Privacy Law — 6 April 2026
Australia's Privacy Act Reforms 2026 — What Changes and What Still Does Not
The reforms are real. The enforcement is still catching up. Here is what you need to know.
What is actually changing
The Privacy Act reforms introduce several meaningful changes for Australian consumers. The most significant is a strengthened right to erasure — meaning you can now formally request that a business delete your personal information, and they are obligated to comply unless they have a legitimate legal reason not to.
The reforms also increase penalties for serious privacy breaches. Previously, fines were capped at levels that large companies simply absorbed as a cost of doing business. The new regime introduces penalties up to $50 million or 30% of adjusted turnover — whichever is greater — for serious or repeated breaches.
The right to erasure — what it means in practice
Under the reformed Act, individuals can request erasure of their personal information from entities covered by the Act. The entity must comply unless one of several exceptions applies — including where retention is required by law, or where the information is necessary to complete a transaction.
The catch: enforcement takes time. Filing a complaint with the OAIC, waiting for investigation, and receiving a determination can take 12-24 months. The reforms give you the right. They do not give you instant results.
What the reforms still do not cover
Small businesses
Businesses with annual turnover under $3 million are still largely exempt from the Privacy Act. Most data brokers operating locally are structured to stay below this threshold.
Overseas brokers
International data brokers collecting Australian consumer data operate in a grey zone. The reforms strengthen Australian law but do not give the OAIC meaningful jurisdiction over companies incorporated abroad.
Aggregated data
Data that has been de-identified or aggregated is treated differently under the Act. Many brokers use this as a shield — the data is technically anonymous until it is combined with other sources.
Historical data
Data already collected and sitting in broker databases does not automatically become subject to erasure rights. You still need to request it actively.
Why you cannot wait for legislation
The reforms are a step forward. They are not a solution. The data that exists about you right now — in broker databases, on people-search sites, in aggregated marketing lists — will not disappear because the law changed. You still need to request removal actively, follow up when requests are ignored, and monitor for reappearance.
The reformed Act gives you stronger legal standing when brokers refuse to comply. It does not automate the process. It does not remove the data without your action.
Using the new rights effectively
The most powerful tool the reforms give individuals is the formal erasure request backed by APP 11.2. When we submit removal requests on behalf of our clients, we reference the relevant Australian Privacy Principles directly. Brokers that ignore these requests now face meaningful penalties — which changes how they respond.
If you want to use the new rights yourself, start with a formal written request citing APP 11.2 and the reformed erasure provisions. Give the entity 30 days to respond. If they do not comply, file a complaint with the OAIC. We include all of the templates for this in our DIY guide.