Privacy Act 1988 (Cth) · Amended 10 Dec 2024 · Statutory tort live 10 Jun 2025 · Automated decisions 10 Dec 2026

Australia's privacy law, re-architected.

The Privacy Act 1988 protects how personal information is collected, used, stored and disclosed across Australia's federal public sector and most of the private sector. Quiet for thirty years, it has just been overhauled. A three-tier penalty regime, a new statutory tort for serious invasions of privacy, an enforceable code for children online and (from December 2026) transparency duties for automated decisions all now sit on top of the original thirteen Australian Privacy Principles.

13 · Australian Privacy Principles. The operating system of the Act, applying across the data lifecycle.

AU$50M · Maximum penalty per serious interference, or 3× the benefit obtained, or 30% of adjusted turnover, whichever is greatest.

AU$3M · Annual turnover threshold above which most private sector businesses become APP entities.

3 tiers · Civil penalty regime introduced in Dec 2024, calibrated from infringement notices to serious breach.
§ 01 · Application

Who is bound by this Act.

The Privacy Act applies to "APP entities", a term covering all Commonwealth agencies and every private sector organisation above a turnover threshold, with several stitched-on exceptions. Knowing whether you fall inside the regime is the first question; the threshold has been settled since 2001 and the carve-outs were narrowed in 2024.

Annual turnover threshold · AU$3M

An "APP entity" is any Commonwealth agency or any private sector organisation with annual turnover of AU$3 million or more. Once you are an APP entity, every one of the thirteen Australian Privacy Principles applies to your handling of personal information.

The 2024 reforms also clarified that organisations doing business in Australia are bound, regardless of where the personal information is collected. The old "Australian link" carve-out has been narrowed.

◉ Always covered · Inside the regime

  • All Commonwealth government agencies and ministers
  • Private organisations with turnover ≥ AU$3M
  • Private health service providers, regardless of size
  • Credit reporting bodies and credit providers
  • Tax File Number recipients of every size
  • Businesses trading in personal information

◇ Narrow exemptions · Outside the regime

  • Most small businesses below AU$3M turnover
  • State and territory public sectors (separate regimes)
  • Registered political parties for political acts
  • Media organisations for journalistic activities
  • Employee records, for the employer of the employee
§ 02 · Schedule 1

The thirteen principles, mapped.

The Australian Privacy Principles are a single list of thirteen rules, but they are best read as five phases of a personal information lifecycle. The Office of the Australian Information Commissioner (OAIC) treats the APPs as the foundational standard against which every interference with privacy is judged.

01 · Open Management · Part 1 · The posture of the entity
  • APP 1 · Open & transparent
  • APP 2 · Anonymity

02 · Collection · Part 2 · How information enters the entity
  • APP 3 · Solicited
  • APP 4 · Unsolicited
  • APP 5 · Notification

03 · Dealing · Part 3 · How information is used and shared
  • APP 6 · Use & disclosure
  • APP 7 · Direct marketing
  • APP 8 · Cross-border
  • APP 9 · Gov identifiers

04 · Integrity · Part 4 · Quality and security
  • APP 10 · Quality
  • APP 11 · Security

05 · Access · Part 5 · The individual's rights
  • APP 12 · Access
  • APP 13 · Correction
§ 03 · Part IIIC · Operative since 22 Feb 2018

The data-breach protocol.

The Notifiable Data Breaches scheme is the most operationally consequential part of the Act. Any APP entity that suspects an "eligible data breach" must move through a fixed assessment-and-notification sequence, on a strict 30-day clock. Get it wrong, or get it slow, and Section 13G civil penalties enter the picture.

01 · TRIGGER · Reasonable grounds to suspect (s 26WH(1))

The entity becomes aware of circumstances suggesting an eligible data breach: unauthorised access to, or disclosure of, personal information, or a loss of personal information that is likely to result in such access.

02 · ASSESS · Reasonable and expeditious enquiry (s 26WH(2) · 30 days)

A 30-day window to take all reasonable steps to confirm whether an eligible data breach has occurred. Failure to assess is itself an interference with privacy.

03 · NOTIFY OAIC · Statement to the Commissioner (s 26WK)

If confirmed, prepare a statement covering the entity's identity, the kinds of information affected, and recommended steps. Provide it to the OAIC as soon as practicable.

04 · NOTIFY INDIVIDUALS · Tell the people affected (s 26WL)

Notify each affected individual, or the class of individuals at risk, or publish the statement on the website and take reasonable steps to publicise it.

◇ Threshold · "Likely risk of serious harm"
An eligible data breach exists where unauthorised access, disclosure, or loss of personal information is likely to result in serious harm to one or more individuals, and the entity has not been able to prevent that harm through remedial action. Serious harm covers physical, psychological, emotional, financial, or reputational harm. The 2024 reforms made clear that "reasonable steps" to protect personal information under APP 11 expressly include both technical and organisational measures, lifting the security bar.
§ 04 · Three-Tier Civil Penalty Regime

Three tiers of consequence.

The Privacy and Other Legislation Amendment Act 2024 reorganised enforcement into three escalating tiers, calibrated to the severity of the breach. For body corporates, the Tier 3 figure is the greater of an absolute amount, three times any benefit obtained, or 30% of "adjusted turnover" over the breach period, putting Australia broadly in line with GDPR-style consequences.

Tier 03 · Serious interference (s 13G)
AU$50M, or 3× the benefit obtained, or 30% of adjusted turnover during the breach period, whichever is greatest. AU$2.5M cap for individuals.
Serious interference with the privacy of an individual
Reserved for the most egregious conduct. The 2024 amendments removed the "or repeated" limb (each interference is now charged separately) and codified factors a court considers, including the nature and sensitivity of information, the number of people affected, and prior privacy practices.

Tier 02 · Mid-level interference
AU$3.3M (10,000 penalty units) for body corporates. AU$660,000 (2,000 penalty units) for individuals.
Interference with privacy that is not "serious"
A new mid-tier created in 2024 to give the OAIC a more proportionate enforcement option. Aimed at conduct that is non-trivial but does not meet the serious threshold. Court order required.

Tier 01 · Administrative breach
AU$330K per contravention, by infringement notice. Up to AU$66,000 for individuals. AU$19,800 for non-listed bodies under the expedited route.
Specified APP and notice failures, by infringement notice
A new on-the-spot tool. The Commissioner can issue an infringement notice for breaches such as failing to maintain a compliant privacy policy (APP 1.4) or filing a non-compliant data-breach statement, without going to court.

◆ Australian Clinical Labs · Federal Court · 8 Oct 2025
The first civil penalty under section 13G. Following a 2022 cyber attack affecting roughly 223,000 customers, ACL agreed to pay AU$5.8 million: AU$4.2M for breaching APP 11.1(b) (failing to take reasonable steps to protect health information), AU$0.8M for failing to assess the breach expeditiously (s 26WH(2)), and AU$0.8M for failing to notify the Commissioner as soon as practicable (s 26WK(2)). The Court found inadequate incident response, no mandatory MFA for remote access, and weak data-loss prevention. The penalty was issued under the prior cap of AU$2.22M per contravention; the new AU$50M ceiling now applies to post-Dec 2022 conduct.
§ 05 · Schedule 2 · Privacy & Other Legislation Amendment Act 2024

The new statutory tort.

For the first time in Australian legal history, an individual has a personal right of action for serious invasions of privacy. The statutory tort sits beside (not inside) the APP regime, and reaches defendants who would never have been bound by the Act. It is actionable without proof of damage.

10 Jun 2025 · Commencement of Schedule 2

Two pathways. The tort recognises two species of invasion: (i) intrusion upon seclusion (physical surveillance, hacking devices, watching or listening) and (ii) misuse of information (collecting, using, or disclosing information, broadly construed).

Crucially, claims can be brought against any person or organisation, including individuals and small businesses outside the APP regime. The OAIC has standing only to make submissions or appear as amicus, not to bring the claim itself. Class actions are explicitly contemplated.

All five elements must be satisfied:

Element 01 · Invasion
Intrusion upon seclusion or misuse of information relating to the plaintiff.

Element 02 · Reasonable expectation
The plaintiff had a reasonable expectation of privacy in the circumstances.

Element 03 · Fault
The defendant's conduct was intentional or reckless. Negligence does not suffice.

Element 04 · Seriousness
The invasion is serious, judged on degree, sensitivity and likely consequences.

Element 05 · Public-interest balance
Public interest in the plaintiff's privacy outweighs any countervailing public interest (free expression, media, security).

◇ Cap on damages
Non-economic loss and exemplary damages combined are capped at the greater of AU$478,550 or the maximum award available under defamation law in the relevant jurisdiction. Remedies also include injunctions, account of profits, apology orders, and declarations. Defences include consent, lawful authority, necessity, and broad exemptions for journalistic material, law enforcement, intelligence agencies, and persons under 18.
§ 06 · The Regulator

What the OAIC can now do.

The Office of the Australian Information Commissioner is the independent regulator. Before December 2024 its enforcement toolkit was thin, often limited to determinations after long investigations. The Amendment Act gave the Commissioner a working enforcement toolbox: infringement notices on the spot, compliance notices, search-and-seizure powers, and the standing to seek mid-tier penalties without first establishing seriousness.

Investigate

Open own-motion investigations or respond to complaints. Compel documents and answers under oath.
  • Conduct privacy assessments of APP entities
  • Compulsory information-gathering notices
  • New search and seizure powers (Dec 2024)
  • Information sharing with other regulators

Issue Notices

Resolve breaches without protracted litigation by issuing infringement and compliance notices directly.
  • Infringement notices up to AU$330,000
  • Compliance notices specifying remedial steps
  • Failure-to-comply penalty up to AU$330,000
  • Public determinations binding on the entity

Make Codes

Develop legally binding APP Codes that translate the principles into sector-specific rules.
  • Children's Online Privacy Code (by Dec 2026)
  • Privacy (Credit Reporting) Code 2014
  • Power to direct an entity to develop a code
  • Codes are enforceable as the Act itself

Litigate

Apply to the Federal Court for civil penalty orders or seek enforceable undertakings before action.
  • Civil penalty proceedings (s 80W)
  • Accept enforceable undertakings (s 33E)
  • Seek injunctions and declaratory relief
  • Intervene in statutory tort claims as amicus
§ 07 · Reform Trajectory

From 1988 to 2026.

The Privacy Act has had three major chapters: enactment as a public-sector statute in 1988, extension to the private sector in 2000, and the 2024 modernisation. A second tranche of reforms remains in the pipeline; the items below are already on the statute book or announced.

1988 · Enactment
Privacy Act passed. Originally applied only to Commonwealth agencies, with eleven Information Privacy Principles.

21 Dec 2001 · Private sector
National Privacy Principles extended the Act to the private sector with the AU$3M turnover threshold.

12 Mar 2014 · The 13 APPs
Privacy Amendment (Enhancing Privacy Protection) Act consolidated public and private rules into a single set of thirteen Australian Privacy Principles.

22 Feb 2018 · NDB scheme
Notifiable Data Breaches scheme commenced. Mandatory assessment within 30 days and notification of the OAIC and affected individuals.

13 Dec 2022 · Penalty step-up
Maximum penalty for serious or repeated interference raised from AU$2.22M to AU$50M, 3× benefit, or 30% of turnover.

10 Dec 2024 · Amendment Act
Privacy and Other Legislation Amendment Act receives Royal Assent. Three penalty tiers, doxxing offences, children's code, OAIC powers expanded.

10 Jun 2025 · Statutory tort live
Tort of serious invasion of privacy commences. Automated-decision transparency duty follows on 10 December 2026.