What Didn’t Happen (Yet): The Privacy Reforms Still Waiting in the Wings

You could be forgiven for thinking Australia’s privacy law just had its big moment — and it did. But don’t get too comfortable. What we’ve seen so far from the December 2024 amendments to the Privacy Act 1988 (Cth) is just Round 1.

Welcome to the final instalment of our 9-part Privacy 2.0 series.

There’s a long queue of proposed changes that didn’t make it into the latest legislation, many of them quietly simmering in government inboxes, consultation drafts and “agreed in principle” footnotes.

Some of these postponed reforms could reshape the privacy landscape even more profoundly than the current crop. If you’re trying to future-proof your compliance or understand where the law is going next, here’s what to watch.

1. The Small Business Exemption — Still Alive (for Now)

Right now, businesses with an annual turnover under $3 million are generally exempt from the Privacy Act. That’s tens of thousands of data-handling entities with zero formal privacy obligations. The reform process flagged this as outdated — and it’s clear the exemption will eventually go. When it does, thousands of SMEs will be pulled into the privacy net for the first time. It’s not a question of if. It’s when.

2. Controllers vs Processors — Coming Soon to a Framework Near You

Unlike the GDPR(s), Australia’s privacy law still doesn’t distinguish between data “controllers” (who decide the purpose and means of processing) and “processors” (who process data on someone else’s behalf). That distinction brings clarity and proportionality in many overseas regimes. Expect pressure to harmonise with global norms — especially from businesses operating across borders who are tired of legal whiplash.

3. The Right to Object, Delete, Port — Not Yet, But On Deck

Australia still lacks a formal, standalone right to object to certain uses of data, to demand deletion (the famed “right to be forgotten”), or to port your data from one provider to another. These rights — core pillars of the GDPR(s) — have been agreed to in principle, are popular with the public, and would bring us closer to GDPR standards (and make life very interesting for adtech, fintech, and platform businesses).

4. De-Identified Data? Still A Grey Zone

The reform process acknowledged that re-identification of supposedly anonymous data is a real risk — and that de-identified information still needs regulation. But the law hasn’t caught up yet. Watch for future reforms to APPs 8 and 11 that would bring de-identified data into scope and make re-identification attempts a regulatory red flag.

5. Privacy by Design & Mandatory PIAs — Still Optional (for Now)

There was also discussion of codifying “privacy by design” and making Privacy Impact Assessments mandatory for high-risk activities. The idea? Embed privacy into planning, not just cleanup. It didn’t land this time, but expect it to return — particularly as AI, biometric tech and behavioural profiling go mainstream.

---

Bottom line? This is just the intermission. The Privacy Act is evolving — slowly, but deliberately — toward a framework that looks more like the GDPR(s) and less like its 1980s self. Businesses that treat the current reforms as the finish line are missing the point. The smart ones are already adapting to what’s next.

That’s a wrap on our Privacy 2.0 reform series. If you’ve made it this far, congratulations — you now know more about privacy law than most of Parliament.

Now, go fix your privacy policy — and maybe tell your AI to behave while you’re at it.

Black Box, Meet Sunlight: Australia’s New Rules for Automated Decision-Making

Automated decision-making is everywhere now — in the background of your credit check, your insurance quote, your job application, even the price you see for a pair of shoes. For a while, this opaque machine logic operated in a legal blind spot: useful, profitable, and often inscrutable. But no longer.

Welcome to part 8 of our 9-part Privacy 2.0 series.

Australia’s latest privacy reforms are dragging automated decisions into the daylight. Starting 10 December 2026, organisations will be legally required to disclose in their privacy policies whether and how they use automated decision-making that significantly affects the rights of individuals. It’s the first real attempt under Australian law to impose some transparency obligations on algorithmic systems — not just AI, but any automation that crunches personal data and outputs a decision with real-world consequences.

So what do these changes demand? Two key things:

1. Your privacy policy must (from 10 December 2026) clearly describe:

   • the types of personal information used in any substantially automated decision-making process, and

   • the kinds of decisions made using that information.

2. It will apply wherever those decisions significantly affect an individual’s rights or interests — eligibility for credit, pricing, recruitment shortlists, fraud flags, algorithmic exclusions from essential services like housing or employment, and more. It’s not limited to full automation either. Even “mostly automated” systems — where human review is token or rubber-stamp — are caught.

The goal here is transparency, not prohibition. The law doesn’t say you can’t automate — but it does say you will have to own it, explain it, and flag it. That means no more hiding behind UX, generic privacy blurbs, or vague disclaimers. And if your systems are complex, decentralised, or involve third-party algorithms? No excuses — you’ll need to understand them anyway, and track them over time so your policy stays accurate.

In short, if your business relies on automated decisions in any meaningful way, you’ll need to:

• Map those processes now (don’t wait until 2026),

• Build a system for tracking how and when they change, and

• Craft plain-language disclosures that are specific, truthful, and meaningful.

This isn’t just a ‘legal’ problem anymore — customers, regulators, and journalists are watching. No one wants to be the next brand caught auto-rejecting job applicants for having a gap year or charging loyal customers more than first-timers.

Tomorrow: we wrap our Privacy 2.0 series with what didn’t make it into the legislation (yet) — and where the next battle lines in Australian privacy reform are likely to be drawn.

For many years, privacy enforcement in Australia was a bit… polite. The OAIC could nudge, issue determinations, and make a bit of noise, but it often lacked the real teeth needed to drive compliance in the boardroom. That era is over.

11 December 2024 saw the commencement of amendments to the Privacy Act 1988 (Cth) which overhaul Australia’s enforcement toolkit — with bigger fines, broader court powers, faster penalties, and forensic-level investigative authority. It’s not quite the GDPR, but it’s getting close enough to make a lot of GCs uncomfortable.

In this 7th part of our Privacy 2.0 series, let’s start with the money. The maximum fine for a serious or repeated privacy breach by a company is now $50 million, or three times the benefit obtained, or 30% of adjusted turnover — whichever is greater. That’s serious deterrent territory, not just a regulatory slap. Even mid-tier breaches now carry $3.3 million maximums for corporates. Individuals? You’re looking at up to $2.5 million if you seriously mess it up. There’s a new hierarchy of penalties too — with lower thresholds and infringement notices for technical breaches like bad privacy policies or sloppy notifications.

But it’s not just about fines. The OAIC can now issue infringement notices, bypassing court for certain minor but clear-cut breaches. Think of it like a privacy speeding ticket — faster, cheaper, but still stings. And yes, you can fight it in court if you want. Just hope your documentation holds up.

Then there are the new powers of investigation and monitoring. The OAIC is now plugged into the Regulatory Powers (Standard Provisions) Act 2014 (Cth), meaning it can get warrants, enter premises, seize devices, and even apply reasonable force — all while preserving privilege. This puts the Privacy Commissioner on more equal footing with ASIC and the ACCC, especially when it comes to serious or systemic non-compliance. If your data handling is shady, half-baked or undocumented — now’s the time to clean it up.

And finally, court powers have been expanded. The Federal Court and the Federal Circuit and Family Court can now order not just fines, but anything else appropriate — including remediation, compensation, and public declarations. This opens the door for privacy class actions to get seriously strategic – not just possible, but powerful.

Here’s the bottom line: privacy compliance can no longer sit in the “legal” corner or be outsourced to the IT team. It’s now a cross-functional risk category — and it’s time businesses treated it that way. If you’re not audit-ready, breach-ready, or regulator-ready… you’re not ready.

Next week in our Privacy 2.0 series: how the law tackles automated decision-making — and why your pricing algorithm, hiring bot, or fraud engine might need to show its work.

Before the amendments to the Privacy Act 1988 (Cth) on 11 December 2024, if your Australian business wanted to send personal data overseas — say, to a CRM hosted in the US or a support centre in Manila — you had to jump through a slightly vague hoop. Under APP 8.1, you were supposed to take “reasonable steps” to ensure the recipient wouldn’t do anything that would breach the Australian Privacy Principles. And if they did? Thanks to section 16C, you were still on the hook.

There were a couple of workarounds, one of which was found in APP 8.2(a) – this let you off the liability hook if you “reasonably believed” the recipient country had a law or binding scheme that was “substantially similar” to the APPs — and had real enforcement mechanisms. But what does “reasonable belief” mean in that context? And how similar is “substantially similar”? The vagueness of the whole thing often felt like a false sense of security.

The December amendments bring structure and at least some clarity. We now have APP 8.2(aa) and 8.3, which allow for the creation of a whitelist: a formal, government-endorsed list of countries and binding schemes deemed to have privacy protections and enforcement powers equivalent to ours. If your recipient is on the list, you don’t have to prove a thing — just document that the transfer aligns with the rules and you’re good to go.

This is huge. It streamlines compliance and brings us closer to the way other jurisdictions, like the UK and the EU under their respective GDPRs, handle cross-border data flows via “adequacy” decisions. It also gives businesses clarity about who’s in the safe zone, who’s not, and what conditions might apply. For instance, a country might only make the list for health data, or only for financial services entities. The flexibility is there — but so is the scrutiny.

One catch? At the time of publishing this post, the list doesn’t exist yet. It’ll be created via regulation, which means the real-world usefulness of this reform hinges on how quickly and smartly that list gets built. Until then, businesses still have to do the old assessment under APP 8.2(a), with all the murkiness that comes with it.

So if your infrastructure, vendors, or data processors are offshore, now’s the time to:

• map your transfers,

• review your contracts,

• and prepare to align with the new safe-harbour system when it drops.

Because in the new privacy era, “we didn’t realise the US server was logging that” won’t fly anymore.

Next week in our Privacy 2.0 series: the enforcement overhaul — where civil penalties, infringement notices, and OAIC superpowers come roaring into view.

Reasonable Steps Just Got Real: What APP 11 Now Demands

For years, Australian Privacy Principle 11 has required businesses to take “reasonable steps” to protect personal information from misuse, interference, or loss. Sounds fair — but also vague. What exactly is “reasonable”? A locked filing cabinet? Two-factor authentication? Asking nicely?

In this 4th part of IP Mojo’s exclusive Privacy 2.0 blog series, we discuss how the latest privacy law amendments haven’t rewritten APP 11 — they’ve sharpened it. Specifically, they’ve clarified that “reasonable steps” include both technical and organisational measures. It’s a simple sentence, but it changes the conversation. Because now, the standard isn’t just what you thought was reasonable. It’s what you can prove you’ve done to make security part of your systems, your structure, and your staff’s day-to-day behaviour.

Let’s break it down. Technical measures? Think encryption, firewalls, intrusion detection systems, and strong password protocols. Organisational measures? Employee training, incident response plans, documented data handling procedures, and privacy-by-design baked into new systems and tools. It’s not just about buying tech — it’s about building a culture.

Of course, “reasonable” still depends on context: the nature of your business, the sensitivity of the data, the volume you handle. But this update sends a signal: the era of set-and-forget privacy compliance is over. If your team’s still using outdated software or storing customer records on someone’s laptop, that’s not going to cut it.

Here’s the kicker: while the amendment itself is modest — just a new clause (11.3) — the implications are not. It gives regulators clearer footing. It gives courts a stronger hook. And it gives businesses a chance to get ahead — by documenting what you’re doing, auditing what you’re not, and showing your privacy policies aren’t just legalese, but lived practice.

Tune in tomorrow for: a look at the new data breach response powers, and how the government can now legally share your customers’ personal information — yes, really — in a post-hack crisis.

For years, when an Australian company suffered a data breach, the script was pretty simple: notify the OAIC, maybe tell your customers, and brace for PR blowback. But in a landscape of ransomware gangs, deepfake scams, and real-world harm flowing from leaked personal info, that old approach started to feel… inadequate. The new privacy law amendments (to the Privacy Act 1988 (Cth)) try to fix that.

In this 5th instalment of our Privacy 2.0 series, we look at the new regime of EDB declarations and emergency declarations — new legal tools that give the government power to coordinate how personal data is shared during and after a crisis. If that sounds like overreach, it’s not. It’s actually quite surgical. These powers are about enabling targeted, temporary, lawful information sharing when the goal is harm minimisation — not surveillance.

Under new Division 5, Part IIIC, of the Act, which concerns EDB declarations and commenced with effect from 11 December 2024, the Minister can authorise specific entities to collect, use, or disclose personal information otherwise restricted by the APPs — but only for clearly defined, time-limited purposes like fraud prevention, identity verification, or cyber response, when there has been an eligible data breach that ticks certain boxes.

Banks, credit bureaus, and government agencies may be brought into the loop — but not media outlets.  There are some safeguards, mainly comprised of transparency requirements, consultation with the OAIC, and criminal offences for going rogue with the info.

Then there are emergency declarations — a reboot of existing powers to deal with natural disasters, pandemics, and national emergencies. These let the Prime Minister or a designated Minister approve personal data handling across public and private sectors for things like locating missing persons or coordinating aid.

Again, it’s tightly scoped: the declarations can’t be used for general surveillance, expire after 12 months unless renewed, and once again exclude media outlets entirely – so there are no free-for-alls, no “Minister for Metadata” moment.

The lesson for businesses? Don’t assume your data handling obligations end at “notify the OAIC.” In breach or emergency scenarios, you may now be authorised — or even expected — to share personal information, as long as it aligns with a declaration. Legal and compliance teams should track these developments — your incident response plan may need a serious update.

In short: breach response is no longer just about damage control. It’s about lawful coordination. And if you’re caught flat-footed without internal protocols for handling this new regime, you’re behind the curve.

Next week in the Privacy 2.0 series: how the law now reimagines overseas data transfers — and whether your Singapore-based SaaS platform still cuts it.