On 8 October 2025 the Federal Court handed down the first civil penalty under the Privacy Act 1988, ordering Australian Clinical Labs to pay A$5.8 million for the Medlab Pathology breach. Two days short of four months earlier, on 10 June 2025, the statutory tort for serious invasions of privacy commenced, and on 8 August 2025 the Australian Information Commissioner sued Optus pleading one contravention for each of the roughly 9.5 million affected customers.
For CISOs and DPOs in Australia, the regulatory pressure is no longer about whether the Office of the Australian Information Commissioner (OAIC) will start writing cheques against your insurance tower. It is about whether the controls, the breach-response runbook, the third-party SaaS register and the board attestation pack will hold up against an enforcement regime that now treats breach-response failures as separate contraventions and exposes named executives personally under the Financial Accountability Regime.
This guide walks through the Privacy and Other Legislation Amendment Act 2024 (Tranche 1), the changes already live in 2025-2026, the items still ahead, and the control work a security leader needs to finish before the Automated Decision-Making (ADM) transparency rules switch on 10 December 2026.
The reform timeline: Tranche 1 in force, Tranche 2 still pending
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024 after passing Parliament on 29 November 2024. It is the law CISOs are now working against. The Act introduces tiered civil penalties including new mid-tier (s 13H) and low-tier infringement-notice powers, the statutory tort for serious invasions of privacy, ADM transparency obligations, and new criminal offences for doxxing. The statutory tort commenced on 10 June 2025. ADM transparency in privacy policies commences on 10 December 2026.
Tranche 2 is where the bigger structural reforms still sit: a "fair and reasonable" test for personal information handling, narrowing or removal of the small business exemption (currently A$3 million turnover threshold), reform of the employee records exemption, and a direct right of action that lets individuals sue in court without going through the OAIC. None of these are in force yet. They have slipped multiple times since 2023 and there is no current Bill before Parliament.
The practical implication: the controls and disclosures you build for Tranche 1 need to be designed so that Tranche 2 (when it lands) does not require a rebuild. That means designing privacy notices that already articulate a fair-and-reasonable basis for processing, and standing up data-handling records that would survive a direct right of action filed by a plaintiff firm such as Slater and Gordon or Maurice Blackburn.
The new penalty stack: serious interference, mid-tier, infringement notices
The s 13G ceiling for serious or repeated interference with privacy sits at the greater of A$50 million, three times the benefit derived from the contravention, or 30 percent of adjusted turnover for the contravention period. That ceiling is what hangs over Medibank and Optus.
What the 2024 Act added is the layer beneath. Section 13H introduces a mid-tier civil penalty for an interference with privacy that is not "serious or repeated", with a maximum of 2,000 penalty units (currently around A$660,000 for a body corporate). Below that, the OAIC now has infringement-notice power for specific administrative breaches such as failing to update a privacy policy or to honour requests.
The Australian Clinical Labs decision (Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, Halley J) showed how this stack works in practice. The A$5.8 million total was split: A$4.2 million for failing to take reasonable steps to protect personal information (s 13G via APP 11.1), A$0.8 million for delayed assessment of a suspected eligible data breach, and A$0.8 million for delayed notification under the NDB scheme. The court treated assessment failures and notification failures as separate contraventions attracting independent penalties, with costs of A$0.4 million added.
For CISOs, that pleading strategy reshapes the priority list. A breach-response runbook that is well-documented, log-evidenced and time-stamped now has a direct financial value. So does an OAIC-facing communications template that does not need legal review on the day of notification. Pair this with a VAPT program that produces a written "reasonable steps" trail and the s 13G defence becomes structurally stronger.
What the NDB scheme actually requires (and how the clock is being read)
The Notifiable Data Breaches scheme under the Privacy Act has been in force for several years, but the 2024-2025 enforcement run has clarified how the OAIC reads its timing language. There are two clocks. First, the entity must carry out an assessment of a suspected eligible data breach within 30 days of becoming aware of the suspicion. Second, if the assessment confirms an eligible data breach, the entity must notify the OAIC and affected individuals "as soon as practicable" thereafter.
The Australian Clinical Labs case is the benchmark showing that those words are not loose. The Federal Court awarded A$0.8 million specifically for the delay in commencing the assessment, with a further A$0.8 million for delayed notification. Clayton Utz has commented that the court treated breach response failures, not just the underlying breach, as a target for separate s 13G contraventions.
OAIC statistics for January to June 2025 show 532 notifications, down 10 percent from the record second half of 2024. 59 percent originated in malicious or criminal attacks and 37 percent in human error. Health (18 percent), Finance (14 percent) and Government (13 percent) led the sector breakdown. The average cyber incident affected just over 10,000 individuals.
For CISO readiness, the operational implication is to make assessment a parallel-track activity rather than a sequential one. The moment an alert hits a SOC analyst's screen, both forensic containment and the eligible-data-breach assessment file should be opened. A 24x7 SOC with documented playbooks for the Privacy Act assessment, the SOCI 12-hour critical-incident clock, the SOCI 72-hour significant-incident clock and the Cyber Security Act 72-hour ransomware-payment report is now table stakes. Each of these timers starts at a different moment and stops on a different definition.
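The multi-clock board described above, as an added worked example that is not part of the original article: it takes an incident event log where each regulatory clock has its own trigger, derives each deadline from the periods the article lists, and reports whether each clock is not yet started, running, overdue, or (once the assessment or report is completed) met or late. The trigger labels, the constructed timeline and the status vocabulary are this example's own assumptions, not statutory terms.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Clocks named in the article, each started by its own trigger. The NDB
# notification clock ("as soon as practicable") has no fixed period and is
# tracked as open-ended. Trigger labels are this example's own, not statutory.
CLOCKS = [
    ("NDB assessment", "suspicion_aware", timedelta(days=30)),
    ("NDB notification", "eligible_confirmed", None),
    ("SOCI critical incident", "critical_impact_known", timedelta(hours=12)),
    ("SOCI significant incident", "significant_impact_known", timedelta(hours=72)),
    ("Cyber Security Act ransomware payment report", "ransom_paid", timedelta(hours=72)),
    ("CPS 234 material incident", "cps234_material_known", timedelta(hours=72)),
]

@dataclass
class ClockStatus:
    trigger: str
    started: Optional[datetime]
    deadline: Optional[datetime]
    state: str  # not_started | running | overdue | open_ended | met | late

def clock_board(events: dict, done: dict, now: datetime) -> dict:
    """events: {trigger: time the trigger became known};
    done: {trigger: time the matching assessment/report was completed}.
    A clock whose trigger is not logged is reported as not_started, not omitted."""
    board = {}
    for name, trigger, period in CLOCKS:
        started, finished = events.get(trigger), done.get(trigger)
        if started is None:
            board[name] = ClockStatus(trigger, None, None, "not_started")
        elif period is None:  # no statutory period: closed once notified
            board[name] = ClockStatus(trigger, started, None,
                                      "met" if finished else "open_ended")
        else:
            deadline = started + period
            if finished is not None:
                state = "met" if finished <= deadline else "late"
            else:
                state = "overdue" if now > deadline else "running"
            board[name] = ClockStatus(trigger, started, deadline, state)
    return board

# Constructed sample timeline, not drawn from any real incident.
SAMPLE_NOW = datetime(2026, 3, 21, 9, 0)
SAMPLE_EVENTS = {
    "suspicion_aware": datetime(2026, 3, 2, 9, 0),
    "critical_impact_known": datetime(2026, 3, 2, 10, 30),
    "eligible_confirmed": datetime(2026, 3, 20, 15, 0),
}
SAMPLE_DONE = {
    "suspicion_aware": datetime(2026, 3, 20, 15, 0),    # assessment finished
    "critical_impact_known": datetime(2026, 3, 3, 8, 0),  # SOCI report sent
}
```

Running `clock_board(SAMPLE_EVENTS, SAMPLE_DONE, SAMPLE_NOW)` shows the assessment met inside 30 days, the SOCI 12-hour report late, the notification clock open, and three clocks with no trigger yet logged.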
The statutory tort and the small business carve-out: who can sue you now
The statutory tort for serious invasions of privacy is the single biggest expansion of exposure in the 2024 Act. It commenced on 10 June 2025 as a standalone cause of action sitting alongside, not inside, the Privacy Act. The OAIC has no direct administration role over it.
The cause of action covers intrusion upon seclusion or misuse of information where there is a reasonable expectation of privacy and the invasion is serious. Remedies include damages, injunctions, account of profits and apology orders. Individuals do not need to wait for OAIC to act, and class action plaintiff firms have already begun filing.
The small business exemption is technically still in place. APP entities are bound only if their annual turnover exceeds A$3 million (with carve-ins for health service providers, credit reporting bodies, contracted service providers and trading in personal information). However, the carve-out is being eroded by sector. From 1 July 2026, Tranche 2 of the AML/CTF reforms brings professional services firms (lawyers, accountants, real estate agents, trust and company service providers) into the reporting-entity perimeter, removing the small business exemption from the Privacy Act for that data handling.
Combined with the new statutory tort (which does not depend on Privacy Act coverage at all), a small Australian SaaS or BPO handling personal data is now squarely inside the risk perimeter. For Indian or global vendors processing Australian residents' data, the practical position is that the small business exemption should be treated as gone in any contract negotiation with an Australian customer. Our privacy compliance team regularly maps these obligations against Indian DPDP Act controls for cross-border SaaS.
OAIC's enforcement uplift: A$8.7 million, restructure, court-first posture
The OAIC has been substantially re-resourced and restructured. The 2025 federal budget provided A$8.7 million over three years specifically for enforcement uplift tied to the new statutory tort and the broader Privacy Act reforms.
The enforcement posture has shifted from facilitation to litigation. Australian Clinical Labs was the first Federal Court civil penalty under the Privacy Act. Medibank (filed 5 June 2024) and Optus (filed 8 August 2025) are still on foot. The Optus pleading, in particular, is the test case: one contravention per affected individual, multiplied by approximately 9.5 million customers, against a per-contravention maximum of A$2.22 million for conduct in 2019-2022. The court's calibration of that pleading will reset penalty expectations across every subsequent breach.
For CISOs, this means two things. First, the facilitation era is over; assume any material breach will draw a Commissioner-led civil penalty proceeding rather than an enforceable undertaking. Second, expect the OAIC to plead breach-response failures, retention failures and inadequate-monitoring failures as separate contraventions, each carrying its own penalty calculation. The defensive posture is to build a control narrative that addresses each of those potential pleading lines independently rather than treating "did we have reasonable security?" as a single binary.
The other emerging trend is parallel-track regulator action. APRA imposed a A$250 million additional operational risk capital charge on Medibank in 2023 separately from the OAIC matter. APRA's June 2025 letter to all RSE licensee Board chairs, signed by Deputy Chair Margaret Cole, required board-attested self-assessment of authentication controls and MFA for all high-risk activities by 31 August 2025. CPS 234 incidents now flow to APRA within 72 hours, the OAIC under NDB, and the Cyber and Infrastructure Security Centre under SOCI Part 2B, each with its own clock and its own consequence ladder.
ADM transparency lands 10 December 2026: the AI compliance work to start now
The 2024 Act inserted new ADM transparency obligations into the APPs, requiring privacy policies to disclose where computer programs are used to make, or to do something substantially and directly related to making, a decision that could reasonably be expected to significantly affect the rights or interests of an individual. The commencement date is 10 December 2026, giving organisations a defined runway.
"Significantly affect" is intentionally broad and tracks decisions about credit, insurance, employment, tenancy, access to government services, and provision of goods or services where refusal or disadvantage flows from the model's output. The disclosure must explain the kinds of personal information used and the kinds of decisions made or substantially informed.
The Government has explicitly rejected a standalone AI Act. The Voluntary AI Safety Standard published in September 2024 (10 guardrails covering accountability, risk management, data governance, cybersecurity protections, testing, human oversight, user transparency, contestability, supply-chain transparency, records and stakeholder engagement) was effectively superseded in October 2025 by "Guidance for AI Adoption" with six essential practices. Mandatory guardrails for high-risk AI remain proposed but uncertain.
The practical implication is that AI governance work has to land on existing tech-neutral law: Privacy Act ADM transparency, Australian Consumer Law misleading conduct, anti-discrimination law and sector regulation (APRA, ASIC, eSafety). For any organisation running an ML model that touches Australian individuals, the December 2026 deadline forces three workstreams: a model inventory mapping each system to the "significantly affect" test, a privacy policy rewrite, and a human-in-the-loop or contestability mechanism. A structured AI risk assessment aligned to the Voluntary AI Safety Standard's guardrails is the most efficient way to get this evidence built before the rule activates.
Optus, Medibank and Qantas: what changed in the breach economics
Three breaches define the current Australian regulatory posture. Optus (approximately 9.5 million customers affected over October 2019 to September 2022) drove the urgency on penalty uplift. Medibank (9.7 million Australians affected over March 2021 to October 2022, ransomware breach) drove the APRA A$250 million additional capital charge and the OAIC's first major s 13G action. Qantas (30 June 2025, 5.7 million customers, vishing attack on a Manila-based call centre operator exfiltrating data from a Salesforce platform) drove the supply-chain conversation.
The Qantas case is the canonical study for how reasonable-steps obligations under APP 11.1 extend to third-party SaaS and outsourced BPO. The attack was Scattered Lapsus$ Hunters running social-engineering scripts against Manila-based contact-centre agents, then using legitimate Salesforce credentials and Data Loader to exfiltrate customer records. The breach was part of a broader Salesforce OAuth and Data Loader campaign hitting more than 700 organisations globally.
Three lessons from the breach economics. First, contractual indemnities against a Manila BPO will not stop OAIC pursuing the controller for failing to take reasonable steps to oversee the processor under APP 11.1. The reasonable-steps test attaches to the APP entity that holds the information, not to where the compromised credential lived. Second, OAuth scopes, Data Loader API access and federated identity to SaaS platforms are now in scope of any meaningful audit; if your privacy programme has not enumerated every Salesforce, Workday, ServiceNow and Microsoft 365 integration with read-bulk privileges, it is incomplete. Third, vishing-resistant authentication (FIDO2 hardware keys, passkeys, Windows Hello for Business) on call-centre staff is no longer optional for any entity touching Australian customer data.
The control workload is significant. Phishing-resistant MFA across the call centre, application control and patch SLAs to Essential Eight Maturity Level 2, centralised event logging, and continuous penetration testing of the SaaS-to-IDP-to-BPO trust chain are the four immediate items. Red-team exercises that include social engineering of outsourced contact centres, what we describe as attack simulation, are the way to test whether the controls actually hold against the threat model that took Qantas down.
What CISOs and DPOs should build in the next 12 months
The reform package and the enforcement posture together create a defined, finite control roadmap. The 12-month build list, sequenced to the live and pending deadlines, looks like this.
By the next board cycle: a refreshed risk register that maps each personal information processing activity to a specific obligation (APP 11.1 reasonable steps, NDB assessment and notification clocks, statutory tort exposure, ADM transparency, SOCI 12-hour and 72-hour clocks, Cyber Security Act 72-hour ransomware-payment report, CPS 234 72-hour material incident, APRA CPS 230 critical operations register). The pleadings in Australian Clinical Labs make clear that the board paper needs each clock and each control owner identified by name.
By 30 June 2026: a documented "reasonable steps" evidence base covering Essential Eight Maturity Level 2 (with the November 2023 update for phishing-resistant MFA and centralised event logging). The Federal Court in Australian Clinical Labs treated Essential Eight as a benchmark for reasonable steps, so any ML2 gaps need either remediation or a documented compensating-control argument.
By 10 December 2026: ADM transparency disclosures live in the privacy policy, with an internal model inventory, human-oversight records and contestability mechanism behind each disclosure. Treat this as a hard date, not a soft one.
For Australian companies under cost pressure, and for global SaaS operators that need to demonstrate compliance to Australian customers, an offshore CERT-In empanelled partner can carry a meaningful share of this work. Certbar is empanelled by the Indian Computer Emergency Response Team and runs penetration testing, attack simulation, SOC monitoring and privacy-mapping engagements for Australian organisations from our Surat and Mumbai delivery centres. The economic argument is straightforward: cost-effective offshore delivery, 24x7 SOC coverage that genuinely spans the Australian working day, and audit evidence formatted against OAIC, APRA CPS 234 and SOCI CIRMP expectations. The leadership argument is what most boards now ask about: a partner who will stand behind the evidence file if required.
The deadlines are real, the penalties are now collected through the courts, and the runway is a year. Building against the rules already in force is the cleanest defence against the rules still to come.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.