Australia is now moving fast to reshape its legal landscape around privacy and AI. New laws, rules, and reforms are being rolled out. They aim to protect individuals, raise business accountability, and manage risks of AI in health and other high-stakes sectors. What follows is a detailed look at what has changed, whatโs coming next, and what organisations need to do now to stay compliant and trustworthy.
Australiaโs Privacy Laws: Whatโs New
On 10 June 2025, Australia enacted several key reforms to its privacy regime. One of the biggest shifts is the introduction of a statutory tort for serious invasions of privacy. This gives individuals, including employees, the right to sue organisations or other individuals when private information is misused or surveillance is unauthorised. (aca.org.au)
Also under the new rules:
- Penalties have increased. Organisations that breach privacy laws or suffer data breaches are under greater scrutiny. Fines can reach tens of millions of dollars depending on severity. (LexisNexis)
- Organisations must take proactive steps. They must have robust practices, procedures, and systems in place just to comply. Itโs no longer enough to respond after a breach. (Ashurst)
- New powers for regulators. The Office of the Australian Information Commissioner (OAIC) has more enforcement tools, including criminal offences in some circumstances (for example, doxxing), plus stronger oversight. (LexisNexis)
These reforms follow a series of concerning data breaches. One high-profile case is the 2022 Optus breach, in which about 9.5 million customers had sensitive personal data exposed. The OAIC has since brought litigation against Optus, alleging violation of duties under the Privacy Act. (Reuters)
AI in Health: Regulating for Trust and Risk
Artificial intelligence is no longer a future topic in Australiaโs healthcare systems. It is already in useโand regulators are catching up. (Department of Health)
The governmentโs โSafe and Responsible AI in Health Careโ Review, published recently, lays out a framework for how AI must be managed in high-risk healthcare settings. (Department of Health) Key findings include:
- Existing regulatory systems are fragmented. Laws vary across Commonwealth and states or territories. Some AI use falls outside current rules. (Department of Health)
- There is demand for mandatory guardrails. These are rules or standards for AI when the risk is high (e.g. AI that influences diagnosis or patient safety). General guidance is not enough. (Department of Health)
- Need for stronger governance and oversight. Organisations deploying AI in health should adopt clear ethical, safety, and data governance frameworks. Transparency is essential. (Department of Health)
The Therapeutic Goods Administration (TGA) has also reviewed how medical device softwareโincluding AI-powered systemsโshould be regulated. The TGAโs recent report, โClarifying and Strengthening the Regulation of Medical Device Software including AI,โ signals practical changes. (Therapeutic Goods Administration (TGA)) Some of the areas under scrutiny:
- Defining who is the โmanufacturerโ or โsponsorโ of software or AI systems, especially when development, hosting, or deployment are split among several parties. (KD&A)
- Clarifying what counts as โsupplyโ when we talk about software or AI components. (KD&A)
- Ensuring safety, traceability, liability. When AI makes a wrong suggestion or error, who is responsible? These questions are being addressed. (Department of Health)
Balancing Innovation and Accountability
Thereโs strong tension in Australia right now. On one hand, industries, academia, and government recognise huge promise in AI for productivity, diagnostics, efficiency. On the other, there is concern about harm: privacy breaches, bias, misuse, lack of trust, and legal uncertainty. (iapp.org)
The Productivity Commission, among others, is considering reforms to copyright rules to allow text and data mining as a fair dealing exception. This could unlock substantial value for AI development. But creators and rights holders are pushing back, asking for fair compensation and protections. (The Guardian)
Meanwhile, major companies like Meta are warning that overly broad privacy changes might hurt innovation and investment. They argue Australia should aim for rules aligned with global standards so that it remains an attractive location for AI research and deployment. But critics say public safety, equity, and rights should not be sacrificed. (The Australian)
What Organisations Must Do Now: Concrete Steps
If you are in a business, government, or healthcare organisation, here are key actions to stay ahead of the curve:
- Audit your data practices
Map out what personal data you collect. Where is it stored? Who sees it? Who processes it (internal, cloud, contractors)? Review third-party contracts for privacy risk. (Prosper Law) - Update policies and roles
Make sure privacy policies are clear and reflect the new laws (statutory tort, breach response, etc.). Assign a privacy officer or equivalent. Ensure internal accountability for privacy and AI compliance. (Prosper Law) - Strengthen security and incident-response procedures
Upgrade cybersecurity protections (encryption, access controls, monitoring). Prepare for breach response: how to notify regulators and affected individuals. Develop a โdeclaration protocolโ if a Ministerโs intervention may be needed when a breach occurs. (Johnson Winter Slattery) - Assess AI systems for risk especially in health settings
Determine whether your AI tools are โhigh risk.โ If so, implement guardrails: data governance, bias testing, transparency, human oversight. Ensure software classification is clear, and liability is assigned. (Department of Health) - Ensure compliance with copyright and data mining rules
Keep abreast of any changes granting text and data mining exceptions. If those pass, figure out what lawful data sources can be used, what compensation might be required, and how to document use. (The Guardian) - Train staff and build awareness
Everyone from leadership down must understand the risks. Run training on privacy obligations, data handling, AI governance. Make sure all teams know what a privacy breach looks like and what to do. (Aintree Group Legal) - Monitor regulatory developments and engage early
These reforms are rolling out in tranches. Some provisions are now law; others are still in consultation. Keep track of drafts, new guidance, and sector-specific obligations. If possible, participate in consultations or industry groups. (Ashurst)
Risks if You Donโt
Skipping these reforms is risky. Consequences may include:
- Legal liability: lawsuits under the new statutory tort for serious invasions of privacy. (aca.org.au)
- Large fines for breaches. OAIC has enhanced powers. (LexisNexis)
- Reputational damage: loss of trust from customers, patients, stakeholders. One breach can ruin credibility.
- Operational disruption: delays, costs from forced compliance, retrofits, or litigations.
Outlook: What to Expect Next
The legislative work is not over. Some reforms are complete. Others are in drafts or consultation. Laws around AI guardrails in high-risk settings are still being finalised. (Department of Health)
Expect:
- Stronger rules for companies that build or supply AI systems. Definitions will sharpen. Roles and responsibilities will be more clearly assigned.
- More required transparency: how AI models are trained, what data they use, how decisions are made.
- Increased regulator enforcement and oversight. OAIC is signaling that it will use its new powers. (Ashurst)
- Greater public and professional scrutiny, especially around bias, privacy invasions, and misuse of medical and personal data.
Conclusion
Australia is in the midst of a sweeping transformation in privacy and AI regulation. The country is aiming to protect individuals, uphold trust, and allow innovation. For organisations, the message is clear: adapt now or risk being left exposed. Taking concrete action on data audits, governance, security, staff training, and AI risk will be essential.
For professionals, regulators, and stakeholders, staying engaged with the reforms is not optional. It is critical.
