Significant changes to the Australian Privacy Act are underway, with the first tranche of major reforms introduced in December 2024. These changes are designed to modernise the legislation and align it with global privacy standards. They will impact how organisations of all sizes handle personal information, with key implications for cyber businesses, government agencies, and small to medium enterprises (SMEs). While further reforms are expected, the scope and timing of the next phase remain unclear.
What’s changing?
Strong penalties and enforcement powers
Serious or repeated interferences with privacy attract significantly tougher penalties. For bodies corporate, the maximum penalty is the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30% of the organisation's adjusted turnover during the breach period. These tiers have applied since the December 2022 enforcement amendments; the 2024 reforms build on them rather than replacing them.
From December 2024, the Privacy Commissioner also has enhanced enforcement powers, including the ability to issue infringement notices of up to $66,000 per contravention and compliance notices that direct how privacy breaches must be addressed.
More businesses included
The longstanding exemption for small businesses with a turnover under $3 million remains in place for now. While removing this exemption has been proposed as part of broader privacy reform, it has not yet been legislated and the Government has not committed to including it in the next tranche of updates. If your business handles personal data, it’s still worth keeping an eye on future developments.
A new right to sue for privacy breaches
Individuals will be able to pursue legal action if their privacy is seriously invaded, even if they haven’t suffered financial loss.
Greater accountability for data protection
Organisations must implement reasonable and proactive security measures to protect personal data. This includes staff training, strong policies and processes, and swift breach response protocols.
What does this mean for different sectors?
Cyber businesses
This is an opportunity to lead by example. Demonstrating strong data governance and cyber resilience will become a competitive edge, but compliance obligations will increase. Expect more demand for services like privacy audits, secure data storage and breach readiness.
Government
Australian Government (Commonwealth) agencies are already covered by the Privacy Act as APP entities, so the enhanced enforcement powers and the clarified security obligations apply to them directly. State and territory agencies are generally governed by their own privacy legislation rather than the Privacy Act, but the evolving privacy landscape is still likely to shape public sector expectations and standards. Expect increased scrutiny of data handling practices, particularly when engaging third-party vendors or operating in areas where public trust is critical.
Non-tech SMEs
Most small businesses with a turnover under $3 million remain exempt from the Privacy Act, so there is currently no obligation to comply. That said, removal of the exemption has been proposed and could be legislated in a future tranche. In the meantime, adopting good privacy practices such as transparent data handling and clear consent processes can still strengthen customer trust and reduce reputational risk.
Privacy reform is no longer a distant issue or just a ‘big business’ concern. While not all organisations are currently affected, the direction of reform suggests that stronger privacy expectations are here to stay. Now is a good time to review your data practices and consider how prepared your organisation is for what may come next.
Looking to learn more?
If you’re after a deeper dive into the latest reforms and what they mean in practice, these resources are a great place to start:
