Australia's December 2024 Privacy Reforms: 5 Things You Must Know

Don't Have Time to Read the Full Guide?

The Privacy and Other Legislation Amendment Act 2024 brought the biggest changes to Australian privacy law in over a decade. Most provisions are already in effect. Here are the 5 critical things you need to know right now.

Read the complete reform guide →

1. Penalties Increased 2,250% (In Effect Now)

Old maximum: $2.22 million
New maximum: $50 million for companies (or 30% of adjusted turnover, or three times the benefit obtained—whichever is greater)

Why this matters: Privacy breaches are now treated as seriously as other major regulatory violations. The financial risk has exploded.

What to do:

Treat privacy as a board-level risk
Ensure adequate cyber insurance
Document all compliance efforts
Conduct privacy impact assessments

2. OAIC Can Fine You On-the-Spot (In Effect Now)

The Office of the Australian Information Commissioner (OAIC) can now issue infringement notices up to $66,000 per violation without going to court.

Before: OAIC had to go to Federal Court for every penalty (time-consuming, expensive)
Now: "Mid-tier" enforcement option makes it much faster and easier to penalize non-compliance

The OAIC indicated 2025 would be "a big year" for enforcement—and they've actively used these powers.

What to do:

Ensure your privacy practices are demonstrable
Document privacy decisions
Conduct a privacy audit now

3. Individuals Can Sue You Directly (In Effect Since June 2025)

The statutory tort for serious privacy invasions took effect on 10 June 2025 and is now in full force.

What this means:

Individuals can sue directly for privacy breaches
No need to prove financial damage first
Opens door to privacy class actions
Several cases already proceeding through courts

What to do NOW:

Conduct privacy risk assessment
Review and strengthen access controls
Enhance staff training
Ensure robust consent mechanisms
Consider D&O insurance

4. Cybersecurity Requirements Just Got Specific (In Effect Now)

APP 11 now explicitly states that "reasonable steps" to protect personal information must include both technical and organisational measures.

Technical measures:

Encryption
Access controls
Firewalls
Intrusion detection
Regular patching

Organisational measures:

Staff training
Incident response plans
Vendor management
Security policies
Access management processes

What to do:

Audit both types of security measures
Document your security policies
Train staff on security
Update incident response plan

5. Big Changes Coming in December 2026 and Beyond

December 2026 (10 months away)

Automated decision-making transparency: Must disclose in your privacy policy when you use automated systems to make decisions affecting individuals.

This includes:

Loan application systems
Contract approval processes
Service access decisions
Even simple rule-based systems (not just AI)

What to do now:

Audit all decision-making systems
Identify which are automated vs. human-reviewed
Begin preparing privacy policy disclosures

2026-2027 (Expected)

Removal of small business exemption: Currently, businesses under $3M turnover are generally exempt. This is expected to be removed, affecting 2.3 million additional businesses.

Stronger consent requirements: Consent must be voluntary, informed, current, specific, and unambiguous. Pre-ticked boxes won't work.

"Fair and reasonable" test: Collection, use, and disclosure must be fair and reasonable regardless of consent.

What to do now:

If under $3M: Start preparing for compliance
Strengthen consent mechanisms
Budget for privacy compliance

Quick Action Checklist

This Week ☑️

Review your privacy policy for completeness
Check if it includes all 13 APPs and NDB scheme
Verify it reflects December 2024 reforms

This Month ☑️

Audit security measures (technical + organisational)
Update staff training on new penalties
Review access controls

This Quarter ☑️

Conduct statutory tort risk assessment
Audit automated decision-making systems
Prepare for December 2026 transparency requirements

The Easy Way to Stay Compliant

Privacy law keeps changing. December 2024 reforms. June 2025 statutory tort. December 2026 automated decisions. Tranche 2 coming 2026-2027.

Most businesses can't keep up.

ComplianceKit Stays Current for You

Already updated for:

✅ All 13 Australian Privacy Principles
✅ Notifiable Data Breaches scheme
✅ December 2024 reforms
✅ June 2025 statutory tort

Will automatically update for:

🔄 December 2026 automated decision-making
🔄 Tranche 2 reforms (small business exemption removal, consent changes)
🔄 Any future law changes

Pricing

Generate Once - $79 one-time:

Complete, compliant policy
Download in 4 formats
We'll email when laws change
You can update yourself

Managed Compliance - +$29/year: ⭐ Recommended

Automatic updates when laws change
Hosted at secure URL
Email notifications
Complete version history
One-click regeneration

No other generator updates for Australian law changes. ComplianceKit does.

Generate Your Compliant Privacy Policy →

Why This Matters

Privacy is no longer optional:

$50M penalties
Direct lawsuits possible
OAIC actively enforcing
Criminal offences for doxxing

Privacy is a competitive advantage:

Customers demand transparency
Strong practices build trust
Proactive compliance > reactive crisis

Privacy is getting more complex:

Multiple reform tranches
Frequent law changes
New requirements every year

Don't try to keep up manually. Let ComplianceKit handle the updates while you focus on your business.

More Information

Comprehensive guides:

Complete Guide to Australian Privacy Principles (15 min read)
December 2024 Privacy Reforms: Full Details (12 min read)
Privacy Compliance Checklist (3 min read)

Official resources:

OAIC: oaic.gov.au
Privacy enquiries: 1300 363 992

Last updated: February 6, 2026

This guide provides general information about privacy law reforms. It's not legal advice. For specific questions, consult a qualified privacy lawyer.