
Australia's December 2024 Privacy Reforms: What Changed and Why Every Business Must Act Now

The Privacy and Other Legislation Amendment Act 2024 brought the biggest changes to Australian privacy law in over a decade. Here's what changed, what's in effect now, and what's still coming.

Executive Summary

Don't have 12 minutes? Here's what you need to know:

On 10 December 2024, the Privacy and Other Legislation Amendment Act 2024 (POLA) became law, introducing the most substantial changes to Australian privacy law since 2012. Most provisions are already in effect, including enhanced OAIC enforcement powers, dramatically increased penalties (up to $50M for companies), and clarified cybersecurity requirements.

The statutory tort for serious privacy invasions took effect on 10 June 2025 and is now in full force—individuals can sue directly for privacy breaches without proving damage first. This has already led to multiple court cases and represents a fundamental shift in how privacy harms are treated.

Coming in December 2026: Automated decision-making transparency requirements will force organisations to disclose when they use algorithms or AI to make decisions affecting individuals.

The big one still coming (2026-2027): "Tranche 2" reforms will remove the small business exemption, bringing 2.3 million additional businesses under Privacy Act requirements. They'll also introduce a "fair and reasonable" test, stronger consent requirements, and update the definition of personal information.

Bottom line: If you haven't updated your privacy practices since December 2024, you're already behind. The OAIC has actively used its new enforcement powers throughout 2025, and the litigation risk from the statutory tort is real and growing.



What Just Happened: The POLA Act Explained

The Timeline

February 2023: Attorney-General's Privacy Act Review Report released with 116 recommendations

September 2024: Privacy and Other Legislation Amendment Bill 2024 introduced to Parliament

29 November 2024: Bill passed both Houses of Parliament

10 December 2024: Royal Assent—most provisions took effect immediately

10 June 2025: Statutory tort for serious privacy invasions commenced (now in effect)

10 December 2026: Automated decision transparency requirements commence (10 months away)

2026-2027: "Tranche 2" reforms expected, including removal of small business exemption

Why This Matters

This is the first of two planned tranches of reforms. While Tranche 1 focused on enforcement, cybersecurity, and individual rights, Tranche 2 will tackle the big structural changes—including making 2.3 million additional small businesses subject to the Privacy Act.

The Australian Privacy Commissioner Carly Kind said: "These new powers and functions come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information."


What Changed in December 2024 (Now in Effect)

These changes took effect on or shortly after 10 December 2024. If you haven't already adjusted your privacy practices, you're already behind.

1. Enhanced OAIC Enforcement Powers

What changed: The Office of the Australian Information Commissioner (OAIC) now has significantly expanded powers to investigate and enforce privacy breaches.

New powers include:

  • Infringement notices: The OAIC can issue on-the-spot fines up to $66,000 per contravention without going to court
  • Compliance notices: The OAIC can require organisations to take specific actions to address privacy failures
  • Search and seizure powers: Enhanced investigation powers similar to other regulators
  • Public inquiries: The OAIC can conduct public inquiries into privacy matters

Status: In effect since 11 December 2024

Why this matters: The OAIC previously had to go to the Federal Court for every penalty, which was time-consuming and expensive. Now it has a "mid-tier" enforcement option that makes it much faster and easier to penalise non-compliance. The OAIC indicated that 2025 would be "a big year" for enforcement—and it has been actively using these powers.

What you should do:

  • Ensure your privacy practices, procedures, and systems can demonstrate compliance
  • Document your privacy decisions and risk assessments
  • Train staff on privacy obligations
  • Conduct a privacy audit to identify any compliance gaps

2. Tiered Civil Penalties

What changed: A new tiered penalty structure with significantly increased maximum penalties.

New penalty structure:

  • Mid-tier penalties: Up to $660,000 for individuals, $3.3 million for companies (for "interference with privacy")
  • Serious or repeated breaches: Up to $2.5 million for individuals, $50 million for companies (or 30% of adjusted turnover, or three times the benefit obtained—whichever is greater)

Status: In effect since 11 December 2024

Context: The maximum penalty under the old system was just $2.22 million. The new maximum of $50 million represents a 2,250% increase.

Why this matters: Privacy breaches are now treated as seriously as other major regulatory violations. The financial risk of non-compliance has increased dramatically.

What you should do:

  • Treat privacy compliance as a board-level risk
  • Consider privacy impact assessments for new projects
  • Ensure adequate cyber insurance coverage
  • Document your compliance efforts

3. Cybersecurity Requirements Clarified

What changed: APP 11 (Security of Personal Information) now explicitly states that "reasonable steps" to protect personal information include both technical and organisational measures.

Status: In effect since 11 December 2024

What this means:

  • Technical measures: Encryption, access controls, firewalls, intrusion detection, secure software development, regular patching
  • Organisational measures: Staff training, incident response plans, vendor management, security policies, access management processes

Why this matters: This brings Australia closer to international standards like GDPR and removes any ambiguity about what "reasonable security" means. It's not enough to just have technical controls—you need documented policies and trained staff too.

What you should do:

  • Audit your current security measures against both technical and organisational requirements
  • Document your security policies and procedures
  • Implement or improve staff security training
  • Review and update your incident response plan
  • Assess third-party vendor security practices

4. Anti-Doxxing Criminal Offences

What changed: New criminal offences for "doxxing"—sharing someone's personal information online with intent to cause harm.

Status: In effect since 11 December 2024

Penalties: Up to 7 years imprisonment for intentionally sharing personal information to cause physical or mental harm, incite harassment, or facilitate identity theft.

Why this matters: This addresses a growing problem of malicious sharing of personal information, particularly in online harassment campaigns. While most businesses won't intentionally dox people, this underscores the seriousness with which personal information protection is now treated.

What you should do:

  • Ensure staff understand that malicious sharing of customer data is now a criminal offence
  • Review access controls to prevent unauthorised disclosure
  • Include this in staff training and acceptable use policies

5. Emergency Data Breach Declaration Regime

What changed: The Attorney-General can now make "eligible data breach declarations" that allow organisations to share information to respond to large-scale breaches.

Status: In effect since 11 December 2024

Example: If multiple financial institutions are affected by the same breach, they can share information to reduce fraud risks and coordinate response—something previously restricted by privacy laws.

Why this matters: Large-scale data breaches often affect multiple organisations. This allows faster, more coordinated responses to protect consumers.

What you should do:

  • Understand that information sharing restrictions may be lifted during declared breach emergencies
  • Review your breach response plan to account for this possibility
  • Establish communication channels with industry peers for coordinated responses

What Took Effect in June 2025 (Now in Effect)

Statutory Tort for Serious Invasions of Privacy

Status: Commenced 10 June 2025 - NOW IN EFFECT

What this means: Individuals now have a direct right to sue organisations or individuals for serious privacy invasions—without needing to prove damage first.

Two types of invasion:

  1. Intrusion upon seclusion: Physical or technological intrusion into a person's private affairs
  2. Misuse of personal information: Improper collection, use, disclosure, or other handling of personal information

When it applies:

  • The invasion was serious
  • The invasion was intentional or reckless
  • The person had a reasonable expectation of privacy
  • The public interest in the individual's privacy outweighs any countervailing public interest (like freedom of expression)

Why this is huge: Previously, Australians had very limited ability to take direct legal action for privacy harms. This opens the door to privacy class actions and individual lawsuits without needing to prove financial damage.

What you should do NOW:

  • Conduct a privacy risk assessment focused on potential serious invasions
  • Review and strengthen access controls
  • Enhance staff training on privacy obligations
  • Ensure robust consent mechanisms
  • Review and update privacy impact assessments
  • Consider directors and officers insurance coverage
  • Document all privacy decisions and compliance efforts

Current developments: Since commencing in June 2025, courts have begun developing the boundaries of this tort. Australian courts are drawing on jurisprudence from New Zealand, Canada, the UK, and the US where similar privacy torts exist. Several cases are already proceeding through the courts, establishing important precedents.


What's Coming in December 2026 (10 Months Away)

Automated Decision-Making Transparency Requirements

Status: Commences 10 December 2026

What will change: Organisations must disclose in their privacy policies when they use automated decision-making systems.

What you must disclose:

  • When personal information is used in automated decision-making
  • When decisions are made solely by automated systems without human intervention
  • When automated systems do something "substantially and directly related" to making a decision

Covered decisions include:

  • Decisions about granting or refusing benefits (like loan applications)
  • Decisions affecting rights under a contract
  • Decisions affecting access to significant services or support

Why this matters: Many businesses use automated systems without realising they need to disclose this. It's not limited to AI—even simple rule-based systems can be captured.

What you should do (before December 2026):

  • Audit all systems that make or contribute to decisions affecting individuals
  • Identify which decisions are made automatically vs. with human review
  • Update privacy policies to disclose automated decision-making
  • Document the logic and significance of automated decisions
  • Implement processes for human review where appropriate
  • Consider privacy impact assessments for automated systems

Preparation status: Organisations have been given a 24-month implementation window. With 10 months remaining, now is the time to complete your audit and prepare policy updates.


Children's Online Privacy Code

Status: Must be registered by 10 December 2026

What this means: The OAIC must develop a mandatory Children's Online Privacy Code within 24 months of the POLA Act's passage.

Coverage: Any online service "likely to be accessed by children" (defined as individuals under 18).

Expected requirements:

  • Higher standards for obtaining valid consent
  • Restrictions on using children's information for marketing
  • Requirements to consider children's best interests
  • Enhanced protections for data collection and use

Current developments: The OAIC released its Children's Online Privacy Code Issues Paper in June 2025 and is currently conducting consultations. A 60-day public consultation on the draft Code is expected in 2026.

Why this matters: If your website, app, or online service might be accessed by anyone under 18, you'll likely be covered by this code. This includes most general-purpose websites, not just services specifically targeted at children.

What you should do:

  • Assess whether your online services might be accessed by children
  • Monitor the OAIC's consultation process on the code
  • Consider what additional protections might be needed
  • Review how you obtain consent from or about minors
  • Consider submitting feedback during the public consultation

The Big One Still Coming: Tranche 2 Reforms (Expected 2026-2027)

While Tranche 1 focused on enforcement and specific issues, Tranche 2 will tackle fundamental structural changes to Australian privacy law. These are still being developed but are expected to include:

Removal of Small Business Exemption

Current rule: Businesses with annual turnover under $3 million are generally exempt from the Privacy Act.

Expected change: This exemption will be removed, bringing approximately 2.3 million additional businesses under the Privacy Act.

Why this is happening:

  • The digital economy means even tiny businesses collect significant personal information
  • Small businesses are increasingly targeted by cybercriminals as "easier targets"
  • The exemption created a compliance gap affecting millions of Australians
  • It's inconsistent with international privacy standards

When: Expected in 2026-2027, likely with a transition period

What this means for small businesses: You'll need to:

  • Comply with all 13 Australian Privacy Principles
  • Have a privacy policy
  • Implement proper security measures (technical and organisational)
  • Handle data breaches under the NDB scheme
  • Respond to access and correction requests
  • Face the same penalties as larger businesses

Updated Definition of "Personal Information"

Expected change: Broader definition to capture technical identifiers, inferred information, and information about deceased individuals.

Examples:

  • Device identifiers and IP addresses (clearer that these are personal information)
  • Inferred or derived information (like predictions or profiles based on data)
  • Information about deceased individuals (currently largely unprotected)

New "Fair and Reasonable" Test

Expected change: Collection, use, and disclosure of personal information must be "fair and reasonable" regardless of whether consent was obtained.

Why this matters: Consent alone won't be enough. You'll need to justify that your data practices are fair and reasonable in the circumstances.

Stronger Consent Requirements

Expected change: Consent must be voluntary, informed, current, specific, and unambiguous.

Likely implications:

  • Pre-ticked boxes won't constitute valid consent
  • Bundled consent (agreeing to everything or nothing) may be invalid
  • Consent must be as easy to withdraw as it was to give
  • More detailed information required before consent

When to Expect Tranche 2

The government has committed to progressing Tranche 2 reforms, but given the federal election held in 2025, implementation may extend into late 2026 or 2027. Privacy reform has bipartisan support, so passage is expected regardless of which party is in government.


Why This Matters for YOUR Business

The Litigation Risk Has Exploded

The statutory tort (in effect since June 2025) has created a new path for individuals and class action lawyers to sue for privacy breaches. You don't need to wait for the OAIC to act—anyone affected can bring a claim directly.

What this means:

  • Privacy class actions are becoming more common
  • No need to prove financial damage (unlike previous common law claims)
  • Significant reputational risk even if you successfully defend
  • Legal costs can be enormous even before any penalty
  • Cases are already proceeding through the courts

The OAIC Can Act Faster and Harder

The new infringement notice and compliance notice powers mean the OAIC can take enforcement action much more quickly and easily than before.

What this means:

  • Higher likelihood of enforcement action for violations
  • Faster penalties without court proceedings
  • More frequent and visible enforcement activity
  • The OAIC has actively used these powers throughout 2025

Compliance Costs Are Rising

Whether through the new penalties, the litigation risk, or the compliance requirements themselves, the cost of privacy non-compliance—and compliance—has increased significantly.

What this means:

  • Budget for privacy compliance infrastructure
  • Consider hiring or training dedicated privacy resources
  • Factor privacy into all new project and system decisions
  • Ensure board-level oversight of privacy risks

Customer Trust Is a Competitive Advantage

As privacy harms increase and Australian consumers become more aware of their rights, businesses that demonstrate strong privacy practices have a competitive advantage.

What this means:

  • Privacy compliance isn't just about avoiding penalties
  • Transparent, strong privacy practices build customer trust
  • Privacy can be a differentiator in competitive markets
  • Proactive compliance is better than reactive crisis management

Action Plan: What to Do Right Now

Immediate Actions (This Month)

1. Review your privacy policy

  • Ensure it covers all 13 Australian Privacy Principles
  • Include the Notifiable Data Breaches scheme
  • Verify it's accurate and up to date
  • Reflect the December 2024 and June 2025 reforms

2. Audit your security measures

  • Confirm you have both technical and organisational measures
  • Document your security policies and procedures
  • Identify any gaps in encryption, access controls, or staff training

3. Review access controls

  • Limit who can access customer data to essential personnel only
  • Implement role-based access controls
  • Audit and remove unnecessary access

4. Update staff training

  • Ensure all staff understand their privacy obligations
  • Cover the new penalties and enforcement powers
  • Include anti-doxxing criminal offences
  • Explain the statutory tort implications
  • Document who has been trained and when

5. Review your incident response plan

  • Ensure procedures for detecting and responding to breaches are current
  • Test the plan with a tabletop exercise
  • Update contact information for the OAIC and key personnel

Short-Term Actions (Next 3 Months)

6. Conduct a statutory tort risk assessment

  • Identify potential serious privacy invasions
  • Assess current controls and gaps
  • Document findings and remediation plans
  • Consider litigation risk in all privacy decisions

7. Strengthen consent mechanisms

  • Review how you obtain consent for marketing and data use
  • Ensure consent is clear, specific, and separate from other agreements
  • Make it easy for people to withdraw consent
  • Document consent obtained and when
  • Prepare for stricter consent requirements in Tranche 2

8. Begin automated decision-making audit

  • Identify all systems that make or contribute to decisions
  • Determine which decisions are fully automated vs. human-reviewed
  • Document the logic and significance of automated decisions
  • Begin preparing disclosures for December 2026 deadline

9. Review vendor contracts

  • Ensure third-party processors have adequate security
  • Verify contractual obligations for data protection
  • Assess overseas data transfer protections

Medium-Term Actions (Next 6-12 Months)

10. Complete automated decision-making preparation (due December 2026)

  • Finalise audit of automated systems
  • Draft privacy policy disclosures
  • Implement human review processes where appropriate
  • Conduct privacy impact assessments for high-risk systems

11. Prepare for small business exemption removal (if under $3M turnover)

  • Understand you'll likely need to comply within 1-2 years
  • Start building privacy compliance infrastructure now
  • Budget for privacy policy development and compliance costs
  • Begin comprehensive staff training on privacy obligations

12. Implement privacy by design

  • Incorporate privacy considerations into all new projects
  • Conduct privacy impact assessments before launching new systems
  • Build privacy into product and service development
  • Make privacy a default, not an afterthought

How ComplianceKit Helps You Stay Compliant

ComplianceKit is purpose-built for Australian privacy law and already reflects the December 2024 reforms and June 2025 statutory tort.

What's Already Updated

Our privacy policy generator includes:

  • All 13 Australian Privacy Principles (introduced 2014)
  • Notifiable Data Breaches scheme (mandatory since 2018)
  • December 2024 reform implications (enhanced security requirements)
  • Statutory tort considerations (in effect since June 2025)
  • Clear security requirements (technical and organisational measures)
  • Plain English at Grade 10 reading level

What Happens When December 2026 Arrives

With Managed Compliance, we'll automatically:

  • Update your policy for automated decision-making transparency requirements
  • Reflect the Children's Online Privacy Code requirements
  • Email you when updates are made
  • Maintain complete version history

What Happens When Tranche 2 Passes

With Managed Compliance, we'll automatically:

  • Update your policy when the small business exemption is removed
  • Reflect new consent requirements
  • Incorporate the "fair and reasonable" test
  • Update definitions and requirements as they change
  • Email you when updates are made
  • Maintain complete version history

Without Managed Compliance

If you choose the one-time $79 option:

  • You get a complete, compliant policy covering all current requirements
  • We'll email you when significant law changes affect your policy
  • You can update your policy yourself by editing the DOCX file
  • You can upgrade to Managed Compliance anytime for automatic updates

Why Purpose-Built for Australia Matters

US-based privacy policy generators:

  • Don't cover the NDB scheme (100% miss rate in our research)
  • Average only 8.6 of 13 APPs covered
  • Don't reflect December 2024 reforms
  • Don't account for the June 2025 statutory tort
  • Won't update for December 2026 or Tranche 2 changes
  • Aren't written for Australian Privacy Act requirements

ComplianceKit is built specifically for Australian businesses and stays current with Australian privacy law.


Additional Resources

Official Sources

Office of the Australian Information Commissioner (OAIC)

  • Website: oaic.gov.au
  • Privacy enquiries: 1300 363 992
  • Guidance on December 2024 reforms
  • Information about the statutory tort
  • Updates on Children's Online Privacy Code development
  • Templates and resources for businesses

Attorney-General's Department

  • Privacy Act Review Report (February 2023)
  • Government Response to Review
  • Updates on Tranche 2 progress

Professional Guidance

When to get legal advice:

  • You handle sensitive information (health, financial, children's data)
  • You've experienced a data breach
  • You're facing a privacy complaint or investigation
  • You need to understand how specific reforms affect your business
  • You're making major changes to data practices
  • You're concerned about statutory tort liability

Industry associations:

  • Many industries have specific privacy guidance
  • Check your industry association for tailored resources

Conclusion

The December 2024 privacy reforms represent a fundamental shift in how Australia treats personal information protection. With enhanced enforcement powers, significantly higher penalties, a statutory tort now in effect, automated decision-making transparency coming in December 2026, and more reforms on the horizon, privacy compliance is now a critical business priority.

The key takeaways:

  1. Most changes are already in effect - Including the statutory tort since June 2025
  2. December 2026 deadline approaching - Automated decision-making transparency in 10 months
  3. Tranche 2 coming in 2026-2027 - Even bigger changes including small business exemption removal
  4. Document everything - Your compliance efforts need to be demonstrable
  5. Make privacy a priority - This isn't just a legal requirement, it's a business imperative

The good news is that strong privacy practices aren't just about compliance—they build customer trust, reduce risk, and create competitive advantage. Businesses that are ahead of these changes are better positioned for success in an increasingly privacy-conscious marketplace.

For a detailed explanation of the 13 Australian Privacy Principles that form the foundation of these reforms, read our Complete Guide to Australian Privacy Principles.

Ready to Ensure Compliance?

ComplianceKit generates privacy policies specifically for Australian businesses, already updated for the December 2024 reforms, the June 2025 statutory tort, and ready for upcoming changes.

Generate Once - $79 one-time:

  • Complete policy covering all 13 APPs
  • NDB scheme included
  • December 2024 and June 2025 reforms reflected
  • Download in 4 formats (PDF, DOCX, HTML, TXT)
  • Update anytime for free

Managed Compliance - +$29/year:

  • Automatic updates for December 2026 and Tranche 2
  • Hosted at secure URL
  • Email notifications when updated
  • Complete version history
  • One-click regeneration when your business changes



Last updated: February 6, 2026

This guide provides general information about Australian privacy law reforms. It's not legal advice. For specific legal questions about your situation, consult a qualified privacy lawyer.
