Data Privacy & Protection.
Australia's privacy landscape is changing faster than most organisations can keep pace with. We provide the specialist legal advice that keeps you compliant, prepared and protected.
OVERVIEW
The Privacy Act 1988 imposes significant obligations on Australian businesses — and the landscape has changed materially.
The Privacy and Other Legislation Amendment Act 2024 (Tranche 1) received Royal Assent on 10 December 2024 and is now in force, introducing a statutory tort for serious invasions of privacy, enhanced OAIC enforcement powers, cybersecurity uplift requirements and new automated decision transparency obligations commencing December 2026. A second tranche of reforms — expected to include removal of the small business exemption and a new "fair and reasonable" test — is being progressed by the Attorney-General but has not yet been introduced as a Bill. At the same time, the Notifiable Data Breaches scheme, international frameworks including GDPR, and sector-specific requirements in financial services and health create a layered compliance environment that requires genuine specialist expertise to navigate.
For many of our clients, data privacy is where they first discover legal exposure they did not know they had. That is precisely why proactive legal advice in this area pays for itself.
What we advise on.
- We advise on compliance with the Australian Privacy Principles under the Privacy Act 1988, including collection and handling obligations, privacy notices and policies, cross-border data flows and the rights of individuals. The Tranche 1 reforms now in force have expanded the obligations of APP entities in several areas — including cybersecurity uplift requirements, enhanced individual rights and new automated decision transparency obligations commencing December 2026. We advise on all of these.
- The Privacy and Other Legislation Amendment Act 2024 (Tranche 1) is now in force. Key provisions already in effect include enhanced OAIC enforcement powers, cybersecurity uplift obligations, the statutory tort for serious invasions of privacy and anti-doxxing offences. Automated decision transparency requirements and the Children's Online Privacy Code follow in December 2026. A second tranche of more significant reforms — including potential removal of the small business exemption, a "fair and reasonable" test for data handling and expanded individual rights — is being progressed by the Attorney-General but has not yet been introduced as a Bill. We advise clients on their current obligations under Tranche 1 and help them prepare for the Tranche 2 changes expected to follow.
- When a data breach occurs, the clock starts immediately. We advise on the scope of the NDB scheme, how to assess whether a breach is notifiable, what notification obligations apply and how to manage the process of notification to the OAIC and affected individuals.
- Australian businesses with operations, customers or data flows in Europe may have obligations under the GDPR. We advise on the scope of those obligations and what a compliant approach looks like for Australian-headquartered organisations.
- We develop and review privacy policies, data breach response plans, data governance frameworks and privacy impact assessments — practical tools that help organisations manage their privacy obligations day to day.
- The Privacy and Other Legislation Amendment Act 2024 introduced a statutory right of action for serious invasions of privacy, in force from June 2025. We advise organisations on their exposure under this new tort and how to minimise liability — particularly in the context of data breaches and cyber incidents.
Who is this for?
General counsel managing enterprise privacy compliance; CFOs and CROs assessing regulatory exposure; healthcare, financial services and legal businesses handling sensitive personal information at scale; and businesses of any size that have experienced or are concerned about a data breach.