If your startup collects personal information — and virtually every startup does — Australia’s privacy landscape has changed significantly since December 2024. The Privacy and Other Legislation Amendment Act 2024 (Cth) represents the most substantial reform to the Privacy Act 1988 since its inception, and its effects are still rolling out.
Some changes are already in force. Others land later in 2026. A second tranche of reforms, expected to be even more sweeping, is on the horizon. If you’ve been treating privacy compliance as a “we’ll deal with it later” problem, later has arrived.
What Actually Changed
The reforms were passed by Parliament on 29 November 2024 and received Royal Assent on 10 December 2024. They address 23 of the 116 proposals from the Attorney-General’s Privacy Act Review Report 2022 — the “easy wins” that had broad support. The changes fall into six key areas.
1. Stronger Enforcement Powers for the OAIC
The Office of the Australian Information Commissioner (OAIC) now has significantly expanded regulatory tools. Before the reforms, the OAIC’s enforcement options were limited — essentially, it could investigate and, in serious cases, seek civil penalties through the courts. That process was slow, expensive, and rarely used.
Now, the OAIC can:
- Issue infringement notices, without going to court, for breaches of a new lowest tier of civil penalty provisions covering specified APP obligations (for example, a privacy policy that doesn't contain what APP 1.4 requires). The court-ordered maximum for those provisions is $66,000 for individuals and $330,000 for companies; the amount payable under the infringement notice itself is lower, but it is payable without any hearing
- Seek a new mid-tier civil penalty (up to $3.3 million for companies) for interferences with privacy that don't meet the "serious" threshold of the top tier, which previously left a large enforcement gap
- Issue compliance notices requiring specific remedial action within a set timeframe
- Conduct assessments of whether an entity is complying with the notifiable data breaches scheme
- Require APP entities to hand over information and documents about actual or suspected eligible data breaches
The OAIC has made clear it intends to use these powers. Privacy Commissioner Carly Kind has publicly stated the office is taking “a more enforcement-based approach.” In January 2026, the OAIC launched its first-ever compliance sweep, targeting privacy policies in selected sectors to check whether they meet the requirements of APP 1.4. Non-compliant businesses face infringement notices and penalties.
For startups, this means a non-compliant privacy policy is no longer just a theoretical risk — it’s a live enforcement target.
2. Statutory Tort for Serious Invasions of Privacy
Since 10 June 2025, individuals in Australia have had a standalone right to sue for serious invasions of privacy. It is a cause of action in the courts, separate from any complaint to the OAIC, and it is not limited to APP entities: it can be brought against any person or organisation, including a startup that is otherwise outside the Privacy Act under the small business exemption. The claimant does not need to prove actual damage.
To succeed, a claimant must show that:
- their privacy was invaded (by intrusion upon seclusion or misuse of personal information)
- they had a reasonable expectation of privacy
- the invasion was intentional or reckless
- the invasion was serious
- the public interest in their privacy outweighs any countervailing public interest
Damages can include compensation for emotional distress, and in exceptional circumstances courts can award exemplary or punitive damages. Damages are capped at the greater of $478,550 (indexed) or the maximum amount for non-economic loss in defamation proceedings.
What does this mean practically? Negligence alone won't ground a claim, but recklessness will. If your startup mishandles personal data intentionally or recklessly, say by sharing user data with a third party without consent, or by leaving sensitive information exposed after the risk was raised internally, affected individuals can now take you to court directly, without going through the OAIC first. The existence of this tort also creates litigation risk that investors and acquirers will factor into due diligence.
3. Automated Decision-Making Transparency
This is the reform that will hit tech startups hardest. From 10 December 2026, any organisation that uses computer programs to make decisions that could "significantly affect the rights or interests" of an individual must say so in its privacy policy. It is a transparency obligation only: the Act doesn't restrict automated decision-making or give individuals a right to human review (those proposals were left for tranche 2), but a privacy policy that is silent about it will be non-compliant from that date.
The definition is broad. It covers decisions made solely by a computer program using personal information, and decisions where a computer program does something "substantially and directly related" to making the decision, even if a human signs off at the end. Examples include:
- Algorithmic credit or loan decisions
- Automated content moderation affecting user accounts
- AI-driven hiring or screening tools
- Automated pricing based on user data
- Fraud detection systems that block transactions or accounts
Your privacy policy will need to state the kinds of personal information used in the automated process, the kinds of decisions the program makes on its own, and the kinds of decisions for which the program does something substantially and directly related to making them.
Critically, this applies to all automated decisions once the provision commences — including those made by systems that were built or deployed before December 2026. If you’re using any form of algorithmic decision-making that touches personal information, you need to audit those systems now.
4. Children’s Online Privacy Code
The OAIC is required to develop and register a Children’s Online Privacy Code by 10 December 2026. This code will set specific obligations for social media platforms, apps, and websites that children (under 18) are likely to access.
If your startup operates a consumer-facing digital product, you should be watching this space closely. The code is expected to require child-friendly privacy notices, stricter consent mechanisms, and limits on data collection from minors. Even if your product isn’t aimed at children, if children could access it, you may be caught.
5. Simplified International Data Transfers
The reforms introduce a mechanism for the Minister to “whitelist” countries with substantially similar privacy protections. Transfers of personal information to recipients in whitelisted countries will be simpler — reducing the due diligence burden on Australian businesses that use overseas cloud providers, SaaS tools, or outsourced services.
No countries have been prescribed yet, and regulations still need to be made before the mechanism is operational. But for startups that rely heavily on US-based infrastructure (AWS, GCP, Stripe, etc.), this is a reform worth watching. Two caveats in the meantime. First, APP 8 is triggered by disclosure, and under the OAIC's APP Guidelines, providing data to a cloud provider that only stores or processes it on your behalf under a binding contract, while you retain effective control, may be a "use" rather than a "disclosure". Second, for genuine overseas disclosures, the existing APP 8.1 "reasonable steps" obligation and the accountability rule in s 16C continue to apply until a country is prescribed.
6. Criminal Offence for Doxxing
The malicious publication of someone's personal data online, "doxxing", is now a criminal offence under the Criminal Code. The offence covers using a carriage service to make available personal data about an individual in a way that reasonable persons would regard as menacing or harassing, and carries up to six years' imprisonment. A separate, aggravated offence with a higher maximum applies where the doxxing targets a person or group because of race, religion, gender, sexuality, or another protected attribute.
What’s Coming Next: Tranche 2
The December 2024 reforms were explicitly described as a “first tranche.” The second tranche is expected to be significantly more impactful, potentially including:
- A “fair and reasonable” test for data handling — requiring that all collection, use, and disclosure of personal information be objectively fair and reasonable, not just disclosed in a privacy policy
- Removal of the small business exemption. Currently, a business with annual turnover under $3 million (counting related bodies corporate) is exempt from the Privacy Act unless it provides a health service, trades in personal information, is a contracted service provider under a Commonwealth contract, or has opted in. If this exemption is removed, thousands of early-stage startups that currently fly under the radar will be brought into scope
- Employee records exemption reform — the current exemption for employee records held by private sector employers may be narrowed or removed
- Individual rights modelled on the GDPR — including rights to erasure, data portability, and objection to processing
- Mandatory privacy impact assessments for high-risk data activities
The timeline for tranche 2 remains unclear. The reforms were expected after the 2025 Federal election, but there’s been no confirmed introduction date as of February 2026. The Attorney-General’s Department has indicated further consultation is required on several proposals.
For startups, the removal of the small business exemption is the critical one to watch. If your annual turnover is under $3 million, as it is for most early-stage startups, you may currently be exempt from the Privacy Act entirely. Check the exceptions before relying on that: a health-tech product, or a business model that involves selling or buying personal information, takes you outside the exemption regardless of turnover. If the exemption disappears, you'll need to comply with the full suite of Australian Privacy Principles overnight.
What Founders Should Do Now
You don’t need to wait for tranche 2. Here’s a practical compliance checklist based on the law as it stands:
1. Audit your privacy policy. Does it accurately describe what personal information you collect, how you use it, who you share it with, and how individuals can access or correct their data? The OAIC is actively reviewing privacy policies — a generic template you downloaded three years ago won’t cut it.
2. Map your automated decisions. If your product uses any form of algorithmic or AI-driven decision-making that affects users, start documenting those systems now. By December 2026, you’ll need to disclose them in your privacy policy. The audit itself often reveals data flows you didn’t know existed.
3. Review your data breach response plan. The notifiable data breaches scheme has been in place since 2018, but the OAIC now has enhanced powers to assess your compliance with it and to demand information about suspected breaches. Make sure you have a documented response plan, that your team knows how to execute it, and that you can meet the statutory timeframes: assess a suspected eligible data breach within 30 days, and notify the OAIC and affected individuals as soon as practicable once you conclude it is eligible. Record your reasoning for incidents you assess as not eligible too, because the OAIC can now ask for it.
4. Check your data handling agreements. If you share personal information with third-party service providers — analytics platforms, payment processors, CRM tools — ensure your contracts include appropriate privacy protections. Under APP 8, you’re accountable for what happens to personal information you disclose overseas.
5. Consider the statutory tort exposure. Think about your highest-risk data practices. Are there areas where a user could argue their privacy was seriously invaded? The tort requires intent or recklessness, so a known risk that was logged and ignored is exactly the fact pattern to avoid. Internal data access controls, access logging, and consent mechanisms are your first line of defence against a tort claim, and the records they generate are what you'll rely on to show you were neither.
6. Watch for the small business exemption. If you’re currently exempt because of the $3 million turnover threshold, don’t assume that will last. Building privacy compliance into your operations now — while you’re small and your data practices are still forming — is dramatically cheaper than retrofitting compliance after the exemption is removed.
7. Engage your board. Privacy is no longer just a legal or compliance issue — it’s a business risk that investors, acquirers, and enterprise customers will scrutinise. If you’re raising capital, expect questions about your privacy posture in due diligence.
The Bottom Line
Australia’s privacy reform journey is far from over, but the changes already in force are significant. The OAIC has more teeth, individuals can sue for privacy invasions, and automated decision-making transparency is coming fast. For startups — especially those building AI-powered products or handling sensitive consumer data — the window for reactive compliance is closing.
The good news: getting privacy right early is a competitive advantage. Enterprise customers, regulated industries, and international partners increasingly require it. Building privacy into your product from day one is easier and cheaper than bolting it on later.
If you need help reviewing your privacy obligations, updating your privacy policy, or preparing for the automated decision-making transparency requirements, get in touch. We work with startups at every stage to build practical, proportionate privacy compliance — not 200-page policies that no one reads.
For related reading, see our guides on AML compliance for fintech startups and intellectual property assignment — two areas that frequently intersect with data-handling obligations in early-stage companies.