{"id":62214,"date":"2024-01-08T14:14:04","date_gmt":"2024-01-08T03:14:04","guid":{"rendered":"https:\/\/www.salesforce.com\/?p=62214"},"modified":"2025-09-12T16:20:54","modified_gmt":"2025-09-12T06:20:54","slug":"australian-privacy-act-update","status":"publish","type":"post","link":"https:\/\/www.salesforce.com\/au\/blog\/australian-privacy-act-update\/","title":{"rendered":"Australian Data Protection Laws in 2025: What Businesses Need to Know"},"content":{"rendered":"\n

On 10 December 2024, reforms to Australia\u2019s Privacy Act were passed. Key changes as of 2025 include expanded enforcement capabilities for the Office of the Australian Information Commissioner (OAIC) and the introduction of a new statutory tort allowing Australians to sue for serious invasions of privacy.<\/p>\n\n\n\n

When the APA was first passed in 1988, floppy disks were still the norm, and a data breach might have consisted of a handful of people passing one around. Now, things have changed; data loss can occur right under your nose, and sensitive information can be leaked to the world in minutes. <\/p>\n\n\n\n

With that in mind, it\u2019s no surprise that 75% of organisations expect their security budgets to increase<\/a> to address evolving threats this year, as per our latest security report.<\/p>\n\n\n\n

\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n

State of IT: Security (Fourth Edition)<\/a>, p. 7<\/p>\n\n\n\n

The key to navigating compliance<\/a> is being prepared. In this guide, we\u2019re going to walk you through the current legal landscape for businesses, explore what\u2019s changing in the future, and explain what you can do to stay ahead of the curve. Let\u2019s dive in. <\/p>\n\n\n\n

Much of the data mentioned in this article comes from research conducted by Salesforce in the State of IT: Security report (Fourth Edition)<\/a>. Read the full report to gain insights from more than 2,000 security, privacy and compliance leaders worldwide. <\/em><\/p>\n\n\n\n

\n\t
\n\n\t\t
\n\t\t\t

Gartner named Salesforce a Leader in Customer Data Platforms. See why.<\/h2>\n\t\t\t\t\t\t\t

<\/p>\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t\t

\n\t\t\t\t\tRead the report<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\n\t\t
\n\t\t\t\t\t<\/div>\n\t<\/div>\n\n\t\t\t
<\/div>\n\t\n\t\t\t\n\t\t\"\"\n\n\t\t\n\t\t\t\t\t\"\"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\t\t\t\"\"\n\t\t\n\t<\/div>\n\n\n\n

A quick overview of data privacy in Australia<\/strong><\/h2>\n\n\n\n

Australia relies on a mixture of Federal, State and Territory data privacy<\/a> laws. The primary federal law is the Privacy Act 1988<\/a>. This contains the 13 Australian Privacy Principles (APPs), which govern the collection, use and disclosure of personal information. <\/p>\n\n\n\n

The Privacy Act received a long-overdue update in 2024, largely due to the evolving challenges of keeping data private and secure in the era of automation and AI analytics. Add in the fact that 64% of customers feel companies are being reckless with their data<\/a><\/strong>, and it\u2019s clear to see why the government is so keen to bring the legislation up to modern-day standards. <\/p>\n\n\n\n

\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n

State of IT: Security (Fourth Edition)<\/a>, p. 21<\/p>\n\n\n\n

Who does the Australian Privacy Act apply to? <\/strong><\/h2>\n\n\n\n

The Privacy Act currently applies to Australian Government agencies and most private sector organisations earning over A$3 million annually. Some small businesses<\/a> with an annual turnover of less than A$3 million, such as those that provide health services or sell\/buy personal information, are also included.<\/p>\n\n\n\n

Note that the Australian Government is considering scrapping the exemption for small businesses<\/strong>, which would bring millions of new companies within the scope of the legislation. <\/p>\n\n\n\n

Who are the key regulators?<\/strong><\/h3>\n\n\n\n

Here\u2019s a quick summary showing the key players in Australia\u2019s privacy overhauls:<\/p>\n\n\n\n

Body<\/strong><\/th>What role do they play?<\/strong><\/th>What\u2019s their focus?<\/strong><\/th><\/tr><\/thead>
OAIC<\/strong><\/td>Main federal regulator for data privacy<\/td>Enforces the Privacy Act, handles complaints and oversees data breach notifications<\/td><\/tr>
Information Commissioner<\/strong><\/td>Head of the OAIC<\/td>Takes charge of the OAIC\u2019s strategy and policies<\/td><\/tr>
Privacy Commissioner<\/strong><\/td>Role that supports the OAIC<\/td>Oversees development and enforcement of privacy laws<\/td><\/tr>
FOI Commissioner<\/strong><\/td>Role that supports the OAIC<\/td>Focuses specifically on freedom of information (FOI) matters<\/td><\/tr>
State\/territory offices<\/strong><\/td>Local privacy regulators by state\/territory<\/td>Enforces state and territory-specific privacy laws<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

What state and territory laws are in play? <\/strong><\/h3>\n\n\n\n

All states and territories except for Western Australia and South Australia have their own data privacy and protection laws. Here are the main ones to know:<\/p>\n\n\n\n

State or Territory<\/strong><\/th>Australian Law<\/strong><\/th>Who does it apply to?<\/strong><\/th><\/tr><\/thead>
Australian Capital Territory (ACT)<\/strong><\/td>Information Privacy Act 2014<\/td>ACT public sector agencies and contractors<\/td><\/tr>
New South Wales (NSW)<\/strong><\/td>Privacy and Personal Information Protection Act 1998<\/td>NSW public sector agencies, local councils and universities<\/td><\/tr>
Northern Territory (NT)<\/strong><\/td>Information Act 2002<\/td>NT public sector agencies and contracted service providers<\/td><\/tr>
Queensland (QLD)<\/strong><\/td>Information Privacy Act 2009<\/td>QLD government departments and agencies<\/td><\/tr>
Tasmania (TAS)<\/strong><\/td>Personal Information Protection Act 2004<\/td>TAS public sector agencies and contracted service providers<\/td><\/tr>
Victoria (VIC)<\/strong><\/td>Privacy and Data Protection Act 2014<\/td>VIC public sector agencies and organisations handling personal information at the state level<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

These laws don\u2019t replace the APA but rather sit alongside it, covering state and territory public sector agencies and their providers. This means businesses that work on both state and federal levels may need to adhere to multiple privacy regulations. <\/p>\n\n\n\n

Key amendments to the Privacy Act in 2025<\/strong><\/h2>\n\n\n\n

A lot has changed in the last year. Let\u2019s discuss some of the amendments that have already taken shape and then look at the road ahead. <\/p>\n\n\n\n

Statutory tort for serious invasions of privacy<\/strong><\/h3>\n\n\n\n

A new statutory tort for serious invasions of privacy came into effect on 10 June 2025<\/strong>. This means Australians now have the right to sue a business that has intentionally or recklessly invaded their privacy, allowing them to recover damages or obtain an injunction. This means you could theoretically have 10 million people taking legal action against you.<\/p>\n\n\n\n

Criminal offence for doxxing<\/strong><\/h3>\n\n\n\n

Publishing personal data in a menacing or harassing way is now a criminal offence, bringing penalties of up to six years imprisonment or seven years if motivated by discrimination. This law came into effect in December 2024<\/strong>. <\/p>\n\n\n\n

New powers for the OAIC<\/strong><\/h3>\n\n\n\n

The OAIC now has more power to conduct public inquiries, issue compliance notices and thoroughly investigate offending businesses.<\/p>\n\n\n\n

They can also issue administrative fines for minor breaches without a court order (civil penalties up to A$66,600 for individuals and A$330,000 for businesses) or seek court orders to issue penalties up to A$50 million, 30% of the company\u2019s adjusted turnover in the relevant period, or three times whatever benefit the company gained from the interference (whichever is greater) for more serious offences. <\/p>\n\n\n\n

Automated process privacy notices<\/strong><\/h3>\n\n\n\n

Organisations that use automated processes (such as AI data processing or screening) to make decisions that impact the rights or interests of individuals will now need to include details about this process in their privacy policy. This requirement comes into effect on 10 December 2026<\/strong>. <\/strong><\/p>\n\n\n\n

Children\u2019s Online Privacy Code framework<\/strong><\/h3>\n\n\n\n

The amended Privacy Act also introduced a framework for developing a Children\u2019s Online Privacy Code (COPC), which will add new guidelines surrounding the collection of children\u2019s personal data. The code will be written and enforced by 10 December 2026<\/strong>. <\/strong><\/p>\n\n\n\n

\n\t
\n\n\t\t
\n\t\t\t

Say hello to Data Cloud.<\/h2>\n\t\t\t\t\t\t\t

Data Cloud, the only data platform native to Salesforce, unifies data from any system with built-in trust, security, and compliance. Get real-time customer insights while protecting privacy and staying compliant.<\/p>\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t\t

\n\t\t\t\t\tExplore Data Cloud<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\n\t\t
\n\t\t\t\t\t<\/div>\n\t<\/div>\n\n\t\t\t
<\/div>\n\t\n\t\t\t\n\t\t\"\"\n\n\t\t\n\t\t\t\t\t\"\"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\t\t\t\"\"\n\t\t\n\t<\/div>\n\n\n\n

What\u2019s still to come: future privacy act reforms<\/strong><\/h2>\n\n\n\n

Understanding the new laws is a great start, but there are still more changes to come. The 2022 Australian Privacy Act Review Report laid out 116 proposals for modernising the Privacy Act, and only a fraction of them have come into play. <\/p>\n\n\n\n

The upcoming \u2018tranche two\u2019 reforms are expected to be more extensive and prescriptive, meaning businesses will need to be on their toes and plan ahead. Some of the anticipated changes include: <\/p>\n\n\n\n