
Could Your Business Survive a Privacy Claim? Inside Australia’s New Privacy Reforms

High-profile cyber attack cases (Optus, Medibank and Latitude, to name a few) serve as cautionary tales of how data breaches can cripple a business and expose individuals to serious harm.

While malicious attacks are the ones that usually attract headlines, privacy breaches may also be caused by human error, misconfigured systems and unintended disclosures. Although privacy breaches are one of the most significant risks facing Australian businesses today, privacy laws are often poorly understood, and many businesses lack a clear plan for how to respond if a data breach occurs.

This article walks you through the current state of Australia’s privacy laws and Tranche 1 of the privacy reforms, including the key changes that businesses should be aware of, and gives a brief overview of the privacy reforms still to come.

Australia’s Privacy Framework and Governing Legislation

The primary piece of legislation governing privacy in Australia is the Privacy Act 1988 (Cth) (‘Privacy Act’), which includes the 13 Australian Privacy Principles (‘APPs’) contained in Schedule 1. The Privacy Act applies to APP entities (see discussion below for the definition of an APP entity). The Office of the Australian Information Commissioner (‘OAIC’) is the independent government body responsible for enforcing the Privacy Act. 

Most states and territories also have their own privacy laws covering public sector agencies, with privacy principles broadly similar to, but distinct from, the APPs.

Beyond the Privacy Act, a number of other Australian laws carry privacy-related obligations. An example is the Telecommunications Act 1997 (Cth), which imposes restrictions on the use and disclosure of customer information obtained during the supply of telecommunications services (see in particular Part 13 of the Telecommunications Act). 

Does My Business Need to Comply with the Australian Privacy Principles (‘APPs’)?

The Australian Privacy Principles apply to APP entities, which include Australian Government agencies, organisations with an annual turnover of more than $3 million, and some other organisations. Small businesses with an annual turnover of $3 million or less are generally not covered by the Privacy Act and fall outside the reach of the APPs, unless a specific exception applies.

Even if your business currently falls outside the reach of the Privacy Act, it is still good practice to voluntarily adopt the APPs. Careful handling of personal information builds consumer trust. Further, the Australian Government has agreed in-principle that the small business exemption should be removed, but commented that this should not occur until further consultation has been undertaken. Given the direction of the reforms, small businesses may wish to consider adopting the APPs proactively, rather than waiting for compliance to become mandatory.

What do the APPs require of Australian Businesses?

The Australian Privacy Principles contained in Schedule 1 of the Privacy Act consist of 13 principles governing standards, rights and obligations around the collection, use and disclosure of personal information.

The APPs are principles-based laws, intentionally drafted to allow businesses the flexibility to tailor their personal information handling practices to their business model. The APPs govern the full lifecycle of how personal information is handled.

Section 6(1) of the Privacy Act defines Personal Information: 

“personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a)  whether the information or opinion is true or not; and

(b)  whether the information or opinion is recorded in a material form or not.

While a single piece of information on its own may not identify an individual (for example, a first name), the more information an organisation holds about a person, the more likely that information is to become personal information (for example, a first name combined with a residential address may well meet the threshold).

Sensitive Information is a subset of personal information which attracts a higher level of protection under the Privacy Act. 

Section 6(1) of the Privacy Act defines Sensitive Information: 

“sensitive information” means:

(a)  information or an opinion about an individual’s:

        (i)  racial or ethnic origin; or

        (ii)  political opinions; or

        (iii)  membership of a political association; or

        (iv)  religious beliefs or affiliations; or

        (v)  philosophical beliefs; or

        (vi)  membership of a professional or trade association; or

        (vii)  membership of a trade union; or

        (viii)  sexual orientation or practices; or

        (ix)  criminal record;

that is also personal information; or

(b)  health information about an individual; or

(c)  genetic information about an individual that is not otherwise health information; or

(d)  biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e)  biometric templates.

An organisation’s governance and accountability, the integrity and correction of personal information, and the rights of individuals to access their personal information are also covered by the APPs.

Under Section 13 of the Privacy Act, a breach of an APP constitutes an ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties. 

What Changes Were Introduced as Tranche 1 of the Privacy Reforms?

The Attorney-General’s Department reviewed the Privacy Act and published the Privacy Act Review Report (‘Report’) on 16 February 2023, outlining 116 proposals for reform. On 28 September 2023, the Australian Government released its response to the Report (‘Government Response’). The Privacy and Other Legislation Amendment Act 2024 (Cth) (‘Amendment Act’) then came into effect on 10 December 2024. It progresses 23 proposals from the Government Response (often collectively termed the Tranche 1 reforms), with various provisions coming into effect on a staggered basis.

The key changes that Australian businesses should be aware of are outlined below.

Tougher Standards for Data Security 

The obligation under APP 11.1 to take “reasonable steps” to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, has now been strengthened with the specification that reasonable steps must include “technical and organisational measures” (see APP 11.3 added by the Amendment Act). 

The explanatory memorandum suggests that technical measures could include securing access to premises, encrypting data, anti-virus software and strong passwords, and organisational measures could include staff training on privacy and security obligations, and developing operating procedures and policies for securing personal information. 

Implementing technical and organisational measures to protect the personal information held by your organisation (proportionate to the type, volume and sensitivity of the data and the potential risk of harm associated with it) is not only required by law for APP entities; it also gives an organisation clear evidence it can produce to demonstrate that it has taken “reasonable steps” to protect personal information should a complaint arise.

New Statutory Tort for Serious Invasion of Privacy

The Amendment Act also introduced a new statutory tort for serious invasion of privacy which commenced on 10 June 2025. Individuals can now take direct legal action against businesses or individuals who seriously intrude upon their privacy either by invading their seclusion or misusing their information (see Schedule 2 of the Amendment Act for full wording of the provisions). 

This new tort was applied by the District Court of New South Wales for the first time in the published decision of Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396 (‘Kurraba case’). In this case, the Plaintiffs (an Australian company and its CEO) sought a suite of interlocutory orders based on the torts of defamation, intimidation and, importantly, serious invasion of privacy. The Defendants allegedly led a “campaign of extortion” against the Plaintiffs, which included publishing the CEO’s private wedding photos online without his consent and in a manner that sought to portray “moral delinquency and drunkenness”.

Justice Gibson found that there was a serious question to be tried in relation to the tort of privacy. Her reasons included that the photos were never intended to be made public, that the wedding was intended to be “as private as was possible”, that the CEO and his wife were not public figures and had no intention of publishing their wedding photos to any mass publication, and that the Defendant misused the wedding photos in seeking to portray “moral delinquency and drunkenness”. The journalistic exemption did not apply, as Justice Gibson determined that the Defendant’s conduct was extortion rather than journalistic-style investigation. The Court granted an interlocutory injunction, making this the first published judicial consideration of the new statutory tort.

This new tort is broadly defined, and entities and conduct previously outside the reach of the Privacy Act may now potentially be captured, subject to further interpretative guidance. As illustrated in the Kurraba case, individuals, including business leaders, may benefit from greater privacy protections than before (in addition to the new doxxing provisions which came into effect on 11 December 2024, also via the enactment of the Amendment Act). However, the risk of businesses being sued for mishandling privacy-related matters has also increased.

Stronger Enforcement Powers for the OAIC

The OAIC has been granted stronger investigative and enforcement powers, including a new power to conduct public inquiries into systemic industry-wide acts and practices, with ministerial approval. A tiered civil penalty regime has also been introduced, meaning the OAIC can now issue infringement notices directly for lower-level violations of the Privacy Act. 

For individuals, complaints to the OAIC remain the primary avenue for seeking redress, with the new statutory tort allowing individuals to bypass the OAIC and commence proceedings directly in court for serious invasions of privacy. Businesses now face a lower threshold for potential intervention by the regulator across a spectrum of privacy-related activity, regardless of whether a complaint has been made.

Transparency in Automated Decision-Making

If your business (an APP entity) uses an individual’s personal information in an automated decision-making (‘ADM’) system to make a decision, and the decision could reasonably be expected to significantly affect the rights or interests of the individual, then your privacy policy must describe the kinds of personal information used in ADM and the kinds of decisions made by ADM (see Schedule 1, Part 15 of the Amendment Act for details).

As the provisions do not take effect until 10 December 2026, official guidance on their practical application remains limited. However, the new APP 1.9 (not yet in effect) provides a non-exhaustive list of the types of decisions that may trigger the obligations, including decisions to grant or refuse a benefit, decisions affecting contractual rights, and decisions affecting access to significant services. Drawing on this, it can be inferred that the provisions may extend to decisions such as credit scoring, insurance underwriting and employment screening.

Children’s Online Privacy Code

If your business provides a social media service, messaging app, website or other online platform that is likely to be accessed by children, the Children’s Online Privacy Code to be developed and registered by the Australian Information Commissioner will be relevant. The Commissioner will seek and consider public submissions on the draft code, so affected businesses may wish to monitor consultation opportunities, as engagement may help shape its final form.

This summary does not capture the full suite of Tranche 1 reforms. For a thorough review of all changes and their application to your business, we recommend seeking professional legal advice. 

What is Still to Come:

The exact timeline of further reforms to the Privacy Act is yet to be confirmed. The full scope of these changes also remains uncertain, but based on previous indications outlined in the Report and the Government Response, they may include:

  • removal of the small business exemption, which currently applies to businesses with an annual turnover of $3 million or less;
  • an expanded definition of personal information to include technical identifiers such as IP addresses and device identifiers;
  • a new ‘fair and reasonable’ test to apply to the handling of personal information notwithstanding any consent provided by the individual; and
  • expanded individual rights such as the right to erasure. 
 
In Summary: 

Practical steps businesses can take to bolster their Privacy processes in light of the ongoing Privacy reforms:

  • Take reasonable measures to protect personal information as required by APP 11.1, and be in a strong position to demonstrate you have done so.
  • Understand the current privacy obligations imposed by the APPs, including the more explicitly defined security measures required by the new APP 11.3, which mandates technical and organisational measures.
  • Review current organisational privacy policies and update as necessary, particularly if your business utilises automated decision making processes (new transparency obligations commence 10 December 2026).
  • Embed ‘privacy by design’ as an organisational principle, ensuring privacy compliance is a whole of organisation approach. 
  • If your business provides an online service or platform that is likely to be accessed by children, uplift resources to ready your business to comply with the Children’s Online Privacy Code to be developed. Monitor consultation opportunities closely. 
  • Ensure your business has a clear data breach preparation and response plan (the guide made available by the OAIC is a useful starting point). 
  • Seek legal advice if you need guidance or are unsure of the application of privacy laws particularly as they apply to your business. 

By undertaking these steps, businesses not only reduce the likelihood of attracting a privacy complaint in the first place but also strengthen their position should one arise.

In the determination of ‘ATE’ and ‘ATF’ [2025] AICmr10 (13 January 2025), the OAIC dismissed claims that the organisation had breached APP 11.1 (an ancillary matter considered as part of the broader complaint). In this matter, personal information was secured in a Customer Management System (‘CMS’) where access was limited to staff who worked in the customer support team or who required access to carry out their functions. The CMS was password protected and all changes to customer details were logged.

The OAIC was of the view that even if additional steps were implemented to protect personal information in this case, it would not have prevented the disclosure by the senior employee. It commented, “The fact that the senior employee circumvented the respondent’s practices, procedures and systems does not itself indicate that the respondent failed to take reasonable steps to protect the complainant’s personal information.”  

Where a business can demonstrate a documented, layered and considered approach to privacy compliance, it creates a strong evidentiary foundation for surviving a privacy claim.

This publication contains general information only and does not constitute legal advice. You should obtain professional advice tailored to your circumstances before acting on any information contained in this article.

¹ Privacy Act Review Report available here: https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
