Asia-Pacific · updated 2026-06-15
Australia
Australia exempted most small businesses (under AUD 3M turnover) — but after the Optus and Medibank mega-breaches, penalties jumped to AUD 50M+, the small-business exemption is slated for removal, and a statutory tort now allows privacy lawsuits.
- Law:
- Privacy Act 1988 + Australian Privacy Principles (APPs)
Cookie consent
No banner mandate
Breach deadline
30 days to assess; notify ASAP
DPA with vendors
Not mandated
Max fine
The greater of AUD 50,000,000, 3× the benefit obtained, or 30% of adjusted turnover in the breach period
What Australia requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Applicability check
Privacy Act s.6C–6DThe Act covers businesses with AUD 3M+ annual turnover, plus all health providers and data traders regardless of size. Foreign companies 'carrying on business in Australia' are covered too.
How to implement Don't bank on the small-business exemption: the government has agreed in principle to remove it, and it never applied to health data or businesses selling personal information.
Conditional -
Privacy policy
APP 1A clearly expressed, up-to-date policy covering what you collect, why, overseas disclosure countries, and how to complain.
How to implement APP 1 uniquely requires naming the countries where overseas recipients are likely located — list your hosting and vendor regions explicitly.
Required -
Notice of collection
APP 5At or before collection, notify individuals of purposes, consequences of not providing data, and overseas disclosures.
How to implement A short just-in-time notice at signup linking to the policy satisfies this — same pattern as California's notice at collection.
Required -
Overseas disclosure accountability
APP 8Before disclosing personal information overseas, take reasonable steps to ensure the recipient complies with the APPs — and you remain liable for their breaches.
How to implement Sign APP-equivalent contract clauses with non-Australian processors (your GDPR DPAs largely work) and list recipient countries in your policy.
Required -
Data breach response plan
NDB scheme, Part IIICAssess suspected eligible breaches within 30 days; notify the OAIC and individuals when serious harm is likely and can't be remediated.
How to implement The 30-day assessment window is generous compared to GDPR's 72 hours — but Australian Clinical Labs was prosecuted for blowing it. Keep the same incident runbook you use for GDPR with an Australian branch.
Required -
Direct marketing controls
APP 7 + Spam Act 2003Marketing messages need consent or an existing relationship, a functional unsubscribe, and sender identification. ACMA enforces the Spam Act aggressively.
How to implement ACMA's multi-million-dollar penalties against Commonwealth Bank and others make email/SMS compliance the most-enforced rule in Australia: honor unsubscribes within 5 business days.
Required
The details
- Cookie consent
- No consent-banner requirement. APP 5 requires notice of collection, and direct marketing needs opt-outs under APP 7 and the Spam Act. Reform proposals would introduce consent for targeted advertising, so watch this space.
- Data Protection Officer
- Not legally required for private companies, but the OAIC's accountability guidance expects a designated privacy contact, and APP entities must have a privacy policy and complaint process someone actually owns.
- Processing agreements
- No mandatory DPA equivalent — but APP 8 makes you accountable for overseas recipients' handling of data, so contracts imposing APP-equivalent obligations on processors are the standard way to discharge that liability.
- Breach notification
- The Notifiable Data Breaches scheme requires assessing suspected breaches within 30 days, and notifying the OAIC and affected individuals as soon as practicable when serious harm is likely.
- Enforcement in practice
- Penalties were raised from AUD 2.2M to AUD 50M+ in 2022 after the Optus (10M customers) and Medibank (9.7M) breaches; Australian Clinical Labs faced the first civil penalty proceedings under the NDB scheme.
Data subject rights
What users can demand from you in Australia, and the engineering that satisfies each right.
Right to access
APP 12Individuals can access their personal information, with responses within a reasonable period (usually 30 days).
Small charge permitted but access itself can't be refused except on listed grounds (legal privilege, frivolous requests, others' privacy).
Right to correction
APP 13Correction of inaccurate, out-of-date, incomplete, or misleading information, with notification to third-party recipients on request.
If you refuse, provide written reasons and note the individual's disagreement on the record — similar to Canada's model.
Anonymity and pseudonymity
APP 2A distinctive Australian right: individuals must have the option of not identifying themselves where lawful and practicable.
Don't demand real names or full identity where the service works without it — support pseudonymous accounts where feasible.
Marketing opt-out
APP 7Absolute right to opt out of direct marketing, with a simple, free mechanism.
Working unsubscribe links plus internal suppression lists; scrub against opt-outs before every campaign.
Statutory tort for serious invasion of privacy
Privacy Act Sch. 2 (2024 reforms)Since June 2025, individuals can sue directly for serious invasions of privacy — intrusion or misuse of information — with damages up to AUD 478,550.
This bypasses the OAIC entirely: negligent data handling can now land in court. Document security measures; recklessness is the liability trigger.
Automated decision transparency (incoming)
2024 reform trancheFrom December 2026, privacy policies must disclose automated decisions that significantly affect individuals — no erasure or portability rights yet, but both are agreed in principle for future tranches.
Audit which of your decisions are automated now and draft the policy disclosure before the 2026 deadline.
Tools that cover Australia
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
privacy policy
Termly
Generates APP-compliant policies including the overseas-recipients disclosure Australia uniquely requires.
Visit Termly → -
compliance suite
OneTrust
Breach assessment workflows matching the NDB scheme's 30-day clock and OAIC notification forms.
Visit OneTrust → -
cookie consent
iubenda
Region-aware consent and notice management — notice-mode for Australia, opt-in for EU visitors.
Visit iubenda →
Frequently asked questions
My startup turns over less than AUD 3M — am I exempt?
Possibly for now, but don't build on it: the exemption never covered health data or selling personal information, foreign companies serving Australians are covered regardless, and the government has agreed in principle to abolish it. Comply with the APPs now and the transition costs nothing.
How did Optus and Medibank change Australian privacy law?
The 2022 mega-breaches took maximum penalties from AUD 2.2M to AUD 50M-plus, funded a more aggressive OAIC, and drove the 2024 reform package: a statutory privacy tort, criminal doxxing offences, and automated-decision transparency. Enforcement posture shifted from educational to punitive.
Does Australia require cookie consent banners?
Not currently — notice in your privacy policy suffices for analytics, and marketing needs opt-outs rather than opt-ins. Proposed reforms would require consent for targeting and trading of personal information, so EU-style consent flows are the safe long-term bet.
Can Australians sue me directly over privacy?
Since June 2025, yes — the new statutory tort covers serious, intentional or reckless invasions of privacy, with damages up to about AUD 478,000, and class actions are expected. Reasonable security measures and documented processes are the defence.
Similar jurisdictions
Free download
Get GDPR updates for Australia
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.