rulesmate.com.au — Compliance reference
https://rulesmate.com.au/insights/privacy-act-second-tranche-reforms-2026-outlook
Printed 17 June 2026
The second tranche of Privacy Act reforms: what's proposed and what's still uncertain
A neutral, citation-first guide to the Privacy Act reforms 2026: what the proposed second tranche covers, what's already enacted, and what remains uncertain for Australian organisations.
Australia's Privacy Act reform is being delivered in stages. As at mid-2026, the first tranche has been legislated and is progressively taking effect, while a second tranche remains a Government commitment rather than enacted law — no second-tranche Bill has been passed, and no firm commencement date has been fixed for its most consequential proposals. If you are searching for the state of "privacy act reforms 2026", the short answer is: some changes are already binding obligations, others are still proposals you should monitor but not treat as settled.
This explainer separates what is in force from what is merely proposed, and sets out a proportionate way to prepare. The governing law is the Privacy Act 1988 (Cth), administered by the Office of the Australian Information Commissioner (OAIC).
Where the Privacy Act reforms stand in 2026
The reform program follows the Government's response to the Attorney-General's Privacy Act Review. Rather than a single overhaul, it has been split into:
- a first tranche, passed in late 2024, with measures commencing across 2025 and into 2026; and
- a second tranche, which the Government has publicly stated it is progressing, but which had not been introduced as a Bill at the time of writing.
The practical implication for compliance teams is that 2026 is a year of *both* live obligations and live uncertainty. Treat the first tranche as binding, and the second tranche as a planning input.
What the first tranche already changed
These measures are enacted. Where dates matter, verify the exact commencement date for your obligation against the Privacy Act 1988 (Cth) and OAIC guidance, as different provisions commence at different times.
- A statutory tort for serious invasions of privacy. A new cause of action allowing individuals to sue for serious invasions of privacy — covering intrusion upon seclusion and misuse of information — commenced on 10 June 2025. A claimant must establish a reasonable expectation of privacy, that the invasion was serious, and that their privacy interest outweighs any countervailing public interest; financial loss need not be proven. We track this as the statutory tort for serious invasions of privacy.
- Transparency for automated decision-making (ADM). APP entities must update privacy policies to disclose where personal information is used in computer programs that make, or substantially assist in making, decisions that could significantly affect individuals. The OAIC has indicated organisations have until late 2026 to bring privacy policies into line (verify the exact date with the OAIC). See automated decision-making transparency under the Privacy Act.
- Stronger regulator powers and new penalty tiers, including tiered civil penalties and expanded enforcement and infringement-notice powers for the OAIC.
- Code-making powers, with a Children's Online Privacy Code among the first to be developed.
- A criminal offence for doxxing — the malicious release of personal data.
If you do nothing else this year, confirm your privacy policy and ADM disclosures meet the first-tranche requirements, because those are enforceable.
What the second tranche is expected to cover
The second tranche is where the deeper structural reforms sit. Based on the Government's response to the Privacy Act Review, proposals under discussion include:
- a "fair and reasonable" test for the collection, use and disclosure of personal information, applying regardless of consent;
- changes to the definition of personal information and clarification of when de-identified or inferred data is captured;
- a broadened or recast set of individual rights, potentially including rights to erasure and greater control over direct marketing and targeting;
- further consent and transparency reforms; and
- potential changes to the small business and employee-records exemptions.
Crucially, the scope, wording and timing of these items can change through consultation and drafting. None of them should be hard-coded into policies, contracts or system requirements as if they were final law. For background on the broader landscape, see our privacy topic hub.
The small business exemption: proposed, not settled
The Privacy Act currently exempts many small businesses (broadly, those under a turnover threshold) from the Australian Privacy Principles. Removing or narrowing this exemption is one of the most widely discussed second-tranche proposals — and one where reporting frequently overstates certainty.
What is accurate as at mid-2026:
- The Government has signalled support in principle for removing the small business exemption, subject to consultation and support for affected businesses.
- No Bill has been passed that removes the exemption generally, and no firm commencement date is settled. Any specific date circulating online should be treated as commentary, not law, until legislation confirms it.
- Separately, sector-specific changes can pull some small businesses into privacy obligations sooner — for example, where they take on regulated functions under other reform programs. Assess these on their own terms rather than assuming a single switch-over date.
In short: prepare for the *possibility* of the exemption being narrowed, but do not represent its removal to your board, clients or customers as a confirmed obligation with a fixed date.
Who should be preparing now
The first-tranche obligations apply broadly to APP entities. The second-tranche proposals are most relevant to:
- Currently-exempt small businesses that handle meaningful volumes of personal information (health, financial, children's or sensitive data), since they have the furthest to travel if the exemption narrows;
- Organisations using automated or AI-assisted decisioning, who must already address ADM transparency and may face further obligations;
- Data-intensive businesses — marketing, ad-tech, platforms and data brokers — most exposed to a "fair and reasonable" test and expanded individual rights; and
- Any organisation holding large personal-data sets, given the heightened litigation exposure from the statutory tort.
How to get ready without overcommitting
A proportionate approach lets you meet today's obligations while staying flexible on tomorrow's:
- Map your personal information. Know what you collect, why, where it lives, who can access it and how long you keep it. This underpins every reform.
- Close first-tranche gaps now. Update your privacy policy, document ADM uses, and review breach-response and data-retention practices.
- Reduce litigation surface. Minimise unnecessary collection and tighten access controls to limit exposure under the statutory tort.
- Run a readiness assessment. Our Privacy Act 2026 readiness tool helps you identify gaps and prioritise actions.
- Monitor official sources. Watch the OAIC and legislation.gov.au for the second-tranche Bill before committing budget to speculative changes.
Common pitfalls
- Treating proposals as law. The second tranche is not enacted; building compliance projects around unpassed provisions or unconfirmed dates wastes effort and creates internal misinformation.
- Quoting a fixed small-business cut-over date. Until a Bill confirms it, any specific date is speculation.
- Ignoring already-binding measures. The statutory tort and ADM transparency are live; do not defer them while waiting for the "big" reforms.
- Conflating reform programs. Privacy changes flowing from other regulatory regimes commence on their own timelines and should be assessed separately.
- One-off compliance. Given the staged rollout, build a monitoring rhythm rather than treating privacy as a single project.
Frequently asked
Have the Privacy Act second tranche reforms passed in 2026?
No. As at mid-2026 the second tranche remains a Government commitment under consultation. No second-tranche Bill has been passed and no firm commencement date is settled. The first tranche, by contrast, is enacted and progressively in effect.
Is the small business exemption being removed in 2026?
Removing the small business exemption is a proposed second-tranche reform, not settled law. The Government supports it in principle, but no legislation has confirmed a general removal or a fixed start date. Treat any specific date as commentary until a Bill is passed.
What Privacy Act changes are already in force?
The first tranche is enacted. This includes the statutory tort for serious invasions of privacy (commenced 10 June 2025), new automated decision-making transparency requirements for privacy policies, stronger OAIC enforcement powers and penalty tiers, code-making powers, and a criminal doxxing offence.
What is the automated decision-making transparency obligation?
APP entities must disclose in their privacy policy where personal information is used in computer programs that make or substantially assist decisions significantly affecting individuals. Organisations have until late 2026 to comply; verify the exact date with the OAIC.
How should businesses prepare for the 2026 Privacy Act reforms?
Meet enacted first-tranche obligations now (privacy policy, ADM disclosures, breach response), map your personal information, minimise unnecessary data to reduce litigation risk, run a readiness assessment, and monitor the OAIC and legislation.gov.au before acting on unpassed proposals.
© Rules Mate · Source citations at the end · Information current as at 12 June 2026