Australia's Privacy Act Reform in 2026: The Long-Awaited Update

Australia's Privacy Act has been under reform for years. Where the 2024-2025 amendments and the further proposed changes sit in 2026.

Australia’s Privacy Act 1988 has been under structural reform for years. The 2020-2024 Privacy Act Review produced substantial recommendations; the 2024 first tranche of amendments enacted some recommendations; the 2025 further tranche is in late-stage progress. The OAIC’s enforcement posture has been progressively more active. By 2026, the Australian privacy framework is meaningfully more rigorous than the pre-reform baseline.

For organizations operating in Australia, the practical compliance work matters.

What changed in 2024-2025

The 2024 first tranche of Privacy Act amendments introduced:

  • Statutory tort for serious invasions of privacy — providing a private cause of action.
  • Children’s online privacy code with substantial obligations for services likely accessed by minors.
  • Anti-doxing provisions.
  • Increased OAIC enforcement powers including civil penalties.
  • Specific provisions for automated decision-making with notice obligations.

The 2025 further tranche (in late-stage progress) is expected to introduce:

  • Broader definition of personal information including some technical identifiers.
  • Fair and reasonable processing requirement beyond consent.
  • Right to erasure and right to object in expanded form.
  • Specific obligations on small business (previously largely exempt).
  • Enhanced cross-border transfer requirements.

The cumulative effect moves Australian privacy law substantially closer to GDPR alignment, though with continued distinct features.

The OAIC’s enforcement

The Office of the Australian Information Commissioner has been progressively more active:

  • Substantial enforcement actions post-Medibank and post-Latitude breaches.
  • Civil penalties materially increased under the 2024 amendments.
  • Determinations and orders more frequent.
  • Industry guidance more prescriptive.

The OAIC has been resource-constrained relative to the workload; the 2025 budget increases have provided expanded capacity.

Practical engineering implications

For an Australian organization in 2026:

  1. Privacy notice updates reflecting the 2024-2025 amendments.

  2. Consent management with the additional categories required (sensitive data, automated decision-making, etc.).

  3. DSAR workflow with the expanded rights.

  4. Cross-border transfer documentation under the enhanced requirements.

  5. Breach response capability, including OAIC notification.

  6. Children’s data handling under the new code if applicable.

  7. Automated decision-making transparency under the new requirements.

  8. Privacy by design as an operational expectation.

The compliance posture for an organization with a working GDPR program transfers substantially; the work is in adapting to Australian specifics.

The interaction with CDR and sector regulators

The Privacy Act sits alongside:

  • CDR framework (covered here) with sector-specific privacy obligations.
  • APRA prudential requirements for financial-services entities.
  • Therapeutic Goods Administration (TGA) for health data.
  • ACMA for telecommunications data.
  • Sector-specific overlays across various industries.

The architecture is workable but requires careful jurisdictional mapping for multi-sector entities.

What’s coming in 2026 and 2027

Three things to watch:

  • The expected enactment of the 2025 further tranche.
  • OAIC enforcement continuing to scale.
  • Possible further amendments under the Privacy Act Review’s later-tranche recommendations.

Where pdpspectra fits

Our privacy compliance work spans Australia and the broader Asia-Pacific. We help clients navigate the reforming Australian framework.

Related reading: the UK Data Protection post, the India DPDPA compliance post, and the Japan APPI post.


Australian privacy law is rapidly maturing. Talk to our team about your compliance.