The Privacy Act 1988 is Australia's primary federal privacy statute. It establishes the Australian Privacy Principles (APPs) — thirteen principles that govern how "APP entities" (broadly: federal government agencies and private sector organisations above the small business threshold) must collect, use, disclose, secure, and provide access to personal information. Significant reforms enacted in 2025 have expanded the law's reach, tightened its requirements, and increased penalties substantially.
Who the Privacy Act applies to
The Privacy Act applies to "APP entities" — a category that includes all Australian Government agencies and private sector organisations with an annual turnover above AUD $3 million. However, certain categories of organisation are covered regardless of turnover:
- All health service providers (including telehealth, digital health apps, and wellness platforms)
- Organisations that trade in personal information (data brokers, list sellers)
- Operators of a residential tenancy database
- Credit reporting bodies
- Contracted service providers to federal government agencies
- Organisations that opt in to Privacy Act coverage
The 2025 reforms narrowed the small business exemption — expanding coverage to additional categories. Online businesses in health, education, or financial services should not assume they are exempt simply because they are small.
The Australian Privacy Principles in practice
The thirteen APPs can be grouped into five operational areas:
APP 1 — Open and transparent management: You must have an up-to-date privacy policy that describes your information handling practices. The policy must be freely available (typically on your website) and must describe what personal information you collect, why, who you disclose it to, how you manage cross-border data flows, and how individuals can access their information.
APPs 2-4 — Collection: You should collect only the personal information that is reasonably necessary for your stated purposes. At the time of collection, you must notify individuals of the collection through a Collection Notice — typically a short statement or link at the point where data is entered (sign-up forms, checkout, contact forms).
APPs 5-7 — Use and disclosure: Personal information may only be used for the primary purpose for which it was collected or for related secondary purposes the individual would reasonably expect. Direct marketing is a specifically regulated use — individuals have a right to opt out of direct marketing communications at any time.
APPs 8-9 — Cross-border disclosure: Before sending personal information overseas, you must take reasonable steps to ensure the overseas recipient complies with the APPs or the individual has consented to the transfer. Simply using a US-based SaaS tool without a data processing agreement raises potential issues under APP 8.
APPs 10-13 — Data quality, security, and access: You must take reasonable steps to ensure personal information is accurate, kept secure against misuse and unauthorised access, destroyed when no longer needed, and made accessible to individuals on request.
The 2025 reforms: what changed
The Privacy and Other Legislation Amendment Act 2024, which took effect in early 2025, introduced several significant changes: a statutory tort for serious invasions of privacy; strengthened requirements around automated decision-making affecting individuals; expanded children's privacy protections; a new requirement to include a summary of how to make a privacy complaint; and substantially increased penalties — up to AUD $50 million for serious or repeated breaches. These reforms signal a more active enforcement posture from the OAIC and a shift toward accountability requirements more aligned with GDPR.