Last Updated: January 2024View Infographic (PDF)

This resource provides a brief overview of federal privacy reform efforts in Australia and what might be expected in 2024. The IAPP additionally hosts an "Australia and New Zealand" topic page, which regularly updates with the latest regional news and resources.


Navigate timeline:
1990s, 2000s, 2010s, 2020s, What to expect in 2024

1990s

View as Infographic

1 Jan. 1989

Privacy Act 1988

★ Established the Office of the Privacy Commissioner within the Human Rights and Equal Opportunity Commission.

★ Set forth the Information Privacy Principles applicable to Australian government departments and agencies.


24 Sept. 1991

Privacy Amendment Act 1990

★ Went into effect, regulating credit reporters and providers that handle consumer credit reports and data.


1 July 1997

Telecommunications Act 1997

★ Established the regulatory functions of the privacy commissioner for personal information held by telecom companies.

2000s

View as Infographic

1 July 2000

Privacy Amendment (Office of the Privacy Commissioner) Act 2000

★ Went into effect, creating the Office of the Privacy Commissioner, which took over privacy operations from the Human Rights and Equal Opportunity Commission.


21 Dec. 2001

Privacy Amendment (Private Sector) Act 2000

★ Went into effect, extending the scope of the Privacy Act to some private entities, including large businesses and health service providers.

★ Introduced the National Privacy Principles, applicable to private sector organizations, into the Privacy Act.

★ Clarified the distinction between personal information, sensitive information and health information under the Privacy Act.


14 Sept. 2006

Privacy Legislation Amendment Act 2006

★ Went into effect, adding genetic information to the definitions of health and sensitive information under the Privacy Act.

2010s

View as Infographic

1 Nov. 2010

Australian Information Commissioner Act 2010

★ Went into effect, creating the Office of the Australian Information Commissioner, which integrated the former Office of the Privacy Commissioner.


12 March 2014

The Privacy Amendment (Enhancing Privacy Protection) Act 2012

★ Went into effect, replacing the previous Information Privacy Principles and National Privacy Principles with a new set of 13 Australian Privacy Principles.

★ Granted new enforcement powers to the information commissioner.


22 Feb. 2018

The Privacy Amendment (Notifiable Data Breaches) Act 2017

★ Went into effect, requiring all entities subject to the Privacy Act to notify impacted individuals and the OAIC of data breaches likely to result in serious harm.


12 Dec. 2019

Review of the Privacy Act

★ Announced by the Attorney-General as a response to the inquiry conducted by the Australian Competition and Consumer Commission on digital platforms.

2020s

View as Infographic

1 July 2020

Consumer Data Right

★ Launched with the banking sector's sharing of consumer data when requested by the customer.


30 Oct. 2020

Review of the Privacy Act 1988

★ Published an issues paper as part of the Privacy Act comprehensive review.


25. Oct. 2021

Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill)

★ Published the online privacy bill exposure draft, explanatory paper and regulatory impact statement as part of the consultation process.


7 Feb. 2022

Facebook v. Australian Information Commissioner 2022

★ Confirmed an earlier ruling from a prima facie case that said Facebook (now Meta) "carries on business" and collects personal information in Australia.


12 Oct. 2022

Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022

★ Went into effect, imposing greater privacy requirements.

★ Enabled the government and certain financial services providers to request customer data from telecom companies in response to cybersecurity incidents.


13 Dec. 2022

Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022

★ Went into effect for a period of 12 months, introducing increased penalties for serious and/or repeated privacy breaches.

★ Strengthened the powers of the OAIC to resolve breaches.

★ Introduced new information-sharing powers to facilitate engagement with domestic regulators and international counterparts.

★ Expanded the scope of compliance to include more foreign organizations.


16 Feb. 2023

Privacy Act Review Report

★ Released and proposed 116 recommendations that emerged from stakeholders' input since 2020.

★ Acknowledged that Australia's digital economy has led to innovation and increased productivity, but also raised concerns about data breaches and privacy.


7 March 2023

Facebook v. Australian Information Commissioner

★ Revoked Facebook's special leave to appeal on procedural grounds by the High Court.


3 May 2023

Restructuring of the OAIC

★ Announced the return to a three-commissioner format, including a standalone privacy commissioner dedicated to handling data breach matters, announced by the Attorney-General.

★ Expanded funding an additional AUD17.8 million for the agency.


28 Sept. 2023

Response to the Privacy Act Review Report

★ Outlined the government's response to the Privacy Act Review Report recommendations.

★ Agreed to 38 proposals, agreed in-principle to 68 proposals and noted 10 proposals out of the report's 116 recommendations.


27 Nov. 2023

Changing of the Guard

★ Appointed lawyer Carly Kind as Australia's new sole privacy commissioner, effective February 2024.

★ Noted incumbent commissioner Angelene Falk will serve the remaining six months of her term as the dedicated information commissioner after the reorganization of the OAIC.

What to expect in 2024

View as Infographic

★ The Attorney-General's department is expected to develop draft legislation on 38 proposals, including on:

  • Enhanced powers for the OAIC to conduct investigations.
  • New civil penalty provisions for mid-tier and low-tier breaches.
  • Enhanced transparency obligations for automated decision-making.
  • Mechanisms to introduce a data trader “adequacy” regime.

★ 68 proposals have been agreed in-principle and will undergo further stakeholder engagement and a comprehensive cost-benefit analysis to determine potential compliance costs and benefits for covered entities and individuals.

★ Outside of legislation, the government is also expected to focus on:

  • Complementing other reforms, such as the 2023-2030 Australian Cyber Security Strategy, Digital ID, and National Strategy for Identity Resilience and Responsible Artificial Intelligence in Australia.
  • Development of the Children's Online Privacy Code.