2025 proved to be another eventful year for privacy law and compliance in Australia with significant privacy developments. It was a year that firmly shifted privacy from a "policy exercise" to a live regulatory and litigation risk.
Several developments confirmed this shift.
Privacy penalties in 2025
- We saw the introduction of the long-proposed serious invasions of privacy tort, reinforcing that privacy risk is no longer confined to regulatory enforcement alone. It increasingly carries direct litigation exposure, including the prospect of class actions following the misuse of personal information.
- The year also delivered a landmark moment in enforcement, with the first $5.8 million privacy penalty imposed by the Federal Court of Australia, signalling clearly that the regulator is prepared to use the tools available to it.
- Civil penalty proceedings in the Federal Court were commenced against Optus in relation to its 2022 data breach, underscoring that large and sophisticated organisations are firmly within the scope of enforcement.
- The Privacy Commissioner also accepted an enforceable undertaking from Oxfam Australia, demonstrating the continued use of negotiated outcomes where appropriate in the context of investigations, alongside litigation.
This enforcement activity sits against a significantly strengthened penalty framework. Since the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), the consequences of a serious or repeated interference with privacy have increased materially.
For bodies corporate, the maximum civil penalty is material. It is now the greater of $50 million, three times the value of any benefit obtained from the relevant conduct, or, where that value cannot be determined, 30% of adjusted turnover during the relevant period. For individuals who are not bodies corporate, the maximum penalty is $2.5 million.
Privacy risk in 2025
Beyond penalties, 2025 also highlighted the breadth of privacy risk across sectors.
- Vinomofo, an online retailer, was found not to have protected personal information from security risks, ultimately leading to a data breach.
- Kmart's use of facial recognition to tackle refund fraud was found to be unlawful for not notifying shoppers or seeking their consent to obtain biometric information.
- Inquiries were also completed relating to I-MED's disclosure of medical imaging scans to Annalise.ai, a healthcare artificial intelligence company and former joint venture between I-MED and Harrison.ai. A decision was made not to pursue regulatory action, noting that the disclosure was an example of privacy best practice, particularly in relation to the de-identification of data.
The Office of the Australian Information Commissioner released its regulatory action priorities for 2025/2026 following the Qantas cyber incident in July 2025, again emphasising it is "focusing its resources on the things that matter most and on the regulatory problems that pose the most harm" and would like to "increase public trust and confidence in the protection of personal information".
At the same time, organisations continued to grapple with the practical implications of emerging technologies. Questions around artificial intelligence and privacy transparency moved from theoretical to operational, particularly around how AI use is expected to be described in privacy policies.
In addition, the OAIC published regulatory guidance for age-restricted social media platforms and age assurance providers on compliance with the privacy provisions of the Social Media Minimum Age scheme, which bans social media use for children under 16 years.
In parallel, there is growing recognition that data hoarding is no longer defensible, particularly in the face of inevitable data breaches, with data minimisation increasingly viewed as both a compliance necessity and a way to limit downstream regulatory and litigation exposure.
2026: Practical Steps for Compliance for an Eventful Year Ahead
2026 is shaping up to be an even more challenging year for privacy compliance in Australia.
We expect heightened regulatory activity, including the Privacy Commissioner commencing the first active sweep of privacy policies in certain sectors, with a focus on whether they genuinely comply with the Australian Privacy Principles (APPs), rather than simply existing.
2026 will also see the introduction of the Children's Online Privacy Code, strengthening protections and obligations for online services handling children's personal information. In addition, the new disclosure requirements around the use of AI will become mandatory toward the end of the year, placing further pressure on organisations to understand and accurately describe their data practices.
Against this backdrop, a simple but often overlooked point is that it is never too late to get started or to lift your privacy compliance.
Once scrutiny begins, whether from a regulator due to a data breach or independently, or through private litigation, documentation such as privacy policies, collection notices and internal practices will be examined closely; and gaps between what an organisation says it does and what it actually does will likely be relied upon in both enforcement action and class action proceedings.
Importantly, management of privacy issues is not just about meeting regulatory obligations; it is also about protecting, managing, and ultimately unlocking the value of your data as a key organisational asset.
We recognise that organisations can be reluctant to take the first step. Privacy can feel complex, technical, and overwhelming. We offer below some practical tips – starting small but deliberately:
Tips to get compliance right under the Privacy Act
1. Work out what data (including personal information) you hold. This can be achieved through internal confirmation processes or by engaging assistance with a formal data-mapping exercise. There are many tools and approaches available, and clarity here underpins both regulatory compliance and defensibility in enforcement or litigation.
2. Review your privacy policy and collection notices. Ensure your privacy policy is accurate, APP-compliant, and reflective of actual practices. Just as importantly, check that collection notices are being used when required; they are often the forgotten sibling of the privacy policy, yet they play a critical role in meeting regulatory obligations.
3. Implement robust data security measures. Safeguard personal information that you hold against loss, unauthorised access, or disclosure through industry best practice technical and organisational measures.
4. Rethink your data collection approach. Consider only collecting personal information that is strictly necessary for your organisation's specific purposes, avoiding "just in case" data gathering. Regularly review and securely delete or de-identify data you no longer need.
How we can help
Where there is uncertainty about whether regulatory requirements are being met, it may be appropriate to work to identify gaps so they can be addressed proactively, rather than under the pressure of regulatory attention or legal proceedings.
We see 2026 not only as a year of heightened risk, but also as an opportunity for organisations to embed better data practices, build trust, and move from reactive compliance to genuine privacy maturity.
Privacy and data are specialist areas for our legal team. Our experts assist organisations of all sizes to audit and assess current privacy policies, as well as advise on updates to ensure robust compliance and processes are in place.
If you require assistance with any of these tasks or guidance navigating compliance with the Privacy Act, please reach out to the team.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.