Australia’s New Privacy Laws Explained: What’s Changing and What’s Next for 2026

By Frank Arthur - News

Australia’s privacy landscape is undergoing its biggest reform since the Privacy Act was introduced in 1988. While public attention has largely been on the nationwide social media ban for persons under 16, which will take effect on 10 December 2025, what you might not know is that major components of the government’s wider Privacy and Other Legislation Amendment Bill 2024 are already active. Among them is a new statutory “right to sue” for serious privacy breaches, which commenced on 10 June 2025, along with substantially stronger requirements for businesses handling personal information.

The changes signal a shift toward more proactive enforcement, greater accountability for organisations, and increased rights for individuals affected by privacy violations.

Statutory Tort for Serious Invasions of Privacy | Image: Rokas Tenys

Australians To Sue For Privacy Interference

A key reform is the creation of a statutory tort for serious invasions of privacy. This gives individuals the right to take legal action when their privacy is deliberately or recklessly violated, even if no criminal offence has occurred.

To make a claim, a plaintiff must show:

  • the defendant intruded on their private space or misused their personal information
  • there was a reasonable expectation of privacy in the situation
  • the invasion was intentional or reckless
  • the intrusion was serious, not trivial
  • and that the public interest in privacy outweighs any public interest in disclosure

If these conditions are met, plaintiffs do not need to prove financial loss or physical harm. Damages for emotional distress are available. However:

  • Aggravated damages cannot be awarded
  • Punitive damages may be granted only in exceptional circumstances.

Courts will also be empowered to issue injunctions, including orders to delete unlawfully obtained materials or compel public apologies for privacy interference.

What is a serious breach of privacy?

So what counts as a “reasonable expectation of privacy” or a “serious” breach? The courts will consider factors such as whether the conduct caused (or could have caused) harm, whether the harm was foreseeable, whether the behaviour was deliberate or malicious, and why the intrusion occurred in the first place. They’ll also weigh up contextual details, such as the plaintiff’s age and how their data was handled—or mishandled.

The bill also highlights a few critical exemptions, including for law enforcement agencies, national security bodies, and people under 18. And importantly, it preserves Australia’s long-standing journalism exemption, something that the Media, Entertainment & Arts Alliance (MEAA) argues is essential for genuine investigative reporting to continue without fear of legal blowback.

How Will The Bill Affect Businesses | Image: TippaPatt

How Will The Bill Affect Businesses in Australia?

The federal bill hands the Office of the Australian Information Commissioner (OAIC) stronger investigative powers, allowing it to look into potential privacy breaches even when no one lodges a complaint. Businesses that fall short can expect tougher civil penalties, marking a clear shift toward proactive enforcement.

For now, these rules apply only to companies turning over more than $3 million a year. That long-standing small-business exemption still shields roughly 95 per cent of Australian businesses from compliance. But not for long. In its response to the Attorney-General’s Privacy Act Review Report, the government agreed in principle to scrap the exemption, signalling a future where any business collecting personal data will be subject to the Act.

Automated Decision-Making (ADM) is another major focus. These are decisions made by software rather than humans, and the outcomes can be unpredictable. Digital Rights Watch warns that ADM systems can carry existing bias, obscure how algorithms work, affect people without their knowledge, disproportionately impact vulnerable groups, and muddy accountability when responsibility is deflected onto a machine.

Before 11 December 2026, all APP entities must update their privacy policies to explain when and how ADM is used to make decisions that could reasonably be expected to affect someone’s rights or interests. But “reasonable” and “significant” remain open to interpretation, and many small operators are still exempt, leaving plenty of grey area that may need to be resolved by future legislation.

Industry groups are already pushing back against strict rules. The Tech Council of Australia, representing major tech players, argued in its submission that overly tight ADM regulation could stifle innovation and burden businesses with unnecessary compliance. The group is calling for a risk-based approach that zeroes in on high-impact decisions, underscoring the ongoing debate between guarding against harm and keeping the sector competitive.

What Else is in the Amendment Bill | Image: Getty

What Else is in the Amendment Bill?

While the focus is on December 2025 and the upcoming social media ban for people under 16, the OAIC is looking towards 2026 and the introduction of a legally binding Children’s Online Privacy Code. Mandated for release by 10 December 2026, the Code will set out clear obligations for organisations handling the data of young Australians.

Another area of concern for the Privacy Bill is doxxing. The deliberate release of someone’s personal information to cause harm could become a criminal offence carrying penalties of up to seven years’ imprisonment.

Together, these reforms mark a significant expansion of privacy rights and enforcement powers. Whether you are a major player or currently exempt, the message is clear: update your policies now or risk scrambling when the next round of changes arrives.

Australian Privacy Laws FAQs

Do These New Privacy Laws Apply to Small Businesses?

No, not automatically. The Privacy Act 1988 includes an exemption for most small businesses with an annual turnover of $3 million or less. However, the government’s recent Privacy Act Review has proposed removing this exemption in the future. Businesses that collect significant personal data, regardless of size, are advised to review their privacy policies.

What is Automated Decision-Making (ADM) and How is it Regulated?

Automated Decision-Making (ADM) is when a system, like an algorithm, makes a significant decision without human involvement (e.g., in loan applications or job shortlisting). Under the new laws, businesses (APP entities) must state in their privacy policies if they use ADM for decisions that could significantly impact an individual’s rights or interests.

How Do I Make a Complaint or Use the New Privacy Tort?

If you believe your privacy has been seriously invaded, you can now pursue a “statutory tort” (a civil claim) in court. Before doing this, you should first make a complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC can investigate, mediate, and (under its new powers) enforce compliance and penalties against non-compliant businesses.

Frank Arthur

Co-Founder

Frank Arthur is the co-founder of Man of Many. He has a background in design and a passion for innovation, style and creativity. Frank holds a Bachelor of Industrial Design from the University of Newcastle and a Master of Commerce ...
