Cybernion
← Insights

Privacy

Australian Privacy Act Reform: What Changed in 2024 and 2025

3 July 2026 · Updated 3 July 2026

Short answer: The Privacy and Other Legislation Amendment Act 2024 is the first major overhaul of Australian privacy law in years. It added a statutory tort for serious invasions of privacy, a tiered civil penalty regime, criminal doxing offences and new transparency duties. Changes are phased between December 2024 and December 2026.

Australian privacy law changed more in the past 18 months than it had in the previous decade. If you handle personal information and you are still working off the old rulebook, some of your exposure is already live.

What is the Australian Privacy Act reform?

The Australian Privacy Act reform is the set of changes made by the Privacy and Other Legislation Amendment Act 2024, which amended the Privacy Act 1988. It received Royal Assent on 10 December 2024 and progresses 23 of the agreed responses to the Privacy Act Review Report. The reform is the first tranche of a longer program, not a complete rewrite.

The Office of the Australian Information Commissioner (OAIC) called the passing of the Bill a significant step for Australia’s privacy law. The headline measures are a statutory tort for serious invasions of privacy, an expansion of the OAIC’s enforcement and investigation powers, a mandate to develop a Children’s Online Privacy Code, a new mechanism to prescribe countries with adequate privacy protections for cross border data transfers, and a requirement that privacy policies disclose substantially automated decisions. Several measures are already in force. Others are staged out to December 2026, which matters for planning.

What did the Privacy and Other Legislation Amendment Act 2024 change?

The Privacy and Other Legislation Amendment Act 2024 changed enforcement, individual rights and transparency obligations at once. The OAIC gained a tiered civil penalty regime: the existing penalty for serious or repeated interference was reworked so it applies to serious interference, a new mid tier penalty was added for interferences that do not meet the serious threshold, and a lower tier with infringement notice powers was added for administrative breaches of the Australian Privacy Principles (APPs).

Alongside enforcement, the Act created a statutory tort for serious invasions of privacy, introduced new criminal offences for doxing, mandated a Children’s Online Privacy Code covering online services likely to be accessed by children, and set up a mechanism to prescribe overseas countries and binding schemes with adequate protections to ease cross border transfers. It also introduced a duty to explain substantially automated decisions that significantly affect individuals in a privacy policy. For the tort in depth, see the statutory tort for serious invasions of privacy.

When did the Privacy Act reforms commence?

The reforms commenced in stages, which is the single most misread part of the change. The Act received Royal Assent on 10 December 2024, and most amendments within the Information Commissioner’s remit commenced the next day, on 11 December 2024. The statutory tort commenced separately on 10 June 2025. The automated decision making disclosure requirement and the Children’s Online Privacy Code apply from 10 December 2026.

Treating the whole package as effective from one date will either overstate your current obligations or, worse, leave you unprepared for what is already enforceable. The table below sets out the main measures and when each applies.

MeasureCommencementStatus
Tiered civil penalties and infringement notice powers11 December 2024In force
Criminal offences for doxing11 December 2024In force
Mechanism for prescribing countries with adequate protections11 December 2024In force
Statutory tort for serious invasions of privacy10 June 2025In force
Automated decision making disclosure in privacy policies (APP 1)10 December 2026Future
Children’s Online Privacy CodeBy 10 December 2026Future

How do the new civil penalties under the Privacy Act work?

The new civil penalties under the Privacy Act create three levels of consequence rather than one. Before the reform, a court could impose a penalty only for a serious or repeated interference with privacy. The Act removed the repeated element from the top tier so it now targets serious interference, added a mid tier penalty for interferences that fall short of serious, and added a low tier with infringement notice powers for administrative breaches of the APPs.

This matters because the old regime effectively meant an organisation had to do something egregious or persistent before financial penalty was on the table. The tiered model lets the OAIC respond to a wider range of conduct and issue infringement notices without going to court for lower level breaches. If your privacy practices have been drifting on the assumption that only a major failure attracts a penalty, that assumption no longer holds. A defensible privacy program, mapped to the APPs, is now the practical baseline.

What are the doxing offences in the Privacy Act reform?

The doxing offences criminalise the malicious release of an individual’s personal data, and they came in through the same 2024 Act. Doxing is the intentional exposure of a person’s identity or private information without consent. The offences were introduced into the Criminal Code, targeting conduct that uses a carriage service to make personal data available in a way that is menacing or harassing, with an aggravated form where the targeting is based on characteristics such as race, religion or sexual orientation.

For organisations, the direct compliance impact is smaller than the tort or the penalty tiers, because these are criminal offences aimed at individual conduct. The relevance is cultural and operational: staff handling personal information need to understand that publishing or leaking someone’s details maliciously is now a crime, and incident response plans should account for that. It also signals the direction of travel, where privacy harms increasingly attract legal consequence rather than only regulatory correction.

What should Australian businesses do about the Privacy Act reform?

Australian businesses should start by mapping what personal information they hold and confirming their practices against the APPs, because the tiered penalties are live now. A current privacy policy, a working data breach response plan and an accurate record of information flows are the foundation. If you hold sensitive information or make decisions that significantly affect people, the exposure is higher.

Practical next steps: run a privacy impact assessment on any project touching personal information, tighten your notifiable data breach readiness so you can meet the assessment clock, and review whether you make substantially automated decisions that will need disclosure by December 2026. A structured information security program, such as one aligned to ISO 27001, supports the security obligation in APP 11. If you need ongoing privacy and security leadership without a full-time hire, a virtual CISO can own the program and keep it current as the law continues to change. None of this is legal advice, and where the tort or a specific obligation could apply to you, get your own legal advice.

Frequently asked questions

What did the 2024 Privacy Act reform actually change?

The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, a tiered civil penalty regime with infringement notice powers, new criminal offences for doxing, a mandate for a Children’s Online Privacy Code, a mechanism for prescribing countries with adequate privacy protections, and a requirement to disclose substantially automated decision making in privacy policies.

When did the Privacy Act reforms commence?

The Act received Royal Assent on 10 December 2024 and most measures within the Information Commissioner’s remit commenced on 11 December 2024. The statutory tort for serious invasions of privacy commenced on 10 June 2025. The automated decision making disclosure requirement and the Children’s Online Privacy Code apply from 10 December 2026.

Is the Privacy Act reform the end of privacy law changes in Australia?

No. The OAIC and the government have described the 2024 Act as a first tranche. It progresses 23 of the agreed responses to the Privacy Act Review Report, and further reform is expected, including proposals the government agreed to in principle. Businesses should treat the current changes as a floor, not a ceiling.

Do the Privacy Act reforms apply to small businesses?

The existing small business exemption was not removed by the 2024 Act, so most businesses with an annual turnover of $3 million or less remain outside the Australian Privacy Principles unless an exception applies. The statutory tort, however, is broader than the Privacy Act and can apply to individuals and entities that are not APP entities.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us.

Sources:

  1. Passing of bill a significant step for Australia’s privacy law, OAIC, 29 November 2024
  2. Statutory tort for serious invasions of privacy, OAIC, 19 June 2025
  3. Privacy and Other Legislation Amendment Act 2024, Federal Register of Legislation, assented 10 December 2024
  4. Government response to the Privacy Act Review Report, Attorney-General’s Department, 2023

Last updated: 3 July, 2026

Talk to us about your engagement

A scoped proposal within one business day.