Australia is experiencing the most significant shift in privacy law since the Privacy Act was first introduced in 1988. While public attention has focused on recently introduced nationwide social media ban for children under 16, that change is only one part of a much larger privacy reform already underway. Key elements of the Privacy and Other Legislation Amendment Bill 2024 are now in force, reshaping how personal information must be handled and what happens when it is misused.

These reforms reflect a clear change in direction. Regulators are moving toward stronger enforcement, individuals are gaining more rights, and organisations are being held to higher standards when it comes to protecting personal data.

One of the most impactful changes is the introduction of a new legal right allowing Australians to sue for serious invasions of privacy. This statutory “right to sue” came into effect on 10 June 2025. It allows individuals to take legal action when their privacy is deliberately or recklessly violated, even if no criminal offence has occurred.

To succeed in a claim, a person must show that their personal space was intruded upon or their personal information was misused, that they had a reasonable expectation of privacy, that the conduct was intentional or reckless, and that the invasion was serious rather than minor. Courts must also weigh whether the public interest in protecting privacy outweighs any reason for disclosure. Importantly, individuals do not need to prove financial loss. Emotional distress alone can be enough to support a claim.

Courts are now empowered to award damages for emotional harm, order the deletion of unlawfully obtained information, issue injunctions to stop further misuse, and even require public apologies. While punitive damages are reserved for exceptional cases, the expanded remedies significantly increase legal exposure for organisations that fail to safeguard personal data.

What qualifies as a “serious” privacy breach will depend on context. Courts will consider whether harm was caused or foreseeable, whether the conduct was deliberate or malicious, how sensitive the information was, and why the intrusion occurred. Factors such as age, vulnerability, and how data was handled will also play a role. This flexible standard gives courts discretion but leaves organisations with less room for error.

Alongside individual rights, the Office of the Australian Information Commissioner now has stronger powers to investigate privacy breaches without waiting for complaints. This marks a shift toward proactive enforcement and signals that privacy compliance is no longer reactive or optional.

Another major area of reform involves automated decision-making. As software and AI increasingly influence decisions that affect people’s lives, new rules will require organisations to clearly explain when automated systems are used and how those decisions may impact individuals. Greater transparency is expected by December 2026, though questions remain around how “significant” impact will be defined.

Additional reforms are on the horizon, including a legally binding Children’s Online Privacy Code and tougher penalties for doxxing, which may become a criminal offence carrying serious jail time. Together, these changes dramatically expand privacy rights and enforcement powers in Australia.

The message is clear: privacy risk is now legal risk, reputational risk, and operational risk. Waiting for a breach, a complaint, or a regulator knock is no longer a viable strategy.