The privacy obligation lawyers didn’t see coming

This article was first published on 10 July 2026 in the Law Society of NSW Journal here.

The privacy obligation lawyers didn’t see coming

AML/CTF Tranche 2 reform has generated significant attention across the legal profession. What has received far less focus is the privacy consequence that arrives with it. For many law practices, 1 July 2026 does not just mark the start of anti-money laundering obligations, it marks the first time the Privacy Act 1988 (Cth) has ever applied to their practice.


Key Insights

  • From 1 July 2026, legal practices providing designated services under the AML/CTF Act become reporting entities and are simultaneously brought under the Privacy Act 1988 (Cth), regardless of annual turnover.

  • The privacy obligations that arise are not a separate compliance project sitting alongside AML/CTF reform, they are triggered by the same client onboarding and due diligence work the practice is already doing.

  • Legal practices that have not addressed privacy governance before 1 July 2026 face regulatory penalty exposure and Notifiable Data Breaches scheme obligations.


A structural change, not an administrative one

The small business exemption under the Privacy Act to date has historically meant that practices with an annual turnover below $3 million had no obligation to comply with the Australian Privacy Principles (APPs), publish a privacy policy, issue a collection notice, or maintain a data breach response plan. For the majority of smaller legal practices in Australia, privacy compliance has not been a statutory obligation.

That changed on 1 July 2026.

Under section 6E(1A) of the Privacy Act 1988 (Cth), any reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) must comply with the Privacy Act in relation to personal information handled for the purposes of, or in connection with, AML/CTF obligations, regardless of turnover. The under $3 million threshold does not apply to a reporting entity.

This is not a narrow carve-out. The Office of the Australian Information Commissioner (OAIC) confirmed in its April 2026 guidance that where a practice collects personal information for an AML/CTF purpose and a non-AML/CTF purpose simultaneously, which will likely describe many client engagements in a practice providing designated services, the Privacy Act applies to all of that information (OAIC, Privacy guidance for reporting entities under the AML/CTF Act, April 2026, p6).

Because AML/CTF compliance requires those who provide designated services to collect and verify sensitive personal information from clients this collection is the trigger for the new privacy obligations. The two regimes do not sit alongside each other - they overlap at exactly the point where the client relationship begins.

Where the obligations arise

The AML/CTF reforms require practices providing designated services to conduct customer due diligence (CDD) before providing those services. CDD involves collecting, verifying and storing sensitive personal information: names, dates of birth, residential addresses, document details, beneficial ownership structures and, in some cases, information about political exposure or sanctions status.

This is precisely the information that the Privacy Act protects. The moment a practice begins collecting it, the APPs apply.

The APPs of most immediate practical significance for new reporting entities are as follows:

  • APP 1 requires a privacy policy and implementation of internal practices, procedures and systems to support and assure APP compliance.

  • APP 5 requires a collection notice to be provided to clients at or before the point of collection. In practice, this is typically embedded in engagement letters or onboarding documentation.

  • APP 6 governs use and disclosure - personal information collected for an AML/CTF purpose may generally be used and disclosed for that purpose, including disclosure to AUSTRAC via a suspicious matter report. Secondary uses and disclosures, however, require either consent or the operation of an applicable exception.

  • APP 8 requires reasonable steps to ensure that overseas recipients of personal information comply with the APPs – this requirement has direct relevance for practices using cloud-based practice management software with data hosted offshore or who engage staff or contractors offshore.

  • APP 11 requires reasonable steps to protect personal information from misuse, loss and unauthorised access, and requires destruction or de-identification of personal information once it is no longer needed. This now expressly includes appropriate technical and organisational measures.

While the Privacy Act does not expressly require the keeping of a document destruction schedule, in practice this should be done to prove that CDD documents were originally retained and then destroyed as required under APP 11.

Retention of VOI and CDD documents in property transactions

The OAIC’s April 2026 guidance makes one point on document retention that deserves specific attention. From 1 July 2026, the OAIC’s stated position is that practices should not retain scanned copies or photocopies of full identity documents such as driver licences or passports for AML/CTF record-keeping purposes, unless required under Australian law. The AML/CTF Act does not require this retention – what that statute requires is a record of the relevant personal information extracted from the document including name, date of birth, residential address, document type, expiry date and the outcome of the verification process. Retaining more than this creates unnecessary privacy risk (OAIC, Privacy guidance for reporting entities under the AML/CTF Act, April; Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 111).

While this general guidance will be useful to many lawyers required to comply under Tranche 2, it does not take into account legal requirements on property practitioners to collect and store verification of identity (VOI) records under e-conveyancing rules and real property legislation. National e-conveyancing rules administered by the Australian Registrars' National Electronic Conveyancing Council (ARNECC) state that copies of identity documents must be retained for at least seven years from the date of lodgment (ARNECC Model Participation Rules, Version 7, Part 6.6). This means that the same records that should not otherwise be retained for CDD purposes must be retained for the purposes of verification of identity requirements for e-conveyancing. While the OAIC prefers a more minimalistic approach to record-keeping, the opposite approach is taken by ARNECC in relation to the same documents.

There is a genuine tension here which practitioners need to understand. APP 11.2 provides the exception that reconciles these two regimes for the records ARNECC actually requires to be retained - because retention of those records is required by Australian law, the Privacy Act does not prohibit it. To that extent, there is no conflict.

What APP 11.2 does not do is extend that protection to surplus information collected incidentally during the VOI process that falls outside the ARNECC mandate. The Privacy Act continues to govern that surplus, and the OAIC's minimisation preference applies.

For property practitioners relying on the OAIC's April guidance to understand their Tranche 2 obligations, this is the gap the guidance does not address. The OAIC guidance has been prepared for reporting entities generally; it does not grapple with the layered position that applies to conveyancers and property lawyers operating simultaneously under AML/CTF record-keeping rules, ARNECC participation requirements, and the Privacy Act.

The practical risk sits in that gap. Practitioners who retain complete identity documents indefinitely on the assumption that this is required by ARNECC are carrying an exposure they may not have identified. It is the kind of gap that surfaces in a privacy incident review or a regulatory inquiry when the question asked is not whether you retained the document but whether you had a legal basis for retaining all of it.

The answer a practice needs to be able to give is precise: what information is retained, under which legal authority, for how long, and what happens to the rest. Practices that have not worked through that analysis at the level of their actual document-handling procedures, their VOI workflows, and their file destruction policies are not yet compliant in the full sense. Nor are practices whose privacy and collection notices do not accurately reflect what is actually retained and why.

Why scoping the privacy policy to AML/CTF information alone may not be a safe answer

This matters for how practices scope their privacy governance. The same identity document collected at onboarding typically satisfies VOI obligations under the ARNECC Model Participation Rules and CDD obligations under the AML/CTF Act simultaneously. It sits in one file, is handled by the same staff, and is stored in one system. On the OAIC’s own guidance on mixed-purpose collection, the Privacy Act applies to all of that information. A privacy policy scoped only to AML/CTF-collected information is likely to be technically defensible but practically inadequate. The more defensible position is to treat the client onboarding and identity verification file as a whole as within scope of the APPs.

There is a further point practice owners may not have turned their minds to. Where verification of identity has been outsourced to a third-party platform, as is now common, APP 8 has the effect of making the practice responsible for that third party’s compliance with the Australian Privacy Principles, including where the third party handles or stores data overseas. The practice cannot discharge this obligation simply by engaging a provider and assuming the provider’s own compliance is sufficient. That responsibility applied from 1 July, with no transitional period.

Suspicious matter reports and tipping off

The intersection of AML/CTF and privacy obligations creates one situation that warrants careful handling. Where a practice files a suspicious matter report (SMR) with AUSTRAC, disclosure of the client’s personal information to AUSTRAC is lawful under APP 6, because it is required or authorised by the AML/CTF Act. However, the tipping-off prohibition in section 123 of the AML/CTF Act overrides normal privacy transparency obligations. A practice must not disclose to a client that an SMR has been filed or is under consideration.

This has a practical consequence for access requests. If a client requests access to their file under APP 12 and SMR-related material is present, the practice cannot provide that material and cannot explain why access has been refused. The written notice of refusal must not identify the reason. Staff handling access requests need to understand this intersection.

The enforcement context

The OAIC’s regulatory posture has shifted materially in recent years. In Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 36, the Federal Court ordered Australian Clinical Labs to pay a civil penalty of $5.8 million. The company was found to have failed to [1] take reasonable steps to protect personal information, [2] ensure it had carried out an expeditious assessment of whether there were reasonable grounds to believe that an eligible data breach had occurred and [3] notify the OAIC that an eligible data breach had occurred as soon as practicable. The court found that inadequate cybersecurity controls and the absence of an appropriate and tested data breach response plan and incident response training (among other breaches) constituted a failure to meet the APP 11 standard. This was the first civil penalty obtained under the Privacy Act, and it signals a regulator prepared to litigate.

The penalty framework applicable from 1 July 2026 is tiered. Administrative failures can attract infringement notices of up to $330,000 per contravention for a corporation under Tier 1 (it should be noted that the OAIC does not need to go to court to issue an infringement notice, and that the types of matters which could attract an administrative fine include not having a privacy policy which complies with the requirements of the Privacy Act). Interference with privacy at Tier 2 carries civil penalties of up to $3.3 million for a corporation. Serious or repeated interference by a corporation under Tier 3 carries penalties up to $50 million, three times the benefit obtained, or 30% of adjusted annual turnover, whichever is greatest. For an individual, the maximum penalty is $2.5 million (Privacy Act 1988 (Cth) ss 13, 13G).

For practices coming under the Privacy Act for the first time, the Notifiable Data Breaches (NDB) scheme applies from 1 July. Where a practice suspects that a data breach could result in serious harm to affected individual/s, it has 30 days from the time it suspects an eligible data breach has occurred to complete its assessment. Once it becomes apparent there is a likelihood of serious personal harm to an individual or individuals, both the OAIC and affected individual/s must be notified as soon as practicable. It is generally accepted that the breach of identity documents such as passports and drivers’ licences used for VOI and CDD purposes amount to a notifiable data breach because of the potential for serious personal harm in the form of financial crime resulting from identity fraud.

The statutory tort of serious invasion of privacy

The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort of serious invasion of privacy, which commenced on 10 June 2025. The tort applies to intrusion upon seclusion and misuse of private information. Unlike the APP framework, the tort is not confined to APP entities - it applies to individuals and organisations alike, meaning it captures small practices regardless of their status as reporting entities. Only natural persons may sue, and plaintiffs are not required to establish financial loss. Documented privacy governance is perhaps the most effective evidence a defendant can lead to demonstrate that reasonable steps were taken to protect private information. For legal practices handling volumes of sensitive identity information from 1 July, this is a relevant emerging risk, consistent with a broader trend in Australian privacy law toward stronger individual protection and lower barriers to enforcement.

What governance looks like in practice

The OAIC’s April 2026 guidance sets out a practical compliance framework keyed to the APPs most relevant to reporting entities. From 1 July 2026 practices need to have in place a current APP privacy policy, a client-facing collection notice suitable for use at onboarding, internal procedures governing how staff handle, store and destroy personal information, a data breach response plan that addresses the NDB notification decision tree, a register of third-party providers who receive client personal information, including cloud storage providers, and a personal information destruction schedule that reconciles AML/CTF retention obligations with the destruction requirements under APP 11. The OAIC has published a Privacy Essentials Checklist for AML/CTF reporting entities, which provides a useful starting point for practices assessing their current position (OAIC, Privacy guidance for reporting entities under the AML/CTF Act, April 2026).

The practical challenge is that these obligations are not simply a privacy project. They sit at the intersection of AML/CTF requirements, the APPs, and, for practices using e-conveyancing platforms or other digital infrastructure, applicable technology and data retention obligations. Getting the governance framework right requires understanding how the regimes interact, particularly on onboarding, document retention, overseas cloud disclosure, and the handling of SMR-related material.

The time to act is now

The profession has been focused, correctly, on the AML/CTF reform program. The privacy consequence of becoming a reporting entity has received less attention, but now that gap needs to close urgently.

Practices that approach both obligations together are not doing more work. They are doing the same work, namely client onboarding, identity verification, document handling and ongoing monitoring, once, and doing it properly. Practices that treat privacy as an afterthought will find themselves starting from scratch on governance obligations that a regulator is actively enforcing, with a penalty regime that now has real teeth.

Simone Herbert-Lowe is a lawyer, digital risk specialist and director of Law & Cyber. She advises on technology law, privacy, cyber resilience and AML/CTF privacy compliance.

Law & Cyber has produced an AML Privacy Toolkit for Property Practices to assist property practitioners in meeting these new obligations. Full details of the Toolkit are here: AML Privacy Toolkit for Property Practices.

Next
Next

Generative AI and the Australian practitioner: an update on court expectations, professional risk and what your firm needs to do