For many years, privacy enforcement in Australia was a bit… polite. The OAIC could nudge, issue determinations, and make a bit of noise, but it often lacked the real teeth needed to drive compliance in the boardroom. That era is over.
11 December 2024 saw the commencement of amendments to the Privacy Act 1988 (Cth) which overhaul Australia’s enforcement toolkit — with bigger fines, broader court powers, faster penalties, and forensic-level investigative authority. It’s not quite the GDPR, but it’s getting close enough to make a lot of GCs uncomfortable.
In this 7th part of our Privacy 2.0 series, let’s start with the money. The maximum fine for a serious or repeated privacy breach by a company is now $50 million, or three times the benefit obtained, or 30% of adjusted turnover — whichever is greater. That’s serious deterrent territory, not just a regulatory slap. Even mid-tier breaches now carry $3.3 million maximums for corporates. Individuals? You’re looking at up to $2.5 million if you seriously mess it up. There’s a new hierarchy of penalties too — with lower thresholds and infringement notices for technical breaches like bad privacy policies or sloppy notifications.
But it’s not just about fines. The OAIC can now issue infringement notices, bypassing court for certain minor but clear-cut breaches. Think of it like a privacy speeding ticket — faster, cheaper, but still stings. And yes, you can fight it in court if you want. Just hope your documentation holds up.
Then there are the new powers of investigation and monitoring. The OAIC is now plugged into the Regulatory Powers (Standard Provisions) Act 2014 (Cth), meaning it can get warrants, enter premises, seize devices, and even apply reasonable force — all while preserving privilege. This puts the Privacy Commissioner on more equal footing with ASIC and the ACCC, especially when it comes to serious or systemic non-compliance. If your data handling is shady, half-baked or undocumented — now’s the time to clean it up.
And finally, court powers have been expanded. The Federal Court and the Federal Circuit and Family Court can now order not just fines, but anything else appropriate — including remediation, compensation, and public declarations. This opens the door for privacy class actions to get seriously strategic – not just possible, but powerful.
Here’s the bottom line: privacy compliance can no longer sit in the “legal” corner or be outsourced to the IT team. It’s now a cross-functional risk category — and it’s time businesses treated it that way. If you’re not audit-ready, breach-ready, or regulator-ready… you’re not ready.
Next week in our Privacy 2.0 series: how the law tackles automated decision-making — and why your pricing algorithm, hiring bot, or fraud engine might need to show its work.