Australians are increasingly concerned about how their personal data is collected, shared, and protected in 2025. With significant updates to the Privacy Act and stronger consumer rights on the horizon, it’s vital to understand what’s changing, who’s covered, and how to take action if your privacy is breached.
Recent high-profile data breaches affecting millions of Australians—from Optus to Medibank—have highlighted serious gaps in our current privacy protections. The Australian Government is responding with the most comprehensive privacy law reforms in decades.
This guide breaks down the Privacy Act basics, your rights under Australian privacy law, the 2025 reforms, and the practical steps to protect your information and seek redress when things go wrong.
Understanding the Privacy Act in Australia (2025 update)
The Privacy Act 1988 (Commonwealth) forms the backbone of Australia’s privacy protection framework, governing how organisations collect, use, and disclose personal information. However, significant reforms are reshaping this landscape in 2025.
Why privacy law matters today
Digital transformation has fundamentally changed how Australians interact with technology. We’re sharing personal data through social media platforms, health apps, online banking, and countless digital services daily.
The Australian Competition and Consumer Commission (ACCC) found that the average Australian has personal data held by over 50 organisations. This digital footprint creates unprecedented privacy risks, making robust legal protections essential for everyday Australians.
Without adequate privacy safeguards, Australians face identity theft, financial fraud, and unauthorised surveillance of their most intimate personal information.
Key changes expected in 2025
The Attorney-General’s Department has outlined sweeping 2025 reforms to Australian privacy law that will strengthen consumer protections significantly.
- Enhanced penalties: maximum fines will increase to $50 million for corporations or 30% of turnover, whichever is greater. Individual penalties may reach $2.5 million, creating genuine deterrence for privacy breaches.
- Expanded coverage: the Act will likely capture small businesses that are currently exempt from privacy obligations, particularly those handling sensitive health or financial data.
- New consumer rights: these include a statutory right to data erasure (similar to Europe’s “right to be forgotten”), mandatory data breach notifications for all covered entities, and strengthened consent requirements for data collection.
The reforms respond directly to incidents such as the 2022 Optus data breach, which exposed the personal information of 9.8 million customers, and the Medibank cyberattack, affecting 9.7 million current and former customers.
Who is covered under the Privacy Act?
Understanding which organisations must comply with Australian privacy law helps you know when your rights apply and where to direct complaints.
1. Organisations and agencies
The Privacy Act currently covers several key categories:
- Australian Government agencies must comply with privacy obligations when handling personal information in their operations, from Centrelink to the Australian Taxation Office.
- Private sector organisations with annual turnover exceeding $3 million face comprehensive privacy obligations, including banks, telecommunications companies, retailers, and tech platforms.
- Health service providers are covered, regardless of size, including individual practitioners, clinics, and hospitals that handle health information.
- Credit reporting bodies and credit providers must follow specific privacy rules when managing credit-related personal information.
A Melbourne GP clinic, for example, must comply with privacy obligations when storing patient records, even if it’s a small practice, because health services have no turnover threshold exemption.
2. Small business exemptions
Currently, small businesses with annual turnover under $3 million are generally exempt from Privacy Act obligations, unless they’re health services or handle credit information.
However, the 2025 reforms may eliminate or reduce these exemptions, particularly for businesses handling sensitive data or operating online platforms.
The Office of the Australian Information Commissioner (OAIC) estimates that reforms could bring an additional 160,000 small businesses under privacy obligations, significantly expanding consumer protections.
Your privacy rights under Australian law
Australian privacy law provides several key rights, with additional protections coming through 2025 reforms.
1. Right to access your data
You can request copies of personal information any covered organisation holds about you. This includes banks, telcos, employers, and government agencies.
Organisations must respond within 30 days and provide information in a readily accessible format. They can charge reasonable fees for complex requests, but simple access requests should be free.
2. Right to correct or delete
When personal information is inaccurate, out-of-date, or incomplete, you can request corrections. Organisations must take reasonable steps to ensure accuracy.
The 2025 reforms will likely introduce a statutory “right to erasure,” allowing Australians to request deletion of personal information in specific circumstances, similar to European privacy rights.
3. Right to complain
If organisations breach privacy obligations, you can lodge complaints through a structured process, starting with the organisation itself and escalating to the OAIC if necessary.
Your key privacy rights include:
• Access to your personal information
• Correction of inaccurate data
• Understanding how your information is used
• Notification of eligible data breaches
• Complaints process for privacy violations
• Withdrawal of consent (where applicable)
• Anonymity and pseudonymity options
• Protection of sensitive information
• Limits on direct marketing
• Cross-border data transfer protections
Practical steps to protect your privacy in 2025
Taking proactive steps helps safeguard your personal information and minimises privacy risks in an increasingly digital world.
1. Everyday steps Australians can take
- Strengthen your digital security by using unique, complex passwords for each account and enabling multi-factor authentication wherever possible. The Australian Cyber Security Centre recommends passphrases over traditional passwords for better security.
- Review app permissions regularly, limiting access to personal information like location, contacts, and photos. Many apps request unnecessary permissions that create privacy risks.
- Use government security tools effectively, including myGov security settings, which allow you to monitor access to your government services and receive alerts about suspicious activity.
- Check privacy settings on social media platforms and online accounts regularly, as companies often change default settings or introduce new data collection features.
2. Requesting your data from an organisation
To request personal information from an Australian organisation, submit a written request specifying what information you want and confirming your identity.
Include your full name, contact details, account numbers or reference numbers, and specific time periods if relevant. For complex requests, consider narrowing your scope to essential information.
Most major Australian banks and telcos have online forms for privacy requests, streamlining the process. For example, Commonwealth Bank provides a dedicated privacy request portal, while Telstra accepts requests through their privacy team email.
How to complain if your privacy is breached – OAIC process explained
When organisations mishandle your personal information, Australia’s privacy complaint system provides structured redress options.
Step 1: Complain directly to the organisation
Initially, contact the organisation’s privacy officer or customer service team with your complaint. Clearly explain what happened, when it occurred, and what resolution you’re seeking.
Organisations must acknowledge complaints promptly and investigate thoroughly. They have 30 days to respond with their findings and any remedial action.
Keep detailed records of all communications, including dates, names of representatives you spoke with, and copies of written correspondence.
Step 2: Escalate to OAIC
If the organisation’s response is unsatisfactory or they fail to respond within 30 days, you can complain to the Office of the Australian Information Commissioner.
OAIC complaints are free and can be submitted online through their website. Include copies of your original complaint to the organisation and their response (if any).
The OAIC will assess whether your complaint has merit and may attempt conciliation between you and the organisation. In serious cases, they can launch formal investigations and impose penalties.
What outcomes to expect
Privacy complaints can result in various outcomes, from apologies and policy changes to financial compensation and regulatory penalties.
In 2023, the OAIC secured $450,000 in compensation for affected individuals following the Facebook-Cambridge Analytica investigation, demonstrating that privacy breaches can have real financial consequences for organisations.
Penalties for organisations that breach privacy law
Privacy law violations can result in substantial financial and reputational consequences for non-compliant organisations.
1. Current penalties
Under amendments introduced in 2022, maximum penalties for serious or repeated privacy breaches include up to $50 million for corporations, three times the benefit obtained from the breach, or 30% of turnover during the breach period—whichever is greatest.
Individual penalties can reach $2.5 million for serious contraventions, creating personal liability for executives and decision-makers involved in privacy violations.
2. Stronger enforcement in 2025
The Australian Government has signalled intentions to increase privacy enforcement significantly, with additional OAIC resources and expanded investigative powers.
The 2025 reforms will likely introduce mandatory notification requirements for all breaches at covered entities, not only those that qualify as ‘eligible data breaches’ under current thresholds.
Following the Medibank cyberattack, the organisation faces potential penalties under the strengthened framework, with OAIC investigations ongoing into its privacy compliance and breach response procedures.
Future of privacy law in Australia
Australian privacy protection is evolving rapidly, with significant changes anticipated over the next decade.
- Stronger consumer rights will likely align Australian privacy protections more closely with international standards, including expanded erasure rights and enhanced consent requirements.
- Digital platform regulation will increase, with specific obligations for social media companies, search engines, and online advertising networks operating in Australia.
- Artificial intelligence governance will become increasingly important as AI systems process vast amounts of personal data, requiring new privacy frameworks and algorithmic transparency requirements.
The Australian Government has committed to reviewing privacy law regularly, ensuring protections keep pace with technological change and community expectations.
What’s next for Australians’ privacy?
• Enhanced cross-border data transfer restrictions
• Mandatory privacy impact assessments
• Children’s privacy protections
• AI-specific privacy obligations
• Expanded small business coverage
Conclusion
Privacy law in Australia is entering a transformative era in 2025, with stronger protections and expanded rights for everyday Australians. Understanding these changes under the Privacy Act, knowing how to protect your personal data, and learning how to take action when things go wrong will help you navigate the digital age confidently.
The upcoming 2025 reforms represent the most significant upgrade to Australian privacy protections in decades, giving Australians unprecedented control over their personal information.
Stay informed about privacy developments, exercise your rights proactively, and don’t hesitate to complain when organisations fail to protect your personal information appropriately.
Take action today: Review your privacy settings on major platforms, submit data access requests to understand what information organisations hold about you, and bookmark the OAIC complaint portal for future reference.
What privacy concerns matter most to you in 2025? Share your thoughts in the comments below and help other Australians understand their privacy rights better.
FAQs
Q1. What is the Privacy Act in Australia?
The Privacy Act 1988 is the main law that regulates how Australian organisations and government agencies handle personal information.
Q2. What changes are expected in Australian privacy law in 2025?
Proposed reforms include stronger penalties, a possible “right to be forgotten,” and extending coverage to more small businesses.
Q3. Does the Privacy Act cover all Australian businesses?
Not all. Currently, most small businesses under $3 million are exempt, though reforms may reduce this exemption.
Q4. How can I request my personal data from an organisation?
You can submit a written request under the Privacy Act. Organisations usually must respond within 30 days.
Q5. What should I do if my privacy is breached in Australia?
First, complain directly to the organisation. If unsatisfied, escalate the matter to the Office of the Australian Information Commissioner (OAIC).
Q6. What penalties do companies face for breaching privacy law?
As of recent updates, penalties can reach $50 million for corporations, with even stronger enforcement expected in 2025.
Q7. How does Australian privacy law compare to GDPR in Europe?
Australia’s reforms are moving closer to GDPR, focusing on stronger consumer rights, transparency, and tougher penalties for breaches.