Australia Privacy Act 2023–2024 Reform Proposals
Australia's most significant Privacy Act overhaul in decades, proposing a tort of serious invasion of privacy, enhanced individual rights, and tightened security obligations.
Australia's Privacy Act 1988 (Cth) is undergoing its most comprehensive reform since the 2014 Australian Privacy Principles (APPs) were introduced. The Attorney-General's Department released the Privacy Act Review Report in February 2023 with 116 proposals, and the government's September 2023 response accepted, accepted in principle, or agreed to further consider the vast majority. Key accepted proposals include: a statutory tort of serious invasion of privacy (allowing individuals to sue without AG intervention), a "fair and reasonable" test for data collection and use supplementing the existing notice/consent framework, enhanced individual rights including a limited right to erasure and a right to object to direct marketing and targeted advertising, mandatory privacy impact assessments for high-risk activities, and a direct right of action for APP entity breaches.
The engineering implications of the proposed reforms are substantial. The "fair and reasonable" test — modeled on equivalent GDPR proportionality analysis — will require organizations to document why each data collection and use is objectively justifiable, not merely that it was disclosed. This elevates data minimization from best practice to a legal standard enforceable by the OAIC. The proposed security obligations retain the existing APP 11 duty to take "reasonable steps" to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure, but recent OAIC determinations signal a greater willingness to enforce that duty. The proposed Children's Online Privacy Code would impose GDPR Children's Code-equivalent obligations on online services likely to be accessed by under-16s.
Australia's mandatory data breach notification scheme (Notifiable Data Breaches scheme, Part IIIC of the Privacy Act) already requires notification to the OAIC and affected individuals within 30 days of becoming "aware" of an eligible data breach. The reform proposals would tighten this timeline, increase penalties — the maximum penalty for serious or repeated interferences was raised to AUD 50 million (or three times the benefit obtained, or 30% of adjusted turnover) by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 — and broaden the OAIC's enforcement powers including infringement notice capability for lower-level violations. Organizations with Australian operations should prepare for a substantially more enforceable regime by 2025–2026.
We conduct gap assessments against Australia's proposed "fair and reasonable" standard by mapping existing collection practices against proportionality criteria, documenting purpose justifications at the data element level. Our NDB playbooks already meet the 30-day window; we are engineering toward the likely tightened timeline and pre-building privacy impact assessment templates aligned to the high-risk activity categories proposed in the Review Report.