AU Privacy Act

Privacy and Other Legislation Amendment Act 2024

Act 2024A00128 (Cth)Active — In effect 10 December 2024 — phased to December 2026

Australia's landmark privacy reform amends the Privacy Act 1988 with a new statutory tort for serious privacy invasions, tiered civil penalties, mandatory automated decision-making disclosures, and anti-doxxing criminal offences. Implementation is phased: most provisions took effect immediately, with the statutory tort commencing June 2025 and automated decision provisions in December 2026.

Privacy Principles

AUD 3.3M

Max Civil Penalty

7yr

Max Criminal Sentence

Dec 2024

In Effect

Implementation Timeline

29 November 2024

Bill passed both Houses of Parliament

10 December 2024

Royal Assent — most amendments in effect

10 June 2025

Statutory tort for serious privacy invasions commences

10 December 2026

Automated decision-making provisions fully enforceable

Who's In Scope

Private Sector

Companies with AUD 3M+ annual turnover
Health service providers (regardless of turnover)
Entities trading in personal information

Government

All Commonwealth government agencies
ACT government agencies

Exempt Entities

Small businesses under AUD 3M turnover (with exceptions)
Employee records (private sector)
Media organisations meeting journalism standards

Key Requirements

Sections 1-14

Australian Privacy Principles (13 APPs)

Comply with principles governing collection, use, disclosure, storage, data quality, openness, access, and correction of personal information.

Section 139E

Statutory Tort for Privacy Invasions

New civil cause of action for serious privacy breaches via intentional intrusions upon seclusion or misuse of personal information, with court-awarded damages.

Sections 1C, 5

Automated Decision-Making Disclosure

Update privacy policies to disclose use of automated decision-making processes, implement human review mechanisms for substantially automated decisions.

Sections 19A-19C

Notifiable Data Breaches

Notify OAIC and affected individuals of eligible data breaches likely to result in serious harm, within required timeframes.

Criminal Code

Anti-Doxxing Measures

Criminal offence for sharing personal information with intent to cause harm — up to 7 years imprisonment.

Penalties & Enforcement

Serious/Repeated Interference

AUD 3.3 million (body corporate)

Maximum civil penalty (10,000 penalty units)

Medium-tier Interference

AUD 660,000 (individual) / AUD 3.3M (corporate)

Non-serious privacy interference

Low-tier Infringement Notices

AUD 330,000 (body corporate)

Issued directly by OAIC without court proceedings

Anti-Doxxing

Up to 7 years imprisonment

Criminal offence for malicious personal data sharing

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for AU Privacy Act.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your AU Privacy Act compliance posture and build a practical roadmap.

Get Started