rulesmate.com.au — Compliance reference
https://rulesmate.com.au/insights/privacy-act-vs-gdpr-australia
Printed 12 July 2026
Privacy Act vs GDPR: what Australian businesses actually need to know
How Australia's Privacy Act and Australian Privacy Principles compare to the EU's GDPR — thresholds, consent, breach notification, penalties, and what changes for AU businesses in December 2026.
The short answer
If your Australian business handles personal information about people in the EU or UK, you may need to comply with both the Australian Privacy Act 1988 (and its Australian Privacy Principles, or APPs) and the EU General Data Protection Regulation (GDPR). They overlap heavily in principle but differ in important detail. GDPR is generally stricter on consent, individual rights and breach-notification timeframes; the Privacy Act is catching up fast with the 2024-2026 reforms.
Who each law covers
| Dimension | Australian Privacy Act | EU GDPR |
|---|---|---|
| Who it binds | APP entities — agencies + organisations over the small-business exemption | Any organisation processing EU residents' personal data |
| Small-business exemption | Yes (turnover under $3M) — removal proposed but not yet law (no commencement date) | No exemption |
| Extraterritorial reach | AU businesses + some overseas with an "Australian link" | Anyone targeting or monitoring EU residents |
| Core framework | 13 Australian Privacy Principles | 7 principles + 6 lawful bases |
Key differences
- Consent. GDPR requires a clear lawful basis (often explicit, freely-given consent) for most processing. The Privacy Act is more flexible — collection must be "reasonably necessary" and notified, but bundled or implied consent has historically been more accepted (the 2024-2026 reforms tighten this).
- Individual rights. GDPR grants strong rights: access, rectification, erasure ("right to be forgotten"), portability, and objection. The Privacy Act grants access + correction under APP 12-13; a broader suite is being phased in.
- Automated decision-making. GDPR Article 22 restricts solely-automated decisions with legal/significant effect. Australia is introducing ADM transparency requirements that crystallise through 2026 — if you use algorithmic decisioning, build an ADM register now.
- Cross-border transfers. GDPR uses adequacy decisions + Standard Contractual Clauses. The Privacy Act's APP 8 makes you accountable for overseas recipients unless an exception applies.
Breach notification
| Australian NDB scheme | GDPR | |
|---|---|---|
| Trigger | "Eligible data breach" likely to cause serious harm | Personal-data breach (risk-based) |
| Regulator notice | OAIC "as soon as practicable" after assessment | Supervisory authority within 72 hours |
| Individual notice | Required for eligible breaches | Required where high risk |
| Assessment window | Up to 30 days to assess | No fixed assessment window; clock is tight |
Track both the 30-day assessment window and the notification trigger with the NDB notification timer.
Penalties
- Privacy Act: up to $50M, or 3× the benefit obtained, or 30% of adjusted turnover during the breach period — whichever is greatest — for serious or repeated interferences with privacy. A statutory tort for serious invasions of privacy is also now in force.
- GDPR: up to €20M or 4% of global annual turnover, whichever is higher.
What changes in December 2026
From 10 December 2026, the Privacy Act's new ADM transparency requirements and the binding Children's Online Privacy Code commence for existing APP entities.
Separately, removing the Privacy Act's small-business exemption — which would bring around 2 million Australian SMBs into APP scope for the first time — was recommended in the Privacy Act Review and agreed in principle by the Government. It is deferred to a future reform tranche, is not yet law, and has no commencement date. If enacted, businesses that relied on the under-$3M exemption would need a privacy policy, a data inventory, a breach-response plan, and APP-compliant collection notices.
Score your readiness with the Privacy Act 2026 readiness tool, and see the full picture in the Privacy Act 2026 hub.
Frequently asked
Do Australian businesses have to comply with GDPR?
Only if you offer goods/services to, or monitor the behaviour of, people in the EU. A purely domestic AU business with no EU customers generally doesn't — but it still must comply with the Australian Privacy Act if it's an APP entity.
Is the Australian Privacy Act stricter than GDPR?
Not yet, but the gap is closing. GDPR is currently stricter on consent, individual rights and the 72-hour breach window. Australia's 2024-2026 reforms (statutory tort, ADM transparency, higher penalties — plus a proposed but not-yet-law exemption removal) move it closer.
When does the small-business exemption end?
There is no commencement date. Removing the exemption was recommended in the Privacy Act Review and agreed in principle by the Government, but it is deferred to a future reform tranche and is not yet law. If enacted, businesses under $3M turnover that relied on the exemption would become APP entities with full obligations.
Related
Free tools
© Rules Mate · Source citations at the end · Information current as at 28 May 2026
Printed from https://rulesmate.com.au/insights/privacy-act-vs-gdpr-australia