Australia · Reviewed April 2026

What Is Privacy Act 1988 (Cth) + Australian Privacy Principles?

The Privacy Act 1988 (Cth) is Australia's federal data protection law, governing how Commonwealth agencies and private-sector organizations handle personal information. The law is built around 13 Australian Privacy Principles (APPs), which set baseline standards for collection, use, disclosure, security, access, and correction. A multi-year reform process culminated in two major amendment packages: the 2022 Enforcement and Other Measures Act dramatically raised penalties (previously capped at AUD 2.22M; now up to AUD 50M, 30% of adjusted turnover, or 3x benefit), and the 2024 Privacy and Other Legislation Amendment Act introduced the first tranche of substantive reforms — creating a statutory tort for serious invasions of privacy, additional transparency requirements for automated decision-making, and child-specific safeguards. Subsequent tranches are expected 2025-2026. The Office of the Australian Information Commissioner (OAIC) supervises compliance, with powers to investigate, issue determinations, apply to the Federal Court for civil penalties, and enter enforceable undertakings. The 2022 Optus and 2023 Medibank breaches catalyzed the reform movement — Medibank faces a separate civil penalty proceeding that could set records for Australian privacy fines.

At a glance

Full name: Privacy Act 1988 (Cth) + Australian Privacy Principles
Short code: Privacy Act 1988
Jurisdiction: Australia
Enacted: 1988
Last major update: Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022; Privacy and Other Legislation Amendment Act 2024
Regulator: Office of the Australian Information Commissioner (OAIC)
Private right of action: Limited
Statutory citation: Privacy Act 1988 (Cth)

Scope — who Privacy Act 1988 covers

Commonwealth agencies (federal government) and private-sector 'APP entities' — organizations with annual turnover exceeding AUD 3 million, plus certain smaller organizations (health service providers, organizations trading in personal information, credit reporting bodies). Most small businesses with turnover under AUD 3M are exempt — a long-criticized gap the 2024 amendment did not close.

Protected data

Personal information: information or opinion about an identified or reasonably identifiable individual, whether true or not and whether recorded in material form or not. Sensitive information (race, political opinions, religious beliefs, sexual orientation, health information, genetic information, biometric information used for identification) is subject to stricter APPs.

Data subject rights

Right to know what personal information is collected and how it will be used (APP 1, 5 — Privacy Notice)

Right to access personal information held (APP 12)

Right to correct personal information (APP 13)

Right to anonymity and pseudonymity where practicable (APP 2)

Right to opt out of direct marketing (APP 7)

Right to complain to the OAIC

Right to sue under the new statutory tort for serious invasions of privacy (2024 amendment, effective mid-2025)

Notable features

The 2022 Optus breach (9.8 million customers) and 2023 Medibank breach (9.7 million customers) fundamentally reshaped the Privacy Act's political landscape, driving the largest penalty increases in the law's history and triggering the ongoing reform process. The 2024 amendments' statutory tort is Australia's first direct privacy tort at the federal level. Australia also has a unique Notifiable Data Breaches scheme (mandatory since February 2018) with specific thresholds and timelines.

Enforcement & penalties

Regulator: Office of the Australian Information Commissioner (OAIC)

Penalties: Maximum civil penalties (2022 amendments) for serious or repeated interferences with privacy: the greatest of AUD 50 million; three times the value of the benefit obtained; or 30% of the entity's adjusted turnover in the relevant period. The OAIC can also issue infringement notices (administrative fines) for less serious contraventions and enter enforceable undertakings.

Private right of action: Historically, Privacy Act complaints went through OAIC determinations with limited individual damages. The 2024 amendment introduced a new statutory tort for serious invasions of privacy (set to commence by mid-2025), which creates a direct cause of action for individuals against any defendant (not just APP entities) for intentional or reckless privacy invasions. This is a significant expansion from the prior regime.

Relevance to data brokers

The Privacy Act applies to data brokers that are APP entities (generally, those with turnover over AUD 3M or that trade in personal information). Brokers trading in personal information are covered regardless of turnover (Privacy Act s 6D(4)(c)). The OAIC has prosecuted brokers — the Medibank and Optus proceedings include civil penalty applications — and the 2024 statutory tort gives individual Australians a direct route to sue brokers for serious privacy invasions.

Exercise your rights

Remove your data from 300+ brokers for $5

OfflistMe drafts opt-out emails citing Privacy Act 1988 and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.


FAQ

Do small businesses need to comply with the Privacy Act?

Most small businesses (annual turnover under AUD 3M) are exempt from the Privacy Act — a significant gap criticized by consumer groups. However, certain small businesses are still covered: health service providers, organizations that trade in personal information (including many data brokers), credit reporting bodies, and contracted service providers to the Commonwealth.

What is the Notifiable Data Breaches scheme?

Since February 2018, APP entities must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to any of the individuals whose personal information was involved. Notification must happen as soon as practicable after the entity becomes aware of the breach — typically within 30 days.

How do I file an OAIC complaint?

Submit online at oaic.gov.au/privacy/privacy-complaints. The OAIC expects you to first complain directly to the APP entity and give them 30 days to respond. If unresolved, you can escalate to the OAIC, which can investigate, issue determinations, and apply to court for civil penalties.

What is the 'right to privacy' tort in the 2024 amendment?

The Privacy and Other Legislation Amendment Act 2024 created Australia's first statutory tort for serious invasions of privacy — a direct cause of action available to individuals against any defendant. It requires the invasion to be serious, intentional or reckless, and balanced against competing public interests (e.g., freedom of expression). It is expected to commence mid-2025.
