Australia Data Privacy Laws: Privacy Act, APPs & 2026 Reforms

Frequently Asked Questions
Does the Australian Privacy Act apply to small businesses?
Businesses with annual turnover of AUD 3 million or less are generally exempt from the Privacy Act 1988 (Cth) unless they handle health information, trade in personal information, are a credit reporting body, or are a contractor under a Commonwealth contract. This exemption is under review: the OAIC supports its removal, and the government agreed in principle in its 2023 Privacy Act Review response. However, as of May 2026, no confirmed date for a general removal has been legislated. A targeted expansion from 1 July 2026 brings real estate agents, lawyers, accountants, conveyancers, and precious metals dealers under the Act through AML/CTF reforms, regardless of turnover.
What is the new statutory tort for serious invasions of privacy?
The statutory tort commenced on 10 June 2025 under Schedule 2 of the Privacy Act 1988 (Cth) as inserted by the Privacy and Other Legislation Amendment Act 2024 (Cth). It gives any individual the right to sue any other person (not only APP entities) for a serious invasion of privacy through either intrusion upon seclusion or misuse of personal information. To succeed, the plaintiff must show the invasion was serious and that the privacy interest outweighs any countervailing public interest. Remedies include damages, injunctions, and apology orders. For adults, proceedings must start within 1 year of becoming aware of the invasion or within 3 years of the invasion itself, whichever is earlier.
What should a business do if it suffers a data breach in Australia?
Under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth), the entity must first assess whether there has been unauthorized access to, disclosure of, or loss of personal information that is likely to result in serious harm. All reasonable steps must be taken to complete this assessment within 30 days. If the breach qualifies as an eligible data breach, the entity must notify the OAIC and affected individuals as soon as practicable, providing the entity's identity, a description of the breach, the types of information involved, and steps individuals should take to protect themselves. Failure to comply can result in significant civil penalties, as demonstrated by the AUD 1.6 million NDB component of the AUD 5.8 million Australian Clinical Labs penalty.
Can Australian businesses transfer personal data overseas?
Yes, but APP 8 of the Privacy Act 1988 (Cth) imposes strict accountability requirements. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient handles the information in accordance with the APPs. If the overseas recipient breaches the APPs, the Australian disclosing entity is treated as having breached the APPs itself and faces enforcement action. Exceptions include where the recipient is subject to a substantially similar law the individual can enforce, where the individual consents after being informed that APP 8 protections will not apply, or where Australian law requires the disclosure.
How does Australia's Privacy Act compare to the GDPR?
The two frameworks share core principles around data minimization, purpose limitation, and individual rights, but differ in key areas. The GDPR applies to all organizations processing EU residents' data regardless of turnover; the Privacy Act currently has a small business exemption. The GDPR requires 72-hour breach notification to authorities; Australia's NDB scheme allows a 30-day assessment window. The GDPR includes established rights to erasure and data portability; Australia lacks these as of May 2026, though both are proposed for tranche 2. Australia does not have EU adequacy status. The reform program is gradually bringing Australia's framework closer to GDPR standards.
What were the biggest enforcement actions under the Privacy Act?
Three major enforcement actions define the current era. First, Australian Clinical Labs received the first-ever civil penalty under the Privacy Act, AUD 5.8 million in October 2025, for failing to protect 223,000 individuals' health information in a 2022 cyberattack. Second, Meta Platforms settled for AUD 50 million in December 2024 over the Cambridge Analytica data breach affecting more than 300,000 Australians. Third, the OAIC filed civil penalty proceedings against both Optus (9.5 million affected individuals, breach in 2022) and Medibank (9.7 million affected individuals, health data breach in 2022), which remain ongoing before the Federal Court as of May 2026.
Who is the OAIC and what powers does it have?
The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that administers the Privacy Act 1988 (Cth). It investigates complaints and can initiate its own investigations. Following the 2022 penalty increase and 2024 reforms, the OAIC can pursue civil penalties up to AUD 50 million per serious or repeated interference, issue infringement notices of up to AUD 66,000 per contravention for core breaches such as maintaining a non-compliant privacy policy, accept enforceable undertakings, and seek injunctions. The OAIC can also conduct proactive compliance sweeps, as demonstrated by its January 2026 review of approximately 60 entities.
Does Australia have state-level privacy laws?
Yes. New South Wales (Privacy and Personal Information Protection Act 1998), Victoria (Privacy and Data Protection Act 2014), Queensland (Information Privacy Act 2009), the ACT (Information Privacy Act 2014), and Tasmania (Personal Information Protection Act 2004) all have state-level privacy legislation. These laws primarily apply to their respective state and territory government agencies. Western Australia and South Australia do not have comprehensive state privacy statutes. Private sector entities may face dual federal and state obligations if they handle health information in states with state-level health privacy regimes that operate alongside the federal Privacy Act.
What is the Consumer Data Right and how does it relate to privacy?
The Consumer Data Right (CDR) gives Australians the ability to direct businesses to share their data with accredited third parties. It is currently active in banking and energy, with expansion to non-bank lenders planned from 2026. The OAIC regulates the privacy and confidentiality aspects of the CDR framework, including handling complaints and eligible data breach notifications under CDR rules. The CDR operates alongside the Privacy Act rather than replacing it, and CDR-related personal information handling must also comply with the APPs.
What does the automated decision-making reform require?
From December 2026, APP entities that use computer programs to make decisions using personal information that could reasonably be expected to significantly affect an individual's rights or interests must include new disclosures in their privacy policies. The policy must describe the kinds of personal information used in automated decision-making and the types of decisions made. This requirement was introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) and is designed to address concerns about algorithmic transparency in areas such as credit decisions, insurance assessments, and employment screening.
Sources and References
- Privacy Act 1988 (Cth) — Federal Register of Legislation (legislation.gov.au)
- Privacy and Other Legislation Amendment Act 2024 (Cth) No. 128 — Federal Register of Legislation (legislation.gov.au)
- Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 — Federal Register of Legislation (legislation.gov.au)
- My Health Records Act 2012 — Federal Register of Legislation (legislation.gov.au)
- Australian Privacy Principles — OAIC (oaic.gov.au)
- Australian Privacy Principles Guidelines — OAIC (oaic.gov.au)
- About the Notifiable Data Breaches Scheme — OAIC (oaic.gov.au)
- NDB Report January to June 2024 — OAIC (oaic.gov.au)
- Statutory Tort for Serious Invasions of Privacy — OAIC (oaic.gov.au)
- Schedule 2 Serious Invasions of Privacy, POLA Act 2024 — AustLII (austlii.edu.au)
- OAIC Regulatory Priorities 2025-26 — OAIC (oaic.gov.au)
- Privacy Compliance Sweep — OAIC (oaic.gov.au)
- Australian Clinical Labs Ordered to Pay Penalties — OAIC (oaic.gov.au)
- Landmark Settlement $50M from Meta — OAIC (oaic.gov.au)
- Civil Penalty Action Against Optus — OAIC (oaic.gov.au)
- Civil Penalty Action Against Medibank — OAIC (oaic.gov.au)
- Clearview AI Breached Australians' Privacy — OAIC (oaic.gov.au)
- APP 8 Cross-Border Disclosure — OAIC (oaic.gov.au)
- State and Territory Privacy Legislation — OAIC (oaic.gov.au)
- Privacy Guidance for AML/CTF Reporting Entities — OAIC (oaic.gov.au)
- Privacy Act Review Report — Attorney-General's Department (ag.gov.au)
- Government Response to Privacy Act Review Report — Attorney-General's Department (ag.gov.au)
- Privacy — Attorney-General's Department (ag.gov.au)
- Consumer Data Right — Australian Government (cdr.gov.au)