TL;DR
The Privacy and Other Legislation Amendment Act 2024, passed on 29 November 2024 and granted Royal Assent on 10 December 2024, is the largest update to the Australian Privacy Act 1988 in a decade. Three sets of changes matter most to CISOs in 2026: the statutory tort of serious invasions of privacy (active since 10 June 2025), the children's privacy reforms and Children's Online Privacy Code (commencing 10 December 2026), and the new OAIC enforcement powers backed by tiered civil penalties. The OAIC has signalled that AI, automated decision-making, and data brokers are at the top of its 2026 enforcement priorities. Updated 2026-05-20.
What the amendment act actually changed
The Privacy and Other Legislation Amendment Act 2024 sits inside the Australian Government's two-tranche response to the Privacy Act Review Report released in February 2023. The Attorney-General's Department published the Government Response in September 2023, agreeing or agreeing in principle to 106 of the 116 review proposals; the 2024 amendment Act implements the first tranche, with further tranches expected in 2026 and beyond. The Office of the Australian Information Commissioner (OAIC) is the regulator; civil penalty provisions are enforced through the Federal Court.
Six change clusters in the 2024 Act matter to CISOs.
First, a statutory tort of serious invasions of privacy is created, giving individuals a direct cause of action against organisations (and other individuals) for intrusion upon seclusion or misuse of information relating to them.
Second, a Children's Online Privacy Code is mandated: the OAIC must develop and register the Code within 24 months of commencement (by 10 December 2026), and APP entities providing online services likely to be accessed by children must then comply with it on top of their existing APP obligations.
Third, transparency obligations for automated decision-making are added to Australian Privacy Principle 1 (new APP 1.7 to 1.9), requiring an entity's privacy policy to describe decisions made, or substantially and directly assisted, by computer programs where the decision could reasonably be expected to significantly affect an individual's rights or interests.
Fourth, tiered civil penalty provisions extend the OAIC's enforcement toolkit below the existing serious or repeated interference penalty: a mid-tier civil penalty for interferences with privacy that do not meet the serious threshold, and a low-tier infringement-notice regime for breaches of specified APPs.
Fifth, criminal offences are created in the Commonwealth Criminal Code for doxxing (using a carriage service to publish personal data in a way that is menacing or harassing), with a higher maximum penalty where the conduct targets people on the basis of a protected attribute.
Sixth, the OAIC receives expanded information-gathering, inquiry and code-making powers, including the power to issue compliance notices and to require entities to undertake privacy impact assessments.
The headline penalty regime that already applied since December 2022 - up to AUD 50 million, or three times the benefit derived, or 30 percent of adjusted turnover during the breach period (whichever is greater) for serious or repeated interferences with privacy - remains. The 2024 Act adds graduated civil penalty tiers below that ceiling so the OAIC can match the response to the severity of the conduct.
Statutory tort of serious invasions of privacy
The statutory tort of serious invasions of privacy commenced on 10 June 2025, six months after Royal Assent. It creates a direct cause of action that individuals can bring against organisations (and other individuals) where a person in the plaintiff's position would have had a reasonable expectation of privacy, the invasion was intentional or reckless and serious, and the public interest in protecting the plaintiff's privacy outweighs any countervailing public interest.
For CISOs the operational implication is significant. Before the tort, regulatory enforcement was the main credible exposure: the OAIC had limited power to award individual remedies, and class actions for privacy breaches were procedurally fraught. The tort gives individuals and class plaintiffs a direct action in the Federal Court or a state or territory court of competent jurisdiction. Damages for non-economic loss are capped by reference to the general damages cap that applies in defamation (indexed annually; check the current figure before modelling exposure). Aggravated damages are available, and exemplary damages in exceptional circumstances.
Two categories of invasion are covered: intrusion upon seclusion (such as unauthorised surveillance, intrusion into private affairs, interception of communications) and misuse of personal information (publication, disclosure, or other misuse of information about an individual that is not in the public interest). Both categories map to AI failure modes. An agentic system that scrapes social profiles to enrich a sales lead, a customer-facing assistant that surfaces another customer's records, a model trained on personal data without lawful basis, or a synthetic content generation tool that produces deepfakes of identifiable individuals all map cleanly to the tort's covered conduct.
The Act provides defences including consent (express or implied), lawful authority, and conduct incidental to the lawful defence of persons or property, and it exempts journalism and certain law-enforcement, intelligence and agency activities. Consent has to actually exist; a belief that the individual would have consented does not supply it, so evidence-grade consent records are what a defendant needs. Our earlier Australian privacy guide covers the consent framework in depth.
Children's privacy reforms (commencing 10 December 2026)
The OAIC must develop and register the binding Children's Online Privacy Code within 24 months of Royal Assent, that is by 10 December 2026. Once registered, APP entities providing online services likely to be accessed by children (under 18) must comply with the Code on top of their existing APP obligations.
The Code's substance has been broadly signalled through the Government Response and through the OAIC's consultation work in 2024-2025. Expected requirements include default privacy settings calibrated to a child user's age, age-appropriate transparency notices, prohibitions on profiling for direct marketing, restrictions on dark patterns that encourage children to disclose personal information, special handling for biometric data of children, and parental notification mechanisms for high-impact processing.
For CISOs the practical implication is that any AI feature (copilot, recommendation engine, search assistant, content generation tool) inside a consumer product likely to be accessed by children must be reviewed against the Code before 10 December 2026. Three preparation steps stand out. First, identify which of your products are in scope: any service likely to be accessed by children, not only services aimed at children. Second, run a children's privacy impact assessment that covers data flows, AI-driven personalisation, and engagement design patterns. Third, build the operational pipeline for age assurance, defaulting to the strictest setting where age is unknown and withholding consequential AI features from users whose adult status is unverified.
Automated decision-making transparency
The 2024 Act amends Australian Privacy Principle 1 (inserting APP 1.7 to 1.9) to require an APP entity's privacy policy to include information about decisions made, or substantially and directly assisted, by computer programs where the decision could reasonably be expected to significantly affect an individual's rights or interests. The obligation commences 10 December 2026 (24 months after Royal Assent), but the OAIC has signalled that it expects organisations to begin preparing now.
The required disclosure covers the kinds of personal information used by those programs, the kinds of decisions made solely by them, the kinds of decisions they substantially and directly contribute to, and information about how affected individuals can seek a review. The thresholds are comparable to, but broader than, the EU GDPR Article 22 framework, which is limited to solely automated decisions with legal or similarly significant effects; the OAIC is expected to draw on that body of guidance when it issues its own.
For CISOs the practical implication is that the privacy policy is now a controlled document with AI-system content - and a CISO must be involved in drafting it. AI workloads in scope typically include credit decisioning, insurance underwriting, fraud detection, employment screening, education admissions, dynamic pricing, and content moderation actions. A CISO who finds their organisation's privacy policy still references "automated tools" in generic language, without naming the substantive decision categories, has a 2026 work item.
The Areebi audit log captures the model, policy version, and inputs that drove each automated decision, so the review mechanism the privacy policy commits to can actually be operated end-to-end without separate reconstruction work.
OAIC enforcement priorities for 2026
The OAIC publishes a corporate plan annually and signals enforcement priorities through Privacy Awareness Week materials, regulatory action statements, and direct guidance. Reading across the 2024-2025 materials and the Information Commissioner's public statements, three priorities dominate the 2026 outlook.
Priority 1: AI and automated decision-making. The OAIC's Generative AI guidance (October 2024) set out expectations for use of personal information in commercial AI deployments and in employer use of AI tools. The 2026 enforcement programme is expected to test those expectations with concrete actions, particularly where consent was assumed rather than collected, where automated decisions affect access to credit or services, and where training data of identifiable individuals was used without a lawful basis.
Priority 2: Data brokers and third-party data flows. The Privacy Act Review identified data broker activity as a significant compliance gap. The OAIC has signalled that organisations relying on bought or scraped personal data sets - including AI training corpora obtained from third parties - should expect closer scrutiny.
Priority 3: Notifiable Data Breaches and AI-related incidents. The OAIC's six-monthly Notifiable Data Breaches reports through 2024-2025 continued to record phishing, compromised credentials and social engineering as leading causes; the AI-enabled variants of these (personalised phishing, deepfake-assisted social engineering, credential stuffing at scale) and AI configuration errors (retrieval pipelines exposing data, agents calling tools without authorisation) are the incident classes to plan for. The scheme itself is unchanged: a suspected eligible data breach must be assessed within 30 days, and the OAIC and affected individuals notified as soon as practicable once the entity forms the belief that an eligible breach has occurred. The 2024 Act gives the OAIC stronger information-gathering powers to test whether those timelines were met.
12-month CISO compliance checklist
The checklist below is the one Areebi recommends to Australian CISOs preparing for the 10 December 2026 substantive commencement. It is organised as four quarters of work across the 2026 calendar year, with the substantive commencement date as the gate.
| Quarter | Item | Responsible | Artefact |
|---|---|---|---|
| Q1 | Inventory all substantially automated decisions affecting individuals | CISO + Privacy Officer | Automated decisions register with risk tier |
| Q1 | Inventory products and features likely to be accessed by children | Product + Privacy Officer | Children's exposure register |
| Q1 | Review privacy policy for APP 1.7 automated decision disclosures | Privacy Officer + Legal | Updated privacy policy v2 with AI section |
| Q1 | Run statutory-tort exposure assessment across AI workloads | CISO + Legal | Tort exposure heat map plus mitigation plan |
| Q2 | Run children's privacy impact assessment for in-scope products | Product + Privacy Officer | Children's PIA per product |
| Q2 | Implement consent and age assurance defaults aligned to the Code | Product + Engineering | Updated UX flows plus consent capture records |
| Q2 | Update AI Acceptable Use Policy with Australian privacy clauses | CISO + Privacy Officer | Policy v2 plus enforcement rules in policy engine |
| Q2 | Extend incident response runbook for AI privacy events | SOC + Privacy Officer | Updated runbooks plus tabletop minutes |
| Q3 | Audit training corpora for personal data lawful basis | Data Engineering + Legal | Training data lawful-basis register |
| Q3 | Audit retrieval pipelines for access control propagation | Engineering + CISO | RAG governance assessment report |
| Q3 | Enable per-interaction audit logging with model and policy version | CISO + Platform | Audit log sample plus retention policy |
| Q4 | Run final readiness assessment against Children's Online Privacy Code | Privacy Officer + Product | Readiness sign-off paper |
| Q4 | Brief Board on Privacy Act 2026 exposure and remediation status | CISO | Board paper plus signed risk appetite statement |
| Q4 | Run year-end tabletop including statutory tort scenarios | CISO + Legal + SOC | Exercise after-action review |
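The Q3 items on retrieval-pipeline access control and per-interaction audit logging are the two in the checklist that are engineering work rather than paperwork, and they are the controls behind the "assistant surfaces another customer's records" failure mode the tort section describes. The example below is an added illustration for this page, not Areebi's or AnythingLLM's code. It shows the vulnerable pattern (retrieval that ignores who is asking) beside the hardened one (tenant and role filtering applied before ranking, so forbidden documents never reach the model), plus an audit record carrying the fields the checklist asks for. The corpus, principals, model identifier and policy version are constructed for the example; a production deployment pushes the same filter into the vector store's metadata query rather than filtering in application code.

```python
"""ACL-propagating retrieval with a per-interaction audit record.

Added illustration for this page, not Areebi's or AnythingLLM's code.
The corpus, principals, model_id and policy_version are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class Doc:
    doc_id: str
    tenant: str                 # customer whose record this is
    data_classes: frozenset     # e.g. {"contact"}, {"health"}
    allowed_roles: frozenset    # roles permitted to read it
    text: str


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    roles: frozenset


# Constructed sample corpus (not real data).
CORPUS = [
    Doc("d1", "acme",   frozenset({"contact"}), frozenset({"support"}),   "Acme main contact: ops@acme.example"),
    Doc("d2", "acme",   frozenset({"health"}),  frozenset({"clinician"}), "Acme employee health record: asthma"),
    Doc("d3", "globex", frozenset({"contact"}), frozenset({"support"}),   "Globex main contact: help@globex.example"),
]


def rank(query, docs, k=5):
    """Toy relevance ranking: number of query terms present in the text.

    Stands in for a vector similarity search; the ACL point below does not
    depend on how ranking is done.
    """
    terms = query.lower().split()
    scored = [(sum(t in d.text.lower() for t in terms), d) for d in docs]
    return [d for score, d in sorted(scored, key=lambda s: -s[0]) if score > 0][:k]


def naive_retrieve(query, corpus=CORPUS, k=5):
    """Vulnerable pattern: retrieval ignores who is asking.

    Whatever ranks highest is handed to the model, including another
    tenant's records and data classes the caller may not read.
    """
    return rank(query, corpus, k)


def can_read(principal, doc):
    """Document-level ACL: same tenant and at least one permitted role."""
    return doc.tenant == principal.tenant and bool(doc.allowed_roles & principal.roles)


def acl_retrieve(principal, query, corpus=CORPUS, k=5):
    """Hardened pattern: apply the ACL before ranking.

    Filtering first means forbidden documents never reach the ranker or the
    model, and top-k is filled only from what the caller is allowed to see.
    """
    visible = [d for d in corpus if can_read(principal, d)]
    return rank(query, visible, k)


def leaked_docs(principal, docs):
    """Detection helper: ids of result documents the caller may not read."""
    return [d.doc_id for d in docs if not can_read(principal, d)]


def audit_record(principal, query, docs, model_id, policy_version):
    """Per-interaction record: who, which model and policy version, which
    documents and data classes. The query is stored as a digest so the audit
    log does not itself become a store of personal information."""
    classes = sorted(set().union(*(d.data_classes for d in docs)))
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": principal.user_id,
        "tenant": principal.tenant,
        "model_id": model_id,
        "policy_version": policy_version,
        "query_sha256": hashlib.sha256(query.encode()).hexdigest(),
        "doc_ids": [d.doc_id for d in docs],
        "data_classes": classes,
    }


if __name__ == "__main__":
    support = Principal("u-17", "acme", frozenset({"support"}))
    print("naive leaks:", leaked_docs(support, naive_retrieve("contact")))  # ['d3']
    hits = acl_retrieve(support, "contact")
    print("acl result :", [d.doc_id for d in hits])                         # ['d1']
    print(audit_record(support, "contact", hits, "model-x", "2026.1"))
```

The audit record deliberately stores a digest of the prompt rather than the prompt itself; a log that holds raw prompts full of customer details is a second copy of the personal information you are trying to govern, with its own retention and breach exposure. Retention for the record itself should be set to cover the review mechanism your privacy policy promises and the Notifiable Data Breaches evidence window.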
At Areebi, we built the policy engine, audit log, and DLP layer specifically because the Australian privacy regime now expects the same evidence-grade controls as the European, US federal, and state regimes - and reconciling those evidence streams quarter by quarter is what consumes the privacy office's budget when the controls are implemented in disparate tools.
Common pitfalls
Pitfall 1: Treating the statutory tort as a future concern. The tort has been active since 10 June 2025. Class actions for privacy invasions tied to AI workloads are now procedurally viable in the Federal Court. CISOs who deferred tort-readiness pending the 10 December 2026 substantive commencement are operating without insurance against the most likely individual remedy pathway.
Pitfall 2: Confusing the AI Act trajectory with the Privacy Act trajectory. Australia does not have an EU AI Act analogue. The Privacy Act is the principal AI-relevant regime, supplemented by the voluntary AI Ethics Principles, the Voluntary AI Safety Standard (DISR, September 2024), the proposed mandatory guardrails for high-risk AI (DISR proposals paper; consultation closed October 2024), and sector-specific regimes (APRA CPS 230 operational risk requirements for prudentially regulated entities, the eSafety Commissioner's online safety codes). The CISO checklist must cover the Privacy Act and the proposed mandatory guardrails together; relying on either alone leaves a gap.
Pitfall 3: Treating the Children's Online Privacy Code as a consumer-product-only concern. The Code applies to any APP entity providing an online service likely to be accessed by children, which includes B2B SaaS products that have any consumer-facing surface (support portal, customer onboarding, billing), education-sector products, gaming, social platforms, and any product with a free or freemium tier accessible without age verification. Scoping the Code narrowly to "children's products" misses the larger compliance footprint.
Pitfall 4: Underestimating the OAIC's new code-making and compliance-notice powers. The 2024 Act gives the OAIC the ability to require entities to develop or implement privacy impact assessments, to issue compliance notices on identified contraventions, and to register binding APP codes for specific industries. The OAIC's regulatory action posture in 2025 has been notably more assertive than in the pre-amendment period. CISOs who modelled the OAIC on its 2018-2022 posture have miscalibrated the 2026 outlook.
How Areebi reduces the Privacy Act 2026 evidence burden
Areebi is an AI control plane built on AnythingLLM that ships with the policy, audit, and DLP primitives Australian CISOs need to discharge the 2026 obligations without bolting them on after the fact.
Audit log for APP 1.7 and the statutory tort. Every AI interaction is recorded with model identifier, policy version, user identity, retrieval provenance, and the data classes touched, with retention configurable to match the Notifiable Data Breaches evidence horizon. Reviewers can reconstruct an automated decision end-to-end, which is what the APP 1.7 review-mechanism commitment actually requires in practice. See the audit log overview.
Policy engine for Children's Online Privacy Code and AUP enforcement. Children's-product policies (age assurance defaults, profiling restrictions, dark-pattern prohibitions) and the broader AI Acceptable Use Policy live as machine-readable rules enforced at the prompt layer. Each rule is git-versioned, so the policy state at the time of any decision is reconstructable. See the policy engine overview.
DLP for personal information protection. Per-class DLP rules prevent specific categories of personal information (health data, child identifier patterns, biometric markers) from leaving the perimeter regardless of which AI provider receives the payload. See the DLP controls overview.
The Areebi AI Governance Assessment includes an Australian Privacy Act 2026 readiness module aligned to the 14-item quarterly checklist above and produces a documented remediation plan inside 30 minutes.
What to read next
To go from Privacy Act understanding to operational programme, work through this cluster.
- Australia AI Privacy Act 2026 - the original Areebi long-read on the broader Australian privacy and AI regime.
- AI compliance landscape 2026 - the cross-jurisdiction view including the APAC framing.
- AI compliance checklist enterprise - the audit-evidence list applicable across regions.
- NIST AI RMF implementation guide - the framework Australian CISOs increasingly adopt as the operational baseline.
- Build an AI governance programme - the operating model that wraps the Privacy Act requirements in a sustainable structure.
- DORA + AI for financial institutions - the European parallel that informs APRA-regulated entities operating cross-jurisdiction.
Frequently Asked Questions
When does the Privacy and Other Legislation Amendment Act 2024 take effect?
The Act received Royal Assent on 10 December 2024, and its provisions commence at different times. Most of the Act, including the tiered civil penalties, the infringement and compliance notice regimes and the OAIC's expanded information-gathering powers, commenced the day after Royal Assent (11 December 2024), as did the doxxing criminal offences. The statutory tort of serious invasions of privacy commenced 10 June 2025 (six months after Royal Assent). The Children's Online Privacy Code must be registered by 10 December 2026 (24 months after Royal Assent), which is also when the new APP 1.7 automated decision-making transparency obligation commences.
Does the statutory tort apply to AI-related privacy invasions?
Yes. The tort covers two heads, intrusion upon seclusion and misuse of information relating to the individual, both of which capture common AI failure modes. An agentic system that scrapes social media to enrich a sales lead, a customer-facing assistant that surfaces another customer's records, a model trained on personal data without lawful basis, and a synthetic content generation tool that produces deepfakes of identifiable individuals all fall within the tort's covered conduct. Damages for non-economic loss are capped by reference to the defamation general damages cap (indexed annually; check the current figure), with aggravated damages available and exemplary damages in exceptional circumstances.
Who is in scope of the Children's Online Privacy Code?
Any APP entity providing an online service likely to be accessed by children (under 18). The scope is intentionally broader than 'services aimed at children' - a B2B SaaS product with a customer support portal, a freemium tier accessible without age verification, or a content website without age restrictions can all fall within scope. CISOs should run a children's exposure register across the product portfolio in Q1 2026 rather than assume the Code applies only to consumer-children products. The OAIC is required to register the Code by 10 December 2026.
What does the new APP 1.7 require for automated decision-making disclosure?
Once the amendment commences on 10 December 2026, APP 1.7 will require an entity's privacy policy to include information about decisions made, or substantially and directly assisted, by computer programs where the decision could reasonably be expected to significantly affect an individual's rights or interests. The required disclosure covers the kinds of personal information used, the categories of decisions made solely by or with substantial assistance from such programs, and information about how affected individuals can seek a review. The thresholds are comparable to, but broader than, the EU GDPR Article 22 framework, which applies only to solely automated decisions. CISOs should treat the privacy policy as a controlled document containing AI-system content and update it through Q1 2026 ahead of the substantive commencement.
What are the OAIC's 2026 enforcement priorities?
Three priorities dominate the 2026 outlook based on OAIC corporate plan and Privacy Awareness Week materials. First, AI and automated decision-making, particularly where consent was assumed rather than collected and where decisions affect access to credit or services. Second, data brokers and third-party data flows, including AI training corpora obtained from third parties. Third, Notifiable Data Breach timeliness and accuracy, with the OAIC's new information-gathering powers being used to test notification quality. CISOs should expect the OAIC's 2026 regulatory action posture to be materially more assertive than its 2018-2022 baseline.
How does the Privacy Act 2026 interact with the Voluntary AI Safety Standard?
The Voluntary AI Safety Standard published by the Department of Industry, Science and Resources (DISR) in September 2024 is non-binding guidance covering ten guardrails for safe and responsible AI use. It complements the Privacy Act rather than substituting for it: the Privacy Act creates enforceable obligations, the Voluntary Standard provides operating-model guidance. The DISR consultation on mandatory guardrails for high-risk AI (closed October 2024) would, if legislated, sit alongside the Privacy Act. CISOs should treat the Voluntary Standard as a useful operating-model template while building compliance around the Privacy Act 2026 substantive obligations.
What civil penalties apply under the amended Privacy Act?
The headline ceiling for serious or repeated interferences with privacy remains at the December 2022 level: up to AUD 50 million, or three times the benefit derived from the conduct, or 30 percent of the entity's adjusted turnover during the breach period, whichever is greater. The 2024 amendment Act adds graduated mid-tier and low-tier civil penalty offences below that ceiling for breaches of specific APPs, so the OAIC can match the response to the severity of the conduct. The Federal Court remains the venue for civil penalty proceedings.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.