4iT IT Support Sydney | Your Reliable Sydney IT Support Partner

Australian Privacy Act 2024 changes: what SMEs need to do now

Most provisions of Australia's Privacy and Other Legislation Amendment Act 2024 are already in force, with the remaining automated decision-making (ADM) transparency obligations commencing 10 December 2026. The Office of the Australian Information Commissioner (OAIC) now has new infringement notice powers of up to AU$66,000 per contravention and launched its first ever privacy compliance sweep in January 2026. For Australian SMEs, the small business exemption that has shielded most operators since 2000 is widely expected to be removed in the next tranche of reforms.

Key facts

  • The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024, with most amendments commencing immediately.
  • The statutory tort for serious invasions of privacy commenced 10 June 2025, allowing Australians to sue for serious privacy invasions for the first time.
  • The OAIC can now issue infringement notices of up to AU$66,000 per contravention, plus compliance notices that mandate specific remediation.
  • Maximum civil penalty for serious or repeated interference with privacy: AU$3.3 million for a body corporate.
  • Automated decision-making transparency obligations commence 10 December 2026, requiring businesses to disclose ADM use in their privacy policies.
  • The OAIC began its first ever privacy compliance sweep in January 2026, targeting roughly 60 organisations across six sectors.
  • The current AU$3 million annual turnover small business exemption is expected to be removed in tranche 2 reforms.

What is the Privacy and Other Legislation Amendment Act 2024?

The Privacy and Other Legislation Amendment Act 2024 (POLA Act) is the most substantial reform of Australian privacy law since the Privacy Act 1988 was enacted. It received Royal Assent on 10 December 2024 and represents the first of two planned tranches of privacy reform, with tranche 2 expected during 2026 or 2027.

The Act introduces a statutory tort for serious invasions of privacy, expands OAIC enforcement powers, requires "reasonable steps" for personal information security to include explicit technical and organisational measures, mandates new disclosure obligations around automated decision-making, and creates the framework for a Children's Online Privacy Code due to be registered by 10 December 2026.

Most SMEs we talk to think privacy law doesn't apply to them because of the small business exemption. That position is becoming harder to defend, both because the exemption is widely expected to be removed and because contractual obligations from larger customers and global suppliers increasingly require GDPR-equivalent compliance regardless of statutory scope.

Which Privacy Act changes are already in effect?

Three changes have real teeth right now: the statutory tort, expanded OAIC enforcement powers, and an active compliance sweep that began January 2026.

The OAIC's enforcement toolkit changed materially in late 2024. The Commissioner can now issue infringement notices of up to AU$66,000 per contravention, bypassing the slower civil penalty process and letting the regulator move on administrative breaches quickly. The maximum civil penalty for serious or repeated interference with privacy now sits at AU$3.3 million for a body corporate. The OAIC also gained the power to issue compliance notices that prescribe exactly how a privacy failure must be fixed.

The OAIC has signalled clearly that it intends to use these powers. The compliance sweep launched in January 2026 targeted around 60 organisations across six sectors where personal information is commonly collected in person: real estate agents, chemists, licensed venues, car rental, car dealers, and pawnbrokers. The sweep specifically assesses privacy policies for compliance with APPs 1.3 and 1.4. The signal to the rest of the market is fairly clear.

What's the new statutory tort for serious privacy invasions?

The statutory tort for serious invasions of privacy commenced 10 June 2025 and gives Australians the personal right to sue parties that intentionally or recklessly invade their privacy. This is the first time in Australian law that privacy has existed as a personal right with a direct cause of action.

The tort applies where conduct is intentional or reckless, the invasion is serious, and the public interest in the plaintiff's privacy outweighs any countervailing public interest. "Misuse" of personal information is broadly defined and includes over-collection, inappropriate disclosure, and interference with personal information. The framing borrows from defamation law, and damages for non-economic loss are capped at the limits applicable to defamation.

An accidental data breach probably doesn't trigger the tort. A breach handled negligently might. The bigger structural shift is that "no win, no fee" lawyers can now run privacy actions in much the same way as defamation cases, which we expect to materially change the risk calculus around how breaches are handled.

What happens on 10 December 2026?

From 10 December 2026, APP entities must include specific information about automated decision-making in their privacy policies under new APP 1.7. The disclosure obligation applies wherever computer programs make, or contribute to making, decisions that significantly affect a person's rights or interests, using personal information about that individual.

Privacy policies will need to disclose the kinds of personal information used in automated decisions, the kinds of decisions being made or contributed to, and how the system works in plain language. "Significant" effect is broadly defined and includes both positive and negative impacts on rights or interests.

In practical terms, that captures credit decisions, insurance pricing, hiring screens, dynamic loan terms, AI-assisted customer routing, fraud detection systems, and any AI tool that produces output a human relies on to make a customer-affecting decision. If you've integrated an AI tool into a customer-facing workflow this year and not thought about how it makes decisions, the next 12 months are your window to do something about it.

Does the small business exemption still apply?

Yes, but probably not for long. The current AU$3 million annual turnover threshold exempts roughly 95% of Australian businesses from most Privacy Act obligations, and the Government has indicated in-principle support for removing the exemption in tranche 2 reforms.

Even if your turnover is under the threshold today, three things still apply. First, you're typically already contractually bound to GDPR-equivalent obligations whenever you handle data on behalf of a multinational, large enterprise, or government client. Second, you're already covered under the Notifiable Data Breaches scheme if you handle health information or trade in personal information, regardless of turnover. Third, you'll be in scope when tranche 2 lands, and building good practice now is materially cheaper than retrofitting under enforcement pressure later.

In our experience reviewing privacy policies for Sydney SMEs across 2025 and 2026, the most common gap we see is policies that haven't been updated since the business was founded. A 2018 privacy policy is no longer compliant against the standard the OAIC's compliance sweep is enforcing.

What should SMEs do now?

Six practical steps any SME can take in the next 90 days, whether currently in scope or not.

1. Review your privacy policy. If it hasn't been updated in the last 18 months, it's almost certainly behind. Add a section on automated decision-making now, even if December 2026 feels distant. The OAIC is judging policies on clarity, accuracy, and currency.

2. Audit what personal information you collect. Most SMEs collect substantially more than they need. Field by field, ask why each piece of data is collected and what it's used for. Anything without a clear answer should come off the form.

3. Verify your technical security measures meet APP 11. The amended APP 11 explicitly references "technical and organisational measures." MFA on every admin and email account, encryption at rest, access reviews, and a working backup that's been tested in the last quarter are now the floor, not the aspiration.

4. Map your automated decision-making. Where does software make decisions about people in your business? CRM lead scoring. AI-assisted hiring filters. Insurance or finance integrations. Note them down. By December 2026 you'll need to explain them in your privacy policy.

5. Review your supplier and processor list. If they touch your customer data, they're an extension of your privacy posture. Ensure data processing agreements are in place and that your suppliers themselves have appropriate controls.

6. Get a privacy incident response plan in writing. Notification timelines under the NDB scheme are short. Knowing in advance who calls who, who notifies the OAIC, and who talks to affected individuals will save you days at exactly the point you don't have them.

Frequently asked questions

Does the Privacy Act apply to my small business?

If your annual turnover is below AU$3 million, you're currently exempt from most Privacy Act obligations under the small business exemption. Exceptions apply if you handle health information, trade in personal information, contract with the Commonwealth, or operate as a credit reporting body. Tranche 2 reforms expected during 2026 or 2027 are likely to remove this exemption entirely, so building compliant practices now is recommended.

What is the maximum penalty under the new Privacy Act?

The OAIC can issue infringement notices of up to AU$66,000 per contravention without going to court. For serious or repeated interference with privacy, the maximum civil penalty is AU$3.3 million for a body corporate, or roughly AU$660,000 for a person. The Commissioner can also issue compliance notices specifying mandatory remediation steps.

What does "automated decision-making" mean under the Privacy Act?

Under the new APP 1.7 commencing 10 December 2026, automated decision-making refers to any computer program that makes, or substantially contributes to making, a decision that could reasonably be expected to significantly affect an individual's rights or interests, using their personal information. This includes AI tools, rules-based engines, and machine learning systems. Examples include credit scoring, hiring filters, insurance underwriting, and dynamic pricing.

When do I need to notify the OAIC of a data breach?

Under the Notifiable Data Breaches scheme, eligible data breaches must be reported to the OAIC and to affected individuals as soon as practicable after the entity becomes aware that the breach is likely to result in serious harm. The default position is within 30 days of becoming aware. Some entity types and certain breach scenarios have shorter timeframes.

Do I need a Privacy Impact Assessment for my AI tools?

Privacy Impact Assessments (PIAs) are not strictly mandatory for most private sector entities, but they're strongly recommended where automated decision-making is involved, particularly in light of the December 2026 transparency obligations. PIAs help identify privacy risks before they become breaches and provide evidence of "reasonable steps" under APP 11.

If you'd like a hand reviewing your privacy policy, mapping automated decision-making across your tools, or hardening the technical controls APP 11 now expects, we can run a privacy and security review tailored to where your SME sits today and where the regulatory landscape is heading.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on compliance, cybersecurity, Microsoft 365 hardening, conditional access, Purview governance, and IT advisory, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.
