A client asked me last week whether their privacy policy from 2019 was “still fine.” It wasn't. It exposed them to an infringement notice before we'd even got to the serious stuff.

Here's the thing: most Australian businesses haven't opened their privacy policy since a lawyer drafted it years ago and a box got ticked. And for years, that benign neglect carried no meaningful consequences. The Privacy Act existed. The regulator existed. Enforcement was rare, slow, and largely reserved for major breaches at large organisations.

That changed on 10 December 2024.

The Privacy and Other Legislation Amendment Act 2024 is now law, and it fundamentally changes what happens when an organisation fails to handle personal information correctly. These are the most significant Privacy Act reforms Australia has seen since the Act was introduced in 1988.

I've spent a few decades in GRC advisory, working across healthcare, financial services, and technology. This is what changed, what it means for your organisation, and what you need to do about it.

What used to be true

The old Privacy Act relied on a complaints-driven model. Someone suffered a privacy harm. They complained to the OAIC. The OAIC investigated. Outcomes were negotiated. Civil penalties were reserved for serious or repeated interference, and enforcement action was rare enough to be news when it happened.

For most organisations, privacy compliance meant having a policy on the website, not entering personal data into AI tools, and hoping nothing serious happened.

That posture no longer works.

Three changes that matter now

1. The OAIC can fine you directly — without going to court

The regulator can now issue infringement notices directly, without court proceedings, for administrative breaches. The maximum is $66,000 per contravention.

What counts as an administrative breach? No privacy policy. A non-compliant privacy policy. Failing to allow people to interact anonymously where required. Failing to comply with direct marketing requirements.

You do not need to have suffered a data breach to receive an infringement notice. A deficient policy sitting on your website is enough. And penalties are calculated per contravention — multiple deficiencies in a single policy can stack.

2. APP 11 now explicitly requires technical and organisational security measures

Australian Privacy Principle 11 has always required “reasonable steps” to protect personal information. The amendment makes explicit that “reasonable steps” includes both technical measures (MFA, encryption, anti-virus, access controls, patching) and organisational measures (policies, training, procedures, governance).

The practical consequence: your privacy compliance and your cyber security posture are now legally linked. A privacy policy without a security control framework beneath it does not satisfy APP 11. Controls without documented policies don't satisfy it either.

If you are relying solely on your IT provider's “we've got it covered” to meet your privacy security obligations, ask them to put that in writing and explain specifically how it maps to the APPs.

3. Individuals can now sue you directly for a serious invasion of their privacy

From 10 June 2025, Australia has a statutory tort for serious invasion of privacy. For the first time, an individual does not need to wait for the OAIC to investigate before taking legal action against an organisation that has mishandled their personal information.

They do not need to prove financial damage. They need to show that the invasion was intentional or reckless, that they had a reasonable expectation of privacy in the circumstances, that the invasion was serious, and that the public interest in their privacy outweighs any countervailing public interest (such as freedom of expression) the defendant relies on.

For any organisation holding sensitive personal information at scale, such as patient records, student data, or client financial information, this is a class action risk. It is not a proposal or a consultation paper. It is the law.

What's still coming

Tranche 1 is not the end of the reform process. It is the beginning.

The Attorney-General confirmed in February 2026 that Tranche 2 is being progressed. The likely next wave includes:

  • Removal of the $3 million small business exemption — currently 95% of Australian businesses are outside the Act
  • A “fair and reasonable” test requiring all data collection and use to be proportionate
  • Stronger consent requirements — voluntary, informed, current, specific, and unambiguous

From 1 July 2026, AML/CTF reforms bring over 100,000 additional small businesses under the Privacy Act for the first time — lawyers, accountants, conveyancers, and real estate agents. If your supply chain includes any of these, your privacy risk just increased.

What I see in practice

When I work through a Privacy and Cyber Readiness Assessment with an organisation, this is what I consistently find:

  • An outdated privacy policy that doesn't disclose what data is collected, how it's used, or who it's shared with
  • No documented data inventory — no-one knows what personal information the business actually holds or where it lives
  • No tested breach response procedure. If something happened tomorrow, no-one knows who decides, who notifies the OAIC, or what the 30-day assessment window under the Notifiable Data Breaches scheme actually requires of them
  • Staff training records that don't exist or are at least three years old
  • Supplier contracts with no data processing clauses

Every one of those gaps is now a regulatory exposure. Most can be resolved in 30–60 days with the right guidance and a willingness to prioritise it.

Four things to do right now

First: Open your privacy policy. Check the date it was last updated. If it's pre-December 2024, it needs a review.

Second: Ask your IT provider specifically — what technical measures are in place to protect personal information? What organisational measures? Can they document it? If the answer is vague, you have an APP 11 problem.

Third: Map the personal information your organisation holds. Who, what, where. You cannot protect what you cannot see, and you cannot complete the 30-day breach assessment the Notifiable Data Breaches scheme requires if you don't know what was affected.

Fourth: Review your data breach response procedure. If it's a paragraph in an IT policy document that no-one has read, it's not a procedure.

Privacy is no longer an afterthought that gets patched when something goes wrong. It is now a legal obligation with infringement notices, civil penalties, and direct litigation risk attached.

The organisations that are going to get hurt are the ones that don't start this work until something forces them to.

Daniel Johns is a CRISC-certified virtual CISO and GRC advisor, Founder of Coastal Cyber, and a member of the ISACA Global Advisory Council and CompTIA Executive Council ANZ. He works with healthcare providers, financial services firms, and technology businesses across Southeast Queensland on privacy, cyber security, and governance.

If your privacy and cyber posture needs a clear-eyed assessment, book a 20-minute conversation.