credit providers
- Organizations that trade in personal information
- Tax file number recipients
- Entities prescribed by regulations
- Contractors providing services under a Commonwealth contract
A significant gap remains. Small businesses with annual turnover of AUD 3 million or less are generally exempt from the Privacy Act unless they fall within one of the listed exceptions. This exemption covers a large proportion of Australian businesses. As of May 2026, the government has not set a confirmed date for a general removal of the small business exemption, though the OAIC supports its removal and consultation is ongoing under tranche 2 reform work. A targeted expansion through AML/CTF reforms takes effect from 1 July 2026 (discussed below).
The 13 Australian Privacy Principles (APPs)
The Australian Privacy Principles replaced the National Privacy Principles and Information Privacy Principles on 12 March 2014. They are set out in Schedule 1 of the Privacy Act 1988 (Cth) and apply to all APP entities.
The APPs are principles-based rather than prescriptive. This gives organizations flexibility to tailor their personal information handling practices to their business models, but it also means compliance requires ongoing judgment about what constitutes reasonable steps in particular circumstances.

Part 1: Consideration of Personal Information Privacy
- APP 1: Open and Transparent Management. APP entities must manage personal information in an open and transparent way. This includes maintaining a clearly expressed and up-to-date privacy policy describing what personal information is collected, how it is held, used, and disclosed, and how complaints can be made.
- APP 2: Anonymity and Pseudonymity. Individuals must have the option of not identifying themselves, or using a pseudonym, when dealing with an APP entity, unless it is impractical or required by law.
Part 2: Collection of Personal Information
- APP 3: Collection of Solicited Personal Information. An APP entity must not collect personal information unless it is reasonably necessary for the entity's functions or activities. Collection of sensitive information also requires consent.
- APP 4: Dealing with Unsolicited Personal Information. If an entity receives personal information it did not solicit, it must determine whether it could have collected that information under APP 3. If not, the entity must destroy or de-identify it as soon as practicable.
- APP 5: Notification of Collection. At or before the time of collection, an entity must take reasonable steps to notify the individual of specified matters, including the entity's identity, the purposes of collection, and the individual's right to access and seek correction of the information.
Part 3: Dealing with Personal Information
- APP 6: Use or Disclosure. Personal information may only be used or disclosed for the primary purpose of collection, or for a secondary purpose where the individual would reasonably expect it and the purpose is related to the primary purpose.
- APP 7: Direct Marketing. An organization may only use or disclose personal information for direct marketing if certain conditions are met, including providing a simple opt-out mechanism on every direct marketing communication.
Part 4: Integrity of Personal Information
- APP 8: Cross-Border Disclosure. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient handles the information in accordance with the APPs. The disclosing entity remains accountable for breaches by the overseas recipient.
- APP 9: Government-Related Identifiers. Organizations must not adopt, use, or disclose a government-related identifier such as a tax file number or Medicare number unless a specific exception applies.
Part 5: Access to and Correction of Personal Information
- APP 10: Quality of Personal Information. An entity must take reasonable steps to ensure personal information it collects, uses, or discloses is accurate, up-to-date, complete, and relevant to the purposes for which it is to be used.
- APP 11: Security of Personal Information. An entity must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure. When information is no longer needed, the entity must destroy or de-identify it.
- APP 12: Access to Personal Information. Individuals have the right to request access to personal information held about them by an APP entity. The entity must respond within 30 days and may charge only a reasonable cost-recovery fee.
- APP 13: Correction of Personal Information. Individuals may request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. If the entity refuses, it must provide written reasons and note the refused correction request alongside the information.
Individual Rights Under the Privacy Act
The APPs confer several rights on individuals directly, through APPs 12 and 13.
Right of Access (APP 12)
An individual may request access to personal information held about them by any APP entity. The entity must respond within 30 days. Grounds for refusing access are limited and include circumstances where access would unreasonably impact another person's privacy, pose a threat to health or safety, or prejudice ongoing legal proceedings. If access is refused in whole or in part, the entity must provide written reasons.
Right of Correction (APP 13)
Where personal information is inaccurate, out-of-date, incomplete, irrelevant, or misleading, an individual may ask the APP entity to correct it. The entity must take reasonable steps to correct the information within 30 days. If the entity declines to correct, it must provide written reasons and, on request, note that the individual sought correction alongside the record.
Complaints Mechanism
Individuals who believe an APP entity has breached the Privacy Act may lodge a complaint directly with the OAIC. The OAIC will attempt conciliation first. If conciliation fails or the complaint raises a systemic issue, the Commissioner may investigate and make a determination. From 2025, the OAIC's complaint-handling approach has shifted to focus resources on systemic matters and repeated breaches, with a faster triage model for routine individual complaints.
No General Right to Erasure (Yet)
Australia does not yet have a statutory right to erasure comparable to Article 17 of the GDPR. APP 11 requires destruction or de-identification of personal information no longer needed for any purpose, but this applies to the entity as a duty, not as an individual right the person can directly enforce. A right to erasure is among the proposals under consideration for the tranche 2 reforms.
The OAIC: Australia's Privacy Regulator
The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency responsible for privacy regulation at the federal level. It administers the Privacy Act and oversees compliance by APP entities.
The OAIC has broad powers. It can conduct investigations on its own initiative (own motion investigations) or in response to complaints. It can accept enforceable undertakings, make determinations, seek injunctions, and pursue civil penalty proceedings in the Federal Court. From December 2024, the OAIC also gained the power to issue infringement notices for breaches of core obligations such as failing to maintain a compliant privacy policy, with penalties of up to AUD 66,000 per contravention.

2025-2026 Regulatory Priorities
The OAIC's regulatory priorities for 2025-2026 focus on three themes:
- Rebalancing power asymmetries: Targeting sectors and technologies that compromise individual rights, including advertising technology, artificial intelligence systems, and excessive data collection and retention practices.
- New and emerging technologies: Particular scrutiny of facial recognition technology, biometric scanning in licensed venues and retail, surveillance technologies embedded in apps and vehicles, and smart devices.
- High-risk sectors: Privacy practices in rental and property platforms, healthcare (particularly pharmacies), licensed venues, car dealerships, and second-hand dealers.
First-Ever Privacy Compliance Sweep
In January 2026, the OAIC launched its inaugural privacy compliance sweep, reviewing approximately 60 entities across six sectors. Entities found with non-compliant privacy policies face compliance notices, infringement notices, and penalties of up to AUD 66,000 per contravention. This sweep represents a deliberate shift toward proactive enforcement rather than waiting for complaints or breach reports.
Penalties and Enforcement
The 2022 Penalty Increase
The enforcement landscape changed dramatically in December 2022 when the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) took effect. For serious or repeated interferences with privacy, the maximum civil penalty for bodies corporate is now the greatest of:
- AUD 50 million
- Three times the value of the benefit obtained from the contravening conduct
- 30% of the body corporate's adjusted domestic turnover during the breach turnover period (minimum 12 months)
The previous maximum was AUD 2.22 million. The increase was directly motivated by the Optus and Medibank breaches that exposed millions of Australians' personal information in late 2022.
Landmark Enforcement Actions (2021-2026)
Australian Clinical Labs: AUD 5.8 Million (October 2025)
The Federal Court ordered Australian Clinical Labs to pay AUD 5.8 million in the first-ever civil penalty under the Privacy Act. The penalty followed a 2022 cyberattack on its subsidiary Medlab Pathology that affected 223,000 individuals. The breakdown: AUD 4.2 million for failing to take reasonable steps to protect personal information under APP 11.1, AUD 800,000 for failing to conduct a reasonable and expeditious breach assessment, and AUD 800,000 for failing to notify the OAIC in a timely manner.
Meta Platforms: AUD 50 Million Settlement (December 2024)
The OAIC reached a landmark AUD 50 million settlement with Meta Platforms, Inc. as part of an enforceable undertaking resolving civil penalty proceedings originally filed in March 2020. The proceedings related to Meta's disclosure of Australian Facebook users' personal information to Cambridge Analytica without consent. More than 300,000 Australians are eligible for payments under a program administered by KPMG, with registration open until 31 December 2025.
Optus: Civil Proceedings (Filed August 2025, Ongoing)
The OAIC filed civil penalty proceedings against Optus in the Federal Court following its September 2022 data breach, which exposed personal information of approximately 9.5 million Australians. The Commissioner alleges Optus failed to take reasonable steps to protect personal information over a three-year period from October 2019 to September 2022. Proceedings are ongoing as of May 2026.
Medibank: Civil Proceedings (Filed, Ongoing)
The OAIC filed civil penalty proceedings against Medibank Private for its October 2022 breach affecting 9.7 million Australians, including highly sensitive health data. The Commissioner alleges Medibank failed to take reasonable steps to protect personal information from March 2021 to October 2022. Proceedings continue as of May 2026.
Clearview AI: Determination (2021)
The OAIC determined that Clearview AI breached the Privacy Act by scraping Australians' facial images from the internet and using them in a facial recognition tool without consent. Clearview AI was ordered to cease collecting images from Australian individuals and destroy all collected images within 90 days. The case established that the Privacy Act can apply to overseas entities processing Australians' personal information.
The Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) took effect on 22 February 2018. It requires APP entities to notify affected individuals and the Australian Information Commissioner when a data breach is likely to result in serious harm.
What Triggers the NDB Scheme
An eligible data breach occurs when three conditions are met:
- There is unauthorized access to, or unauthorized disclosure of, personal information held by an entity (or the information is lost in circumstances where unauthorized access or disclosure is likely).
- The breach is likely to result in serious harm to any of the affected individuals.
- The entity has been unable to prevent the likely risk of serious harm through remedial action.
Serious harm is assessed by reference to factors including the sensitivity of the information, the number of individuals affected, the people who have obtained or could obtain access, and the nature of the potential harm (financial, physical, psychological, reputational).
Assessment and Notification Timeline
When an entity suspects a breach may have occurred, it must carry out a reasonable and expeditious assessment. The entity must take all reasonable steps to complete the assessment within 30 days of becoming aware of grounds to suspect a breach.
If the assessment confirms an eligible data breach, the entity must prepare a notification statement and provide it to the OAIC as soon as practicable. The statement must include the entity's identity and contact information, a description of the breach, the kinds of information involved, and recommendations for affected individuals.
The entity must also take reasonable steps to notify each affected individual directly, or, if direct notification is not practicable, publish the statement on its website and take reasonable steps to publicize it.
NDB Statistics
The OAIC publishes half-yearly NDB reports. The January to June 2024 report recorded 527 notifications, with malicious or criminal attacks remaining the leading cause. Health information is consistently the most frequently reported category of sensitive information involved in eligible data breaches.
Consequences of Non-Compliance
Failing to comply with the NDB scheme is itself an interference with privacy and can result in the full range of enforcement actions, including civil penalties. The Australian Clinical Labs penalty of AUD 5.8 million included AUD 1.6 million specifically for NDB failures.
The Privacy and Other Legislation Amendment Act 2024 (Cth)
The Privacy and Other Legislation Amendment Act 2024 (Cth) (Act No. 128 of 2024) passed both Houses of Parliament on 29 November 2024 and received Royal Assent on 10 December 2024. It advanced 23 of the 116 proposals from the Privacy Act Review Report and introduced changes at staged commencement dates.
Statutory Tort for Serious Invasions of Privacy (Commenced 10 June 2025)
The most significant change for individuals is a new cause of action in Schedule 2 of the Privacy Act 1988 (Cth), which commenced on 10 June 2025. Under the statutory tort, an individual has a cause of action against any person (not only APP entities) who invaded their privacy by:
- Intrusion upon seclusion: Physically intruding into a private space, watching or surveilling a private act, or intercepting private communications.
- Misuse of personal information: Collecting, using, or disclosing personal information in a way that violates a reasonable expectation of privacy.
To succeed, the plaintiff must show the invasion was serious and that the privacy interest outweighs any countervailing public interest (such as journalism, law enforcement, or safety). The court applies a proportionality analysis.
Courts may grant any remedy considered appropriate, including damages, injunctions, orders requiring an apology, and orders for correction or removal of information. The tort is actionable without proof of damage, meaning a plaintiff does not need to demonstrate financial loss to bring a claim.
Time limits: For adults, proceedings must commence within 1 year after the plaintiff became aware of the invasion, or within 3 years of the date of invasion (whichever is earlier). For individuals under 18 at the time of the invasion, proceedings must commence before their 21st birthday.
Defences include lawful authority, consent, necessity, and defence of persons or property.
The breadth of this tort is notable. Unlike complaints to the OAIC (which are limited to APP entities), the statutory tort applies to individuals, private companies outside the APP threshold, and conduct that occurred before or outside a formal APP entity relationship.
Automated Decision-Making Transparency (Commencing December 2026)
APP entities that use computer programs to make decisions using personal information that could reasonably be expected to significantly affect individuals' rights or interests must include additional disclosures in their privacy policies. These disclosures cover the kinds of personal information used and the types of decisions made by automated means. This requirement commences in December 2026.
Children's Online Privacy Code
The OAIC has been empowered to develop a Children's Online Privacy Code to provide additional protections for minors' personal information in digital services. The Code development process is underway as of 2026.
Enhanced OAIC Powers
The Act gave the OAIC new enforcement tools from December 2024, including:
- Infringement notices for non-compliance with core obligations (up to AUD 66,000 per contravention)
- Strengthened investigative powers
- Clearer powers to share information with overseas privacy regulators
Cross-Border Data Transfers (APP 8)
Australia's rules on international data transfers are governed by APP 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient handles the information in accordance with the APPs.
The critical feature of APP 8 is accountability transfer. If an overseas recipient breaches the APPs in handling the disclosed information, the disclosing Australian entity is treated as having breached the APPs itself. The Australian entity faces enforcement action for the overseas recipient's failures.
Exceptions to APP 8
The accountability obligation does not apply where:
- The APP entity reasonably believes the overseas recipient is subject to a law or binding scheme that is substantially similar to the APPs, and the individual can enforce that law or scheme.
- The individual consents to the cross-border disclosure after being informed that APP 8's accountability protection will not apply to them.
- The disclosure is required or authorized by Australian law or a court order.
No EU Adequacy Decision
Australia does not currently have an EU adequacy decision under the GDPR. Transfers of personal data from the EU/EEA to Australia require appropriate safeguards such as Standard Contractual Clauses. The small business exemption has been cited as a barrier to obtaining adequacy, which adds urgency to the tranche 2 reform work.
Proposed Adequacy Whitelist Framework
The ongoing reform program includes a proposal to develop a country whitelist system, allowing transfers to recipients in approved jurisdictions without individual case-by-case assessment. This framework is under development as of 2026.
Pending Reforms: Tranche 2 and Beyond
The second tranche of reforms addresses the remaining proposals from the 116-recommendation Privacy Act Review Report. The key proposals under active development include:
Small Business Exemption
The OAIC supports full removal of the small business exemption. The government agreed in principle to the proposal in its 2023 response to the Review Report. However, as of May 2026, no specific commencement date for a general removal has been legislated or confirmed. Consultation with the small business community on transition support and compliance guidance is ongoing.
What is confirmed for July 2026: From 1 July 2026, real estate professionals, lawyers, conveyancers, accountants, and dealers in precious metals and stones become Privacy Act-covered reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) reforms, regardless of whether they fall within the small business exemption. This targeted expansion does not constitute a general removal of the exemption, but it significantly extends Privacy Act coverage in high-risk sectors.
Employee Records Exemption
The employee records exemption (section 7B(3) of the Privacy Act 1988 (Cth)) exempts acts and practices by private sector employers directly related to an employee relationship. Removal or reduction of this exemption is under active consultation.
Right to Erasure
Australia does not yet have a statutory right to erasure. The Privacy Act Review Report recommended introducing a qualified right to erasure. This remains in the tranche 2 proposals without a confirmed commencement date.
Fair and Reasonable Test
A proposed overarching requirement that collection, use, and disclosure of personal information be fair and reasonable in the circumstances would add an objective test beyond the existing APPs. This would bring Australian law closer to EU standards.
Controller/Processor Distinction
Reforms may introduce a formal distinction between data controllers (who determine purposes) and data processors (who act on instructions), analogous to the GDPR framework. This would change accountability flows for organizations using third-party data processors.
Sector-Specific Privacy Laws
My Health Records Act 2012
The My Health Records Act 2012 (Cth) governs the national digital health record system. It establishes strict rules about who may access health information in the My Health Record system and imposes criminal penalties for unauthorized collection, use, or disclosure. The Australian Digital Health Agency operates the system, and the OAIC oversees privacy compliance.
The Act mandates separate data breach notification to both the OAIC and the System Operator for breaches involving My Health Record data, supplementing the general NDB scheme obligations.
Consumer Data Right
The Consumer Data Right (CDR) gives Australians greater control over their data by allowing them to direct businesses to share their data with accredited third parties. The CDR is active in banking (since July 2020) and energy (since November 2022) and is set to expand to non-bank lenders from 2026.
The OAIC regulates privacy and confidentiality aspects of the CDR, handling complaints and eligible data breach notifications within the CDR framework.
State and Territory Laws
State and territory governments have their own privacy legislation primarily covering their own public sectors:
| Jurisdiction | Legislation |
|---|---|
| New South Wales | Privacy and Personal Information Protection Act 1998 (PPIPA) |
| Victoria | Privacy and Data Protection Act 2014 (PDP Act) |
| Queensland | Information Privacy Act 2009 (IPA) |
| Australian Capital Territory | Information Privacy Act 2014 (ACT) |
| Tasmania | Personal Information Protection Act 2004 |
| Northern Territory | Information Act 2002 (privacy-related provisions) |
| Western Australia | No comprehensive state privacy legislation |
| South Australia | No comprehensive state privacy legislation |
State and territory laws primarily apply to their respective public sectors. Private sector entities handling health information in New South Wales, Victoria, and the ACT may need to comply with both federal and applicable state privacy obligations.
Australia vs. GDPR: Key Comparisons
| Feature | Australia (Privacy Act 1988) | EU (GDPR) |
|---|---|---|
| Scope | APP entities (turnover threshold, with targeted expansions) | All organizations processing EU residents' data |
| Legal basis for processing | Reasonably necessary; consent for sensitive data | Six legal bases including consent, contract, legitimate interest |
| Right to erasure | Not yet enacted; proposed in tranche 2 | Yes, Article 17 |
| Data breach notification | 30-day assessment; notify "as soon as practicable" | 72 hours to supervisory authority |
| Maximum penalties | AUD 50M / 3x benefit / 30% turnover | EUR 20M / 4% global turnover |
| Private right of action | Statutory tort (from 10 June 2025) | Yes, Article 82 |
| Data Protection Officer | Not required (may change in tranche 2) | Required in certain circumstances |
| Adequacy status | No EU adequacy decision | N/A |
| Cross-border accountability | APP 8: disclosing entity remains liable | Adequacy decisions, SCCs, BCRs |
Business Compliance: Practical Steps for APP Entities
Any private sector organization operating in Australia with annual turnover above AUD 3 million (or within a covered category regardless of turnover) should maintain the following baseline:
- Maintain a current privacy policy covering what information is collected, how it is used and disclosed, how individuals can access and correct their information, and how to complain. Non-compliant policies are the primary target of the OAIC's 2026 compliance sweep.
- Map your data flows. Know what personal information you collect, where it is stored, who it is shared with (including overseas recipients), and how long it is retained. APP 4 requires you to assess and destroy unsolicited personal information.
- Implement an APP 11 security program. Take reasonable steps appropriate to the size and nature of your organization to protect personal information from unauthorized access, modification, disclosure, misuse, and loss.
- Establish a data breach response plan. Your plan must enable you to identify, contain, and assess a potential breach within the 30-day NDB assessment window. Designate who triggers the NDB assessment process and who notifies the OAIC.
- Review overseas vendor contracts. Under APP 8, you remain accountable for your overseas recipients' handling of personal information. Contracts with overseas processors should require APPs-equivalent handling and include breach notification obligations to you.
- Prepare for the statutory tort. From 10 June 2025, any person (not only a government body or large corporation) can be sued for a serious invasion of privacy. Review your surveillance, monitoring, and data practices against the new tort standard. Employees, contractors, and small businesses that were previously outside the Privacy Act's scope can now be sued directly.
- Plan for AML/CTF expansion (July 2026). If you are a real estate professional, lawyer, accountant, conveyancer, or precious metals dealer, obtain advice on your Privacy Act obligations commencing 1 July 2026, regardless of your annual turnover.
- Prepare for automated decision-making disclosures (December 2026). If your organization uses algorithms or computer programs to make decisions significantly affecting individuals, update your privacy policy to include the new APP disclosures before December 2026.
This article presents general legal information about Australian federal privacy law as verified in May 2026. It does not constitute legal advice. The law continues to evolve through ongoing legislative reform and OAIC enforcement action. Consult a lawyer admitted in the relevant Australian jurisdiction for advice on your specific situation.
Sources and References
- Privacy Act 1988 (Cth), Federal Register of Legislation (legislation.gov.au)
- Privacy and Other Legislation Amendment Act 2024 (Cth) No. 128 (legislation.gov.au)
- Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (legislation.gov.au)
- My Health Records Act 2012 (legislation.gov.au)
- Australian Privacy Principles, OAIC (oaic.gov.au)
- Australian Privacy Principles Guidelines, OAIC (oaic.gov.au)
- About the Notifiable Data Breaches Scheme, OAIC (oaic.gov.au)
- NDB Report January to June 2024, OAIC (oaic.gov.au)
- Statutory Tort for Serious Invasions of Privacy, OAIC (oaic.gov.au)
- Schedule 2 Serious Invasions of Privacy POLA Act 2024, AustLII (austlii.edu.au)
- OAIC Regulatory Priorities 2025-26 (oaic.gov.au)
- Privacy Compliance Sweep, OAIC (oaic.gov.au)
- Australian Clinical Labs Ordered to Pay Penalties, OAIC (oaic.gov.au)
- Landmark Settlement $50M from Meta, OAIC (oaic.gov.au)
- Civil Penalty Action Against Optus, OAIC (oaic.gov.au)
- Civil Penalty Action Against Medibank, OAIC (oaic.gov.au)
- Clearview AI Breached Australians Privacy, OAIC (oaic.gov.au)
- APP 8 Cross-Border Disclosure, OAIC (oaic.gov.au)
- State and Territory Privacy Legislation, OAIC (oaic.gov.au)
- Privacy Guidance for AML/CTF Reporting Entities, OAIC (oaic.gov.au)
- Privacy Act Review Report, Attorney-General Department (ag.gov.au)
- Government Response to Privacy Act Review Report, Attorney-General Department (ag.gov.au)
- Privacy, Attorney-General Department (ag.gov.au)
- Consumer Data Right, Australian Government (cdr.gov.au)