Australia’s New Privacy Laws Explained – What Every Australian Needs to Know?

Australia’s privacy laws have just gone through their biggest overhaul since the Privacy Act was first introduced in 1988. If you share personal information with businesses online, use social media, or run a company that collects customer data, these changes affect you directly.

The Privacy and Other Legislation Amendment Act 2024 received royal assent on 10 December 2024 and has been rolling out in stages. The most significant change of all, a brand new right to sue for serious invasions of privacy, came into force on 10 June 2025. More reforms are still on the way.

This article breaks down what changed, what it means for you as an individual, and what businesses operating in Australia now need to do to stay on the right side of the law.

Why Did Australia’s Privacy Laws Need to Change?

The original Privacy Act was written for a world without smartphones, social media, or cloud computing. In the years since, Australians have handed over more personal data than ever before, often without fully understanding how it is collected, stored, or shared.

A series of major data breaches brought the issue to a head. The Optus breach in 2022 exposed the personal details of approximately 9.8 million Australians. The Medibank breach shortly after compromised the health records of 9.7 million people. These events made it impossible to ignore how poorly protected Australian consumers were under the old framework.

The reform process drew on 116 recommendations from the Attorney-General’s Department’s Privacy Act Review Report published in February 2023. What emerged is a law designed to give Australians more control over their data and hold businesses to a much higher standard of accountability. You can read the full review findings at the Office of the Australian Information Commissioner (OAIC).

The Key Changes You Need to Know About

1. The Right to Sue for Serious Privacy Invasions

This is the most significant new right introduced for individuals. From 10 June 2025, Australians can take a private legal action (known as a statutory tort) against a person or organisation that has seriously invaded their privacy.

To succeed in a claim, you need to show that:

  • Your privacy was invaded by someone intruding on your personal space or misusing your personal information
  • A reasonable person in your position would have expected privacy in those circumstances
  • The invasion was intentional or reckless, not merely accidental

Remedies can include financial compensation and court injunctions. It is worth noting that the tort does not apply posthumously, meaning it cannot be pursued on behalf of a deceased person’s estate.

2. Much Higher Penalties for Businesses That Breach the Law

Fines for serious or repeated privacy breaches have increased dramatically. Organisations can now face penalties of up to $50 million per incident, or 3 times the benefit gained from the breach, or 30 percent of adjusted annual turnover, whichever is greater.

The first civil penalty under the federal Privacy Act was handed down in 2025, when Australian Clinical Labs faced legal action after a data breach exposed patient medical records. The outcome sent a clear message to every organisation handling sensitive data in Australia.

3. Stronger Data Security Obligations

Businesses must now demonstrate that they have taken both technical and organisational steps to protect personal information. This goes further than the previous requirement, which was more loosely defined.

Acceptable technical measures include multi-factor authentication and data encryption. Organisational measures include access controls, staff training, and deactivating accounts when employees leave. The Australian Cyber Security Centre (ACSC) publishes practical guidance that businesses can use to meet these requirements.

4. New Right to Erasure

Individuals can now request that a business delete their personal data in certain circumstances, including when the data is no longer needed for its original purpose, when consent has been withdrawn, or when the information was unlawfully collected in the first place. Businesses must have clear processes in place to handle these requests.

5. Tighter Rules Around Consent

Pre-ticked boxes, vague wording, and bundled consent are no longer acceptable. Consent must now be specific, informed, and transparent. This is particularly relevant for online businesses collecting data for marketing, third-party sharing, or any use involving sensitive personal information.

6. Transparency Around Automated Decision-Making

If a business uses an algorithm or automated system to make decisions that could significantly affect your rights or interests, such as approving a loan, shortlisting a job application, or determining an insurance premium, it must now disclose this in its privacy policy. Businesses have until 11 December 2026 to update their documentation.

7. A Children’s Online Privacy Code Is Coming

The OAIC is developing a dedicated Children’s Online Privacy Code, which will apply to social media platforms, apps, and websites commonly accessed by people under 18. The code must be registered by December 2026 and is expected to require child-friendly privacy notices and stricter rules around collecting minors’ data.

What Do the New Laws Mean for Everyday Australians?

For most people, these reforms deliver three meaningful improvements. First, you have a genuine legal pathway if a company or individual seriously misuses your personal information. Second, businesses face real financial consequences for careless data handling, which creates a stronger incentive to get it right. Third, you now have the ability to ask that your data be deleted if there is no longer a legitimate reason to hold it.

If you believe your privacy has been seriously invaded, the recommended first step is to lodge a complaint with the OAIC. The commissioner has expanded powers to investigate, mediate, and enforce penalties. If the matter is not resolved, you may then pursue the statutory tort through the courts.

For help understanding your rights and how to make a complaint, visit the Australian Competition and Consumer Commission (ACCC), which also covers consumer data rights across a range of sectors.

What Do Businesses Need to Do Right Now?

If your business collects, stores, or uses personal information, the time to act is now. The following steps are a practical starting point:

  • Review your privacy policy and update it to reflect the new laws, including any use of automated decision-making
  • Audit how you collect, store, and share personal data and eliminate any unnecessary collection
  • Review and strengthen your consent processes, removing pre-ticked boxes and vague language
  • Build or update your data breach response plan and ensure you can notify the OAIC within the required timeframe
  • Train staff across privacy, HR, legal, and risk teams so everyone understands the new obligations
  • Conduct a Privacy Impact Assessment before adopting new technologies that handle personal data

The small business exemption, which currently excludes businesses with annual turnover under $3 million, remains in place for now. However, advocacy groups are pushing for its removal, and businesses in this category should stay informed as further reform tranches are expected.

For a comprehensive compliance checklist and plain-language guidance, the LegalVision Privacy Act Reform Guide is a well-regarded resource for Australian businesses of all sizes.

Conclusion

Australia’s new privacy laws represent the most significant upgrade to individual data rights in a generation. The introduction of the right to sue, sharply increased penalties, and stronger data security obligations reflect how seriously the government is taking privacy protection in a digital economy.

For individuals, the message is clear: you now have real tools to protect your personal information and seek redress when things go wrong. For businesses, the cost of getting privacy wrong has never been higher. Proactive compliance is no longer optional.

Stay up to date with ongoing reforms and your state-specific obligations by bookmarking the OAIC’s official resource hub. The second tranche of reforms is expected to follow, and the privacy landscape will continue to evolve throughout 2026 and beyond.

FAQs

1. When did Australia’s new privacy laws come into effect?

Most of the amendments under the Privacy and Other Legislation Amendment Act 2024 came into effect on 10 December 2024. The statutory tort giving individuals the right to sue for serious invasions of privacy commenced on 10 June 2025. Further changes, including the Children’s Online Privacy Code, are scheduled for 2026.

2. Can I sue a company that misused my personal information?

Yes, from 10 June 2025 you can pursue a statutory tort for serious invasions of privacy. You need to show that the invasion was intentional or reckless and that a reasonable person in your situation would have expected privacy. The recommended starting point is to lodge a complaint with the OAIC before taking court action.

3. Does my small business need to comply with the new privacy laws?

The small business exemption currently applies to businesses with annual turnover under $3 million, meaning many small operators are still exempt from the main provisions of the Privacy Act. However, this exemption is under review, and some specific obligations may still apply depending on the type of data your business handles. It is worth seeking legal advice to understand your specific position.

4. What is automated decision-making, and does the new law cover it?

Automated decision-making (ADM) refers to when a system or algorithm makes a significant decision about a person without direct human involvement, such as in loan approvals or job shortlisting. Under the new laws, businesses that use ADM in ways that significantly affect people’s rights or interests must disclose this in their privacy policy. Businesses have until 11 December 2026 to comply with this requirement.

5. How do I make a privacy complaint in Australia?

You can make a formal privacy complaint directly to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. The OAIC can investigate your complaint, facilitate conciliation, and in serious cases take enforcement action against the organisation involved. If your complaint involves a serious invasion of privacy, you may also be able to pursue a legal claim through the courts.