Privacy Act 1988 (Cth)
About this Act
The federal Act that regulates how Australian Government agencies and APP entities (private-sector organisations with annual turnover over $3 million, plus carve-ins for health service providers, credit reporters, contractors and businesses that trade in personal information) handle personal information. It sets out the 13 Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme, credit reporting rules and tax file number provisions. The Privacy Act has been amended more times than almost any other Commonwealth Act since 2017 — and the small business exemption removal is still on the table for the next tranche of reform.
- Original Royal Assent: 14 December 1988
- Original commencement: 1 January 1989
- Administered by: OAIC
Amendment timeline
Chronological list, oldest to newest. Each entry cites the legislation.gov.au compilation or as-made source and, where available, regulator guidance.
Privacy Amendment (Notifiable Data Breaches) Act 2017
Royal Assent
22 February 2017
Commencement
22 February 2018
What changed
Introduced the mandatory Notifiable Data Breaches (NDB) scheme. APP entities must notify both the OAIC and affected individuals about 'eligible data breaches' likely to result in serious harm — 'as soon as practicable' after becoming aware. Replaced the OAIC's voluntary breach notification guidance with a statutory regime backed by civil penalties.
Who's affected
All APP entities (every organisation already subject to the Australian Privacy Principles).
Privacy Amendment (Public Health Contact Information) Act 2020
Royal Assent
15 May 2020
Commencement
16 May 2020
What changed
Created a stand-alone Part VIIIA of the Privacy Act protecting COVIDSafe app data. Made it an offence to coerce someone to download the app, to upload data without consent, or to use COVID app data for any non-COVID purpose. Largely spent now that the COVIDSafe app has been decommissioned, but Part VIIIA remains on the statute book.
Who's affected
Anyone who handled COVIDSafe app data (state and federal health authorities, the National COVIDSafe Data Store operator).
Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022
Royal Assent
12 December 2022
Commencement
13 December 2022
What changed
Lifted the maximum civil penalty for serious or repeated interferences with privacy from $2.22M (for a body corporate) to the greater of $50M, three times the benefit derived, or 30% of adjusted turnover — modelled on Competition and Consumer Act 2010 thresholds. Extended the Privacy Act extraterritorially (foreign companies that carry on business in Australia are now caught even without collecting data here) and gave the Information Commissioner expanded information-gathering and assessment powers.
Who's affected
All APP entities, including offshore operators with an Australian customer base.
Privacy and Other Legislation Amendment Act 2024
Royal Assent
10 December 2024
Commencement
Staged: most provisions 11 Dec 2024; statutory tort 10 Jun 2025; ADM transparency + Children's Online Privacy Code 10 Dec 2026
What changed
First tranche of the Government's response to the 116-recommendation Privacy Act Review. Created a statutory tort for serious invasions of privacy (live from 10 June 2025), required automated decision-making (ADM) transparency disclosures in privacy policies (from 10 Dec 2026), authorised the OAIC to develop a Children's Online Privacy Code (deadline 10 Dec 2026), introduced a doxxing criminal offence, and gave the OAIC new infringement-notice powers and a tiered civil penalty regime for low-level breaches. Did not remove the small business exemption — that's still parked for a future tranche.
Who's affected
All APP entities; operators of online services likely to be accessed by children; any organisation that uses substantially automated decision-making with legal or similarly significant effects.
What's coming next
Tranche 2 reforms (no Bill yet, expected late 2026 or 2027): removal or narrowing of the small business exemption (s 6D), narrowing the employee records exemption (s 7B), a fair-and-reasonable test for collection and use, and a direct right of action for individuals to seek compensation in court. The Government's October 2024 response to the Privacy Act Review accepted these proposals 'in principle' but has not yet introduced legislation. Watch for the announced Children's Online Privacy Code — the OAIC must register it by 10 December 2026.
Why this matters now
Penalties are now at competition-law levels ($50M+ per breach), the statutory tort lets individuals sue directly without going through the OAIC, and the ADM transparency obligations require every privacy policy to be rewritten before 10 December 2026. Boards should also be tracking the Children's Online Privacy Code consultation — anything that's 'likely to be accessed by children' is in scope, which is broader than 'targeted at children'.
Frequently asked
Does the Privacy Act apply to my business if turnover is under $3M?
Generally no — the small business exemption in s 6D excludes businesses with annual turnover below $3M. But carve-ins still apply: health service providers, credit reporters, contractors to Australian Government agencies, businesses that trade in personal information, and operators of TFN recipient services are caught regardless of turnover. The exemption itself is on the chopping block in Tranche 2.
When does the statutory tort start?
The statutory tort for serious invasions of privacy commenced on 10 June 2025 (six months after Royal Assent of the Privacy and Other Legislation Amendment Act 2024). Individuals can now sue in the Federal Court or Federal Circuit and Family Court without needing to lodge an OAIC complaint first.
What is the ADM transparency obligation?
From 10 December 2026, APP entities that use 'computer programs' to make decisions (or do something substantially and directly related to making a decision) that could reasonably be expected to significantly affect the rights or interests of an individual must include information about that ADM use in their privacy policy. Hiring, lending, insurance pricing and welfare decisions are core targets.
What is the Children's Online Privacy Code?
An APP code that the OAIC must develop and register by 10 December 2026, applying to social media services, relevant electronic services and designated internet services that are 'likely to be accessed by children'. It will impose age-assurance, default-privacy and dark-pattern obligations. Consultation opened in late 2025.
What are the current maximum penalties under the Privacy Act?
For serious or repeated interferences with privacy by a body corporate: the greater of $50 million, three times the benefit derived from the breach, or 30% of adjusted turnover during the breach period. Individuals face up to $2.5M. The Information Commissioner can also issue infringement notices for lower-level breaches under the new tiered penalty regime.
Rules Mate summarises and links to legislation.gov.au and regulator guidance. We do not republish statutory text. Every date in this timeline has been verified against the Federal Register of Legislation as at 6 June 2026. Always verify against the live source before acting. Compliance tools, not legal advice. Consult a qualified professional.