Does the Australian Privacy Act Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers Australian Privacy Act scope, obligations, and penalties.
About the Australian Privacy Act
The Privacy Act 1988 (Cth) is Australia's primary federal data protection law. It establishes 13 Australian Privacy Principles (APPs) that govern how organisations handle personal information. The Office of the Australian Information Commissioner (OAIC) is the primary regulator.
Who it applies to: The Privacy Act 1988 covers (1) Australian government agencies; (2) organisations with annual turnover exceeding AUD $3 million; and (3) certain organisations regardless of size, including health service providers, businesses that trade in personal information, businesses with a government contract, and credit reporting bodies (Privacy Act 1988, s.6C).
Significant 2022 reforms and beyond: Following significant data breaches (Optus, Medibank), Australia substantially amended the Privacy Act. Key changes include: increased penalties of up to AUD $50 million; expanded regulatory powers for the OAIC; new provisions on serious interference with privacy; and significant reforms to the Notifiable Data Breaches scheme. Further reforms, including automated decision-making transparency requirements (effective December 10, 2026), are underway.
The 13 APPs cover: open and transparent management; anonymity and pseudonymity; collection of solicited personal information; dealing with unsolicited personal information; notification of collection; use or disclosure; direct marketing; cross-border disclosure; adoption, use or disclosure of government identifiers; quality; security; access to personal information; and correction of personal information.
Key obligations under the Australian Privacy Act
Frequently asked questions
Does the Australian Privacy Act apply to businesses outside Australia?
Yes, if an overseas organisation carries on a business in Australia and collects or holds personal information. The Privacy Act applies to organisations that have an "Australian link" — which includes having an Australian establishment or collecting or holding personal information in Australia. Foreign organisations that target Australian consumers, have Australian operations, or collect data from Australian individuals should seek specific legal advice on their obligations.
What is the AUD $3 million turnover threshold?
The Privacy Act 1988 generally exempts "small business operators" — organisations with annual turnover of AUD $3 million or less. However, even small businesses are covered if they: are a health service provider; trade in personal information; have a government contract; are a reporting entity for anti-money laundering purposes; or are a contracted service provider for a Commonwealth agency.
What is the Notifiable Data Breaches scheme?
Part IIIC of the Privacy Act 1988 establishes the Notifiable Data Breaches (NDB) scheme. Covered entities must notify the OAIC and affected individuals when an eligible data breach occurs — that is, when personal information is accessed or disclosed without authorisation and is likely to result in serious harm. Notification must occur as soon as practicable, generally within 30 days of becoming aware of an eligible breach.
What are the penalties under the Australian Privacy Act?
Following 2022 amendments, serious or repeated interference with privacy can attract civil penalties of up to AUD $50,000,000 for a body corporate. For individuals, penalties of up to AUD $2,500,000 apply. The OAIC also has powers to conduct assessments, accept enforceable undertakings, and apply for injunctions.
What is the December 2026 automated decision-making requirement?
APP 1 is being amended to require entities to include in their privacy policy a description of the kinds of personal information used in substantially automated decisions that have significant effects on individuals. This change is effective December 10, 2026, and applies to entities covered by the Privacy Act 1988 that use personal information in automated decision-making.
Not sure if the Australian Privacy Act applies?
Run the full assessment — covers all major privacy laws with exact statutory citations. Free, no account required.