Skip to content
GDPR by Law

Asia-Pacific · updated 2026-06-15

Australia

Recommended

Australia exempted most small businesses (under AUD 3M turnover) — but after the Optus and Medibank mega-breaches, penalties jumped to AUD 50M+, the small-business exemption is slated for removal, and a statutory tort now allows privacy lawsuits.

Law:
Privacy Act 1988 + Australian Privacy Principles (APPs)
Regulator:
OAIC (Office of the Australian Information Commissioner)

Cookie consent

No banner mandate

Breach deadline

30 days to assess; notify ASAP

DPA with vendors

Not mandated

Max fine

The greater of AUD 50,000,000, 3× the benefit obtained, or 30% of adjusted turnover in the breach period

What Australia requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Applicability check

    Privacy Act s.6C–6D

    The Act covers businesses with AUD 3M+ annual turnover, plus all health providers and data traders regardless of size. Foreign companies 'carrying on business in Australia' are covered too.

    How to implement Don't bank on the small-business exemption: the government has agreed in principle to remove it, and it never applied to health data or businesses selling personal information.

    Conditional
  2. Privacy policy

    APP 1

    A clearly expressed, up-to-date policy covering what you collect, why, overseas disclosure countries, and how to complain.

    How to implement APP 1 uniquely requires naming the countries where overseas recipients are likely located — list your hosting and vendor regions explicitly.

    Required
  3. Notice of collection

    APP 5

    At or before collection, notify individuals of purposes, consequences of not providing data, and overseas disclosures.

    How to implement A short just-in-time notice at signup linking to the policy satisfies this — same pattern as California's notice at collection.

    Required
  4. Overseas disclosure accountability

    APP 8

    Before disclosing personal information overseas, take reasonable steps to ensure the recipient complies with the APPs — and you remain liable for their breaches.

    How to implement Sign APP-equivalent contract clauses with non-Australian processors (your GDPR DPAs largely work) and list recipient countries in your policy.

    Required
  5. Data breach response plan

    NDB scheme, Part IIIC

    Assess suspected eligible breaches within 30 days; notify the OAIC and individuals when serious harm is likely and can't be remediated.

    How to implement The 30-day assessment window is generous compared to GDPR's 72 hours — but Australian Clinical Labs was prosecuted for blowing it. Keep the same incident runbook you use for GDPR with an Australian branch.

    Required
  6. Direct marketing controls

    APP 7 + Spam Act 2003

    Marketing messages need consent or an existing relationship, a functional unsubscribe, and sender identification. ACMA enforces the Spam Act aggressively.

    How to implement ACMA's multi-million-dollar penalties against Commonwealth Bank and others make email/SMS compliance the most-enforced rule in Australia: honor unsubscribes within 5 business days.

    Required

The details

Cookie consent
No consent-banner requirement. APP 5 requires notice of collection, and direct marketing needs opt-outs under APP 7 and the Spam Act. Reform proposals would introduce consent for targeted advertising, so watch this space.
Data Protection Officer
Not legally required for private companies, but the OAIC's accountability guidance expects a designated privacy contact, and APP entities must have a privacy policy and complaint process someone actually owns.
Processing agreements
No mandatory DPA equivalent — but APP 8 makes you accountable for overseas recipients' handling of data, so contracts imposing APP-equivalent obligations on processors are the standard way to discharge that liability.
Breach notification
The Notifiable Data Breaches scheme requires assessing suspected breaches within 30 days, and notifying the OAIC and affected individuals as soon as practicable when serious harm is likely.
Enforcement in practice
Penalties were raised from AUD 2.2M to AUD 50M+ in 2022 after the Optus (10M customers) and Medibank (9.7M) breaches; Australian Clinical Labs faced the first civil penalty proceedings under the NDB scheme.

Data subject rights

What users can demand from you in Australia, and the engineering that satisfies each right.

Right to access

APP 12

Individuals can access their personal information, with responses within a reasonable period (usually 30 days).

Small charge permitted but access itself can't be refused except on listed grounds (legal privilege, frivolous requests, others' privacy).

Right to correction

APP 13

Correction of inaccurate, out-of-date, incomplete, or misleading information, with notification to third-party recipients on request.

If you refuse, provide written reasons and note the individual's disagreement on the record — similar to Canada's model.

Anonymity and pseudonymity

APP 2

A distinctive Australian right: individuals must have the option of not identifying themselves where lawful and practicable.

Don't demand real names or full identity where the service works without it — support pseudonymous accounts where feasible.

Marketing opt-out

APP 7

Absolute right to opt out of direct marketing, with a simple, free mechanism.

Working unsubscribe links plus internal suppression lists; scrub against opt-outs before every campaign.

Statutory tort for serious invasion of privacy

Privacy Act Sch. 2 (2024 reforms)

Since June 2025, individuals can sue directly for serious invasions of privacy — intrusion or misuse of information — with damages up to AUD 478,550.

This bypasses the OAIC entirely: negligent data handling can now land in court. Document security measures; recklessness is the liability trigger.

Automated decision transparency (incoming)

2024 reform tranche

From December 2026, privacy policies must disclose automated decisions that significantly affect individuals — no erasure or portability rights yet, but both are agreed in principle for future tranches.

Audit which of your decisions are automated now and draft the policy disclosure before the 2026 deadline.

Tools that cover Australia

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    Termly

    Generates APP-compliant policies including the overseas-recipients disclosure Australia uniquely requires.

    Visit Termly →
  • compliance suite

    OneTrust

    Breach assessment workflows matching the NDB scheme's 30-day clock and OAIC notification forms.

    Visit OneTrust →
  • cookie consent

    iubenda

    Region-aware consent and notice management — notice-mode for Australia, opt-in for EU visitors.

    Visit iubenda →

Frequently asked questions

My startup turns over less than AUD 3M — am I exempt?

Possibly for now, but don't build on it: the exemption never covered health data or selling personal information, foreign companies serving Australians are covered regardless, and the government has agreed in principle to abolish it. Comply with the APPs now and the transition costs nothing.

How did Optus and Medibank change Australian privacy law?

The 2022 mega-breaches took maximum penalties from AUD 2.2M to AUD 50M-plus, funded a more aggressive OAIC, and drove the 2024 reform package: a statutory privacy tort, criminal doxxing offences, and automated-decision transparency. Enforcement posture shifted from educational to punitive.

Does Australia require cookie consent banners?

Not currently — notice in your privacy policy suffices for analytics, and marketing needs opt-outs rather than opt-ins. Proposed reforms would require consent for targeting and trading of personal information, so EU-style consent flows are the safe long-term bet.

Can Australians sue me directly over privacy?

Since June 2025, yes — the new statutory tort covers serious, intentional or reckless invasions of privacy, with damages up to about AUD 478,000, and class actions are expected. Reasonable security measures and documented processes are the defence.

Similar jurisdictions

Free download

Get GDPR updates for Australia

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.