In September 2023, the Australian Government released its response to the Privacy Act Review Report, agreeing to 38 of 116 proposed reforms and agreeing in principle to a further 68. At the time, I suggested three practical questions that directors could put to management while waiting for the legislative detail to land.
Two and a half years on, the first tranche of reforms has passed, the statutory tort for serious invasions of privacy is in force, and the small business exemption is being removed. The three questions have proven more relevant than I expected.
Question 1: Can we meet a 72-hour reporting obligation?
The original question asked what organisations would need to change to meet a compressed Notifiable Data Breaches (NDB) reporting timeframe. The first tranche of Privacy Act reforms did not adopt a universal 72-hour NDB obligation, but the Cyber Security Act 2024 introduced mandatory reporting of ransomware payments within 72 hours, and the SOCI Act requires responsible entities for critical infrastructure assets to report cyber incidents with a significant impact within 12 hours (and other relevant incidents within 72 hours).
The direction of travel is clear. Reporting windows are compressing across multiple regulatory frameworks, not just the Privacy Act. Most organisations were geared to the NDB scheme's 30-day assessment window. Anyone who has been involved in the initial days of an incident knows the fog of war makes it difficult to arrive at a timely and accurate understanding of what has happened and who may be affected.
The lesson from the EU's experience with GDPR's 72-hour breach notification requirement remains relevant: shifting organisations to respond at this pace takes time, planning and rehearsal.
Updated recommendation for directors: Ask management to map every reporting obligation the organisation faces across the Privacy Act, SOCI Act, Cyber Security Act and any sector-specific requirements, recording for each the trigger, the point at which the clock starts and the recipient. The clocks are not aligned: the Cyber Security Act's 72 hours runs from the ransomware payment being made, while the SOCI 12-hour window runs from the entity becoming aware of the incident. Then test whether the incident response capability can actually meet the shortest applicable window. Paper plans are not enough; tabletop exercises against realistic scenarios will expose the gaps.
Question 2: Do we know our data?
The original question focused on whether management has the capability and capacity to inventory organisational data: what it is, what is sensitive, where it sits, whether it is ever disposed of, and how it is controlled.
The Privacy Act reforms have sharpened this question considerably. APP 11 now states explicitly that the reasonable steps an organisation must take to protect personal information include "technical and organisational measures". Demonstrating that you know what data you hold, where it lives and who can access it is therefore a baseline regulatory expectation, not an aspiration.
The MediSecure case provides a stark illustration of what happens when data governance is inadequate. Approximately 12.9 million Australians were affected by a breach of data the organisation still held from a prescription exchange service it no longer operated. The company could not even identify which specific individuals were affected.
From 1 July 2026, the small business exemption is being removed, bringing an estimated 100,000 additional businesses under the Privacy Act for the first time. For many of these organisations, the data inventory question has never been asked.
Updated recommendation for directors: If your organisation has not completed a comprehensive data inventory, this is now urgent rather than aspirational. The regulatory expectation is moving from declarative compliance ("we have a privacy policy") to evidentiary compliance ("we can demonstrate how personal information is handled across our systems").
Question 3: Have we learned from the GDPR experience?
The original question pointed to the GDPR implementation experience, particularly the lessons from Hitachi System Security's post-mortem highlighting SMB uncertainty, the impact on charities, and the need for "Privacy by Design and by Default" to be pervasive across the business.
This question has proven prescient. The Australian reforms are following a path closely aligned with the GDPR, with the Privacy Commissioner noting publicly that Australia's framework is moving towards closer alignment with the European model while going further in some areas, particularly around the statutory tort.
The December 2026 commencement of the automated decision-making transparency obligations adds another GDPR-parallel dimension. Organisations will need to disclose in their privacy policies the kinds of personal information used by computer programs to make decisions that could reasonably be expected to significantly affect an individual's rights or interests, and the kinds of decisions made that way. For organisations already using AI tools across their operations, working out which of those tools fall within scope is not a trivial exercise.
Updated recommendation for directors: Organisations with comparable EU-based peers or industry bodies should actively leverage the GDPR compliance experience as a roadmap. The mistakes were expensive and well-documented. The second tranche of reforms, expected during the current parliamentary term, is likely to include the "fair and reasonable" test for data processing and expanded definitions of personal information and consent, both of which draw directly from GDPR principles.
The bigger picture
What has changed most since September 2023 is not the substance of these questions but the consequence of not asking them. The statutory tort for serious invasions of privacy means individuals now have a direct legal pathway to challenge how their personal information is handled, without depending on the regulator to act. The enhanced penalty regime gives the OAIC mid-tier enforcement tools it previously lacked: a civil penalty for interferences with privacy that do not meet the "serious" threshold, and infringement notices for specified administrative contraventions. And the removal of the small business exemption means the reach of these obligations is about to expand dramatically.
Directors who ensured their organisations started working through these questions in 2023 are well positioned. Those who waited for the legislation to be finalised are now working to compressed timelines.
The Privacy and Other Legislation Amendment Act 2024 is available on the Federal Register of Legislation. OAIC guidance on the reforms is published at oaic.gov.au.
A note on AI use
This article reflects the author's own analysis, experience, and professional judgement. AI tools were used during drafting to assist with structure, editing, and refinement. The ideas and positions expressed are entirely the author's own.
For more on how Wilk Advisory uses AI, see our AI use statement.