Data protection & privacy laws in Australia (2026)
Australia has a comprehensive, principles-based federal privacy regime under the Privacy Act 1988 (Cth), built around the 13 Australian Privacy Principles that govern the collection, use, storage and disclosure of personal information by Australian Government agencies and private-sector organisations with annual turnover above AU$3 million. The regime is enforced by the OAIC and includes a mandatory Notifiable Data Breaches scheme. A significant reform package — the Privacy and Other Legislation Amendment Act 2024 — strengthened enforcement powers and introduced a statutory tort for serious invasions of privacy (in force 10 June 2025), with further reforms still to be implemented.
Key points
The Privacy Act 1988 contains 13 Australian Privacy Principles covering the open and transparent handling, collection, use, disclosure, security, access and correction of personal information. They apply to most Australian Government agencies and to private-sector 'APP entities' with annual turnover of AU$3 million or more.
The Office of the Australian Information Commissioner (OAIC) regulates and enforces the Act. Its powers include investigating breaches of the APPs and credit reporting provisions, accepting enforceable undertakings, and seeking civil penalties for serious or repeated interferences with privacy.
The Notifiable Data Breaches (NDB) scheme, in force since February 2018, requires regulated entities to notify affected individuals and the OAIC of an 'eligible data breach' — unauthorised access, disclosure or loss of personal information likely to result in serious harm.
The Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024) received Royal Assent on 10 December 2024, progressing 23 agreed proposals from the Privacy Act Review. It grants the OAIC new infringement- and compliance-notice powers and provides for a Children's Online Privacy Code.
Effective 10 June 2025, individuals have a direct right to sue for serious invasions of privacy — either intrusion upon seclusion or misuse of information. Remedies include damages (non-economic loss capped at the greater of ~AU$478,550 or the defamation cap), injunctions and apologies, with defences and exemptions (e.g. journalism, law enforcement).
Individuals can access and seek correction of their personal information and lodge complaints with the OAIC. Entities must take reasonable steps to secure personal information, handle it for permitted purposes, and meet additional rules for sensitive information, direct marketing and cross-border disclosures.
Timeline - major decisions & events
The Federal Court ordered Australian Clinical Labs to pay AUD 5.8 million over the 2022 Medlab Pathology breach affecting 223,000 people — the first-ever civil penalty under the Privacy Act, establishing how courts assess 'reasonable steps' and breach-notification failures. [Source: OAIC]
The Australian Information Commissioner filed civil penalty proceedings in the Federal Court against Optus, alleging it seriously interfered with the privacy of about 9.5 million Australians by failing to protect their personal information between 2019 and 2022. [Source: OAIC]
Schedule 2 of the Privacy Act took effect, giving individuals for the first time a direct cause of action to sue for serious invasions of privacy (intrusion upon seclusion or misuse of information), with remedies including damages and injunctions. [Source: OAIC]
First tranche of post-review reforms became law, implementing 23 government-agreed proposals — including the statutory tort, new transparency rules for automated decision-making, a children's online privacy code, and tiered civil penalties. [Source: OAIC]
The Commissioner began Federal Court proceedings alleging Medibank failed to take reasonable steps to protect the personal information of 9.7 million Australians between 2021 and 2022, breaching the Privacy Act after its major 2022 breach. [Source: OAIC]
The Government agreed (in full or in principle) to 106 of 116 review proposals, committing to the biggest overhaul of the Act since 2014 — including removing the small-business exemption and creating a statutory privacy tort. [Source: Attorney-General's Department]
The Attorney-General's Department published its review of the Privacy Act with 116 reform proposals to modernise Australia's privacy framework for the digital age, setting the agenda for current and pending reforms. [Source: Attorney-General's Department]
Spurred by the Optus and Medibank breaches, Parliament raised the maximum penalty for serious or repeated privacy breaches to the greater of A$50 million, three times the benefit obtained, or 30% of relevant turnover, and boosted the OAIC's enforcement powers. [Source: OAIC]
A compromise of an exposed Optus API exposed the personal data of up to 9.5–10 million current and former customers (including passport and licence numbers), triggering an OAIC investigation and becoming a catalyst for privacy law reform. [Source: OAIC]
Mandatory breach notification took effect, requiring entities to notify affected individuals and the OAIC of any breach likely to result in serious harm — a foundational pillar of Australia's modern data-protection regime. [Source: OAIC]
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.