Five Practical Things to Think About as Australia’s Privacy Laws Change

Australia’s privacy laws have changed in a big way, and more changes are coming through 2026. If you run a business that collects information about customers, staff or anyone else, here are five practical things to think about.

1. Know where you are using AI and automated tools to make decisions about people

From 10 December 2026, if your business uses a computer program (including AI) to make, or help make, decisions that could reasonably be expected to significantly affect a person’s rights or interests, you will need to explain this in your privacy policy. That covers things like automated credit and lending decisions, AI-assisted screening of job applicants, automated tenancy or insurance assessments, automated fraud blocking, and decisions about access to a benefit or service. Before you can explain it, you need to know where it is happening in your business. Walk through your systems and write a simple list of what each tool does, what information it uses, and whether a human checks the outcome.

2. Treat your privacy policy as a real document, not just website fine print

The privacy regulator (the Office of the Australian Information Commissioner, or OAIC) has started its first ever round of spot checks. About 60 businesses across six sectors (rental and real estate, pharmacies, licensed venues, car rental, car dealerships, and pawnbrokers and second-hand dealers) are being reviewed right now on whether their privacy policies actually meet the law’s requirements. A generic policy copied from a template is a risk. Read yours and ask: does it explain what we collect, how we collect it, what we use it for, who we share it with, and how someone can complain or correct their information? If not, fix it.

3. Update your plan for what happens when something goes wrong

Two things have changed the stakes. First, individuals can now sue your business directly for serious invasions of their privacy, with damages of up to about $478,550 for emotional and other non-financial harm, including any punitive damages a court orders. Second, fines for serious or repeated privacy breaches can now reach up to $50 million, three times the benefit gained, or 30 percent of adjusted turnover, whichever is highest. That means a privacy incident is no longer just a regulator problem. You need a written plan that covers who is called, who decides, what you tell customers, and how you handle both regulator questions and the possibility of individual lawsuits.

4. Look closely at who you share customer information with, especially overseas

If you use cloud software, an offshore call centre, a marketing platform or any provider that stores or accesses customer information outside Australia, you are responsible for what happens to that information. The law now expressly requires you to take “technical and organisational” steps to keep data safe. In plain terms, that means having both the right technology (encryption, access controls, backups) and the right business practices (staff training, written procedures, supplier contracts that spell out privacy obligations). Pull out your supplier list and check what you actually have in writing.

5. Get ready for more reforms, not fewer

A second round of changes is being prepared. The exemption that currently lets businesses with under $3 million in annual turnover skip most of the privacy rules is expected to be removed over time. In the meantime, from 1 July 2026, more than 100,000 small businesses, including lawyers, conveyancers, accountants and real estate agents, will be brought into the Privacy Act for their anti-money laundering activities, regardless of turnover. There are also likely changes ahead to how employee records are treated, along with a new test that all personal information handling must be “fair and reasonable.” If your business has been operating on the basis that the Privacy Act does not apply to you, that position may not hold for much longer. It is far cheaper to build good habits now than to scramble later.

The takeaway

The common thread is that privacy has moved from a website page to a real business risk. The businesses that do best will be the ones that treat 2026 as a chance to tidy up, not a tick-box exercise.

If you would like to talk through what this means for your business, get in touch on info@gablelawyers.com.au or 0478 041 646.

#PrivacyLaw #SmallBusiness #AustralianBusiness #DataProtection #PrivacyAct #AI #GableLawyers
