Jun 12, 2026

Privacy Act Compliance in Australia: What Every Business Must Know in 2026

If you thought privacy compliance was something only large corporations needed to worry about, 2026 has a very different message for you.

Australia's privacy landscape has undergone its most significant transformation in the history of the Privacy Act 1988. A wave of legislative reform, landmark court decisions, and a newly aggressive regulator have collectively changed the rules — and the consequences — for how businesses handle personal information.

Whether you run a small healthcare practice, a growing e-commerce store, or a national financial services firm, the obligations are real, the penalties are serious, and the time to act is right now.

What Is the Privacy Act and Who Does It Apply To?

The Privacy Act 1988 (Cth) is Australia's primary federal law governing how organisations collect, use, store, and disclose personal information. It applies to most Australian Government agencies, private sector businesses with an annual turnover above $3 million, and certain health service providers regardless of size.

But here's what many businesses haven't registered yet: an estimated 100,000+ small businesses will become regulated by the Privacy Act for the first time, starting 1 July 2026, thanks to a little-known amendment. If your business has been operating under the assumption that the Act doesn't apply to you because of your size, that assumption may need revisiting.

The law is built around 13 Australian Privacy Principles (APPs), which set out how personal information must be handled across its entire lifecycle — from initial collection through to destruction or de-identification when it's no longer needed.

The 2024 Reforms: What Has Actually Changed

Australia's Privacy and Other Legislation Amendment Bill 2024 was passed on November 28, 2024. It introduces a statutory tort for serious privacy invasions, criminalises "doxxing," mandates a Children's Online Privacy Code, and boosts the OAIC's enforcement powers to strengthen data protection.

That's a lot in one piece of legislation. Here's what it means practically for businesses:

A New Right to Sue — The Statutory Tort

The amendments have introduced a statutory tort of serious invasions of privacy. For the first time, Australians have a personal right of action to sue another party where that party has invaded their privacy by intruding upon their seclusion or misusing information relating to them.

This is a fundamental shift. Before this change, privacy enforcement was essentially a matter between an organisation and the regulator. Now, individuals can take you to court directly. The statutory tort for serious invasions of privacy has applied since 10 June 2025.

For businesses that have experienced data breaches or mishandled customer information in ways that caused genuine harm, the exposure is now dual: regulatory penalties and private litigation.

Tiered Penalties That Hit Hard

The OAIC now operates with two additional tiers to the privacy civil penalty regime. A new mid-tier penalty applies to privacy breaches that aren't deemed 'serious' enough for the highest penalty, and can result in fines of up to $3.3 million for corporations or $660,000 for individuals. A new low-tier penalty allows the OAIC to issue infringement notices up to $330,000 for corporations or $66,000 for non-incorporated entities.

At the top end, the numbers are genuinely alarming. For the most serious breaches — repeated, systemic, or deliberate — penalties for bodies corporate can reach $50 million, three times the benefit obtained from the conduct, or 30% of adjusted domestic turnover. Whichever of those three figures is the greatest is what applies.

Automated Decision-Making Transparency — Coming December 2026

The amendments requiring automated decision-making to be disclosed in privacy policies take effect on 10 December 2026.

If your organisation uses AI tools, algorithms, or automated processes to make decisions that affect individuals — in hiring, lending, insurance, healthcare, or customer service — you will need to disclose this in your privacy policy before that deadline. This is not a minor administrative update. For organisations that have been quietly deploying AI tools without reviewing their privacy obligations, the clock is running.

The OAIC Is Not Waiting: Real Enforcement in Action

The most telling signal that privacy compliance has fundamentally changed isn't the legislation — it's what the regulator is actually doing with it.

Australia's First Civil Penalty Under the Privacy Act

The Federal Court's decision in Australian Information Commissioner v Australian Clinical Labs (No 2) [2025] FCA 1224 marks a turning point in privacy enforcement in Australia. It resulted in the first civil penalty under the Privacy Act being imposed on Australian Clinical Labs, which was ordered to pay an AUD $5.8 million penalty following a 2022 data breach affecting 223,000 individuals.

The case involved a ransomware attack on Medlab Pathology. What made it legally significant wasn't just the breach itself — it was the organisation's failure to properly investigate whether data had been exfiltrated, and then its delay in notifying the OAIC. That sequence of poor decisions converted what might have been a regulatory conversation into a Federal Court matter.

The OAIC's Compliance Sweep

The regulator didn't stop at one enforcement action. Australia's privacy regulator started 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses' privacy policies to ensure they meet strict rules — scrutinising businesses that collect information in person, such as real estate agents asking for phone numbers at open houses or car rental agencies presenting customers with lengthy forms.

In 2026, the OAIC will continue civil penalty proceedings against Optus and Medibank, and advance Commissioner-initiated investigations into rental tech, connected cars, and tracking pixels.

The message from the regulator is clear: enforcement is no longer theoretical. It is active, targeted, and expanding into sectors that previously hadn't experienced significant privacy scrutiny.

What Australian Businesses Must Do Right Now

Compliance isn't about having a privacy policy on your website. It never really was. But in 2026, the gap between performative compliance and genuine compliance is where the risk lives.

Here's what practical compliance looks like:

Review your privacy policy against APP 1.4. The OAIC's compliance sweep targeted this specific provision. Your policy must accurately describe what information you collect, why you collect it, how you use it, and how individuals can access or correct their information. Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000.

Map your data — including AI tools. Many organisations have deployed AI-powered tools across their operations without mapping what personal information those tools access or how they use it. With the December 2026 automated decision-making transparency deadline approaching, this mapping exercise is now urgent.

Build a notifiable data breach response plan. Businesses must assess whether a breach is "notifiable" within 30 days and, if it is serious, report it to both the OAIC and potentially affected individuals "as soon as practicable". Written response plans are required for organisations that handle sensitive data or have more than $3M in revenue.

Train your people. A privacy policy sitting in a compliance folder doesn't protect your organisation. Employees who handle personal information — whether in customer service, HR, marketing, IT, or operations — need to understand what they're permitted to do with that information and what to do when something goes wrong.

This is exactly where structured training makes an immediate practical difference. The Privacy & AI Governance: Complying with the Privacy Act course from the Australian Compliance Training covers the Privacy Act's practical requirements, the AI governance intersection, and real-world application for Australian workplaces. If your team is handling personal information daily without this grounding, that's a risk your organisation is carrying unnecessarily.

The Children's Online Privacy Code — On Its Way

The Children's Online Privacy Code must be developed and registered by December 10, 2026, giving relevant businesses more time to adjust — but requiring forward planning.

This code will impose specific obligations on online platforms and services used by children. Social media platforms are already subject to the Social Media Minimum Age laws that came into effect in late 2025. The Privacy Code will add a further layer of data protection requirements for operators whose services are accessed by under-18s.

If your business has any digital touchpoint that could attract younger users — gaming, education, entertainment, social features — this code is coming for your practices.

How Australia Compares Globally

Australia's Privacy Act reforms are part of a broader global movement toward stronger data protection. Europe's GDPR has been the reference point for a decade, and Australia's reforms — particularly the new individual rights, enhanced enforcement powers, and AI transparency requirements — reflect significant influence from that framework.

What's distinctive about Australia's approach is its enforcement model. Rather than attempting to pre-approve data processing activities, the Office of the Australian Information Commissioner (OAIC) operates on a principle-based framework with responsive enforcement. The practical consequence is that organisations have genuine flexibility in how they meet their obligations — but no excuse for not meeting them.

The gap between Australian obligations and GDPR is still meaningful, particularly around rights to erasure and data portability, which remain under consideration for the next tranche of reforms. But the direction of travel is firmly toward equivalence.