
Australian Data Protection Laws in 2025: What Businesses Need to Know

Data protection regulations are always evolving. Discover important changes to Australian data protection laws, and learn ways to keep your business compliant.

On 10 December 2024, reforms to Australia’s Privacy Act were passed. Key changes as of 2025 include expanded enforcement capabilities for the Office of the Australian Information Commissioner (OAIC) and the introduction of a new statutory tort allowing Australians to sue for serious invasions of privacy.

When the Privacy Act was first passed in 1988, floppy disks were still the norm, and a data breach might have consisted of a handful of people passing one around. Things have changed: data loss can now occur right under your nose, and sensitive information can be leaked to the world in minutes.

With that in mind, it’s no surprise that 75% of organisations expect their security budgets to increase this year to address evolving threats (State of IT: Security, Fourth Edition, p. 7).

The key to navigating compliance is being prepared. In this guide, we’re going to walk you through the current legal landscape for businesses, explore what’s changing in the future, and explain what you can do to stay ahead of the curve. Let’s dive in. 

Much of the data mentioned in this article comes from research conducted by Salesforce in the State of IT: Security report (Fourth Edition). Read the full report to gain insights from more than 2,000 security, privacy and compliance leaders worldwide. 


A quick overview of data privacy in Australia

Australia relies on a mixture of Federal, State and Territory data privacy laws. The primary federal law is the Privacy Act 1988. This contains the 13 Australian Privacy Principles (APPs), which govern the collection, use and disclosure of personal information. 

The Privacy Act received a long-overdue update in 2024, driven largely by the challenge of keeping data private and secure in an era of automation and AI analytics. Add the fact that 64% of customers feel companies are being reckless with their data (State of IT: Security, Fourth Edition, p. 21), and it’s clear why the government is keen to bring the legislation up to modern standards.

Who does the Australian Privacy Act apply to? 

The Privacy Act currently applies to Australian Government agencies and most private sector organisations earning over A$3 million annually. Some small businesses with an annual turnover of less than A$3 million, such as those that provide health services or sell/buy personal information, are also included.

Note that the Australian Government is considering scrapping the exemption for small businesses, which would bring millions of new companies within the scope of the legislation. 

Who are the key regulators?

Here’s a quick summary of the key players in Australia’s privacy oversight:

  • OAIC (Office of the Australian Information Commissioner)
    Role: main federal regulator for data privacy
    Focus: enforces the Privacy Act, handles complaints and oversees the Notifiable Data Breaches scheme
  • Information Commissioner
    Role: head of the OAIC
    Focus: sets the OAIC’s strategy and policies
  • Privacy Commissioner
    Role: statutory office within the OAIC
    Focus: oversees the development and enforcement of privacy law
  • FOI Commissioner
    Role: statutory office within the OAIC
    Focus: freedom of information (FOI) matters
  • State and territory privacy offices
    Role: local regulators for each state or territory
    Focus: enforce state- and territory-specific privacy laws

What state and territory laws are in play? 

All states and territories except Western Australia and South Australia have their own data privacy and protection laws in force. (Western Australia enacted the Privacy and Responsible Information Sharing Act 2024 in late 2024, but it had not yet commenced at the time of writing.) Here are the main ones to know:

  • Australian Capital Territory (ACT)
    Law: Information Privacy Act 2014
    Applies to: ACT public sector agencies and their contractors
  • New South Wales (NSW)
    Law: Privacy and Personal Information Protection Act 1998
    Applies to: NSW public sector agencies, local councils and universities
  • Northern Territory (NT)
    Law: Information Act 2002
    Applies to: NT public sector agencies and contracted service providers
  • Queensland (QLD)
    Law: Information Privacy Act 2009
    Applies to: QLD government departments and agencies
  • Tasmania (TAS)
    Law: Personal Information Protection Act 2004
    Applies to: TAS public sector agencies and contracted service providers
  • Victoria (VIC)
    Law: Privacy and Data Protection Act 2014
    Applies to: VIC public sector agencies and organisations handling personal information on their behalf

These laws don’t replace the Privacy Act but sit alongside it, covering state and territory public sector agencies and the providers that contract to them. A business that serves both state and federal customers may therefore need to comply with several privacy regimes at once.

Key amendments to the Privacy Act in 2025

A lot has changed in the last year. Let’s discuss some of the amendments that have already taken shape and then look at the road ahead. 

Statutory tort for serious invasions of privacy

A new statutory tort for serious invasions of privacy came into effect on 10 June 2025. An individual can now sue where someone intrudes on their seclusion or misuses information relating to them, provided that the individual had a reasonable expectation of privacy, the invasion was intentional or reckless (negligence is not enough), the invasion was serious, and the public interest in privacy outweighs any countervailing public interest. Remedies include damages (including for emotional distress) and injunctions. Because the cause of action belongs to each affected individual, a large incident involving reckless handling of data could, in principle, expose an organisation to claims from every person affected.

Criminal offence for doxxing

Publishing personal data in a menacing or harassing way is now a criminal offence under the Commonwealth Criminal Code, with penalties of up to six years’ imprisonment, or seven years if the targeting is based on a protected attribute such as race, religion or sexual orientation. These offences came into effect in December 2024.

New powers for the OAIC

The OAIC now has more power to conduct public inquiries, issue compliance notices and investigate offending entities.

The 2024 amendments also introduced a tiered civil penalty regime, so enforcement no longer depends on proving a ‘serious’ interference with privacy:

  • Administrative breaches (for example, a non-compliant privacy policy): civil penalties of up to A$66,000 for individuals and A$330,000 for bodies corporate, and the OAIC can issue infringement notices for these without going to court
  • Interferences with privacy that fall short of ‘serious’: civil penalties of up to A$660,000 for individuals and A$3.3 million for bodies corporate
  • Serious interferences with privacy: court-ordered penalties of up to the greater of A$50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover in the relevant period (this top tier dates from the December 2022 amendments)

The dollar figures above use the A$330 penalty unit that has applied since November 2024 and will rise as the unit is indexed.

Automated process privacy notices

Organisations that use automated processes (such as AI-driven data processing or screening) to make, or substantially assist in making, decisions that could reasonably be expected to significantly affect an individual’s rights or interests will need to say so in their privacy policy, including the kinds of personal information used and the kinds of decisions involved. This requirement comes into effect on 10 December 2026.

Children’s Online Privacy Code framework

The amended Privacy Act also introduced a framework for developing a Children’s Online Privacy Code (COPC), which will add new rules for how online services likely to be accessed by children collect and handle their personal data. The code must be registered by 10 December 2026.


What’s still to come: future Privacy Act reforms

Understanding the new laws is a great start, but there are still more changes to come. The Privacy Act Review Report (published in 2023 after a review begun in 2020) laid out 116 proposals for modernising the Privacy Act, and only a fraction of them have been enacted so far.

The upcoming ‘tranche two’ reforms are expected to be more extensive and prescriptive, meaning businesses will need to be on their toes and plan ahead. Some of the anticipated changes include: 

  • A redefinition of key terms like ‘personal information’
  • Clarity around requirements for obtaining consent 
  • Removal of small business exemptions
  • The right to be forgotten (known as the right to erasure)
  • Mandatory privacy assessments for high-risk data processing

The end goal here is to bring the Privacy Act in line with more comprehensive data protection legislation worldwide, such as Europe’s GDPR. 

How will the government handle AI? 

A defining moment will be the Australian government’s response to artificial intelligence (AI). So far, we’ve only seen the change associated with privacy notices for automated processes, but there’s almost certainly more on the horizon. 

In September 2024, the Department of Industry, Science and Resources (DISR) issued the Safe and Responsible AI in Australia proposals paper, outlining 10 proposed mandatory guardrails for AI in high-risk settings, covering accountability, transparency, human oversight, recordkeeping, testing and risk management.

Our State of IT: Security report (Fourth Edition) reveals that 43% of security leaders feel unprepared for AI-related security regulations, so the best time to start reviewing your procedures is now. It’s much easier (and less risky) to plan ahead for the likely outcome than to retrofit compliance once the laws are in force. 

Sector-specific privacy and data security laws in Australia

Next, let’s touch on some of the sector-specific laws that operate alongside the Privacy Act. These laws add additional privacy and security requirements for certain industries like finance and national security.

Assistance and Access Act (2018) 

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 gives law enforcement and intelligence agencies the power to seek help from ‘designated communications providers’ in accessing encrypted data. Three instruments exist: a Technical Assistance Request (TAR), which asks for voluntary help; a Technical Assistance Notice (TAN), which compels help using capabilities the provider already has; and a Technical Capability Notice (TCN), which compels the provider to build a new capability so that help can be given in future. The Act states that a notice cannot require a provider to build or implement a ‘systemic weakness’ or ‘systemic vulnerability’ into a form of electronic protection, so a TCN cannot lawfully demand a backdoor that undermines encryption for all users, though where exactly that line sits remains contested.

The definition of ‘designated communications provider’ is broad: it captures carriers, device manufacturers, software developers and online service providers with end users in Australia, whether or not the company is based here.

Security of Critical Infrastructure Act (SOCI Act) 

The SOCI Act aims to safeguard the assets underpinning Australia’s essential services from both internal and external threats. It applies to assets in sectors designated as ‘critical infrastructure’, such as energy, communications, transport (including ports), financial services and data storage or processing, and following the 2024 amendments it expressly covers the systems that hold an asset’s business-critical data, including personal information. Obligations for responsible entities include:

  • A critical infrastructure risk management program covering cyber and information security, personnel, supply chain, and physical and natural hazards, with an annual report to the regulator
  • Mandatory cyber incident reporting to the Australian Cyber Security Centre: within 12 hours for incidents with a significant impact on the asset, and within 72 hours for other incidents with a relevant impact
  • Government assistance measures for serious cyber incidents, ranging from information-gathering and action directions to, as a last resort, direct intervention
  • Enhanced cyber security obligations for assets declared ‘systems of national significance’

Consumer Data Right (CDR)

The CDR gives consumers the right to access their own data and direct that it be shared with accredited third parties. It currently applies to the banking (open banking) and energy sectors, with non-bank lending designated as the next sector to come on board and further expansion still under consideration.

Businesses that fall under the CDR umbrella need to ensure that they have clear consent and data sharing mechanisms and that they’re compliant with the privacy and security rules outlined by the ACCC and OAIC. 

Cyber Security Act 2024

The Cyber Security Act 2024 is Australia’s first standalone cyber security statute, passed in November 2024 in response to the growing sophistication of cyber threats. Its main obligations are:

  • Mandatory reporting of ransomware and cyber extortion payments to the government within 72 hours of making the payment (or becoming aware that one has been made), for businesses with annual turnover above A$3 million and for responsible entities under the SOCI Act, in force from 30 May 2025
  • A ‘limited use’ obligation that restricts how information an entity voluntarily shares with the National Cyber Security Coordinator can be used against it
  • A Cyber Incident Review Board (CIRB) that conducts no-fault, post-incident reviews of significant cyber incidents and publishes lessons learned
  • Mandatory security standards for smart (internet-connected) consumer devices sold in Australia

Note that the 72-hour clock applies to ransomware payments, not to data breaches in general. Notifiable data breaches are still governed by the Privacy Act’s Notifiable Data Breaches scheme, which requires a suspected eligible breach to be assessed within 30 days and notified to the OAIC and affected individuals as soon as practicable.

The Act is a cyber resilience measure rather than an AI law, but the threat picture it responds to is increasingly shaped by AI on both sides: defenders use it to detect and triage attacks, while cyber criminals use it to scale theirs. Of the security leaders we surveyed, 79% believe AI agents will introduce new security and compliance challenges, so expect the government’s AI guardrails, when they arrive, to sit alongside these baseline cyber security obligations rather than replace them.

What these laws mean for businesses in 2025

There’s a lot to unpack in the current privacy and protection landscape, so let’s translate it into core obligations for businesses. Here are the five core things you need to do:

  • Strengthen data management: Learn where your personal data is stored and processed, especially high-risk records like children’s data or health information.
  • Prepare for breaches: Be ready to detect, contain, assess and notify. Under the Privacy Act’s Notifiable Data Breaches scheme you must assess a suspected eligible data breach within 30 days and notify the OAIC and affected individuals as soon as practicable; shorter clocks apply to critical infrastructure incidents (12 or 72 hours under the SOCI Act) and to ransomware payments (72 hours under the Cyber Security Act). 
  • Update your privacy policies: Adapt your privacy policies to reflect the Privacy Act’s new automated decision-making disclosure requirement and the anticipated changes to consent requirements. 
  • Protect children’s data: Understand the rules around children’s data and update your procedures to ensure increased transparency during handling. 
  • Review your AI policies: Start auditing, documenting and reviewing your AI practices to prepare for future AI governance regulations. 

Artificial intelligence, in particular, is going to be the double-edged sword of this change. While the security risks are no secret (the idea of cyber criminals using AI to automate attacks is concerning), according to our survey, 80% of security leaders also believe AI will bring new security opportunities. 

The businesses that best cope with the legislative changes will be the ones that can walk the line between using AI for its benefits and maintaining security and oversight at every stage.

How to stay compliant (and build customer trust)

By making targeted changes to your processes and procedures, you can stay ahead of evolving compliance, build trust with consumers and gain an edge over your competitors. Here are the steps to take:  

Part 1: Compliance

Compliance has always been a moving target, but the goalposts have rarely moved this fast. It’s having an impact, as 68% of security leaders say compliance is becoming more difficult amid evolving regulations. 

As mentioned, the key is always preparation. Here’s what you can do to adapt to the current landscape and prepare for the future: 

1. Conduct a privacy impact assessment (PIA)

The first step is to understand your current privacy practices. How does your business collect, store, use and share its personal information? Conduct a risk assessment and map out your data flow to identify potential compliance gaps. 

This is especially important if you handle sensitive data, work with the data of children or operate in a heavily regulated industry.

2. Appoint a data protection officer

If you haven’t done so already, assign the responsibility of your data privacy and protection compliance to one or more individuals. It’s helpful to have a dedicated specialist who can stay up to date with the new compliance standards as they evolve. 

3. Revise your policies and procedures

Now, you’re ready to update your privacy policy to reflect the new changes. Here are some things to consider: 

  • Include privacy disclosures if your business uses AI or automation for decision-making
  • Create a plan for rapid cyber incident reporting and disaster recovery
  • Develop processes for data consent and the right to erasure
  • Start documenting your AI activities ahead of the privacy impact assessments expected to become mandatory for high-risk processing

You should also prepare for sector-specific requirements, such as SOCI Act reporting and CDR data sharing rules (based on your industry). 

4. Tighten your security measures

You should also implement security measures to comply with the new rules. This could include:

  • Investing in technical safeguards like encryption
  • Creating internal playbooks to detect data breaches early
  • Segmenting high-risk data (such as children’s data)
  • Adding measures to meet industry-specific standards like CPS 234 for financial services

If you develop your own AI applications, you may also consider implementing DevSecOps to embed Secure by Design into every stage of the development lifecycle. It’s a proactive approach that can help organisations maintain compliance as regulations change.

5. Train your teams

Your new policies are only as strong as the buy-in of your teams. Make sure every employee who handles personal data understands what’s required of them, and provide ongoing education to keep everyone up to date, especially when new laws are established. 
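As an added example (not code from the article, and not a Salesforce product feature), here is a minimal data-inventory scan of the kind step 1 (mapping your data) and step 4 (segmenting high-risk data) call for. It walks a set of constructed customer records, tags the fields that are personal information, flags categories the Privacy Act treats as ‘sensitive information’ (health, religious beliefs and so on) by scanning free text, and marks children’s records by date of birth so they can be segmented. The record schema, the keyword patterns, the under-18 threshold and the reference date are all assumptions made for the example:

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Field names that identify a person on their own. This is an assumed schema for the
# example; a real inventory would be driven from your own data dictionary.
IDENTIFIER_FIELDS = {"name", "email", "phone", "date_of_birth", "address"}

# Categories the Privacy Act treats as 'sensitive information', each with a keyword
# pattern used to spot them in free text. The category names follow the Act; the
# keyword lists are this example's assumption and would need tuning for a real data set.
SENSITIVE_PATTERNS = {
    "health": re.compile(r"\b(asthma|diagnos\w*|prescription|medicare|allerg\w*)\b", re.I),
    "religious_beliefs": re.compile(r"\b(religion|religious)\b", re.I),
    "racial_or_ethnic_origin": re.compile(r"\b(ethnicity|ethnic origin)\b", re.I),
    "criminal_record": re.compile(r"\b(conviction|criminal record)\b", re.I),
}

CHILD_AGE_LIMIT = 18      # assumption: under-18s are flagged for the Children's Online Privacy Code
AS_OF = date(2025, 7, 1)  # fixed reference date so the example is reproducible

# Constructed sample records; the people and details are invented for this example.
SAMPLE_RECORDS = [
    {"customer_id": "C001", "name": "A. Citizen", "email": "a.citizen@example.com",
     "date_of_birth": "2011-04-02", "notes": "asthma prescription renewed"},
    {"customer_id": "C002", "name": "B. Example", "email": "b@example.com",
     "date_of_birth": "1985-09-15", "notes": "prefers SMS contact"},
    {"customer_id": "C003", "name": "C. Sample", "phone": "+61 400 000 000",
     "date_of_birth": None, "notes": "religion: none stated"},
]


@dataclass
class Classification:
    record_id: str
    personal_fields: list = field(default_factory=list)
    sensitive_categories: set = field(default_factory=set)
    is_child: bool = False

    @property
    def risk_tier(self) -> str:
        """Records with children's or sensitive information are the ones to segment."""
        if self.is_child or self.sensitive_categories:
            return "high"
        return "standard" if self.personal_fields else "none"


def age_on(dob_iso: str, as_of: date) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    born = date.fromisoformat(dob_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def classify_record(record: dict, as_of: date = AS_OF) -> Classification:
    """Tag one record with the personal and sensitive information it contains."""
    result = Classification(record_id=str(record.get("customer_id", "?")))
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in IDENTIFIER_FIELDS:
            result.personal_fields.append(key)
        # Sensitive information usually hides in free text, so scan every string value,
        # not just the columns you expect it in.
        if isinstance(value, str):
            for category, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(value):
                    result.sensitive_categories.add(category)
    dob = record.get("date_of_birth")
    if dob:
        result.is_child = age_on(dob, as_of) < CHILD_AGE_LIMIT
    return result


def build_register(records, as_of: date = AS_OF) -> dict:
    """Roll per-record tags up into the inventory a privacy impact assessment starts from."""
    register = {"total": 0, "high_risk": 0, "children": 0, "sensitive_by_category": {}}
    for rec in records:
        tags = classify_record(rec, as_of)
        register["total"] += 1
        register["high_risk"] += tags.risk_tier == "high"
        register["children"] += tags.is_child
        for category in tags.sensitive_categories:
            register["sensitive_by_category"][category] = (
                register["sensitive_by_category"].get(category, 0) + 1
            )
    return register


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        tags = classify_record(rec)
        print(tags.record_id, tags.risk_tier, sorted(tags.sensitive_categories),
              "child" if tags.is_child else "")
    print(build_register(SAMPLE_RECORDS))
```

Run as a script it prints one line per record and the summary register. The point of scanning every string value, rather than only the columns labelled as sensitive, is that the health note in the first record sits in a generic ‘notes’ field, which is exactly where a column-based inventory would miss it. In practice you would swap the keyword patterns for a proper classifier and feed the register into your PIA and your segmentation and access-control rules.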

Part 2: Trust

With 71% of customers reporting that their trust in companies is decreasing, regulatory compliance alone isn’t enough to heal the wound. Businesses need to embed trust into their business through action. 

Here are some ideas:

  • Be transparent with your customers about how you’re using AI and why it matters
  • Inform users that they have control over their data and what this means
  • Offer clear opt-ins and opt-outs, and make these options easy to find
  • Remove the jargon from your privacy policy to explain things in simple terms
  • Demonstrate accountability if things go wrong

Need support meeting the new regulations? Salesforce Privacy Center can help you minimise your risk. With just a few clicks, Privacy Center simplifies data privacy compliance and builds trust with customers. It’s a simpler, more secure future for businesses and their customers. 


Final thoughts 

Australia’s data privacy landscape is evolving faster than ever, and it shows no signs of slowing down. Only a small fraction of the proposals from the Privacy Act Review Report have currently been implemented, and more guardrails are sure to follow soon. 

The best way to stay ahead is to make privacy a priority, monitor legal changes and focus on watertight data security. This is even more important in the age of artificial intelligence, with 61% of customers saying AI makes it more important than ever for customers to protect their data.

Fortunately, technology can also fight on the other side of the battle to keep your data secure. 

Take Salesforce Data Cloud, for instance. Our solution will help you unify, manage and secure all your data at scale across the entire Salesforce ecosystem, with built-in features for governance and role-based access controls (RBAC). And with robust encryption and granular data policies, you can be confident your customer data is protected at every layer. 

Try Data Cloud for free to see how Salesforce can help you stay ahead of evolving compliance standards. 

Ready to learn more about the current security landscape in 2025? Read our State of IT: Security report to gain insights from more than 2,000 security leaders and compliance experts worldwide.

Are there any other industry-specific updates I should be aware of?

Yes. The Privacy (Credit Reporting) Code 2025 was updated on 25 March 2025. Among other changes, ‘Buy Now, Pay Later’ businesses will need to report and manage their credit data under stricter rules. Financial institutions are now under increased APRA CPS 234 scrutiny. 

My Health Record was also updated recently, mandating that pathology labs and diagnostic imaging providers automatically upload patient test results to the platform. 

How does the Privacy Act 1988 differ from the GDPR?

Currently, the GDPR is much more prescriptive and strict than the Privacy Act. It has several additional data subject rights, such as the right to be forgotten and the right to data portability, explicit consent standards, a 72-hour deadline for notifying supervisory authorities of breaches, and mandatory data protection officers for certain organisations. The upcoming reforms will look to bring Australia’s laws closer to those of the GDPR. 

What is considered a serious invasion of privacy under the new tort? 

The tort covers two kinds of conduct: intrusion upon seclusion (for example, physically or electronically surveilling someone) and misuse of information relating to a person (for example, disclosing or publishing their personal information). The invasion must be serious and either intentional or reckless. An invasion caused by mere negligence, such as a data breach resulting from careless security, does not meet the fault element, although a breach that flows from a reckless disregard of known risks could. The plaintiff does not need to prove financial loss, and damages for emotional distress are available. 
