
Australian Privacy Law 2025: What are the Changes and How to be Compliant

By Argon Law Special Counsel Rachel Martin

Australia’s privacy landscape shifted dramatically in 2025, with the Privacy Act 1988 amendments introducing steeper fines, a new statutory tort for serious invasions, and heightened Office of the Australian Information Commissioner (OAIC) enforcement. 

From data breaches costing millions of dollars to individuals suing directly for privacy violations, these updates demand proactive compliance from large businesses handling customer or employee data.

As commercial law solicitors at Argon Law, we break down the essentials: what’s changed, the real-world risks like the Australian Clinical Labs (ACL) penalty, and steps to safeguard your operations under Australian Privacy Principles (APPs).


What Are the Privacy Law Changes in Australia 2025?

These new reforms target accountability in an AI-driven, data-heavy economy and attempt to provide recourse for individuals affected by the new digital landscape:

  • Higher Penalties for Breaches: For conduct after December 2022, serious violations of the Privacy Act can attract penalties of up to $50 million per incident (or 3x the benefit gained, or 30% of turnover, whichever is greater).
  • New Statutory Tort for Serious Invasions: From June 10, 2025, individuals can sue for intentional or reckless privacy invasions, even where the conduct falls outside the scope of the Act.
  • Automated Decision-Making Disclosures: By December 2026, businesses will be required to tell individuals when automated decision-making (including AI) has used their personal information to make decisions that affect them (for example, in hiring algorithms).
  • Doxxing Criminal Offences: New penalties are now in place for maliciously sharing private information online.

These changes have shifted the legislation from a reactive set of regulations to a framework that empowers individuals and regulators, and businesses have already been stung for not complying with the new laws.

Australian Clinical Labs Hit With $5.8 Million Penalty for Data Breach

In October 2025, the Federal Court ordered Australian Clinical Labs (ACL) to pay $5.8 million in civil penalties after a significant data breach involving its Medlab Pathology business in 2022. More than 223,000 individuals had their personal information accessed without authorisation as a result of a cyberattack. 

This is a landmark case – it’s the first civil penalty issued under the Federal Privacy Act 1988 (Cth) and highlights how businesses and organisations need to understand their obligations as part of the new legislation. 

What Does This Mean for Your Business?

Australian Information Commissioner Elizabeth Tydd welcomed this result, reminding all organisations to be vigilant and proactive in managing personal information. The outcome makes it clear: all businesses must take privacy obligations seriously or face significant penalties.

In fact, penalties for privacy breaches have increased sharply. For breaches after 13 December 2022, fines can be as high as $50 million per breach (or even more, in certain scenarios).

Why Australian Clinical Labs Received This Penalty

It’s important to understand that ACL was not penalised for being the target of a cyberattack. Instead, the civil penalties were a result of ACL not complying with its obligations under the Act. The Federal Court’s decision highlighted three main failures:

  • Failing to take reasonable steps to secure personal information on their IT systems as required by Australian Privacy Principle 11 (APP 11).
  • Delaying their assessment of whether a notifiable data breach had occurred following a cyberattack.
  • Failing to promptly notify the Australian Information Commissioner after discovering the breach.

This landmark case is a wake-up call for businesses, with the Commissioner emphasising that business owners need to be vigilant and should expect more OAIC enforcement action in 2026.

Key Takeaways for Business Owners

Businesses should understand their new obligations and the potential risks for not being compliant. These new obligations include:

  • APP 11 Protection: Implementing risk-based security (such as access controls, encryption of IT systems and performing regular audits).
  • Breach Response Timing: Businesses must assess “notifiable” status within 30 days and report to both the OAIC and potentially impacted individuals “as soon as practicable” if serious.
  • Turnover Threshold: Mandatory written data breach response plans are required for organisations that handle sensitive data or that turn over more than $3M in annual revenue.

A New Privacy Right of Action

The Privacy Act now includes a statutory right for individuals to sue for a serious invasion of privacy – this is called a “tort” of privacy. This is a big change as individuals no longer have to wait for the regulator to act. The basics:

  • There must be a reasonable expectation of privacy
  • The invasion must be intentional or reckless
  • The invasion must be serious (based on what a person of ordinary sensibilities would consider offensive or harmful)
  • The public interest in privacy must outweigh other factors

What are the New Risks for Employers?

Significantly, this new tort applies even when the conduct falls outside the scope of the Privacy Act (which typically exempts most employee records) and covers “serious” invasions such as unauthorised surveillance or data leaks. Employers and business owners should be aware of:

  • Surveillance and monitoring at work
  • Data breaches involving staff information
  • Collecting or using employee data without proper transparency or consent

Third-Party Platforms, AI, and Offshore Data

With higher penalties and new opportunities for legal action, business owners must be careful with third-party service providers, including AI vendors. There are a range of risks that come with businesses engaging in the digital ecosystem including:

  • Losing control over data stored overseas (see APP 8)
  • AI training using identifiable personal data (APP 6, APP 11)
  • Automated decisions without telling clients or customers (APP 1)
  • Data breaches at a third-party provider (APP 11)
  • Repurposing your data for their own marketing (APP 6)

How to Reduce Your Risk

  • Perform tailored privacy due diligence before onboarding new vendors (for example, by reviewing certifications, location, and breach history)
  • Make sure your contracts cover:
    • Data use purpose & limits
    • Data ownership and return/destruction requirements
    • Notification timeframes for data breaches
    • Approval of sub-processors
    • Strong indemnities for privacy breaches
  • When sending data overseas, get informed consent, check for equivalent privacy protections, and document your reasonable steps. Remember: you’re still accountable for what happens.

How Can I Ensure My Business is Compliant with Privacy Law Changes?

Although the changes are significant, there are steps businesses can take to ensure compliance with the new laws and mitigate potential risks. 

  • Review and update your risk management plans – including how you handle both customer and employee data
  • Make consent processes specific, transparent, and robust
  • Ensure team communication across your privacy, HR, legal, and risk departments

Ask yourself:

  • Are you taking reasonable steps to protect personal information? (See APP 11 for your obligations)
  • Do you have a process for handling potential data breaches quickly and thoroughly?
  • Are you reporting data breaches to the Australian Information Commissioner as soon as practicable?

Regardless of whether your data stays in Australia, you may need a formal data breach response plan (especially if you turn over more than $3 million or handle sensitive data).

For more information on Australian Privacy Principles (APPs) and ongoing reforms, visit the OAIC’s official resource page.

Frequently asked questions about the 2025 Privacy Law Changes

Q: What are the biggest privacy law changes in 2025?

A: Introduction of much higher penalties and a new privacy tort that allows individuals to sue directly for “serious invasion of privacy.”

Q: What’s the penalty for a privacy breach now?

A: Serious breaches can cost up to $50 million per incident (or more, depending on profits/turnover).

Q: How do I know if I’m compliant with APP 11?

A: APP 11 requires you to take reasonable steps to protect personal information. This includes securing your IT systems, training staff, and regularly reviewing privacy policies.

Q: Does the new privacy tort affect how we monitor employees?

A: Yes. Even if employee records are not covered by the Privacy Act, inappropriate surveillance or data handling can result in a tort claim.

Q: What should our contracts with vendors include?

A: Purpose of data use, limits on use, breach notification, requirements for destruction or return of data, consent for sub-processors, and strong indemnity clauses.

Q: If we use AI or offshore vendors, what do we need to do?

A: Obtain explicit consent, check for equivalent overseas privacy protections, and have solid agreements covering all privacy risks.

Q: Do we need a data breach response plan?

A: If your business turns over more than $3 million or handles sensitive information, yes – you should have a written plan ready including assessment, notification, and remediation protocols.

Q: Where can I learn more about Australian Privacy Principles (APPs)?

A: Visit the OAIC’s APP resource page for details and updates.

With penalties rising and tort claims emerging, don’t wait for a breach like ACL’s. If you’re looking to ensure your business is compliant with the new Privacy Law changes, get in touch with the Argon Law team, who can help review your business’s compliance and mitigate any risks.
