Privacy Law at an Inflection Point
Australian privacy law is undergoing its most significant transformation since the Privacy Act was enacted in 1988.1 The Attorney-General's Privacy Act Review, concluded in 2023 after extensive consultation, recommended fundamental changes: new individual rights modelled on European approaches, strengthened enforcement powers, potential criminal penalties for serious privacy breaches, and expanded coverage to bring more organisations within the regulatory net.2
TLDR:
- The Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles (APPs) govern how organisations collect, use, disclose, and secure personal information - but significant reforms are imminent
- The Notifiable Data Breaches scheme (Part IIIC) mandates assessment and notification within strict timeframes when breaches likely to cause serious harm occur
- The 2023 Privacy Act Review recommends fundamental changes including new individual rights, stronger penalties, and expanded organisational coverage - prepare now
- International data transfers require active compliance management; you may be liable for overseas recipients' handling of personal information
- Privacy-by-design is no longer optional - embed privacy into systems, processes, and culture before regulatory reform compresses transition timelines
While legislative implementation remains in progress, the direction of travel is unmistakable. Organisations that wait for final legislation before adapting their privacy practices will find themselves scrambling to meet compressed transition timelines. Those that act now - building privacy capabilities that anticipate strengthened requirements - will be better positioned when reforms take effect.
Daimon Legal advises organisations navigating this period of privacy law transition, helping build programs that satisfy current obligations while preparing for enhanced requirements ahead.
The Current Privacy Framework
The Privacy Act establishes the foundation for privacy regulation in Australia.1 The Australian Privacy Principles - thirteen principles governing the collection, use, disclosure, and security of personal information - apply to organisations with annual turnover exceeding $3 million, plus certain other entities regardless of size.3
Yet the APPs provide only a framework; their application to specific circumstances requires interpretation. What constitutes "reasonable steps" to protect personal information under APP 11?4 When is collection "reasonably necessary" for an organisation's functions under APP 3?5 What notice must be provided when collecting information in different contexts under APP 5?6 These questions turn on facts and circumstances that general principles cannot fully anticipate.
What You Need to Know: The "reasonable steps" standard under APP 11 is not static - what constitutes reasonable security measures evolves with technology, threat landscapes, and community expectations. The OAIC has made clear that organisations must continuously reassess their security posture, not merely implement controls and assume ongoing compliance.7 A security approach that was adequate five years ago may now be deficient.
The Office of the Australian Information Commissioner provides guidance through determinations, guidelines, and enforcement actions.8 Regulatory priorities shift over time; current focus areas include data breach notification compliance, automated decision-making transparency, and cross-border data flows.
Daimon Legal helps organisations interpret privacy obligations in their specific operational context and implement compliance measures proportionate to their risk profile.
Data Breach Response and the Notifiable Data Breaches Scheme
The Notifiable Data Breaches scheme, introduced in 2018 under Part IIIC of the Privacy Act,9 imposes mandatory assessment and notification obligations when data breaches occur. An "eligible data breach" arises when there is unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to affected individuals.10
The scheme requires organisations to conduct an assessment within 30 days of becoming aware of grounds to suspect a breach.11 Where the assessment confirms an eligible data breach, notification to both the OAIC and affected individuals must follow as soon as practicable.12 The notification must include specific information: a description of the breach, the kinds of information involved, and recommendations about steps individuals should take.13
What You Need to Know: The 30-day assessment period is a maximum, not a target. The OAIC expects organisations to complete assessments "much sooner" where possible, and has criticised organisations that treat the 30-day period as standard practice rather than an outer limit.14 For serious breaches, assessment and notification within days - not weeks - may be required to satisfy the "as soon as practicable" standard.
When breaches occur, time is compressed. Organisations must rapidly assess whether the threshold for notification is met, prepare notifications for the OAIC and affected individuals, implement containment measures, and often manage parallel communications with stakeholders, media, and regulators.
The hours and days immediately following breach discovery are critical. Decisions made under pressure - about scope assessment, notification timing, remediation offers - shape outcomes for months or years afterward. Having experienced privacy lawyers engaged early, ideally before any breach occurs through incident response planning, substantially improves outcomes.
Daimon Legal provides breach response support, from initial assessment through notification and regulatory engagement, helping organisations navigate crises while building defensible positions.
International Data Transfers
Modern business operations routinely involve cross-border data flows. Cloud services, global platforms, and distributed workforces mean personal information rarely remains within Australian borders. Each transfer creates privacy law obligations that organisations must actively manage.
Under APP 8, organisations must take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs - or face potential liability for the recipient's conduct.15 This represents a significant exposure: the transferring organisation may be liable for privacy breaches by overseas recipients as if those breaches were its own acts.16
What You Need to Know: APP 8 accountability is strict. If you transfer personal information overseas, you may be held responsible for the recipient's privacy breaches unless you can demonstrate reasonable steps to ensure APP-consistent handling, or one of the limited exceptions applies (such as express informed consent to the transfer).15 Contractual protections alone may not suffice - you need genuine due diligence on recipient practices and ongoing monitoring.
For organisations with European exposure, GDPR transfer requirements add further complexity. Standard contractual clauses, supplementary measures, and transfer impact assessments may be required depending on destination country and data sensitivity.
Daimon Legal advises on international data transfer compliance, helping organisations structure global data operations within regulatory requirements.
Privacy in Emerging Technologies
Emerging technologies - artificial intelligence, biometrics, Internet of Things devices - create privacy challenges that existing frameworks struggle to address. AI systems process personal information in ways that may be opaque to affected individuals and difficult for organisations themselves to explain. Biometric data, once compromised, cannot be reset like a password. Connected devices collect information continuously, often without meaningful notice or consent opportunities.
The Privacy Act Review acknowledged these challenges, recommending enhanced protections for certain sensitive technologies.2 The Review specifically recommended that "sensitive information" be expanded to include biometric information and data collected from wearable devices,17 and that new provisions address automated decision-making with significant effects on individuals.18
Even before legislative implementation, organisations deploying these technologies face heightened scrutiny and should implement privacy-by-design approaches that anticipate both current obligations and likely future requirements.
Daimon Legal advises on privacy considerations for emerging technology deployments, helping organisations realise technological benefits while managing privacy risks.
Building Privacy Programs
Compliance requires more than policies. Effective privacy programs embed privacy considerations into business processes, technology systems, and organisational culture. This requires governance structures that assign accountability, training that builds staff capability, technical controls that enforce policy, and monitoring that identifies compliance gaps before they become breaches.
What You Need to Know: The OAIC's enforcement approach increasingly focuses on systemic issues rather than isolated incidents. Organisations that suffer breaches may face less severe regulatory consequences if they can demonstrate a mature privacy program that failed despite genuine compliance efforts, compared to those with paper policies but no operational implementation.8 Investing in genuine privacy capability - not just documentation - pays regulatory dividends.
Program design should be proportionate to risk. A small business collecting basic customer details requires different controls than a healthcare provider processing sensitive health information or a technology platform profiling user behaviour at scale. Over-engineering privacy compliance wastes resources; under-engineering creates unacceptable exposure.
Daimon Legal assists organisations building and maturing privacy programs - from initial gap assessments through governance design, policy development, and ongoing compliance support.
The Privacy Act Review and Coming Reforms
The 2023 Privacy Act Review represents the most comprehensive examination of Australian privacy law in decades.2 The Review's 116 proposals, if implemented, would fundamentally reshape privacy obligations for Australian organisations.
Key recommendations include: a new "fair and reasonable" test limiting collection and use of personal information;19 individual rights to erasure, correction, and access modelled on GDPR provisions;20 expanded coverage to remove the small business exemption for higher-risk activities;21 a statutory tort for serious invasions of privacy enabling direct individual action;22 and significantly increased penalties including potential criminal liability for egregious breaches.23
The government has indicated support for many of these recommendations, though the legislative pathway and implementation timeline remain uncertain. What is certain is that privacy compliance will become more demanding - and more consequential - in the years ahead.
Organisations that begin preparing now, building capabilities aligned with the Review's recommendations, will face smoother transitions when reforms take effect.
Privacy Compliance Checklist for Australian Organisations
The following checklist provides a practical starting point for organisations seeking to assess and strengthen their privacy compliance posture. It is not exhaustive, but covers the foundational elements most organisations should address.
Data Governance and Mapping
- Compile a comprehensive inventory of all personal information collected, held, and disclosed
- Map data flows including collection points, storage locations, internal access, and external disclosures
- Identify all overseas transfers and the countries to which personal information is sent
- Document the purposes for which each category of personal information is collected and used
- Assess whether collection is "reasonably necessary" for each stated purpose (APP 3)
- Review retention periods and implement deletion schedules for information no longer needed
Privacy Policies and Notices
- Review and update your APP-compliant privacy policy (APP 1)24
- Ensure collection notices are provided at or before the time of collection (APP 5)
- Assess whether privacy notices are clear, current, and accessible to affected individuals
- Implement specific notices for any collection of sensitive information (APP 3.3)
- Review website privacy disclosures, cookie notices, and consent mechanisms
Security and Access Controls
- Implement technical security measures appropriate to the sensitivity of information held (APP 11)
- Establish access controls limiting personal information access to those with genuine need
- Deploy encryption for personal information in transit and at rest
- Conduct regular security assessments and penetration testing
- Implement secure disposal procedures for information no longer required (APP 11.2)
Data Breach Preparedness
- Develop a documented data breach response plan aligned with the NDB scheme (Part IIIC)9
- Establish clear escalation pathways and decision-making authority for breach response
- Prepare template notifications for OAIC and affected individuals
- Conduct breach response exercises to test plan effectiveness
- Identify and brief external advisers (legal, forensic, communications) for rapid engagement
International Transfers
- Identify all overseas recipients of personal information
- Assess privacy protections in each destination country
- Implement contractual protections through data transfer agreements
- Document due diligence on overseas recipient privacy practices (APP 8)
- For EU-exposed operations, assess GDPR transfer mechanism requirements
Individual Rights and Complaints
- Establish processes for responding to access requests within required timeframes (APP 12)
- Implement correction request procedures (APP 13)
- Develop a complaints handling process meeting APP 1.4(e) requirements
- Train staff on recognising and escalating privacy requests and complaints
- Document and track all requests and complaints for regulatory reporting
Governance and Training
- Designate a privacy officer or equivalent with clear accountability
- Establish board or executive oversight of privacy compliance
- Implement privacy training for all staff handling personal information
- Conduct periodic privacy compliance audits or assessments
- Monitor OAIC guidance, determinations, and enforcement trends
Preparing for Privacy Act Reforms
- Review the Privacy Act Review proposals and assess likely impact on your organisation2
- Conduct gap analysis against proposed new requirements
- Budget for compliance investment as reforms progress through Parliament
- Consider early implementation of "fair and reasonable" collection standards
- Assess readiness for potential new individual rights (erasure, portability)
How Daimon Legal Can Help
Navigating Australian privacy law requires more than generic compliance advice - it demands lawyers who understand your operational context, your risk profile, and the trajectory of regulatory reform. Daimon Legal provides practical, commercially-focused advice across the full spectrum of privacy compliance challenges.
Privacy Program Development We help organisations build privacy programs proportionate to their risk profile and operational complexity. This includes governance framework design, policy development, procedure documentation, and training programs - creating genuine privacy capability, not just paper compliance.
Privacy Act Compliance Review We assess your current practices against APP requirements, identifying gaps and recommending prioritised remediation. Our reviews examine collection practices, notice and consent mechanisms, security measures, third-party arrangements, and cross-border transfers.
Data Breach Response When breaches occur, we provide rapid-response legal support. This includes assessing notification obligations under the NDB scheme, preparing OAIC and individual notifications, advising on containment and remediation, and managing regulatory engagement. Our breach response retainers enable pre-arranged engagement for faster activation when incidents occur.
International Data Transfer Compliance We advise on structuring cross-border data flows within APP 8 requirements and, where applicable, GDPR transfer mechanisms. This includes due diligence frameworks, contractual protections, and transfer impact assessments.
Privacy Act Review Readiness We help organisations prepare for coming reforms, conducting gap analyses against proposed requirements and developing implementation roadmaps. Early preparation avoids compressed transition timelines and positions organisations as privacy leaders.
OAIC Investigations and Regulatory Response When the OAIC initiates inquiries or investigations, we provide strategic advice and advocacy. Our approach emphasises constructive regulatory engagement, remediation where appropriate, and robust defence where warranted.
Privacy Impact Assessments For new projects, systems, or initiatives involving personal information, we conduct privacy impact assessments identifying risks and recommending controls. PIAs are increasingly expected by regulators and provide defensible evidence of privacy-by-design practice.
Emerging Technology Privacy Advice We advise on privacy considerations for AI systems, biometric deployments, IoT implementations, and other emerging technologies. Our advice addresses current APP requirements, likely reform implications, and reputational risk management.
For a confidential discussion about your privacy legal requirements, contact Daimon Legal.
The information on this page is general in nature and does not constitute legal advice. Please review our Legal Disclaimer for important information about the limitations of this content and the terms governing your use of this website.
Footnotes
-
Privacy Act 1988 (Cth), Federal Register of Legislation. ↩ ↩2
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Attorney-General's Department. ↩ ↩2 ↩3 ↩4
-
Privacy Act 1988 (Cth), s 6C (APP entity definitions) and s 6D (small business exemption). ↩
-
Privacy Act 1988 (Cth), Schedule 1, Australian Privacy Principle 11 (security of personal information). ↩
-
Privacy Act 1988 (Cth), Schedule 1, Australian Privacy Principle 3 (collection of solicited personal information). ↩
-
Privacy Act 1988 (Cth), Schedule 1, Australian Privacy Principle 5 (notification of the collection of personal information). ↩
-
Office of the Australian Information Commissioner, Guide to Securing Personal Information (2024), OAIC. ↩
-
Office of the Australian Information Commissioner, Regulatory Action Policy (2023), OAIC. ↩ ↩2
-
Privacy Act 1988 (Cth), Part IIIC (Notifiable Data Breaches scheme). ↩ ↩2
-
Privacy Act 1988 (Cth), s 26WE (meaning of eligible data breach). ↩
-
Privacy Act 1988 (Cth), s 26WH (assessment of suspected eligible data breaches). ↩
-
Privacy Act 1988 (Cth), s 26WK (notification to the Commissioner) and s 26WL (notification to individuals). ↩
-
Privacy Act 1988 (Cth), s 26WK(3) (contents of notification to Commissioner). ↩
-
Office of the Australian Information Commissioner, Data Breach Preparation and Response (2024), OAIC. ↩
-
Privacy Act 1988 (Cth), Schedule 1, Australian Privacy Principle 8 (cross-border disclosure of personal information). ↩ ↩2
-
Privacy Act 1988 (Cth), s 16C (acts and practices of overseas recipients of personal information). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposal 4.4 (expanding the definition of sensitive information). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposals 19.1-19.3 (automated decision-making). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposal 12.1 (fair and reasonable test). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposals 18.1-18.5 (individual rights). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposals 7.1-7.4 (small business exemption). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposals 27.1-27.3 (statutory tort for serious invasions of privacy). ↩
-
Attorney-General's Department, Privacy Act Review Report (February 2023), Proposals 28.1-28.3 (criminal offences for egregious breaches). ↩
-
Privacy Act 1988 (Cth), Schedule 1, Australian Privacy Principle 1.4 (privacy policy requirements). ↩