Australia’s New Privacy Laws Explained: What’s Changing and What’s Next for 2026

By Frank Arthur - News

You’ve no doubt heard about Australia’s controversial nationwide social media ban for persons under 16, which will come into effect on 10 December 2025. What you might not know about is everything else that’s being rolled out as part of the Privacy and Other Legislation Amendment Bill, passed in 2024. Beyond the headline-stealing social media ban, the government is introducing a ‘right to sue’ for serious privacy breaches, alongside a range of new rules and regulations for businesses.

It’s being marked as the most significant update since the Privacy Act was passed in 1988.

A lot of time has passed since the late 80s, so let’s get you up to speed with what’s changed.

Statutory Tort for Serious Invasions of Privacy | Image: Rokas Tenys

Australians To Sue For Privacy Interference

One of the bill’s most significant measures is the introduction of a statutory tort for serious invasions of privacy. For those who didn’t study law, basically what this means is that if someone interferes with your personal privacy, you can take them to court, even if no criminal offence was committed.

However, you can’t just take anyone to court over a privacy matter. To launch a claim under the new privacy amendment, the plaintiff (that’s you if you’re taking someone to court) must be able to prove:

  • the defendant intruded on their private space or misused their personal information
  • there was a reasonable expectation of privacy in the situation
  • the invasion was intentional or reckless
  • the intrusion was serious, not trivial
  • and that the public interest in privacy outweighs any public interest in disclosure

Once those boxes are ticked, the plaintiff doesn’t need to prove financial loss or physical harm. They can recover damages for emotional distress. However, they cannot claim aggravated damages, which are extra payments awarded when the defendant’s conduct has made the harm worse through cruelty, insult or bad behaviour. Punitive damages, which are designed to punish the defendant rather than compensate the plaintiff, are rare but possible in exceptional cases.

Courts will also be able to hand down injunctions, which can force a defendant to do things like delete sensitive material or issue a public apology.

What is a serious breach of privacy?

So what counts as a “reasonable expectation of privacy” or a “serious” breach? The courts will look at factors like whether the conduct caused (or could have caused) harm, whether the harm was foreseeable, whether the behaviour was deliberate or malicious, and why the intrusion happened in the first place. They’ll also weigh up contextual details, such as the plaintiff’s age and how their data was handled—or mishandled.

The bill also carves out a few important exemptions, including for law enforcement agencies, national security bodies, and people under 18. And importantly, it preserves Australia’s long-standing journalism exemption, something that the Media, Entertainment & Arts Alliance (MEAA) argues is essential for genuine investigative reporting to continue without fear of legal blowback.

How Will The Bill Affect Businesses | Image: TippaPatt

How Will The Bill Affect Businesses in Australia?

The federal bill hands the Office of the Australian Information Commissioner (OAIC) stronger investigative powers, allowing it to look into potential privacy breaches even when no one lodges a complaint. Businesses that fall short can expect tougher civil penalties, marking a clear shift toward proactive enforcement.

For now, these rules apply only to companies turning over more than $3 million a year. That long-standing small-business exemption still shields roughly 95 per cent of Australian businesses from compliance. But not for long. In its response to the Attorney-General’s Privacy Act Review Report, the government agreed in principle to scrap the exemption, signalling a future where any business collecting personal data will be subject to the Act.

Automated Decision-Making (ADM) is another major focus. These are decisions made by software rather than humans, and the outcomes can be unpredictable. Digital Rights Watch warns that ADM systems can carry existing bias, obscure how algorithms work, affect people without their knowledge, disproportionately impact vulnerable groups, and muddy accountability when responsibility is deflected onto a machine.

Before 11 December 2026, all APP entities must update their privacy policies to explain when and how ADM is used to make decisions that could reasonably be expected to affect someone’s rights or interests. But “reasonable” and “significant” remain open to interpretation, and many small operators are still exempt, leaving plenty of grey area that may need to be resolved by future legislation.

Industry groups are already pushing back against strict rules. The Tech Council of Australia, representing major tech players, argued in its submission that overly tight ADM regulation could stifle innovation and burden businesses with unnecessary compliance. The group is calling for a risk-based approach that zeroes in on high-impact decisions, underscoring the ongoing debate between guarding against harm and keeping the sector competitive.

What Else is in the Amendment Bill | Image: Getty

What Else is in the Amendment Bill?

While the focus is on December 2025 and the upcoming social media ban for people under 16, the OAIC is looking towards 2026 and the introduction of a legally binding Children’s Online Privacy Code. Mandated for release by 10 December 2026, the Code will set out clear obligations for organisations handling the data of young Australians.

Another area of concern for the Privacy Bill is doxxing. The deliberate release of someone’s personal information to cause harm could become a criminal offence carrying penalties of up to seven years’ imprisonment.

Together, these reforms mark a significant expansion of privacy rights and enforcement powers. Whether you are a major player or currently exempt, the message is clear: update your policies now or risk scrambling when the next round of changes arrives.

Australian Privacy Laws FAQs

Do These New Privacy Laws Apply to Small Businesses?

No, not automatically. The Privacy Act 1988 includes an exemption for most small businesses with an annual turnover of $3 million or less. However, the government’s recent Privacy Act Review has proposed removing this exemption in the future. Businesses that collect significant personal data, regardless of size, are advised to review their privacy policies.

What is Automated Decision-Making (ADM) and How is it Regulated?

Automated Decision-Making (ADM) is when a system, like an algorithm, makes a significant decision without human involvement (e.g., in loan applications or job shortlisting). Under the new laws, businesses (APP entities) must state in their privacy policies if they use ADM for decisions that could significantly impact an individual’s rights or interests.

How Do I Make a Complaint or Use the New Privacy Tort?

If you believe your privacy has been seriously invaded, you can now pursue a “statutory tort” (a civil claim) in court. Before doing this, you should first make a complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC can investigate, mediate, and (under its new powers) enforce compliance and penalties against non-compliant businesses.

Frank Arthur is the co-founder of Man of Many. He has a background in design and a passion for innovation, style and creativity. Frank holds a Bachelor of Industrial Design from the University of Newcastle and a Master of Commerce ...
