The Office of the Australian Information Commissioner launched its first privacy sweep in January, with plans to investigate the personal data collection practices of approximately 60 organizations. The sweep marks the OAIC's latest efforts to flex its enhanced enforcement powers under the amended Privacy Act.

The probes aim to review the in-person data collection, deletion and transparency standards of rental organizations, pharmacies, venues, pawnbrokers, car rental companies and dealerships. The latest sweep follows the OAIC's participation in the Global Privacy Enforcement Network's yet-to-be-released children's privacy sweep in 2025, taking inspiration from GPEN's methodology of examining specific organizations to identify key risks for consumers.

The enforcement work was foreshadowed in the OAIC's previously released regulatory priorities for 2025-26, which focused on increasing public trust and protecting consumers in situations where there might be power imbalances or meaningful consent concerns.

In an interview with the IAPP, Australian Privacy Commissioner Carly Kind noted her office is trying to show regulated entities what strong Privacy Act compliance means for their organizations and demonstrate that the OAIC is "willing and able to take strong and swift action when we see noncompliance that rises to a particular level of egregiousness. We have really been keen to use our full range of regulatory tools to demonstrate that."

Kind added the sweep is ongoing, with results and enforcement undertakings expected to be released in the coming months. 

Enforcement posture

The sweep is supported by new enforcement tools bestowed upon the OAIC in the first tranche of Privacy Act amendments approved in December 2024. The added powers include entry, search and seizure rights as well as the ability to conduct public inquiries, as approved or directed by the minister, into any specified matters relating to privacy.

Another key component of the office's powers is the ability to issue infringement notices for certain technical breaches of the law, including deficiencies in privacy notices.

"We are seeing the OAIC take a much more assertive approach to enforcement, signaling that privacy compliance must be treated as a priority," said Deloitte National Privacy Leader, Cyber Technology and Transformation Partner Lucy Mannering. "The regulator now has the power to issue infringement notices of up to AUD66,000 per breach for administrative noncompliance, as well as civil penalties and compliance notices. While these measures fall short of enforceable undertakings, they represent a significant strengthening of the OAIC's enforcement toolkit."

The focus on in-person data practices is a novel approach. During in-person interactions with organizations, consumers are often asked to hand over personal information in ways that could be unclear, yet they may feel more inclined to provide companies with their personal information in person without knowing how the data could be used.

Compared to digital channels, "in-person data collection carries a higher risk of personal information being misplaced, lost or improperly stored," Mannering said. "This can limit an organization's ability to conduct effective post-collection audits and increases the risk of hard-copy identification documents being retained in poorly governed or unstructured systems."

To identify some of these potential data security concerns, the OAIC draws on complaint data, research and coordination with other regulators to determine where privacy harms are most likely to occur. Commissioner Kind noted the OAIC has "a lot of intelligence about the kinds of privacy harms people are experiencing and the kinds of privacy harms they care about, and they complain about," combined with the regulator's own assessment of emerging risks.

Fostering meaningful change

One particular focus of the sweep is to examine whether organizations have implemented and followed clear and transparent privacy notices.

In a December 2025 statement introducing the enforcement sweep, Kind argued a notice "that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed" must be "the first building block of better privacy practices."

"When the privacy laws first came in, there was a real focus on simply having a privacy policy. Many organizations adopted generic or downloaded policies without fully assessing whether they actually met the Act's requirements," Russell Kennedy Lawyers Principal Gina Tresidder said.

She noted this is no longer sufficient. Rather than relying on individual complaints to reveal privacy or transparency concerns, the OAIC is now proactively reviewing notices across targeted sectors to assess whether they genuinely comply with the Privacy Act.

"The focus is on ensuring that organizations collecting personal information use it responsibly and in ways that align with people’s reasonable expectations," Tresidder said. "Requiring organizations to clearly explain in their privacy policies how they will use the information they collect helps prevent that information from being used in unexpected or inappropriate ways."

Beyond transparency, the sweep also places renewed emphasis on data minimization and retention practices. According to Tresidder, excessive or poorly governed data collection can significantly increase organizational risk.

"The more information you collect and hold, the more likely you're going to have a data breach, and the more severe the fallout from any breach is likely to be," she said. "Organizations should only collect data they actually need and ensure they have clear data-retention processes in place, so information is disposed of once it's no longer required."

Deloitte's Mannering claimed changes in enforcement patterns also reflect broader changes in how organizations are approaching privacy governance and could signal a need for organizational change.

"Australia's privacy laws have been significantly strengthened over the past five years, including through expanded enforcement powers," she said. "Organizations are increasingly aware of these changes and the expectations that come with them. Privacy remains a key point of differentiation in the market, and many organizations are placing a strong emphasis on their compliance posture."

Lexie White is a staff writer for the IAPP.