AIRiskAware

Australia 11 min read 2026

Australia's Privacy Act Reforms and AI: What the New Obligations Mean for Your Organisation

The Privacy and Other Legislation Amendment Act 2024 introduced Australia's most significant privacy reforms in decades — including a statutory tort for serious privacy invasions. How these reforms intersect with AI, what's changed, and what's coming next.

Key Takeaways

  • The Privacy and Other Legislation Amendment Act 2024 introduced Australia's first statutory tort for serious invasions of privacy — AI systems that surveil, profile, or expose personal information without consent may now give rise to civil liability.

  • The 2024 reforms also introduced a Children's Online Privacy Code framework — AI systems that collect or process data about children under 16 face specific prohibitions and heightened obligations.

  • The OAIC's expanded powers include the ability to conduct own-motion investigations and to seek civil penalties for serious or repeated privacy breaches — AI-related privacy breaches are explicitly within scope.

  • The Australian Government's response to the Privacy Act Review recommended 116 reforms — many are still to be legislated, including a 'fair and reasonable' test for data collection that would significantly constrain AI training data practices.

  • Organisations should not wait for all reforms to be legislated — the OAIC is applying heightened scrutiny to AI-related privacy practices now, and the statutory tort is already in force.

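"For reference only. This article does not constitute legal, regulatory, financial, or professional advice. For specific guidance, please consult a qualified expert."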

What changed in 2024 and what it means for AI

The Privacy and Other Legislation Amendment Act 2024 received royal assent in late 2024 and introduced the most significant changes to Australian privacy law since the Privacy Act 1988 was enacted. For AI governance, three reforms are immediately relevant: the statutory tort for serious privacy invasions, the children's online privacy framework, and the OAIC's expanded enforcement powers.

The statutory tort creates a new civil cause of action for individuals whose privacy has been seriously invaded. An AI system that enables surveillance, that profiles individuals without their knowledge or consent, that enables stalking through location data, or that publicly exposes sensitive personal information may now give rise to civil liability — not just regulatory enforcement. The tort requires that the invasion be "serious" and that a reasonable person in the plaintiff's position would have a legitimate expectation of privacy. These are contested standards that will be developed by courts over time, but organisations deploying AI that processes sensitive personal data should treat the tort as a material risk.

The Children's Online Privacy Code

The 2024 reforms created the framework for a Children's Online Privacy Code — mandatory protections for the privacy of children online, to be developed by the OAIC and given legal force through regulation. While the specific Code is still being developed, the framework establishes that age-appropriate design, meaningful consent for data collection from children, and prohibition on certain practices (targeted advertising based on children's data, deceptive design patterns) will be statutory requirements. AI systems used in contexts where children may be present — educational platforms, gaming, social media, streaming services — should begin assessing their compliance posture now.

The 'fair and reasonable' test: the reform that will most affect AI

The most significant recommended reform yet to be legislated is a requirement that the collection, use, and disclosure of personal information be "fair and reasonable" in the circumstances. This would replace the current purpose-based framework with a broader reasonableness assessment — directly affecting AI training data practices, behavioural analytics, and the use of personal data in AI systems. An AI model trained on data that individuals provided for a different purpose, without their meaningful awareness, may not satisfy a fair and reasonable test. Organisations planning AI initiatives that depend on broad personal data use should factor this reform into their roadmap.

OAIC enforcement posture in 2026

The OAIC's expanded powers — including own-motion investigations, increased civil penalties, and a strengthened complaint process — are being actively used. The Commissioner has specifically flagged AI and privacy as a priority area. The enforcement pattern emerging in 2026: the OAIC is willing to investigate AI privacy issues without waiting for individual complaints, is applying the expanded powers seriously, and is publishing findings in sufficient detail that the AI governance expectations are becoming clearer. Organisations that engage proactively with the OAIC on AI privacy issues — rather than waiting for enforcement — achieve significantly better outcomes.