Australian Privacy Law in 2026: What Has Changed & Where Each State Stands
Australia's privacy laws have been through more change in the past 18 months than in the previous decade. If you work in government, manage records, or handle personal information on behalf of your organisation, the pace of that change matters. Some of it is already in force and affecting you today and some is arriving in the next 12 months. And a second, far-reaching wave of federal reform is in the pipeline with no firm date yet.
This post breaks it down jurisdiction by jurisdiction, so you can see where your organisation sits and what you actually need to be thinking about.
How Australian privacy law is structured
Australia uses a layered system. The federal Privacy Act 1988 (Cth) sets the baseline for Commonwealth agencies, the ACT government, and most businesses with annual turnover above $3 million. The Australian Privacy Principles (APPs), which sit within that Act, govern how personal information must be collected, used, stored and disclosed.
Each state and territory then has its own legislation covering its public sector agencies — councils, government departments, and statutory bodies. Some of those state laws are modern and closely aligned with the federal framework. Others have not been updated in years and are now considerably out of step.
What that means in practice: if you work for a Queensland government agency, you are bound by Queensland's laws (which have just had a major update). If you are a private sector organisation, you are most likely bound by the federal Privacy Act. And if you are a local council in Victoria, you are under a different regime again.
The picture is genuinely complex, which is why this kind of overview is useful.
Federal (Commonwealth) [Active]
The federal Privacy Act has undergone its most significant changes since it was introduced in 1988.
In December 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) received Royal Assent. This was the first of what the government has flagged as at least two tranches of reform. Most of the changes came into effect immediately upon assent, with two exceptions.
Key changes already in force:
- Right to sue for serious invasions of privacy (statutory tort): This commenced on 10 June 2025 and is significant. For the first time, individuals can take direct legal action against an organisation — or even another individual — for a serious invasion of their privacy. Previously, you could only complain to the OAIC and wait for enforcement action. Now, affected individuals can pursue civil claims, including in class actions. Courts can award damages and issue injunctions.
- Anti-doxxing criminal offence: The deliberate sharing of someone's personal information to cause harm, fear or harassment is now a federal criminal offence carrying up to seven years' imprisonment. This came into force in December 2024.
- Enhanced enforcement powers for the OAIC: The Office of the Australian Information Commissioner now has new search and seizure powers and a tiered civil penalty regime. A mid-level penalty can reach $3.3 million for companies. Serious or repeated breaches can attract fines of up to $50 million or more.
- Simpler international data transfers: Changes to the overseas disclosure rules mean there are cleaner pathways for compliant cross-border data sharing, including a ministerial "whitelist" mechanism for countries with equivalent protections.
Coming by December 2026:
- Automated Decision-Making (ADM) transparency: By 10 December 2026, all APP entities must update their privacy policies to explain when they use automated or AI-driven systems to make decisions that could significantly affect individuals' rights or interests. This is the one that will catch most organisations off-guard — many use AI tools without a full audit of where those systems make decisions affecting people.
- Children's Online Privacy Code: The OAIC must develop and register a legally binding code governing how personal information of children is handled. This must be in place by 10 December 2026. Consultation is underway.
Second tranche of reform in progress:
In February 2026, Attorney-General Michelle Rowland confirmed the government is progressing a second tranche of reform, but gave no firm timetable. This tranche is expected to be more substantial. Key items flagged as likely inclusions are:
- An expanded definition of personal information: Expanded to explicitly include technical identifiers such as IP addresses, device IDs and cookie data.
- A "fair and reasonable" test for data processing: This means organisations cannot simply rely on consent; they must also consider whether their handling of personal information is fair.
- Removal of the small business exemption: Currently, businesses with annual turnover under $3 million are exempt from the Privacy Act. That exemption has been flagged for removal, which would bring about 2.5 million additional businesses into scope.
- Stronger consent requirements: Pre-ticked boxes and unclear consent mechanisms would be prohibited.
- Rights to erasure, objection and data portability.
Sources: Attorney-General's Department | MinterEllison | Ashurst | Salinger Privacy reforms tracker
Queensland [Active]
Queensland has been through the most comprehensive state-level privacy reform in Australia, and most of it is already in force.
The Information Privacy and Other Legislation Amendment Act 2023 (Qld) — known as IPOLA — was passed in November 2023 and commenced on 1 July 2025. It is the most significant change to Queensland's privacy framework since the Information Privacy Act 2009 was first enacted.
What changed from 1 July 2025:
- Queensland Privacy Principles (QPPs): The old Information Privacy Principles and National Privacy Principles have been replaced by a single, consolidated set of 13 Queensland Privacy Principles. These align more closely with the federal APPs and apply to all Queensland public sector agencies and statutory bodies.
- Mandatory Notification of Data Breaches (MNDB) scheme: Queensland public sector agencies (excluding local councils) must now notify the OIC Queensland and affected individuals of eligible data breaches within a defined timeframe. An agency must assess a suspected breach within 30 days and notify if it is eligible. Agencies must also maintain a data breach register and publish a public-facing data breach policy.
- OIC Agency Portal: OIC Queensland launched a new online platform to support agencies in managing MNDB obligations, including voluntary and mandatory notifications.
- Updated right to information: Simplified application processes for access and amendment of personal information, all now managed under the RTI Act.
Coming 1 July 2026:
- MNDB scheme extends to Queensland local government: Councils have had a 12-month transition period. From 1 July 2026, they must comply with the MNDB scheme and all the associated obligations — data breach registers, data breach policies, notification to the OIC and affected individuals. This is weeks away. If you work with Queensland councils or support their information management, this should already be on your implementation list.
Sources: OIC Queensland IPOLA overview | MinterEllison Queensland IPOLA summary
New South Wales [Active]
New South Wales public sector agencies are governed by the Privacy and Personal Information Protection Act 1998 (NSW) — the PPIPA — and the Health Records and Information Privacy Act 2002 (NSW). These Acts apply to NSW government agencies, statutory authorities, the police service, and local councils.
NSW introduced its own mandatory notification of data breach (MNDB) scheme through amendments to the PPIPA in November 2022. After a 12-month grace period, the scheme became fully operative in 2023. Under the NSW scheme, agencies are required to notify the Privacy Commissioner and affected individuals of eligible data breaches.
NSW has not announced a comprehensive reform program equivalent to Queensland's IPOLA or the federal POLA Act. The PPIPA framework remains in place. The Information and Privacy Commission NSW (IPC) continues to provide guidance and oversight, and privacy awareness activities run alongside the national PAW calendar.
NSW agencies should also note that the federal statutory tort for serious invasions of privacy (which commenced June 2025) creates a new litigation pathway. Individuals can now sue NSW government agencies, including councils, for serious privacy breaches under the federal tort even where the PPIPA applies – the two frameworks operate concurrently.
Sources: IPC NSW | OAIC state and territory legislation overview
Victoria [Developing]
Victoria's public sector privacy framework sits in the Privacy and Data Protection Act 2014 (Vic) – the PDPA – which is administered by the Office of the Victorian Information Commissioner (OVIC). Health information is covered separately under the Health Records Act 2001 (Vic).
The PDPA currently applies only to the Victorian public sector. Private sector organisations in Victoria are subject to the federal Privacy Act.
Victoria does not yet have a mandatory data breach notification scheme for the public sector, unlike Queensland, NSW and the Commonwealth. This is one of the most notable gaps in the current framework.
In May 2025, the Victorian Parliament's Economy and Infrastructure Committee tabled a report on workplace surveillance that includes significant privacy reform recommendations. While focused on the workplace surveillance context, the recommendations have broader implications. They include:
- Extending the PDPA to apply to private sector employers who conduct workplace surveillance. This means privacy obligations would follow the surveillance activity, not just the sector
- Expanding the definition of "sensitive information" to explicitly include biometric data, such as facial recognition data, fingerprints and similar data
- Introducing a mandatory incident notification scheme for Victorian public sector agencies
- Appointing OVIC or WorkSafe as regulator with enforcement and investigation powers for workplace surveillance
These are recommendations, not law yet. The Victorian Government has not yet introduced legislation in response. The Corrs Chambers Westgarth assessment from June 2025 described these changes as potentially "imminent" but the precise timeline remains subject to consultation.
In the meantime, Victorian local councils are already affected by the federal statutory tort that commenced in June 2025. As Maddocks noted in August 2025, individuals can now sue Victorian councils for serious privacy breaches under the federal tort, even though councils are governed by the PDPA rather than the Privacy Act. This is a new and real litigation risk for councils that maintain CCTV systems, share information with third parties, or handle sensitive information at scale.
Sources: Corrs Chambers Westgarth — Victorian workplace surveillance reforms | Maddocks — federal reforms and Victorian councils | OVIC
Western Australia [Upcoming]
Western Australia has long been one of the more notable gaps in the national privacy framework. Until recently, WA was the only state without its own dedicated public sector privacy legislation.
That changes on 1 July 2026.
The Privacy and Information Sharing Act 2024 (WA) was passed by the WA Parliament and will commence on 1 July 2026, administered by the Office of the Information Commissioner WA. This is a significant development — WA public sector agencies, including local government, will for the first time be subject to a dedicated state privacy regime.
The full details of the WA scheme are still being worked through ahead of commencement, but it represents a long-overdue alignment with the rest of the country. WA organisations that have been operating under federal guidelines only should be preparing for the new obligations.
Source: OAIC state and territory privacy legislation
South Australia [No state law]
South Australia does not have its own dedicated public sector privacy legislation. SA government agencies are primarily governed by the federal Privacy Act 1988 (Cth) through their relationship with Commonwealth programs and funding, and there are some sector-specific rules in health and other areas.
The SA Privacy Committee provides some oversight function but does not have the regulatory teeth of commissioners in other jurisdictions. SA has historically been the state with the least developed state-level privacy framework, and there is no announced reform process to change that at the time of writing.
SA organisations should remain focused on federal Privacy Act compliance and the changes flowing from the 2024 federal reforms, including the statutory tort that came into force in June 2025.
Tasmania, ACT and Northern Territory [Active]
These three jurisdictions each have their own privacy frameworks for the public sector, administered by their respective regulators (the Tasmanian Ombudsman, the ACT Information Privacy Commissioner, and the NT Information Commissioner respectively). All three operate within the broader national framework and are subject to the federal Privacy Act where applicable.
None of these jurisdictions has announced major standalone reform equivalent to Queensland's IPOLA. Their agencies are, however, affected by the federal statutory tort that commenced June 2025, and by the coming federal ADM transparency requirements in December 2026.
The ACT is of particular note because its government agencies are subject to the federal Privacy Act directly. This means the Tranche 1 federal reforms apply to ACT agencies as if they were Commonwealth agencies.
Source: ICLG Australia data protection report 2025–2026
Key dates at a glance
| Date | What changes | Status |
|---|---|---|
| Dec 2024 | Federal Privacy and Other Legislation Amendment Act 2024 receives Royal Assent. Most changes take effect immediately. | Done |
| Jun 2025 | Federal statutory tort for serious invasions of privacy commences. Individuals can now sue for serious privacy breaches. | Done |
| 1 Jul 2025 | Queensland IPOLA commences. QPPs replace old principles. MNDB scheme starts for QLD state agencies. | Done |
| Jun 2025 | OAIC adopts more active enforcement approach using new civil penalty powers. | Done |
| 1 Jul 2026 | Queensland MNDB scheme extends to local councils. | Soon |
| 1 Jul 2026 | Western Australia Privacy and Information Sharing Act 2024 commences. | Soon |
| 10 Dec 2026 | Federal ADM transparency deadline: all APP entities must update privacy policies to disclose use of automated decision-making. | Upcoming |
| 10 Dec 2026 | OAIC must have Children's Online Privacy Code registered and in force. | Upcoming |
| 2026 (TBC) | Federal Tranche 2 privacy reforms — expanded definitions, fair and reasonable test, possible removal of small business exemption. | Upcoming |
What does this mean in practice?
A few things stand out from this picture.
First, the overall direction is clear: privacy obligations are expanding, enforcement is becoming more active, and the exposure for organisations that get it wrong is growing. The statutory tort means individuals no longer have to wait for a regulator to act. Class actions are now a real possibility following a major data breach.
Second, the December 2026 ADM deadline is the one that most organisations are unprepared for. If your organisation uses AI tools for any decisions affecting individuals – content moderation, eligibility assessments, service prioritisation, data matching – you will need to understand those systems well enough to describe them in a privacy policy. That is not a small task for most organisations.
Third, information governance is the foundation that everything else rests on. You cannot comply with MNDB obligations if you do not know where your personal information lives. You cannot meet ADM transparency requirements if you do not have a map of where AI tools are touching personal information. You cannot respond to a privacy breach in 30 days if you do not have a data breach policy and response plan already in place.
None of that work starts with the law. It starts with understanding what information your organisation holds and how it flows.
If you work in Queensland government, local council, or regulated enterprise and are thinking about what the current reform cycle means for your information management, we are happy to talk through where to start.
References and further reading
All sources are cited in context above. Key reference points:
- Federal Attorney-General's Department: ag.gov.au/rights-and-protections/privacy
- OAIC state and territory legislation overview: oaic.gov.au/privacy/privacy-legislation/state-and-territory-privacy-legislation
- OIC Queensland IPOLA resources: oic.qld.gov.au/training-and-events/ipola
- Salinger Privacy reform tracker: heliossalinger.com.au/privacy-reforms
- MinterEllison POLA Act overview: minterellison.com/articles/privacy-and-other-legislation-amendment-act-2024-now-in-effect
- Ashurst Tranche 1 deep dive: ashurst.com/en/insights/australias-first-tranche-of-privacy-reforms-a-deep-dive-and-why-they-matter
- Corrs — Victorian workplace surveillance reform: corrs.com.au/insights/victorian-workplace-surveillance-and-privacy-reforms-on-the-horizon
- Maddocks — federal reforms and Victorian councils: maddocks.com.au/insights/recent-commonwealth-privacy-reforms-for-councils
- DLA Piper Australia data protection guide: dlapiperdataprotection.com/index.html?c=AU
- ICLG Australia data protection report 2025–2026: iclg.com/practice-areas/data-protection-laws-and-regulations/australia
Note: This post provides a general overview for information purposes. It is not legal advice. Organisations should seek specific legal guidance on how these reforms apply to their circumstances.