Australia's Privacy Act Reforms: What Changed in 2024 and What You Need to Do Now

The most significant overhaul of Australian privacy law since 1988 is now in force. The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024 — here's what's already in effect, what's still coming, and what the changes mean for your organisation's security and compliance obligations.

Australia's Privacy Act 1988 went largely unchanged for decades while the digital economy transformed what "personal information" means, how it's collected, and what harms a breach can cause. The 2022 Optus and Medibank breaches — which exposed the records of tens of millions of Australians — sharpened public and political appetite for reform. The result, after years of review and consultation, is the Privacy and Other Legislation Amendment Act 2024 (POLA): the first major rewrite of Australian privacy law in a generation.

This is the first tranche of what will be multiple rounds of reform. The government has agreed in principle to remove the small business exemption, introduce a "fair and reasonable" test for data handling, and bring Australian law closer to GDPR in several key respects — but those changes are still to come. What's already law matters significantly for any organisation handling personal information today.

At a glance:

  • 10 December 2024 — POLA received Royal Assent; most provisions immediately in force
  • $50M — maximum penalty for serious or repeated privacy breaches by large organisations
  • 10 June 2025 — statutory tort for serious invasions of privacy commenced; individuals can now sue directly

What Has Already Changed — The Reform Timeline

Different provisions of POLA took effect at different times. Understanding which changes are already in force versus still pending is essential for compliance planning.

  • 10 December 2024 — Already in effect

    Majority of POLA provisions commence

    Enhanced OAIC enforcement powers, new tiered penalty structure, clarification that "reasonable steps" under APP 11 includes technical and organisational measures, new infringement notice powers for inadequate privacy policies, expanded search and seizure powers for the regulator, international data transfer whitelist mechanism.

  • 10 June 2025 — Already in effect

    Statutory tort for serious invasions of privacy

    Individuals now have a direct right to sue for serious privacy invasions — either intrusion upon seclusion or misuse of personal information — without relying on the OAIC to act. Applies to any person or organisation, including those not otherwise covered by the Privacy Act.

  • 11 December 2026 — Deadline approaching

    Automated decision-making transparency

    All APP entities must update their privacy policies to explain when and how automated processes are used to make decisions that could significantly affect individuals. Any organisation using AI or algorithmic tools in customer-facing or HR processes needs to plan for this now.

  • 10 December 2026 — Deadline approaching

    Children's Online Privacy Code must be registered

    The OAIC must develop and register a code establishing specific obligations for organisations handling the personal information of children. Relevant to digital platforms, healthcare providers, childcare operators, and any organisation with a significant child audience.

  • Timing uncertain — Tranche 2

    Small business exemption removal, fair and reasonable test, expanded rights

    The government has agreed in principle to remove the $3M turnover exemption, introduce a "fair and reasonable" test for all data handling, and expand individual rights including erasure. The second tranche of reforms has been delayed and its timing remains uncertain as of early 2026.

The Most Important Changes for Businesses

1. "Reasonable steps" now explicitly means technical controls

APP 11 has always required APP entities to take "reasonable steps" to protect personal information from misuse, loss, and unauthorised access. POLA has clarified — for the first time in the legislation — that these reasonable steps include technical and organisational measures. This is not a new obligation; it's a codification of what regulators and courts have long expected. But the explicit language removes any ambiguity about whether documented policies alone are sufficient.

What it means in practice: organisations covered by the Privacy Act are now expected to demonstrate both governance (written policies and procedures) and technical implementation (access controls, encryption, patching, MFA, backup procedures). A privacy policy document is not enough — the controls described in that policy must actually exist and be operating. The ASD's Essential Eight framework is increasingly referenced by the OAIC as a practical benchmark for what that technical implementation looks like.

The OAIC's enforcement focus: Privacy Commissioner Carly Kind has made clear that 2025 marks a shift to active enforcement. Recent OAIC determinations — including findings against Bunnings for facial recognition technology and Property Lovers for data scraping — demonstrate a regulator willing to use its expanded powers. The OAIC can now issue compliance notices, infringement notices, and commence civil penalty proceedings with substantially lower barriers than before.

2. New penalties — and a mid-tier that makes enforcement easier

The penalty framework has been significantly restructured. The maximum penalty for serious or repeated interferences with privacy remains $50 million for large organisations. But POLA has added a mid-tier: civil penalties of up to $3.3 million for companies (and $660,000 for individuals) for privacy breaches that are serious but not at the highest level. There are also infringement notices — fixed penalties — for technical breaches such as maintaining an inadequate or missing privacy policy.

This matters because the original framework required the OAIC to prove a "serious interference with privacy" to obtain civil penalties — a high bar that had historically resulted in very few enforcement actions. The new tiered structure gives the regulator a proportionate response for breaches that are real but not catastrophic, making enforcement far more likely across a wider range of conduct. For a detailed picture of the full consequences when a breach occurs, see what happens when an Australian business gets hacked.

3. The statutory tort — individuals can now sue directly

This is arguably the most significant structural change in POLA. From 10 June 2025, individuals have a direct statutory right of action for serious invasions of privacy. They do not need to rely on the OAIC investigating and prosecuting; they can go to court themselves.

To succeed, a claimant must show: the invasion was intentional or reckless (not merely negligent), the individual had a reasonable expectation of privacy, and the invasion was serious — meaning it is of a kind that a reasonable person would consider serious, not trivial. Remedies include damages (up to the current defamation cap of $459,000), injunctions, and account of profits. Importantly, the plaintiff doesn't need to prove they suffered quantifiable financial damage — the tort protects dignity and intangible interests.

The Medibank breach is often cited as the type of event that could now generate significant class action exposure under this provision. Consider: if a healthcare provider suffered a breach of patient records today and could be shown to have handled security recklessly, affected patients would have a direct legal path to damages.

4. Privacy policies — fines for getting this wrong

POLA introduced infringement notice powers that allow the OAIC to fine organisations directly for failing to maintain a compliant privacy policy. The required contents under APP 1.4 include: what personal information is collected, how it's used and disclosed, how individuals can access and correct their information, how to complain, whether information is disclosed overseas and to which countries, and — from December 2026 — whether automated decision-making is used.

The Privacy Commissioner has specifically flagged privacy policies as a priority enforcement area. If yours hasn't been reviewed in the last 12 months, it almost certainly needs updating to reflect POLA's requirements and the new tort of serious invasion of privacy.

5. International data transfers simplified — but no countries whitelisted yet

POLA introduced a whitelist mechanism: once the Governor-General prescribes a country as having substantially similar privacy protections to Australia's, organisations can transfer personal information there without additional contractual safeguards. The EU, UK, and other GDPR-aligned jurisdictions are expected to be among the first listed. However, as of early 2026, no countries have yet been formally whitelisted — organisations must still comply with the existing APP 8 requirements for international transfers.

Who Must Comply — and Who Is Still Exempt

The Privacy Act applies to "APP entities" — broadly, organisations with annual turnover above $3 million, plus specific categories regardless of size.

Organisations that must comply regardless of turnover include:

  • All private sector health service providers — GP clinics, allied health practices, pharmacies, psychologists, physiotherapists, gyms, childcare centres — with no turnover threshold
  • Credit reporting bodies and credit providers
  • Organisations that trade in personal information
  • Contractors to Commonwealth agencies
  • Organisations that opt in to coverage

Regulated professions — including health practitioners registered under AHPRA and registered tax agents and BAS agents — face layered obligations where the Privacy Act interacts with sector-specific regulatory codes.

The $3 million small business exemption still applies for now. It covers roughly 95% of Australian businesses by count — around 2.5 million SMEs. But the government has agreed in principle to remove it in Tranche 2. The timing is uncertain, but the direction is clear: Australian small businesses that collect personal information should treat full Privacy Act coverage as a near-term certainty, not a distant possibility.

Several sectors face stronger obligations regardless of turnover. Health service providers are covered by the Privacy Act regardless of size. Accounting and tax practices that handle tax file numbers are also covered regardless of turnover — the TFN Guidelines make the exemption unavailable.

Small businesses are already affected — even if technically exempt. Three practical reasons: First, the statutory tort for serious invasions of privacy applies to anyone, not just APP entities — a small business can be sued under it. Second, larger customers and enterprise supply chains increasingly require privacy compliance from their suppliers as a contractual condition, regardless of the Privacy Act exemption. Third, if you process or store personal information on behalf of an organisation that is covered by the Act, their APP obligations flow through to you.

What Businesses Need to Do Now

Immediate priorities (already required)

  • Review and update your privacy policy — check it meets all APP 1.4 requirements; fix any gaps now that infringement notices apply to inadequate policies
  • Assess your technical security controls — "reasonable steps" explicitly includes technical and organisational measures; document what controls you have and identify gaps
  • Review your data breach response plan — the Notifiable Data Breaches scheme is unchanged, but the new tort and enforcement posture increase the stakes of any breach
  • Audit who accesses personal information — access controls, privileged user management, and third-party data access all factor into whether your "reasonable steps" defence is credible
  • Map your overseas data transfers — identify all third parties in non-whitelisted jurisdictions and ensure APP 8 obligations are met

Before 11 December 2026

  • Automated decision-making audit — identify any systems (algorithms, AI tools, scoring models) that make or materially influence decisions affecting individuals, and prepare privacy policy disclosures
  • Children's data review — if your service is accessible to or used by children, begin assessing what the Children's Online Privacy Code is likely to require

Prepare now for Tranche 2

  • If you're currently exempt — treat full Privacy Act coverage as likely in the next one to two years; begin the compliance work now rather than scrambling when exemption removal is legislated
  • Privacy impact assessments — the Tranche 2 reforms are expected to require PIAs for high-risk data activities; developing this capability now positions you ahead of the obligation
  • Data minimisation — stop collecting personal information you don't need; this reduces breach exposure now and reduces the compliance burden when the "fair and reasonable" test applies

Assess Your Privacy Compliance Posture

Our industry-specific cyber security health checks cover the security controls that underpin your Privacy Act obligations — including technical and organisational measures, access management, backup and recovery, and incident response readiness. Available for GP clinics, allied health, accounting, legal, financial planning, and more.
