Privacy · 2 October 2025 · 6 min read

Privacy Act Reform: What Australian Small Businesses Need to Know

Tags: privacy act, data breach, small business, privacy

The Privacy Act 1988 is undergoing its most significant reform in a generation. Following a comprehensive government review, changes are being introduced in stages — some are already law, others are before Parliament, and more are planned.

For Australian small businesses, the reforms represent both a compliance challenge and a signal about where the regulatory bar is heading. The direction is clear: higher standards, higher penalties, and greater individual rights over personal data.

This guide explains what's changed, what's coming, and what small businesses need to do.

What Has Already Changed

1. Substantially Increased Civil Penalties (In force)

The most immediate impact of the reform process was a dramatic increase in maximum civil penalties for serious or repeated interferences with privacy.

Previous maximum: $2.22 million for serious or repeated breaches

Current maximum (from 2023):

For bodies corporate: the greater of:

  • $50 million
  • Three times the value of the benefit obtained by the contravention (if determinable)
  • 30% of the body corporate's adjusted turnover in the relevant period

For individuals: $2.5 million

This is not a theoretical risk. The OAIC is actively using its enhanced powers. For small businesses — which often assume they're too small to attract regulatory attention — the $50 million maximum is a ceiling, not a floor. Penalties are proportionate, but the signal is clear: privacy compliance is no longer optional.

2. Enhanced OAIC Enforcement Powers (In force)

The OAIC now has strengthened investigative and enforcement powers, including:

  • Greater ability to conduct own-motion investigations
  • Enhanced information-gathering powers
  • Ability to make determinations and seek court orders more efficiently

The OAIC has signalled that it will use these powers to build a record of enforcement actions — creating case law that clarifies where the boundaries are.

What Is Being Reformed

3. The $3 Million Turnover Exemption May Change

Currently, the Privacy Act's small business exemption applies to most businesses with annual turnover below $3 million — meaning they don't need to comply with the Australian Privacy Principles (APPs) at all (with certain exceptions, including healthcare providers and credit providers).

The government has committed to reviewing this exemption with a view to potentially extending the Privacy Act to cover more small businesses.

What this means for you:

If your business currently benefits from the small business exemption (turnover below $3 million, and not a healthcare provider, credit provider, or other included category), you may eventually be required to comply with the full Privacy Act.

Businesses should begin building good privacy practices now — not because they're required to today, but because the direction of reform is clear, and building sound data practices is cheaper to do proactively than reactively.

4. Strengthened Individual Rights

Proposed reforms include stronger individual rights over personal data, including:

Right to object to processing: Individuals may gain the right to object to the processing of their personal information in certain circumstances.

Right to explanation for automated decisions: Where decisions about individuals are made using automated processes, affected individuals may have the right to request an explanation.

Enhanced access and correction rights: Stronger rights to access personal information and have errors corrected.

These rights, if enacted, will require businesses to have processes for receiving and responding to them — adding to the operational compliance burden.

5. Direct Action Right for Individuals

A significant proposed reform is giving individuals a direct right of action — the ability to seek compensation from entities that breach their privacy, without having to go through the OAIC's complaints process.

This reform would be transformative for privacy compliance in Australia. Currently, individuals can only seek redress via the OAIC, which has limited resources and cannot take action in every case. A direct right of action would open businesses to class actions and individual legal claims for privacy breaches.

6. New Data Security Obligation

Currently, the Privacy Act requires organisations to take "reasonable steps" to protect personal information. Proposed reforms may introduce a more specific, outcome-focused security obligation — requiring businesses to actively assess and address data security risks.

7. Privacy by Design

There are proposals to introduce a requirement for privacy by design — building privacy considerations into systems and processes from the outset, rather than retrofitting them. This would affect how new IT systems, products, and processes are developed.

What Small Businesses Should Do Now

Regardless of whether your business currently falls within the Privacy Act (i.e., whether you're above or below the $3 million exemption threshold), there are things you should be doing:

For businesses currently subject to the Privacy Act (including all healthcare providers):

  1. Review your Privacy Policy — ensure it's current, accurate, and accessible
  2. Review your data breach response plan — ensure it covers the current Notifiable Data Breaches (NDB) scheme requirements
  3. Audit your data security practices — encryption, access controls, secure disposal
  4. Train your staff on privacy obligations and data breach response
  5. Assess your use of offshore cloud services — if you're using overseas-hosted services (including SaaS applications), consider whether you're meeting your cross-border data transfer obligations

For businesses currently exempt (below $3 million, not healthcare):

  1. Start building good privacy habits now — if the exemption is removed, you'll be ahead
  2. Review what personal data you collect and hold — map your data flows
  3. Assess your data security — even if not required, a data breach is damaging regardless of legal liability

The International Context

Australia is moving to align its privacy framework more closely with international standards — particularly the EU's General Data Protection Regulation (GDPR). Australian businesses that deal with EU residents may already have GDPR obligations. The reforms make the Australian framework more GDPR-like over time.

If you're an Australian business with customers in the EU (or planning to expand there), understanding both the GDPR and the Australian reforms together is important.

How Reguladar Helps

Privacy Act reform is one of multiple regulatory changes affecting Australian small business compliance. Reguladar tracks your compliance obligations across privacy, employment, tax, and WHS — so you stay informed as the regulatory landscape changes.

Start your free compliance check at Reguladar →
