Australia is undergoing a pivotal transformation in its approach to privacy regulation. With a series of high-profile data breaches and rising public concern over the misuse of personal information, the government is driving reforms to modernise outdated privacy laws and better address the realities of the digital age.
Carly Kind, Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC), spoke yesterday at the IAB Leadership Summit, detailing how the reforms signal a significant shift for businesses needing to align with evolving regulations while adapting to growing consumer expectations surrounding transparency and accountability.
This period of reform, she explained, is an opportunity for both industry and regulators to work together toward a shared goal: safeguarding personal data while enabling innovation.
“We are at a really important time—maybe the end of the beginning or the beginning of the end—but certainly a time of change when it comes to personal information,” she said.
Public Demand for Reform and Industry Impact
Recent data breaches, such as the Medibank incident that exposed the sensitive information of 14 million Australians, have dramatically shaped public sentiment and awareness around privacy laws.
A survey by the OAIC found that nearly half of Australians had experienced a data breach in the past year, fuelling dissatisfaction with existing protections.
“We hear that the majority of Australians want a better deal when it comes to privacy; almost all of them would like the government to do more to legislate for it,” Kind explained.
The government’s initial reforms, introduced in the first tranche of Privacy Act amendments, include stronger enforcement mechanisms and a new Children’s Online Privacy Code to address vulnerabilities in digital environments.
These changes, while vital, mark only the beginning of a broader legislative overhaul. The forthcoming second tranche is expected to tackle more comprehensive issues, such as ensuring data practices are “fair and reasonable,” a concept Kind highlighted as a crucial expectation from both regulators and the public.
Embedding Privacy in Business Practices
For businesses, meeting these expectations requires proactive measures. Transparency, accountability and a commitment to privacy by design must become central to operations. Kind emphasised that “organisations need to look at their data practices and consistently ask whether they align with what the community expects. Do they pass the pub test?” This means ensuring that data collection, storage, and usage are not only compliant with legal requirements but also resonate with public trust.
A critical area of focus is the use of tracking technologies such as pixels, which have drawn regulatory attention due to their potential to expose sensitive information. “Consent is non-negotiable for sensitive data,” Kind explained. “Sensitive information should not be collected via tracking pixels without explicit consent. Businesses must seek opt-in consent from users if sensitive information is likely to be collected.”
Kind added that businesses must implement clear, accessible privacy policies and regularly review their data practices to adapt to emerging technologies and regulations.
The Role of Regulators: Guidance and Enforcement
While legislation provides the framework, regulators like the OAIC are shaping the practical implementation of reforms. Kind highlighted the agency’s dual focus on enforcement and education.
“We’re trying to move ourselves into that space where we’re saying, ‘Here’s how you should comply,’” she explained. “At the end of the day, what we all want to achieve is compliance—you don’t want enforcement action knocking at your door, and we don’t need to waste resources.”
The OAIC has already released updated guidance on several key issues, including the use of facial recognition technology, AI, and tracking pixels. These resources are designed to help organisations navigate the complexities of compliance while maintaining public trust. “We want to ensure that our guidance reflects the here and now, not the landscape we used to live in,” Kind said.
Building Trust Through Collaboration
Collaboration between industry and regulators is essential for the successful implementation of privacy reforms. Kind encouraged businesses to engage actively with the regulatory process, noting that the OAIC is committed to providing clarity and support. This approach includes offering grace periods for compliance and listening to industry feedback on practical challenges.
“We want to make sure that we’re speaking to the regulated community and are hearing back from you about what you need,” she said.
However, businesses should not wait for reforms to take effect before taking action. Kind urged organisations to prioritise trust and transparency now, as these are increasingly valuable commodities in the digital economy.
“Trust has been a really key thing in the public attitudes research that we’ve done,” she noted. “Less than half of people trust organisations to only collect the information they need, use it as they say they will, and store it securely.”
A Balanced Future for Privacy and Innovation
The Australian privacy reform agenda is not about limiting innovation but creating a foundation of trust that allows businesses to thrive responsibly. Kind rejected the notion that regulation stifles progress, likening it to brakes on a car enabling faster, safer driving. “We believe entities can confidently innovate when they know what the regulation is and have certainty about that regulation,” she said.
“Getting privacy right is about transparency, trust, and an approach of privacy by design. Together, we can improve transparency, improve trust, and see those companies that strive to get it right recognised, supported, and thriving.”
Ultimately, privacy reform is about aligning industry practices with societal values. By embedding privacy into operations and collaborating with regulators, businesses can position themselves as leaders in this evolving landscape. For regulators, the focus remains on enabling compliance through clear guidance and targeted enforcement, fostering a digital environment that benefits everyone.