Privacy Laws in Australia: A Complete Guide for 2026
Understand privacy laws in Australia including the Privacy Act 1988, APPs, and new privacy law reforms. Requirements for businesses handling personal data.
Privacy laws in Australia are built on the Privacy Act 1988 (Cth), a federal statute that governs how organisations and government agencies collect, use, store, and disclose personal information. The Act contains 13 Australian Privacy Principles (APPs) that set the standard for data handling across the country.
For businesses operating in or targeting Australia, understanding these requirements is essential for compliance. This guide covers the current legal framework, the Australian Privacy Principles, recent enforcement trends, and the new privacy laws Australia is actively developing. This content is educational and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your circumstances.
Overview of the Privacy Act 1988
The Privacy Act 1988 is Australia's foundational privacy legislation. Originally focused on government agencies, it was extended to the private sector in 2000 through the Privacy Amendment (Private Sector) Act 2000. The Act applies to:
- Australian Government agencies and their contractors.
- Private sector organisations with annual turnover exceeding $3 million AUD.
- Health service providers, regardless of turnover.
- Organisations that trade in personal information, regardless of turnover.
- Credit reporting bodies, credit providers, and tax file number recipients.
- Entities that have opted in to Privacy Act coverage.
The Office of the Australian Information Commissioner (OAIC) administers and enforces the Act. Individuals can lodge complaints with the OAIC if they believe an organisation has mishandled their personal information.
What counts as personal information
Under Section 6 of the Privacy Act, personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in material form or not. This definition is broad and includes:
- Names, addresses, email addresses, and phone numbers
- IP addresses and device identifiers (where they can identify an individual)
- Health and financial records
- Photos and biometric data
- Employment history and education records
Sensitive information, a subset of personal information, receives stronger protections. It includes health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, biometric data, and trade union membership.
The 13 Australian Privacy Principles (APPs)
The APPs replaced the previous National Privacy Principles and Information Privacy Principles in 2014. They apply to all APP entities and cover the full lifecycle of personal information.
Collection principles (APPs 1 to 5)
- APP 1: Open and transparent management requires organisations to have a clearly expressed, up-to-date privacy policy. The policy must describe the types of information collected, how it is held, the purposes of collection, and how individuals can access or complain.
- APP 2: Anonymity and pseudonymity gives individuals the option to interact anonymously or under a pseudonym where practicable.
- APP 3: Collection of solicited personal information limits collection to information that is reasonably necessary for the organisation's functions. Sensitive information requires consent and must be directly related to the organisation's activities.
- APP 4: Dealing with unsolicited personal information requires organisations to assess unsolicited information and destroy or de-identify it if they could not have collected it under APP 3.
- APP 5: Notification of collection mandates that organisations inform individuals at or before the time of collection about the entity's identity, the purposes of collection, and any third parties to whom data may be disclosed.
Use and disclosure principles (APPs 6 to 9)
- APP 6: Use or disclosure restricts use to the primary purpose of collection or a directly related secondary purpose the individual would reasonably expect.
- APP 7: Direct marketing prohibits using personal information for direct marketing unless specific conditions are met, including providing a simple opt-out mechanism.
- APP 8: Cross-border disclosure requires organisations to take reasonable steps to ensure overseas recipients comply with the APPs. The disclosing entity remains accountable for any breach by the overseas recipient.
- APP 9: Adoption, use, or disclosure of government identifiers prevents organisations from using government identifiers (such as tax file numbers or Medicare numbers) as their own identifier for individuals.
Data quality and security principles (APPs 10 to 13)
- APP 10: Quality of personal information obligates organisations to take reasonable steps to ensure data is accurate, up-to-date, complete, and relevant.
- APP 11: Security of personal information requires reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. When information is no longer needed, it must be destroyed or de-identified.
- APP 12: Access to personal information gives individuals the right to request access to their personal information held by an organisation.
- APP 13: Correction of personal information requires organisations to correct personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
Notifiable Data Breaches Scheme
Since February 2018, the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act requires APP entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.
The notification process involves three steps:
- Assessment: When an organisation suspects a breach, it has 30 days to assess whether it meets the threshold of likely serious harm.
- Notification to the OAIC: If the threshold is met, the organisation must notify the OAIC with details including the type of information involved, the circumstances of the breach, and recommended steps for affected individuals.
- Notification to affected individuals: The organisation must notify each affected individual, or if that is not practicable, publish a statement on its website and take reasonable steps to publicise the statement.
Between July 2023 and June 2024, the OAIC received 527 data breach notifications under the NDB scheme. Contact information, identity information, and financial details were the most commonly breached data types.
New Privacy Laws Australia Is Developing
The Australian Government has been pursuing significant reforms to the Privacy Act following the Attorney-General's Department Privacy Act Review Report, released in February 2023. These reforms represent the most substantial changes to Australian privacy law in decades.
Key proposed reforms
The Government's response, published in September 2023, agreed (or agreed in principle) to the majority of the Review's 116 proposals. The most significant include:
- Statutory tort for serious invasions of privacy: A new cause of action allowing individuals to sue for serious privacy breaches, independent of the existing complaint mechanism.
- Children's privacy code: A dedicated code for services likely to be accessed by children, similar to the UK Age Appropriate Design Code.
- Expanded definition of personal information: Aligning more closely with the GDPR's definition of personal data, covering technical identifiers and inferred information more explicitly.
- Right to erasure: Introducing a right for individuals to request deletion of their personal information in certain circumstances.
- Removal of the small business exemption: Under consideration, which would bring businesses with turnover of $3 million or less under the Privacy Act for the first time.
- Automated decision-making transparency: Requirements to disclose when substantially automated decisions affect individuals' rights.
- Direct right of action: Allowing individuals to take privacy complaints directly to the Federal Court, bypassing the OAIC conciliation process.
Reform timeline
The Privacy and Other Legislation Amendment (Data Breach Prevention and Response and Other Measures) Bill was introduced in September 2024. Additional tranches of reform legislation are expected through 2026. Organisations should monitor the Attorney-General's Department and the OAIC for updates and begin preparing for expanded obligations.
Privacy Laws Australia: Requirements for Websites
Websites that collect personal information from Australian visitors must comply with the APPs. This applies to Australian-based websites and to overseas websites that have an "Australian link" under Section 5B of the Privacy Act, meaning they carry on business in Australia and collect personal information within Australia.
Privacy policy requirements
Under APP 1, every APP entity must maintain a clearly expressed, up-to-date privacy policy available free of charge. The policy should cover:
- The kinds of personal information collected and held
- How personal information is collected and held
- The purposes of collection, use, and disclosure
- How individuals can access their information and seek correction
- How complaints are handled
- Whether information is likely to be disclosed to overseas recipients, and if so, which countries
A privacy policy generator can help you create a baseline document covering these requirements. Review the output with an Australian-qualified lawyer to ensure it addresses your specific data practices.
Cookie and tracking technology disclosures
While Australia does not have a specific cookie consent law equivalent to the EU's ePrivacy Directive, the Privacy Act's transparency and collection limitation principles still apply. If cookies or tracking technologies collect personal information (including IP addresses or device identifiers that can identify an individual), you must:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Disclose this collection in your privacy policy under APP 5.
- Ensure collection is reasonably necessary under APP 3.
- Provide a clear explanation of tracking purposes.
As the new privacy laws Australia is developing take effect, cookie consent requirements may become more explicit. The proposed reforms include enhanced transparency obligations that could bring Australia closer to GDPR-style consent requirements for tracking technologies.
Cross-border data transfers
APP 8 requires organisations to take reasonable steps before disclosing personal information to overseas recipients. This includes ensuring the overseas recipient is subject to a substantially similar privacy regime or that the individual consents to the transfer. Cloud hosting, analytics platforms, and email service providers commonly involve cross-border transfers that require assessment.
Enforcement and Penalties
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 dramatically increased the OAIC's enforcement powers and maximum penalties.
Current penalty framework
For serious or repeated interferences with privacy, the maximum penalty for a body corporate is the greatest of:
- $50 million AUD
- Three times the value of any benefit obtained from the contravention
- 30% of the entity's adjusted turnover for the relevant period
These penalties place Australia among the strictest privacy enforcement regimes globally, comparable to the GDPR's penalty structure.
Notable enforcement actions
- Medibank (2022): Following a major data breach affecting 9.7 million customers, the OAIC commenced Federal Court proceedings against Medibank alleging failures to take reasonable steps to protect personal information under APP 11.
- Clearview AI (2021): The OAIC found that Clearview AI breached the Privacy Act by scraping Australians' biometric information without consent. The company was ordered to cease collecting facial images from Australian individuals and destroy existing data.
- Australian Information Commissioner v Facebook (2020): The OAIC commenced proceedings against Facebook (now Meta) over the Cambridge Analytica data breach, alleging the personal information of over 300,000 Australian users was disclosed without consent.
How Privacy Laws Australia Compare to the GDPR
Australian businesses operating internationally, or overseas businesses targeting Australian consumers, need to understand where the Privacy Act and GDPR overlap and diverge.
| Area | Australia (Privacy Act) | EU (GDPR) |
|---|---|---|
| Scope | Turnover above $3M AUD (with exemptions) | All organisations processing EU residents' data |
| Consent standard | Not always required; depends on APP and context | Required for most processing; must be freely given, specific, informed |
| Data breach notification | 30-day assessment period, then notify | 72 hours to notify supervisory authority |
| Right to erasure | Not yet enacted (proposed in reforms) | Article 17 right to erasure established |
| Cross-border transfers | Reasonable steps to ensure compliance (APP 8) | Adequacy decisions, SCCs, or BCRs required |
| Maximum penalties | $50M AUD / 30% turnover / 3x benefit | 20M EUR / 4% global turnover |
| Privacy officer requirement | Not mandatory (recommended) | Mandatory for certain controllers and processors |
The proposed reforms will narrow many of these gaps, particularly around consent requirements, erasure rights, and the scope of covered entities.
Practical Compliance Steps for Businesses
Meeting Australian privacy requirements involves operational changes beyond drafting a privacy policy.
- Conduct a data mapping exercise: Identify what personal information you collect, where it is stored, who accesses it, and where it flows. This is the foundation for APP compliance.
- Draft or update your privacy policy: Ensure it meets APP 1 requirements with current, specific disclosures. TermsBox provides a privacy policy generator that covers Australian Privacy Principle requirements and can be updated as your data practices change.
- Implement data breach response procedures: Prepare a response plan that meets the NDB scheme's 30-day assessment window. Assign roles, document escalation paths, and test the plan.
- Review cross-border data flows: Assess every overseas recipient of personal information against APP 8 requirements. Document the safeguards in place.
- Train staff: Privacy awareness training for employees who handle personal information reduces the risk of breaches caused by human error, which remains the leading cause of reported incidents.
- Monitor reforms: Subscribe to OAIC updates and Attorney-General's Department announcements. The new privacy laws Australia is enacting will require further adjustments.
Frequently Asked Questions
What is the main privacy law in Australia?
The Privacy Act 1988 (Cth) is Australia's primary privacy legislation. It regulates how Australian Government agencies, private sector organisations with annual turnover above $3 million, and certain other entities handle personal information. The Act is enforced by the Office of the Australian Information Commissioner (OAIC).
Do the Australian Privacy Principles apply to small businesses?
Generally, no. Businesses with annual turnover of $3 million or less are exempt from the Privacy Act unless they trade in personal information, are a health service provider, are related to a larger organisation, or have opted in to coverage. The proposed reforms may lower or remove this threshold.
What are the penalties for breaching Australian privacy laws?
Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, maximum penalties increased significantly. For serious or repeated interferences with privacy, organisations face fines of up to $50 million AUD, three times the benefit obtained from the breach, or 30% of adjusted turnover for the relevant period, whichever is greatest.
Does Australia have a right to erasure like the GDPR?
Not yet under current law, though APP 13 allows individuals to request correction of inaccurate information. The Australian Government's response to the Privacy Act Review Report supports introducing a right to erasure. This is expected to be included in new privacy laws Australia is developing as part of ongoing reforms.