Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E

REGULATION · NATIONAL · IN FORCE SINCE 1988

Privacy Act 1988 (Cth) + Australian Privacy Principles


Scope and territorial reach

Scope

Australia’s Privacy Act 1988 (Cth) is the federal privacy law administered by the Office of the Australian Information Commissioner (OAIC). It binds Commonwealth agencies and private-sector organisations with annual turnover above AUD$3M (with some exceptions, including all health-service providers regardless of size).

The 13 Australian Privacy Principles (APPs) form the operative core: APP 1 (open privacy management), APP 5 (notification of collection), APP 6 (use and disclosure), APP 8 (cross-border accountability), APP 11 (security), APP 12-13 (access and correction).

The APPs use a mixed consent model — express consent for sensitive information (APP 3) and bundled implied consent often relied on for cookies and standard tracking, provided the privacy notice is clear. There is no explicit cookie-banner mandate.

OAIC guidance (2024 update) recommends transparent notice and easy opt-out for non-essential trackers, but does not require pre-consent gating — putting Australia in a more pragmatic position than the EU/UK.

Data subject rights (APP 12-13)

  • Access to personal information held — 30 days response, low-cost
  • Correction of inaccurate information
  • Anonymity / pseudonymity option (APP 2) — must be offered where practicable
  • No statutory right of erasure equivalent to GDPR Art 17 — pending in current reform proposals

Cross-border transfers (APP 8)

Accountability-based model: an Australian entity sending personal information overseas remains responsible for its handling, unless: (a) the recipient is bound by a “substantially similar” privacy regime, or (b) the individual has consented after being expressly told the protections will not apply. There is no list of adequate countries — each transfer is assessed on its facts.

Notifiable Data Breaches (NDB scheme)

Mandatory since February 2018. An “eligible data breach” — likely to result in serious harm — must be reported to OAIC and affected individuals “as soon as practicable”. 30-day assessment window allowed if the incident is not yet confirmed as eligible.

Enforcement

The 2022 amendments raised maximum civil penalty for serious or repeated interferences to the greater of:

  • AUD$50 million,
  • 3× the benefit obtained from the conduct,
  • 30% of adjusted turnover for the relevant period.

This brings Australia into the top-tier penalty range globally. Notable enforcement: the 2022 Optus telecom breach (~9.8M records exposed), which led to multi-year regulatory action and civil litigation, and the 2022 Medibank breach. Both accelerated the 2022 amendments.

Reform pipeline

The Privacy Act Review (Attorney-General’s Department, 2023) recommended ~116 reforms — including a GDPR-style erasure right, removing the small-business exemption, and explicit children’s-data protections. Implementation is staged through 2025-2026.

Key references

  • OAIC: oaic.gov.au
  • Australian Privacy Principles: APPs 1-13 (Privacy Act Schedule 1)
  • Privacy Act Review final report (2023)

The 13 Australian Privacy Principles (Privacy Act Schedule 1)

The operative core — an APP entity must comply with all 13 principles at once; they are not alternatives.

  1. APP 1 · Open and transparent management of personal information

     Have a clearly expressed and up-to-date APP privacy policy; manage personal info openly and transparently.

  2. APP 2 · Anonymity and pseudonymity

     Give individuals the option of dealing with you anonymously or under a pseudonym, where lawful and practicable.

  3. APP 3 · Collection of solicited personal information

     Only collect personal info that is reasonably necessary for your functions or activities; collect by lawful and fair means.

  4. APP 4 · Dealing with unsolicited personal information

     If you receive info you didn't solicit, decide whether you could have collected it under APP 3 — if not, destroy or de-identify it.

  5. APP 5 · Notification of the collection of personal information

     At or before collection, notify the individual of identity, purposes, consequences of not providing, recipients, and overseas disclosure.

  6. APP 6 · Use or disclosure of personal information

     Only use or disclose for the primary purpose of collection — or a related secondary purpose the individual would reasonably expect, or with consent.

  7. APP 7 · Direct marketing

     Use personal info for direct marketing only with consent or where reasonably expected; always offer a simple opt-out.

  8. APP 8 · Cross-border disclosure of personal information

     Before disclosing overseas, take reasonable steps to ensure the recipient does not breach the APPs — the sender remains accountable (s 16C).

  9. APP 9 · Adoption, use or disclosure of government related identifiers

     Don't adopt, use, or disclose government identifiers (e.g., Medicare, TFN) as your own identifier — narrow exceptions only.

  10. APP 10 · Quality of personal information

     Take reasonable steps to ensure personal info is accurate, up-to-date, complete, and relevant for the purpose of use or disclosure.

  11. APP 11 · Security of personal information

     Protect personal info from misuse, interference, loss, unauthorised access, modification, or disclosure; destroy or de-identify when no longer needed.

  12. APP 12 · Access to personal information

     Give individuals access to their personal info on request — within 30 days for APP entities (OAIC standard).

  13. APP 13 · Correction of personal information

     Correct personal info that is inaccurate, out-of-date, incomplete, irrelevant, or misleading — on request or proactively.

Six lawful bases for use or disclosure (APP 6)

You must identify and document one before using or disclosing personal information — and consent isn't always the right one.

  • APP 6.1(a) · Consent
    Individual gives express or implied consent for the use or disclosure.
    Common for: Marketing, sensitive info, secondary purposes

  • APP 6.1 · Primary purpose of collection
    Use or disclosure is for the purpose for which the info was originally collected.
    Common for: Order fulfillment, account servicing, contracted analytics

  • APP 6.2(a) · Related secondary purpose (reasonably expected)
    Secondary purpose is related to the primary, and the individual would reasonably expect it (directly related for sensitive info).
    Common for: Internal analytics, fraud detection, service improvement

  • APP 6.2(b) · Required or authorised by law
    Use/disclosure is required or authorised by an Australian law or court/tribunal order.
    Common for: Tax records, AML/CTF, subpoena response

  • APP 6.2(e) · Enforcement related activities
    Reasonably necessary for an enforcement body's activities (e.g., police, regulators).
    Common for: Investigations, fraud reports

  • APP 6.2(c) + s 16A · Permitted general situation (incl. health/safety emergency)
    Necessary to lessen or prevent a serious threat to life, health, or safety; or to locate a missing person; or for legal claims.
    Common for: Medical emergencies, missing persons

Data-subject rights (APPs 2, 5, 7, 12-13; Privacy Act s 36)

What individuals can demand from you, with the response window and scope.

Right · Article · Response · Scope

  • Right to be notified at collection · APP 5 · At collection. Notice given at or before collection — identity, purposes, recipients, overseas disclosure.
  • Right to anonymity / pseudonymity · APP 2 · At collection. Option to interact anonymously or under a pseudonym where lawful and practicable.
  • Right of access · APP 12 · 30 days. Request a copy of all personal info held — APP entities respond within 30 days (OAIC standard).
  • Right to correction · APP 13 · 30 days. Correct inaccurate, out-of-date, incomplete, irrelevant, or misleading info; notify third parties of the correction on request.
  • Right to opt out of direct marketing · APP 7 · At collection. Simple, free opt-out from marketing — must be honoured without delay.
  • Right to complain to OAIC · Privacy Act s 36 · 30 days. Lodge a complaint with OAIC after attempting resolution with the entity (typically 30 days response time).
  • Right to erasure (proposed reform) · Privacy Act Review 2023, Recommendation 18 · Not yet in force. No standalone statutory erasure right currently exists. APP 11.2 requires destruction/de-identification when info is no longer needed for any permitted purpose. A direct erasure right is recommended in the 2023 Privacy Act Review and is part of the staged reform package being implemented through 2025-2026 — verify current status before relying on it.

Related regimes (APAC)

Australia is the primary jurisdiction; the neighbouring APAC regimes below are listed for comparison, with a note on whether each is aligned with or stricter than the baseline.

Country · National act · Stricter than baseline? · Note

  • 🇦🇺 Australia (AU) · Privacy Act 1988 (Cth) + APPs · Aligned. Primary jurisdiction. Federal scheme; some states have additional public-sector privacy laws (e.g., NSW PPIPA, VIC PDPA).
  • 🇳🇿 New Zealand (NZ) · Privacy Act 2020 · Aligned. Separate but closely aligned regime; 13 IPPs (Information Privacy Principles); Office of the Privacy Commissioner. Trans-Tasman data flows common.
  • 🇸🇬 Singapore (SG) · PDPA 2012 · Aligned. Personal Data Protection Act; PDPC enforcement; consent-based with notable exceptions.
  • 🇯🇵 Japan (JP) · APPI · Aligned. Act on the Protection of Personal Information; PPC oversight; mutual adequacy with the EU since 2019.
  • 🇰🇷 South Korea (KR) · PIPA · Stricter. Personal Information Protection Act — among the strictest in APAC; PIPC enforcement; criminal penalties.
  • 🇮🇳 India (IN) · DPDP Act 2023 · Aligned. Digital Personal Data Protection Act 2023; Data Protection Board; staged commencement through 2024-2026.
  • 🇵🇭 Philippines (PH) · Data Privacy Act 2012 · Aligned. RA 10173; National Privacy Commission; modeled partly on the EU directive.
  • 🇹🇭 Thailand (TH) · PDPA 2019 · Aligned. Personal Data Protection Act (in force June 2022); PDPC enforcement; GDPR-influenced.

Common questions

Does the Privacy Act apply to my US-based site?
Yes, if you have an Australian link under section 5B — i.e., you carry on business in Australia and collect or hold personal info in Australia. Targeting Australian customers via marketing, AU-domain, AUD pricing, or shipping to AU triggers extraterritorial application. APP 8 also extends accountability to overseas recipients you disclose data to.
What is the maximum fine under the Privacy Act?
After the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (in force 13 December 2022), the civil penalty for a serious or repeated interference with privacy (s 13G) is the greater of: AUD$50 million; three times the value of the benefit obtained from the breach; or 30% of the entity's adjusted turnover during the breach period. Pre-2022 cap was AUD$2.22M.
What is the Notifiable Data Breaches (NDB) scheme?
Since 22 February 2018, APP entities must notify the OAIC and affected individuals 'as soon as practicable' after becoming aware of an eligible data breach — defined as unauthorised access, unauthorised disclosure, or loss of personal info that is likely to result in serious harm, where remedial action hasn't prevented that harm. The statement to the Commissioner is lodged via the OAIC online form within a reasonable time.
Does the small-business exemption apply to my analytics setup?
Maybe. Businesses with annual turnover ≤ AUD$3 million are generally exempt from the Privacy Act — but exceptions kick in for: health service providers, businesses that trade in personal info, contractors providing services under a Commonwealth contract, related entities of a covered business, and credit reporting. The 2023 Privacy Act Review recommended removing the small-business exemption entirely (Recommendation 6); reform is in progress through 2025-2026.
What is the Privacy Act Review and when does reform land?
The Attorney-General's Department published the Privacy Act Review Report (Feb 2023) with 116 recommendations. The Government's response (Sep 2023) agreed/agreed-in-principle to 106. Tranche 1 reforms passed as the Privacy and Other Legislation Amendment Act 2024 (in force from late 2024 / staged 2025). Tranche 2 — covering the major recommendations (small-business exemption removal, fair-and-reasonable test, statutory tort, direct erasure right, employee record reform) — is expected to be introduced in 2025-2026. Status changes frequently — verify before relying.
What's the difference between OAIC investigation and civil penalty proceedings?
OAIC has a graduated toolkit: conciliated complaints (s 36), determinations (s 52, which can require compensation), enforceable undertakings, infringement notices, and civil penalty proceedings in the Federal Court for serious or repeated interferences (s 13G). Only the Federal Court can impose civil penalties. The 2022 amendments introduced new mid-tier infringement notices for less serious breaches.
How does APP 8 cross-border accountability work?
Before disclosing personal info to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs (APP 8.1). You then remain accountable for the recipient's acts under section 16C (treated as if you did them yourself). Limited exceptions: individual gives informed consent (8.2(b)); recipient subject to substantially similar law/binding scheme (8.2(a)); required by Australian law. Practically, this means a contract clause + due diligence on the recipient's privacy posture.
Are employee records covered by the Privacy Act?
Currently no — section 7B(3) exempts acts directly related to a current or former employment relationship for private-sector employers. Government employers and prospective employees (recruitment) remain covered. The 2023 Privacy Act Review recommended removing this exemption (Recommendation 7); reform is part of the staged Tranche 2 package.
Do I need consent for analytics under the Privacy Act?
The Privacy Act doesn't have an EU-style opt-in default for cookies. Use must align with APP 6: primary purpose of collection or related secondary purpose the user reasonably expects, with transparency under APP 5. Most analytics fits via the related-secondary-purpose pathway with clear notice. Sensitive info (health, racial/ethnic origin, sexual orientation, etc. — s 6) requires explicit consent under APP 3.3.
Is the Privacy Act stricter than GDPR or CCPA?
Less prescriptive than GDPR — no standalone erasure right (yet), no DPO mandate, no DPIA mandate, more flexible lawful basis under APP 6. Stricter on penalties since 2022 (AUD$50M / 30% turnover matches or exceeds GDPR's 4% in some cases). Comparable to CCPA in scope but with broader extraterritorial reach via section 5B and APP 8 chain accountability. Reform is closing the gap with GDPR through 2025-2026.