Privacy Act vs GDPR: what Australian businesses actually need to know
How Australia's Privacy Act and Australian Privacy Principles compare to the EU's GDPR — thresholds, consent, breach notification, penalties, and what changes for AU businesses in December 2026.
The short answer
If your Australian business handles personal information about people in the EU or UK, you may need to comply with both the Australian Privacy Act 1988 (and its Australian Privacy Principles, or APPs) and the EU General Data Protection Regulation (GDPR); the UK runs a near-identical regime under the UK GDPR. The two laws overlap heavily in principle but differ in important detail. GDPR is generally stricter on lawful basis and consent, individual rights and breach-notification timeframes; the Privacy Act is catching up with the 2024-2026 reforms.
Who each law covers
| Dimension | Australian Privacy Act | EU GDPR |
|---|---|---|
| Who it binds | APP entities: Commonwealth agencies plus organisations above the small-business threshold | Controllers and processors established in the EU, plus those outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU (Art. 3) |
| Small-business exemption | Yes (annual turnover under $3M) — removed 10 December 2026 | No exemption |
| Extraterritorial reach | AU businesses, plus overseas organisations with an "Australian link" (s 5B) | Any organisation, anywhere, that targets or monitors people in the EU |
| Core framework | 13 Australian Privacy Principles | 7 principles + 6 lawful bases |
Key differences
- Lawful basis and consent. GDPR requires one of six lawful bases under Article 6 for every processing activity; consent is only one of them, and where it is relied on it must be freely given, specific, informed and unambiguous (Art. 4(11) and 7), and explicit for special-category data (Art. 9). The Privacy Act is more flexible: collection must be "reasonably necessary" for your functions and notified under APP 5, and consent is mandatory mainly for sensitive information (APP 3.3). Bundled or implied consent has historically been more accepted in Australia; the 2024-2026 reforms tighten this.
- Individual rights. GDPR grants a broad set of rights: access, rectification, erasure ("right to be forgotten"), restriction, portability and objection (Arts. 15-21). The Privacy Act grants access and correction under APP 12 and APP 13; a broader suite is being phased in.
- Automated decision-making. GDPR Article 22 restricts solely automated decisions that have legal or similarly significant effects. Australia is introducing ADM transparency requirements that take effect in 2026, requiring privacy policies to disclose the kinds of decisions made using automation. If you use algorithmic decisioning, build an ADM register now: which decisions, which personal information feeds them, and whether a human reviews the outcome.
- Cross-border transfers. GDPR permits transfers outside the EEA only under adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules or a narrow set of derogations (Chapter V). The Privacy Act's APP 8 requires you to take reasonable steps to ensure an overseas recipient complies with the APPs, and s 16C makes you liable for the recipient's breaches unless an exception applies (for example, the individual's informed consent or a recipient bound by a substantially similar law).
Breach notification
| Dimension | Australian NDB scheme | EU GDPR |
|---|---|---|
| Trigger | "Eligible data breach": unauthorised access, disclosure or loss likely to result in serious harm to any individual | Any personal-data breach, unless it is unlikely to result in a risk to individuals' rights and freedoms (Art. 33) |
| Regulator notice | OAIC "as soon as practicable" after you form the belief that an eligible breach has occurred | Supervisory authority within 72 hours of becoming aware, where feasible; reasons for any delay must be given |
| Individual notice | Required for eligible breaches, as soon as practicable | Required "without undue delay" where the breach is likely to result in a high risk (Art. 34) |
| Assessment window | Take all reasonable steps to complete the assessment within 30 days of suspecting a breach | No fixed assessment window; the 72-hour clock starts at awareness, not at the end of investigation |
Track both the 30-day assessment window and the notification trigger with the NDB notification timer.
Penalties
- Privacy Act: for serious interferences with privacy, the greater of $50M, 3× the benefit obtained, or 30% of adjusted turnover during the breach turnover period. Lower-tier civil penalties and infringement notices also apply to lesser contraventions. A statutory tort for serious invasions of privacy is also now in force (from 10 June 2025).
- GDPR: up to €20M or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements; a lower tier of €10M or 2% applies to others (Art. 83).
What changes in December 2026
From 10 December 2026, the Privacy Act's small-business exemption is removed and around 2 million Australian SMBs become APP entities for the first time. If you've relied on the under-$3M exemption, that ends — you'll need a privacy policy, a data inventory, a breach-response plan, and APP-compliant collection notices.
Score your readiness with the Privacy Act 2026 readiness tool, and see the full picture in the Privacy Act 2026 hub.
Frequently asked
Do Australian businesses have to comply with GDPR?
Only if you are established in the EU, or you offer goods or services to, or monitor the behaviour of, people in the EU (GDPR Art. 3). A purely domestic AU business with no EU customers generally doesn't, but it still must comply with the Australian Privacy Act if it's an APP entity.
Is the Australian Privacy Act stricter than GDPR?
Not yet, but the gap is closing. GDPR is currently stricter on consent, individual rights and the 72-hour breach window. Australia's 2024-2026 reforms (statutory tort, exemption removal, ADM transparency, higher penalties) move it closer.
When does the small-business exemption end?
10 December 2026. From that date, businesses under $3M turnover that previously relied on the exemption become APP entities with full obligations.