Privacy focus heats up as new weapons unleashed

Firms have been warned to expect tougher privacy actions - Newsreel

By McCullough Robertson Lawyers

Australia’s federal privacy regulator has a new enforcement toolkit and a clear-eyed vision about how to deploy it in a strategic and proportionate way.

The regulator is aiming to address privacy harms, clarify the current law and deter some of the privacy invasive practices that Australians experience daily.

With privacy enforcement heating up and a new statutory tort for serious invasions of privacy coming into effect last month, the time to level up your privacy practices and make privacy your business is now.

What has changed?

The need for Australia’s privacy laws and regulatory enforcement to adapt to meet the requirements of the digital era is well understood by government, the community and corporate Australia.

This need is only being exacerbated by the speed and widespread adoption of recent technological advances. Just look at the explosion of AI and how quickly it is being embedded in the products and services we interact with daily.

After a multi-year review of the Privacy Act 1988 (Cth) (Privacy Act), the first tranche of reforms to the Privacy Act became law in December last year.  While the first tranche of reforms may have been a scaled down package, they included (amongst other changes – which you can read about here) a significantly expanded range of regulatory powers and civil penalties that the Privacy Commissioner may call on when investigating potential privacy violations and enforcing the Privacy Act.

This expanded enforcement toolkit now includes the following.

  • New civil penalty tiers for interferences with privacy that significantly lower the bar for holding entities accountable for breaches of the Privacy Act.
  • New compliance and infringement notices (including civil penalties) that can be issued without going to court for certain less serious privacy breaches.
  • Bolstered monitoring and investigation powers, including entry, search and seizure powers to improve regulatory enforcement outcomes.
  • The ability to issue a greater scope of determinations following investigations and require a respondent entity to take steps to prevent or reduce any reasonably foreseeable loss or damage.
  • New powers to conduct public inquiries on the direction or approval of the Minister, which may enable the Privacy Commissioner to investigate a specific industry or market practice.
  • New powers for the courts to make orders, including compensation orders, where the court determines that an entity has contravened a civil penalty provision and the individual has suffered, or is likely to suffer, loss or damage as a result of the contravention.

While there is much anticipation about the second tranche of privacy reforms following the recent federal election, in her opening address for Privacy Awareness Week 2025, Privacy Commissioner Carly Kind made it clear that the Office of the Australian Information Commissioner (OAIC) does not intend to wait.

What have we seen so far?

Cyber related litigation

With data breaches, particularly those caused by malicious actors, remaining stubbornly common, it is of no surprise that we continue to see enforcement action and litigation flowing from these events.

Notably, the OAIC continues to prosecute civil penalty proceedings against Medibank and Australian Clinical Labs alleging serious interferences with the privacy of individuals in connection with their respective large scale data breaches.  ASIC, too, continues to bring proceedings against its regulated population in relation to failures to implement adequate cybersecurity measures.

Separate to these regulatory actions, class actions against Medibank and Optus continue to progress, with both proceedings shining a light on the complexities of establishing and maintaining legal professional privilege over reports procured in the aftermath of a cyber event.

Strategic OAIC determinations

In the last 12 months, we have seen several investigations and determinations targeting key areas of priority for the OAIC, including:

  • In October last year, the Privacy Commissioner issued an adverse determination against Bunnings Group Limited in relation to its use of facial recognition technology in at least 62 Bunnings stores in Victoria and New South Wales between 2018 and 2021.
  • In November last year, the Privacy Commissioner issued adverse determinations against Master Wealth Control Pty Ltd t/a DG Institute and Property Lovers Pty Ltd. That company collected and used publicly available information from daily court listings across Australia and published death or funeral notices to create lead lists for property investors of potentially distressed properties where the owner may be willing to sell below fair market value due to their personal circumstances.  This decision follows the OAIC’s focus on data scraping and misuse of publicly available information.

What should organisations be doing now?

In the face of these developments, organisations and their leadership should focus their attention on the following matters:

Ensure your house is in order

  • Revisit your privacy compliance framework, assess your level of compliance and privacy risk, and ensure you have effective and embedded policies, practices, procedures and systems in place to comply with the Privacy Act and the APPs; and
  • Keep an eye out for new and refreshed OAIC guidance, determinations and any court and tribunal decisions, and review your practices if needed.

Focus on data governance and security

  • Only collect the personal information you need and ensure you have embedded effective data retention and destruction practices.
  • Invest in data governance to ensure your management and use of personal information complies with the APPs. In addition to the compliance and risk benefits, this will be an important enabler of safe innovation and adoption of AI.
  • Consider whether your cyber security risk management framework and resources are adequate to manage cyber risks and respond to potential weaknesses in your organisation’s technical and organisational security measures; and
  • Have up-to-date and tested incident response plans that detail the steps your organisation will take in the event of a cyber incident (including immediately and until the matter is resolved), which may include swift engagement with relevant regulators.

Undertake privacy impact assessments on high risk or privacy invasive technologies and practices

  • Assess the privacy risks and impacts associated with any high-risk practices or privacy invasive technology (including AI and biometric enabled technology) and carefully weigh the benefits against the privacy impacts.
  • Ensure safeguards are implemented and appropriate ongoing assurance is in place.

Ensure you are prepared for regulatory engagement

  • Expect to be required to show, not tell. Regulators will expect to see relevant policies and procedures as well as evidence of their ongoing implementation.
  • In the event of a cyber security breach, regulators will want to see that you have acted promptly to contain the breach and minimise risk of harm to individuals, and that you understand the root cause and have fully remediated the root cause to prevent reoccurrence.

McCullough Robertson Partners Alex Hutchens and Peter Stokes authored this article with support from Special Counsel Jane Davies, Senior Associate Grace Ball and Lawyer Chelsea Bodimeade.
