Australia Data Privacy Regulations
Overview
The main privacy law in Australia is the Privacy Act 1988 (Cth), which includes the 13 Australian Privacy Principles (APPs) governing how personal information is collected, used, disclosed, secured and corrected. Amendments passed in late 2022, following several large national data breaches, substantially increased the maximum civil penalties for serious or repeated interferences with privacy.
The Act applies to Australian Government agencies, to private-sector organisations with an annual turnover above $3 million AUD, and to certain smaller entities regardless of turnover, including private health service providers and businesses that trade in personal information.
Key Rules & Obligations
Breach Notification
Under the Notifiable Data Breaches (NDB) scheme, an entity that suspects an eligible data breach must complete its assessment within 30 days; once it has reasonable grounds to believe an eligible breach has occurred, it must notify the OAIC and the affected individuals as soon as practicable.
Maximum Penalties
For bodies corporate, the greater of: $50 million AUD; three times the value of any benefit obtained from the conduct; or, if that benefit cannot be determined, 30% of adjusted turnover during the breach turnover period.
Data Transfers
Before disclosing personal information to an overseas recipient, an entity must take reasonable steps to ensure the recipient does not breach the APPs (APP 8), and it generally remains accountable for how the recipient handles that information.
Individual Rights
- Right to be told why personal information is being collected and how it will be used (APP 5)
- Right to request access to personal information held about you (APP 12)
- Right to have inaccurate or out-of-date information corrected (APP 13)
- Option to deal with an entity anonymously or under a pseudonym where practicable (APP 2)
Enforcement Authority
Office of the Australian Information Commissioner (OAIC)
Contact: 1300 363 992
Notable Breaches in Australia
Official Sources
- OAIC Official Site (verified 2024-03-01)
- Privacy Act 1988 text (verified 2024-03-01)
Frequently Asked Questions
Is the Australian Privacy Act equivalent to GDPR?
No. The Privacy Act is generally less stringent than the GDPR and, apart from exceptions such as health service providers, only applies to businesses with annual turnover above $3 million AUD. The government's Privacy Act Review has proposed reforms that would bring it closer to GDPR standards, and a first tranche of those reforms was legislated in 2024.
What happens if a company breaches the Australian Privacy Act?
Following the 2022 amendments, the maximum civil penalty a court can impose for a serious or repeated interference with privacy rose to the greater of $50 million AUD, three times the benefit obtained, or 30% of adjusted turnover for the breach period. The OAIC can also issue determinations and accept enforceable undertakings short of court action.
How do I report a data breach in Australia?
An eligible data breach is unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual and that the entity has not been able to remediate. Organisations must notify the OAIC through its online Notifiable Data Breach form and must also notify the affected individuals, either directly or, where that is impracticable, by publishing a statement.
Last updated: March 5, 2026