Australia Privacy Act 1988: 101 – What You Need to Know

What Is the Australia Privacy Act 1988?

Australia’s Privacy Act 1988 (Cth) is a long-standing federal law that regulates how personal information is handled. Parliament passed the Privacy and Other Legislation Amendment Act 2024 on 29 November 2024 and it received Royal Assent on 10 December 2024. The reforms commence in stages: some took effect on assent, the statutory tort commenced on 10 June 2025, and the remaining obligations commence by 10 December 2026.

The Privacy Act applies to Australian Government agencies, businesses with annual turnover of A$3 million or more, all private health service providers, and some small businesses meeting specific criteria. Importantly, it also applies to organisations that carry on business in Australia from overseas, so a UK business serving Australian customers will usually need to comply.

The 2024 reforms significantly strengthen enforcement powers and penalties, introduce a statutory tort for serious privacy invasions, and create new obligations around automated decision-making and children’s online privacy.

Who Must Comply?

The Privacy Act applies to organisations conducting business in Australia or handling Australian personal information. You must comply if you’re an Australian Government agency, a business with annual turnover of A$3 million or more, or a private health service provider regardless of turnover. A small business below the threshold is also covered if it trades in personal information, is a credit reporting body, is a related body corporate of a covered business, or is a contracted service provider for a Commonwealth contract.

International businesses must comply if they carry on business in Australia, even with no physical presence there. Since the 2022 amendments it no longer matters whether the personal information was collected or held in Australia. If your UK business has Australian customers and collects their personal information, the Privacy Act likely applies to you.

The A$3 million threshold is significantly lower than most US state privacy laws, meaning the Privacy Act captures far more businesses. Additionally, the threshold applies to overall business turnover, not to the number of individuals whose data you process.

Individual Rights Under the Privacy Act

Australians have the right to access their personal information held by organisations, request corrections to inaccurate or outdated information, complain to the Office of the Australian Information Commissioner about privacy breaches, and seek compensation through the Commissioner or courts for privacy violations.

Since 10 June 2025, Australians also have a statutory tort for serious invasions of privacy. An individual can sue directly in court, without going through the Commissioner first, where the invasion was intentional or reckless, the individual had a reasonable expectation of privacy, and the public interest in privacy outweighs any countervailing public interest. This is a significant shift: it gives individuals an enforcement tool that does not depend on regulatory action.

What Are Your Obligations?

The Privacy Act requires compliance with the 13 Australian Privacy Principles (APPs) in Schedule 1, which govern how you collect, use, store, and disclose personal information.

You must maintain an up-to-date privacy policy that clearly explains your information handling practices in plain language (APP 1). You must give individuals the option to deal with you anonymously or using a pseudonym where practicable (APP 2).

You must collect personal information only when reasonably necessary for your functions and only through lawful and fair means (APP 3). Sensitive information, such as health or biometric data, generally requires consent to collect. When you collect information, you must notify individuals of who you are, why you’re collecting their information, who you’ll disclose it to, how to find your privacy policy, and how they can access their information or complain (APP 5).

You must use or disclose personal information only for the purpose you collected it, unless an exception applies (APP 6). Direct marketing restrictions specifically limit how you can use information for marketing (APP 7). Before disclosing information overseas, you must take reasonable steps to ensure the recipient will handle it consistently with the APPs (APP 8), and you generally remain accountable for the recipient’s handling of it.

You cannot adopt government identifiers like tax file numbers as your own identifiers (APP 9). You must keep personal information accurate, up-to-date, complete, and relevant (APP 10). You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, which in practice means technical and organisational measures, and you must destroy or de-identify information you no longer need (APP 11).

You must give individuals access to their personal information within a reasonable period unless an exception applies, and if you refuse access you must give written reasons (APP 12). You must correct information when requested or when you identify inaccuracies (APP 13).

You must have a complaints process and must investigate and respond to complaints within a reasonable period.

By 10 December 2026, your privacy policy must explain any computer programs you use to make decisions that could significantly affect individuals, and you must comply with the Children’s Online Privacy Code, which the Commissioner must register by that date, when providing online services likely to be accessed by children.

Training Your Team

Whilst the Privacy Act doesn’t explicitly mandate training, compliance requires staff who understand their obligations. Your programme should cover what personal information your organisation collects, the Australian Privacy Principles relevant to staff roles, how to handle access and correction requests, data breach notification procedures, security practices, and your specific privacy policies.

Customer service teams need training on privacy requests and complaints. IT teams need security and system training. Marketing teams need direct marketing restrictions training. Management needs breach reporting and governance training. Regular refresher training maintains a privacy-aware culture.

Enforcement and Penalties

The Office of the Australian Information Commissioner enforces the Privacy Act. The 2024 reforms significantly strengthened enforcement powers and increased penalties.

The Commissioner can now issue compliance notices requiring organisations to take specific actions to remedy breaches. Failure to comply with a compliance notice carries penalties up to A$330,000 for corporations. This provides an alternative to immediate court action.

The penalty structure now has three tiers. Low-tier violations, such as failing to have a compliant privacy policy, can result in infringement notices issued directly by the Commissioner. Mid-tier violations involving non-serious interferences with privacy carry maximum penalties of A$660,000 for individuals or A$3.3 million for companies. High-tier violations for serious interferences with privacy carry maximum penalties of A$50 million, three times the value of any benefit obtained, or 30% of adjusted turnover during the breach period, whichever is greater.

The top tier was introduced by the 2022 enforcement amendments; the 2024 reforms added the low and mid tiers, which matter because the Commissioner can now act against ordinary non-compliance without having to prove a serious or repeated contravention. Together these penalties represent a massive increase on the former maximums and bring Australia’s privacy enforcement in line with GDPR-level consequences.

The Commissioner can also seek injunctions, declarations, and orders requiring organisations to implement privacy management programmes or conduct audits.

With the statutory tort in effect since June 2025, individuals can sue directly for serious invasions of privacy. Courts can award damages, including for emotional distress, without the individual having to prove financial loss. This creates significant liability risk beyond regulatory penalties.

Recent enforcement demonstrates the Commissioner’s active approach. Following the Medibank data breach in 2022, the Commissioner investigated and, in June 2024, filed civil penalty proceedings in the Federal Court alleging that Medibank failed to take reasonable steps to protect the personal information it held. In November 2024, the Commissioner found that Bunnings had interfered with customers’ privacy by collecting sensitive biometric information through facial recognition technology without adequate notification or consent, and ordered it not to repeat the practice. These cases signal a focus on data breaches, inadequate security, emerging technologies like facial recognition, and transparency failures.

Preparing for Compliance

Determine whether the Privacy Act applies to your organisation. Australian businesses with turnover over A$3 million, health service providers, and international businesses handling Australian personal information must comply.

Review your privacy policy against the Australian Privacy Principles. Ensure it’s comprehensive, current, clearly written, and explains your information handling practices in plain language.

Implement processes for handling access and correction requests: verify the requester’s identity, locate the information, provide access or give written reasons for refusal, process corrections, and document each response.

Review data security measures against APP 11. Implement technical safeguards such as encryption, access controls, logging, and secure storage and disposal. Implement organisational measures including policies, training, incident response procedures, and vendor management.

If you disclose information overseas, review cross-border transfer arrangements and ensure appropriate safeguards, such as contractual protections binding the recipient to the APPs or a documented assessment that the recipient is subject to substantially similar privacy law.

Prepare for the 10 December 2026 deadlines for automated decision-making transparency and the Children’s Online Privacy Code. Develop a data breach response plan covering detection, harm assessment, containment, notification, and remediation. Under the Notifiable Data Breaches scheme, you must assess a suspected eligible data breach within 30 days and notify the Commissioner and affected individuals where the breach is likely to result in serious harm.

Train your staff on privacy obligations relevant to their roles.

Where to Get Help

The Office of the Australian Information Commissioner provides comprehensive guidance and resources. Review the Australian Privacy Principles Guidelines for detailed interpretation.

For international businesses, consult lawyers familiar with Australian privacy law and your jurisdiction’s laws. Privacy consultants can conduct gap assessments and help implement privacy management programmes.

Measured Collective offers privacy training covering universal principles underlying privacy regulations worldwide. The Australian Privacy Principles share common concepts with GDPR, UK GDPR, and US state laws—transparency, data minimisation, purpose limitation, security, accountability.

The 2024 reforms position Australia among the world’s strictest privacy regimes. Significantly increased penalties, new enforcement powers, and individual litigation rights create substantial compliance pressure. Start your compliance efforts now, particularly for the 10 December 2026 obligations. With maximum penalties of A$50 million or more, Australian privacy compliance is business-critical.


Official Sources:

  • Privacy Act 1988 (Cth): https://www.legislation.gov.au/Series/C2004A03712
  • Office of the Australian Information Commissioner: https://www.oaic.gov.au/
  • Australian Privacy Principles Guidelines: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.
