In Short
Australia’s privacy laws have been strengthened through amendments to the Privacy Act that commenced on 10 December 2024. The reforms introduce higher penalties for breaches, new rights for individuals, and additional transparency obligations for businesses using automated decision-making. Businesses should review their data practices, privacy documents and staff training to ensure they meet the updated requirements.
Tips for Businesses
Review how your business collects, stores and uses personal information to ensure your practices reflect the updated Privacy Act. Check that your privacy policy clearly explains any automated decision-making processes. Update privacy notices and response plans, confirm international data transfers follow the new framework, and train staff to manage personal information consistently and lawfully.
Summary
This guide explains recent reforms to Australian privacy law and how they affect businesses operating in Australia. It is prepared by LegalVision, a commercial law firm that specialises in advising clients on privacy law and regulatory compliance.
Australian privacy law has undergone major changes to bring it into the digital age, improve clarity for businesses, increase transparency and individual rights, and strengthen enforcement mechanisms. These reforms result from significant amendments to the Privacy Act, reflecting recommendations from the Attorney-General’s Department’s Privacy Act Review Report 2022.
The new privacy law changes commenced on 10 December 2024. As a result, it is essential that your business understands the changes and complies as required. This article explains the changes, how they affect your business, and what actions you should take.
What are the Proposed Privacy Changes?
The following summarises six key reforms:
1. Changes to Civil Penalties
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduces new and stronger financial penalties for privacy breaches. It clarifies what counts as a “serious” privacy breach and introduces new penalties for less serious breaches. For example, not having a proper privacy policy could result in fines of up to $66,000 for individuals or $330,000 for companies. The Information Commissioner can issue on-the-spot fines for some breaches, so ensuring your privacy documents are compliant and current is essential.
2. Children’s Online Privacy Code (COP Code)
A Children’s Online Privacy Code will respond to government calls for greater protections for children online. The Australian Information Commissioner is required to develop and register the code within 24 months. It will apply to social media platforms, apps and websites that people under 18 are likely to access, including services that children often use. The code will explain how these services should handle children’s personal information to comply with privacy laws. For example, it might require child-friendly privacy notices or stricter rules about collecting children’s data.
3. Automated Decision Making
The Privacy Act now requires increased transparency around automated decision-making. For many businesses embracing AI in day-to-day operations, this is an important change to be aware of. If an organisation uses automated systems to make decisions that could significantly impact someone’s rights or interests, it must explain this in its privacy policy. This explanation needs to include the kinds of personal information these systems use, what types of decisions they make, and how they are involved in the decision-making process. The goal is to help people understand when and how automated systems use their personal information to make decisions about them.
4. Legal Action For Serious Invasions of Privacy
Individuals can now sue for serious invasions of privacy. This applies to two main types of privacy breaches: intrusion upon seclusion (for example, by spying on someone) and misusing private information. To make a claim, a person must show that:
- their privacy was invaded;
- they had a reasonable expectation of privacy;
- the invasion was intentional or reckless;
- the invasion was serious; and
- protecting their privacy outweighs any public interest in the invasion.
If successful, an individual could seek compensation or an injunction to stop the invasive behaviour. Businesses have some defences available, such as if the action was legally required or done with consent.
This new right aims to give people more control over their privacy and a way to seek justice if their privacy is seriously violated.
5. Overseas Disclosure
International data sharing is now more straightforward, with an official list of countries and privacy schemes considered to have privacy protections similar to Australia’s. This “whitelist” makes it easier for Australian organisations to share personal information with overseas recipients in these approved countries or schemes. Organisations now have less work to check if the overseas recipient has sufficient privacy protections. The goal is to make international data sharing simpler and safer while still protecting people’s privacy.
6. Criminal Offence for Doxxing
The intentional malicious exposure of an individual’s personal data online, known as ‘doxxing’, is now a criminal offence. It is illegal to use the internet or phone services to publish or distribute someone’s personal data (like their address, phone number, or photo) in a way that a reasonable person would consider threatening or harassing. There is an even stronger penalty if this is done to target someone because of their race, religion, gender, sexuality, or other protected characteristics. These new laws aim to protect people from the serious harms that can come from having their private information exposed online, such as harassment, stalking, or threats to their safety.
What Does This Mean for My Business?
To ensure you comply, we recommend you:
- audit your data and privacy processes and:
  - undertake an audit of your information collection processes. Check how your business collects, stores, uses, discloses, and monitors personal information;
  - identify any obvious gaps in your processes and implement policies and procedures to fill them;
  - check how compliant you are with your existing privacy obligations; and
  - ensure your employees understand the correct procedures and implement training if required.
- check your Privacy Toolbox for currency and compliance. Ensure you have:
  - a privacy collection notice;
  - a privacy policy;
  - a data breach response plan;
  - a privacy compliance handbook; and
  - annual staff training.
Key Takeaways
The new privacy reforms impose more substantial penalties for breaches, with fines up to $330,000 for companies. A new Children’s Online Privacy Code will enhance protections for minors, and businesses must disclose the impact of automated decision-making on individual rights. Individuals can now sue for serious invasions of privacy, and doxxing is a criminal offence. Businesses should audit their data processes, update privacy documentation, and train staff as soon as possible.
If you need help understanding the Privacy Act reforms, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today at 1300 544 755 or visit our membership page.
Frequently Asked Questions
What are the key changes introduced by the Privacy Act reforms?
The reforms introduce stronger penalties for privacy breaches, create a new Children’s Online Privacy Code, and require businesses to increase transparency around automated decision-making. They also criminalise doxxing and simplify international data sharing.
What should businesses do to comply with the reforms?
Businesses should audit their data collection and privacy processes, update privacy documents, and train staff on compliance. These actions will help meet the new requirements and avoid penalties.
Who does the Children’s Online Privacy Code apply to?
The Children’s Online Privacy Code will apply to social media platforms, apps, and websites likely to be accessed by people under 18. It will explain how children’s personal information must be handled and may require child-friendly privacy notices and stricter limits on collecting children’s data. The Code must be developed within 24 months.
What penalties apply for privacy breaches under the reforms?
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduces stronger financial penalties. Less serious breaches, such as failing to have a compliant privacy policy, may attract fines of up to $66,000 for individuals or $330,000 for companies. The Information Commissioner can also issue on-the-spot fines for some breaches.