Unless you live completely off the grid, chances are you’ve been affected by some kind of data breach. Naturally, we can blame technology for that. Digital advancements have driven innovation and efficiency – but they’ve also increased the risks to individuals’ privacy.

Recognising this issue, the Attorney-General’s Department released the Privacy Act Review Report. The report reviewed the Privacy Act 1988 and made 116 proposals to better address the privacy needs of modern Australia. The government agreed, or agreed in principle, to 106 of the 116 proposals (38 agreed outright and 68 agreed in principle), and the first set of reforms, known as Tranche 1, has been introduced in the Privacy and Other Legislation Amendment Bill 2024 (Cth). Tranche 2 is expected to follow.

Tranche 1 of the Bill includes expanding the scope of the Privacy Act and increasing the enforcement powers of regulatory bodies. Let’s take a closer look at what these changes could mean for your business.

Why Do These 2025 Privacy Changes Matter? 

If you’re running a business, it’s crucial to pay attention to these changes. Your regulatory compliance measures, customer interactions, and overall business operations are likely to be affected. With the second tranche of the privacy reforms potentially removing the small business exemption, now is the time for business owners to review their privacy practices and ensure their business is legally compliant.

Note: The privacy changes are currently part of a bill that is still subject to parliamentary debate and review. While we expect most of the bill to pass, please keep in mind that it is not yet officially law.

Key Changes In Tranche 1 of the Amendments

The aim of the Privacy Act reforms is to strengthen Australian privacy regulations. Currently, consumers face high risks of data breaches and misuse of their personal information without consent. The new reforms aim to tighten the rules around data handling and increase penalties for non-compliance. 

Here’s what you can expect as these changes take shape:

  • The Privacy Act will be expanded to cover more business activities
  • Consent and notice rules for handling personal data will become stricter
  • The fairness standard for data practices will broaden
  • Individual rights will increase, giving people new ways to make claims for privacy breaches
  • The enforcement powers of regulatory bodies will be strengthened
  • High-risk activities will require privacy impact assessments
  • Overall, there will be stricter rules for data breaches, security, and data retention

Let’s take a look at these changes in more detail. 

Expanding The Scope Of The Privacy Act

The last major changes to the Privacy Act occurred in 2014 with the introduction of the Australian Privacy Principles (APPs). However, since then, the scope of the Privacy Act has not been updated to address the significant technological advancements that have reshaped how personal data is collected, stored, and used.

The proposed reforms will expand the definition of ‘personal information’ under the Act. The Act currently defines personal information as information or an opinion ‘about’ an identified individual, or an individual who is reasonably identifiable. Under the proposed reforms, ‘about’ will be replaced with ‘relates to’, so that the definition also captures information that only indirectly identifies a person, such as metadata, device identifiers or behavioural data that can be linked back to them.

This means that even if information is not directly about an individual but can be used to reasonably identify them, it will be considered personal information under the Act.

Stricter Consent And Notice Rules

When it comes to data and privacy, consent is a crucial element. When a business collects personal information, it needs to ensure it has received proper consent from individuals. The proposed legislative reforms aim to make consent and notice rules stricter, allowing for greater transparency and giving individuals more control over their data.

Consent for the collection or use of personal data will now need to meet these requirements:

  • Voluntary
  • Informed
  • Current
  • Specific
  • Unambiguous
  • Easily withdrawn

Businesses and organisations will also be required to provide more information about how an individual’s data is handled. This includes informing individuals about:

  • Any overseas parties the data may be shared with
  • Whether the organisation will use the data for high-risk activities
  • The retention period for how long the data will be stored

Additionally, there will be more situations where consent is required for data collection. Businesses will now need to receive consent if they plan on:

  • Collecting geo-location tracking data
  • Engaging in the trade of personal data, such as selling or sharing it with third parties

Broader ‘Fairness’ Standard For Data Practices

When a business collects data from individuals, it must do so fairly. This means ensuring that the collection of information is limited to what is necessary for its business purposes and that data collection practices are not being misused. The legislative updates aim to broaden the fairness standard for data practices. This will require businesses to assess whether their collection, use, or disclosure of personal information is fair and reasonable, even if consent has been given. Key factors include the legal requirements, the necessity of the data for business operations, whether it involves sensitive information, and whether it could harm individuals.

Even if a business has explicit consent from consumers, it must ensure that its data practices align with this fairness standard, meaning it cannot collect, store, or use data in a way that could be deemed unfair or unreasonable.

New Enforcement Powers For Regulators

With the new changes, the Office of the Australian Information Commissioner (OAIC) will have stronger investigation and enforcement powers. As Australia’s primary privacy regulator, the OAIC plays a critical role in ensuring that privacy rights are protected.

The new reforms grant the OAIC more flexibility, power, and jurisdiction. Key changes include:

  • Broader grounds and more flexibility to conduct privacy breach investigations
  • The ability to obtain information about data breaches by issuing requests for information, documents, or answers
  • The power to request any relevant information during compliance assessments, especially when it serves the public interest
  • Sharing information with other regulatory bodies (domestic or international), provided those bodies have appropriate safeguards in place to protect the data
  • Public interest disclosure powers, which allow the OAIC to share information with the public if it’s deemed in the public’s best interest. The OAIC must carefully consider factors like complainants’ rights, the progress of investigations, and potential prejudice before making such disclosures
  • Issuing infringement notices and criminal penalties for failure to comply with requests for information
  • Publishing statements about privacy breaches after investigations, increasing transparency about how businesses respond to breaches
  • The Privacy Act’s scope will be expanded to apply to overseas companies that carry on business in Australia, even if they do not collect or store data in Australia, aligning the Act more closely with global privacy regulations like the EU’s GDPR and California’s CCPA.
  • Civil penalties for breaches of privacy law have been strengthened with a new tiered penalty regime, adding mid-tier penalties and infringement notices for less serious breaches alongside the existing maximum for serious or repeated interferences with privacy, which is the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period

Additionally, the reforms introduce other important measures:

  • Businesses engaging in high-risk data activities may be required to conduct Privacy Impact Assessments (PIAs) to identify and mitigate privacy risks in advance.
  • Greater transparency will be required in automated decision-making processes that use personal information. Where a computer program is used to make, or substantially and directly assist in making, a decision that could reasonably be expected to significantly affect an individual’s rights or interests, the business’s privacy policy must state the kinds of personal information used and the kinds of decisions made in this way.

These reforms significantly enhance the OAIC’s ability to regulate privacy in Australia, ensuring that businesses are more accountable and individuals’ privacy rights are better protected in a rapidly evolving digital landscape.

Introduction Of A Statutory Tort For Serious Privacy Invasions

The updates to Australian privacy legislation will introduce a statutory tort — something that has been missing in Australian privacy law until now.

The statutory tort allows individuals to sue and seek remedies if they have been the victim of a serious privacy invasion. This means individuals can pursue compensation for harm caused by privacy breaches, and it acts as a deterrent for entities that misuse personal information. The tort covers two main types of privacy invasions:

  • Intrusion upon seclusion: This occurs when someone’s physical or digital privacy is invaded without their consent (e.g., hacking, surveillance or recording them).
  • Misuse of private information: This involves the unauthorised use or disclosure of someone’s private information, such as sharing it with a third party without their consent.

However, there are limitations to this tort:

  • The person suing must have had a reasonable expectation of privacy in the circumstances, and the invasion must have been intentional or reckless and serious. Proof of actual damage is not required, but careless or trivial intrusions will not meet the threshold.
  • The court will also weigh public interest in privacy invasion cases. For example, if the invasion was justified for public interest, such as investigative journalism, the case may not succeed.

Certain parties, such as journalists, government bodies, law enforcement, and intelligence agencies, may be exempt from liability under this tort, depending on the specific circumstances and the balance of public interest.

Criminalising Doxxing: New Offences Under The New Amendments

Torts aren’t the only privacy cases the courtroom might see after these updates — the new changes will also criminalise doxxing, a growing concern where someone’s private information is deliberately released to the public with the intent to cause harm or distress.

Under the legislative updates, doxxing will become a criminal offence. The new laws distinguish between:

  • General doxxing, where a person uses a carriage service (such as the internet or a phone network) to publish or distribute another person’s personal data in a way a reasonable person would regard as menacing or harassing, with a maximum penalty of 6 years’ imprisonment
  • Doxxing that targets a person or group because of attributes such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin, which carries a higher maximum penalty of 7 years’ imprisonment due to its potential to incite discrimination or hate-based harm

While the new laws aim to protect individuals from such malicious actions, legitimate uses of information (such as in law enforcement or journalism) will not be affected.

Do The New Changes Address AI In Any Way? 

In recent years, artificial intelligence (AI) has become an increasingly important part of our digital interactions. While AI has been a topic of regulatory discussion in Australia for some time, the 2024 privacy law updates are the first time the Privacy Act has expressly dealt with automated decision-making, which is how most AI-driven processing of personal information will be regulated under the Act.

These changes will regulate the use of AI by:

  • Demanding greater transparency from businesses that use personal information in automated, AI-based decision-making. Where such decisions significantly affect an individual’s rights or interests, the privacy policy must state the kinds of personal information used and the kinds of decisions made this way 
  • Applying the same fairness and reasonableness standards to AI systems as to other privacy-related systems 
  • Giving individuals increased rights to request information if their data is being used in AI-driven decisions 
  • Requiring businesses using AI for high-risk activities to potentially undertake a Privacy Impact Assessment (PIA) to evaluate privacy risks

What Else Will The Legislative Updates Do?

Wait, there’s more – Tranche 1 of the updates covers additional details relating to marketing, employee privacy, and targeting children.

  • Individuals will have an absolute right to opt out of direct marketing communications, such as email, phone calls, and text messages. Businesses will need to provide a clear and easy way for individuals to do this
  • Targeting children in marketing will be prohibited unless it’s for something in their best interest, such as education or health-related purposes
  • Sensitive information (such as health or racial data) cannot be used in targeted marketing strategies unless it’s for a socially beneficial purpose, such as a public health campaign
  • Businesses must be transparent about the use of algorithms and profiling in advertising, clearly explaining how these technologies impact targeted ads
  • Businesses will need to meet baseline data security standards, implement a data breach response plan, and have a process in place to notify the OAIC within 72 hours of a notifiable data breach. The 72-hour window is a proposal the government has agreed to in principle; under the current Notifiable Data Breaches scheme, an entity has up to 30 days to assess a suspected breach and must notify the OAIC and affected individuals as soon as practicable once it decides the breach is notifiable, so response plans should be built around the shorter target now
  • Businesses will be required to define and document minimum and maximum retention periods for different types of personal information, and this information must be included in their privacy policies
  • The employee records exemption will be limited, meaning businesses will now be required to protect their employees’ personal information in line with broader privacy regulations

How Can I Prepare My Small Business For the Upcoming Changes? 

Small businesses are likely to be among the most impacted by the privacy updates, especially with the potential removal of the small business exemption in Tranche 2 (see below).

Here are some actions you can take:

  • Review your privacy practices: what personal information you collect, why, where it is stored (including with overseas providers), and how long you keep it
  • Ensure all legal documents, such as your privacy policy and collection notices, are up to date
  • Make sure workplace policies are in line with the updates
  • Ensure staff are well-informed about their privacy obligations

It’s a good idea to chat with a legal expert – they can provide advice that’s specific to your small business and make the necessary legal arrangements to keep your business legally compliant with the updates. 

Tranche 2: What’s Next?

With Tranche 1 already introduced, businesses should also prepare for the upcoming changes in Tranche 2 of the privacy updates. Tranche 2 is expected to address further privacy challenges and expand on areas not covered in the first set of reforms.

In Tranche 2, expect changes such as a right to erasure (the ‘right to be forgotten’), removal of the small business exemption, stricter regulation of biometric data, stricter consent requirements, and a right to data portability — plus much more. Keep an eye out, and we’ll keep you posted as these updates roll out.

Key Takeaways 

The legislative updates to Australian privacy law could present a huge change for Australian small businesses — it’s important to keep an eye out for them and update your business practices to be legally compliant. Consider seeking the help of a legal expert, as they can guide you in the right direction. 

To summarise what we’ve discussed: 

  • The 2025 privacy updates will bring significant changes to the Privacy Act, expanding its scope and increasing penalties for non-compliance, particularly affecting small businesses
  • Businesses will need to comply with stricter consent and notice rules, ensuring that individuals are informed, and consent is voluntary, specific, and easily withdrawn
  • Targeting children in marketing and using sensitive information for targeted ads will face new restrictions, while individuals will have more rights to control their data, with a right to erasure expected in Tranche 2
  • Broader fairness standards will require businesses to ensure that data collection and use are fair and reasonable, even when consent is provided
  • The Office of the Australian Information Commissioner (OAIC) will gain enhanced powers to enforce privacy regulations, investigate breaches, and issue penalties, including for overseas companies operating in Australia
  • Businesses will need to update data breach response plans, meet new data retention standards, and ensure transparency in automated decision-making processes, especially those involving AI
  • The removal of the small business exemption is expected, meaning small businesses must urgently review their privacy practices, update policies, and ensure compliance with the new regulations

If you would like a consultation on the upcoming privacy changes, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
