
Australia in focus: Data protection and AI in Australia

Introduction

Australia's privacy regulatory landscape presents a distinct framework that organizations operating in or targeting the Australian market must carefully navigate. Unlike the European Union's General Data Protection Regulation or more prescriptive regimes in jurisdictions such as Brazil or certain U.S. states, Australia's Privacy Act 1988 takes a principles-based approach that affords organizations greater flexibility in how they achieve compliance. The framework does not draw the familiar controller-processor distinction found in many modern privacy laws, nor does it impose the same breadth of individual rights that characterize newer regulatory models.

However, organizations should not mistake this flexibility for leniency. Australia has demonstrated a clear willingness to enforce its privacy requirements, and the penalties for non-compliance are substantial. A body corporate that contravenes the Privacy Act may face the greater of $50 million, three times the value of the benefit obtained from the contravening conduct, or 30% of the body corporate's adjusted turnover during the breach period. These penalty thresholds place Australia among the jurisdictions with the most significant financial exposure for privacy violations, rivaling even the GDPR's penalty regime in potential impact. Accordingly, while the substantive compliance requirements may be less granular than those found elsewhere, the consequences of non-compliance demand that organizations treat Australian privacy law with the same rigor they would apply in any major jurisdiction.

This blog post is an installment in Reed Smith's series examining the current state of data privacy laws in major jurisdictions across the United States and around the world. In this post, we will explore the key regulatory challenges and considerations presented by Australia's data privacy and AI legal landscape. Reed Smith has previously analyzed Canada and Japan as part of this series. 

Privacy Act 1988

Processing of personal information

Australia's comprehensive data privacy law is the Privacy Act 1988 (No. 119, 1988) (the "Privacy Act"). The Privacy Act applies to any entity or organization that collects, processes, or uses personal information, regardless of the location or conduct of the organization (Privacy Act, 5B(1), 6(1), 16(c)(1)). In particular, foreign organizations that conduct business in Australia, such as by providing or advertising products or services in Australia, are deemed to be conducting business in the country and thus are subject to the Privacy Act (Id.). The Privacy Act defines personal information broadly to include any information or opinion about an individual who is reasonably identifiable (Privacy Act, 6(1)). However, unlike many privacy laws, the Privacy Act does not distinguish between controllers and processors. Instead, the Privacy Act treats any entity that processes personal information, even in a processor relationship, as an "APP Entity" and thus subject to controller-like obligations as outlined under the Privacy Act (Id.).

In addition, the Privacy Act restricts how an APP Entity may use the personal information collected for a secondary purpose unless the individual consents to the secondary use (Privacy Act, Australian Privacy Principle 6.1). However, consent is not necessary if the secondary use is related to the primary purpose, or in the case of sensitive information, directly related to the primary purpose (Privacy Act, Australian Privacy Principle 6.2(a)(i),(ii)).

Privacy policy

As with most privacy laws, APP Entities must have a clear privacy policy that contains key information on how the APP Entity handles personal information, including the purposes of the processing, how complaints may be processed, and overseas transfers (Privacy Act, Australian Privacy Principle 1.4). The information required in this policy or notice must be presented to the individual at or before the time of collection (Privacy Act, Australian Privacy Principles 5.1, 5.2). In addition, APP Entities cannot collect personal information unless it is reasonably necessary for the entity's functions or activities (Privacy Act, Australian Privacy Principle 3.2). However, the APP Entity must obtain consent if the APP Entity is processing sensitive personal information (Privacy Act, Australian Privacy Principle 3.3). Sensitive information means information or an opinion about an individual's racial or ethnic origin, political opinions or membership of a political association, religious beliefs or affiliations, trade association or union membership, sexual orientation, criminal record, health information, genetic information, or biometric information or templates (Privacy Act, 6(1)).

One of the more distinctive aspects of the Privacy Act relates to unsolicited personal information. If an APP Entity receives personal information that it did not solicit, the APP Entity must destroy or de-identify that personal information as soon as practicable (Privacy Act, Australian Privacy Principles 4.1, 4.2). This requirement highlights why many organizations need to implement and maintain a record retention policy, so that the organization knows what data it is actually collecting and holding.

International data transfers

As with other privacy laws, the Privacy Act regulates how APP Entities send data outside of Australia. There are three primary methods by which a data transfer may occur:

  • APP Entities may conduct international data transfers if the APP Entity takes reasonable steps to ensure that the overseas recipient does not breach the principles and obligations of the Privacy Act (Privacy Act, Australian Privacy Principle 8.1).

  • A data transfer may occur if the APP Entity reasonably believes that the recipient is subject to a law or other binding scheme that at least substantially binds the recipient to principles and obligations similar to the Privacy Act and there is a mechanism for the individual to take action to enforce the law or binding scheme (Privacy Act, Australian Privacy Principle 8.2(a)(i),(ii)).

  • If the APP Entity obtains consent from the individual, then the data transfer may occur to the overseas recipient (Privacy Act, Australian Privacy Principle 8.2(aa)(b),(i),(ii)).

Data subject rights

The Privacy Act allows data subjects certain rights relating to their personal information. In addition to the right to be notified through the privacy policy requirements, the Privacy Act allows individuals to request access to the information that APP Entities hold on that individual (Privacy Act, Australian Privacy Principle 12.1). Moreover, an individual may request that an APP Entity correct information held by the APP Entity when such information is incomplete, incorrect, or out of date (Privacy Act, Australian Privacy Principle 13.1). The APP Entity must, to the extent reasonable, notify third parties of such correction requests (Privacy Act, Australian Privacy Principle 13.2).

Direct marketing

The Spam Act 2003 establishes the primary regulatory framework for commercial electronic messages, including SMS and email communications. Under the Act, a person must not send, or cause to be sent, a commercial electronic message that has an Australian link unless the message complies with the statutory requirements (Spam Act 2003 §16(1)). A commercial electronic message may only be sent where the sender has obtained consent from the recipient (Spam Act 2003 §16(2)). Consent may be either express or inferred from the recipient's conduct and the business or other relationship between the parties (Spam Act 2003 §16(2); Schedule 2, §2). 

Express consent arises where the recipient has explicitly agreed to receive messages, while inferred consent may arise from an existing business relationship or the conspicuous publication of an electronic address by the recipient (Spam Act 2003, Schedule 2, §4). Every commercial electronic message must include accurate information identifying the individual or organization responsible for sending the message (Spam Act 2003 §17(1)). The sender must also ensure the message contains a functional unsubscribe facility that allows the recipient to send a message indicating they do not wish to receive further commercial electronic messages (Spam Act 2003 §18(1)). The unsubscribe facility must remain functional for at least 30 days after the message is sent (Spam Act 2003 §18(1)(c)), and upon receipt of an unsubscribe request, the sender must give effect to the request within five business days (Spam Act 2003 §18(1)(d)).

In addition to the Spam Act, organizations that are APP Entities must comply with APP 7, which governs the use and disclosure of personal information for direct marketing purposes. An organization must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies (Privacy Act, Australian Privacy Principle 7.1). Where the personal information was collected directly from the individual, direct marketing is permitted where the individual would reasonably expect their information to be used for that purpose, a simple means of opting out is provided, and the individual has not made such a request (Privacy Act, Australian Privacy Principle 7.2). Where personal information was collected from a third party, stricter requirements apply, including that the individual has either consented to the use or it would be impracticable to obtain such consent (Privacy Act, Australian Privacy Principle 7.3). All direct marketing communications must provide a simple means by which the individual may request not to receive further direct marketing communications (Privacy Act, Australian Privacy Principle 7.5). Where an individual makes such a request, the organization must give effect to the request within a reasonable period (Privacy Act, Australian Privacy Principle 7.6). An individual may also request that an organization provide its source of the personal information used for direct marketing, and the organization must notify the individual of that source within a reasonable period, unless it is impracticable or unreasonable to do so (Privacy Act, Australian Privacy Principle 7.6(c)).

Penalties

Under the Australian Privacy Act, a body corporate that contravenes the Act may be subject to significant financial penalties. The maximum penalty is the greatest of the following amounts: $50,000,000; three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate that is reasonably attributable to the conduct constituting the contravention; or, if the court cannot determine the value of that benefit, 30% of the body corporate's adjusted turnover during the breach turnover period for the contravention (Privacy Act, Section 13G(3)).

AI

Australia's National AI Plan 2025 establishes a whole-of-government framework anchored in three core goals: capturing AI opportunities through infrastructure and investment, spreading benefits to all Australians, and maintaining safety through robust legal and ethical frameworks. The plan commits over $460 million to AI initiatives, introduces a sovereign AI platform called GovAI for government agencies, and establishes an AI Safety Institute to monitor and test emerging AI capabilities and risks. Rather than introducing AI-specific legislation, the plan builds on existing technology-neutral legal frameworks with sector-specific guidance. Privacy considerations are central to the plan's governance approach, including modernization of the Privacy Act, workplace protections requiring meaningful consultation and transparency about algorithmic management tools, and dedicated reviews of AI's impact on healthcare regulation and consumer protections.

Conclusion

Australia's privacy framework, anchored by the Privacy Act 1988 and supplemented by laws such as the Spam Act 2003, reflects a principles-based regulatory philosophy that provides organizations with meaningful flexibility in achieving compliance. The absence of certain prescriptive requirements found in other jurisdictions, such as detailed processor obligations or expansive individual rights catalogs, may create an impression that Australian privacy law is less demanding. That impression, however, must be tempered by the reality of Australia's enforcement posture and penalty regime. With maximum penalties reaching $50 million, three times the benefit obtained, or 30% of adjusted turnover, organizations face financial exposure that rivals or exceeds many of the world's most stringent privacy frameworks.

As Australia continues to modernize its regulatory approach, including through updates to the Privacy Act and the development of AI governance frameworks, organizations should anticipate that compliance expectations will continue to evolve. Proactive engagement with these requirements is essential, particularly for multinational organizations that must integrate Australian obligations into their broader global privacy programs. For guidance on navigating Australia's privacy landscape and developing a compliance strategy tailored to your organization's operations, please reach out to your Reed Smith attorneys.