Australia's Privacy Act Reform 2024: What SaaS Founders Globally Need to Know
Australia passed its most significant privacy reform in two decades in late 2024, driven by the public outrage following the Optus breach (9.8 million customers affected) and the Medibank breach (9.7 million customers affected). The Privacy and Other Legislation Amendment Act 2024 received Royal Assent in December 2024 and is now rolling out in phases through 2026.
If you have Australian users — or you "carry on a business in Australia" in any meaningful sense — these changes affect you. Here's what's actually new and what to do about it.
Key Reforms in the 2024 Amendment Act
1. New Statutory Tort for Serious Privacy Invasion
This is the headline change. Australia now has a civil tort for serious invasion of privacy — the first of its kind in Australian law. An individual can sue a controller directly for damages without needing to rely on contract or equity claims.
The tort requires:
- A serious invasion of privacy — either intrusion upon seclusion OR misuse of private information
- The plaintiff had a reasonable expectation of privacy in the circumstances
- The invasion was intentional or reckless
- The public interest in privacy outweighs any countervailing public interest
Defences include: public interest journalism, law enforcement activities, national security, and acts required or authorised by law.
For SaaS founders, the practical effect: an Australian user can now sue you directly if you misuse their data — not just complain to OAIC. This significantly raises the litigation risk profile.
2. Removing the AU$3 Million Turnover Threshold
Historically, the Privacy Act applied only to organisations with annual turnover above AU$3 million, plus those handling health information or trading in personal information regardless of size. The 2024 reform proposes to remove the turnover threshold entirely — commencement is pending OAIC and Treasury guidance.
When this commences, every SaaS with Australian users will fall under the Privacy Act, regardless of revenue. Most international SaaS providers were already covered by the "trades in personal information" exception; this change simply removes the last refuge.
3. Extraterritorial Reach — "Australian Link" Test
The Privacy Act applies to organisations that "carry on a business in Australia" — a deliberately low threshold. You don't need a physical presence. Indicators include:
- Having Australian users who pay you
- Marketing specifically to Australian audiences
- Localised content (.com.au domains, AUD pricing, Australian English)
- Collecting personal information from individuals in Australia
OAIC has been increasingly willing to assert jurisdiction over overseas organisations. The bar is lower than GDPR's "targeting" test in many ways.
4. 13 Australian Privacy Principles (APPs) — Key Ones for SaaS
| APP | Name | Key Requirement | GDPR Equivalent |
|---|---|---|---|
| APP 1 | Open and transparent management | Public privacy policy required | Art. 12–14 |
| APP 3 | Collection of solicited PI | Only collect what's reasonably necessary | Art. 5(1)(c) |
| APP 5 | Notification of collection | Notice at collection (similar to GDPR Art. 13) | Art. 13 |
| APP 6 | Use and disclosure | Purpose limitation | Art. 5(1)(b) |
| APP 8 | Cross-border disclosure | Must ensure equivalent protection overseas | Art. 44–49 |
| APP 11 | Security of PI | Reasonable security + destroy/de-identify when no longer needed | Art. 5(1)(f), 32, 17 |
| APP 12 | Access | Provide access on request | Art. 15 |
| APP 13 | Correction | Correct inaccurate data | Art. 16 |
5. Mandatory Data Breach Notification — Enhanced
Australia's Notifiable Data Breaches (NDB) scheme has existed since 2018, requiring notification to OAIC and affected individuals for eligible breaches. The 2024 reform tightens this:
- 72-hour notification to OAIC for serious breaches (previously "as soon as practicable," which had drifted to weeks in practice)
- Affected individuals must be notified "as soon as practicable" — typically also within the 72-hour window
- Direct notification required — no more general website notice unless direct contact is impracticable
- OAIC can now share breach notifications with international regulators (e.g. ICO, IAPP, EU DPAs) — a notable shift
6. New Children's Privacy Rules
A mandatory Children's Online Privacy Code (COPC) is being introduced, with technology and social media platforms required to follow it. Commencement details are still being finalised by OAIC.
The COPC raises effective minimum standards for any platform likely to be accessed by under-18s. It's similar in spirit to the UK Age Appropriate Design Code (AADC) and California's Age-Appropriate Design Code Act.
7. Penalties
The 2022 Privacy Legislation Amendment Act had already raised the maximum penalty for serious or repeated interferences with privacy to:
- AU$50 million, OR
- Three times the value of the benefit obtained from the contravention, OR
- 30% of the adjusted turnover during the relevant period
The 2024 reform retains these levels and adds new mid-tier civil penalties for less serious breaches. OAIC also has new investigation powers to conduct proactive assessments without needing a complaint.
GDPR vs Australia Privacy Act 2024 — Quick Comparison
| Aspect | GDPR | Australia Privacy Act 2024 |
|---|---|---|
| Scope threshold | No turnover threshold | Removing AU$3M threshold (pending) |
| Extraterritorial test | Art. 3 — offering goods/services to EU | "Carry on business in Australia" |
| Legal bases | 6 explicit lawful bases | Purpose limitation + consent emphasis |
| DPO equivalent | Optional (trigger-based) | None mandated |
| Breach notification | 72h to DPA + individual | 72h to OAIC + individual |
| Maximum fine | €20M or 4% global turnover | AU$50M or 3× benefit or 30% turnover |
| Children's privacy | Art. 8 + national law | COPC (mandatory code, pending) |
| International transfers | Art. 44–49 with adequacy/SCCs | APP 8 — equivalent protection required |
| Right to sue directly | Yes (Art. 79–82) | Yes (new statutory tort, 2024) |
Practical 6-Step Checklist for SaaS Serving Australian Users
- Update your Privacy Policy to reference the 13 Australian Privacy Principles. Disclose your APP 5 notification, APP 8 cross-border disclosure mechanism, APP 11 security commitments, and the contact channel for APP 12/13 access and correction requests.
- Add a Notice at Collection at every data collection point. APP 5 requires identifying yourself, the purposes of collection, the consequences if PI is not collected, and how individuals can access/correct it.
- Update your Incident Response Plan to include 72h OAIC notification for serious breaches and direct individual notification. Train your team — the old "as soon as practicable" mindset will fail an audit now.
- Document international transfer mechanisms (APP 8). Where does Australian user data go physically? If it leaves Australia, you remain accountable under APP 8 unless the recipient is subject to a substantially similar law (limited list). Practical mechanism: binding contractual clauses with overseas processors.
- Implement data access and correction workflows for APP 12 and APP 13. A 30-day response time is the practical standard.
- Assess children's data exposure. If your product can plausibly be used by under-18s, prepare for the Children's Online Privacy Code. Audit your default privacy settings, consider age-appropriate UI, and document your design decisions. The UK AADC is a reasonable proxy until COPC details are finalised.
The Bottom Line
Australia is moving aggressively toward GDPR-equivalent protection — with one key addition the EU doesn't have: a direct civil right to sue. Combined with maximum penalties of AU$50M or 30% of turnover, the risk profile is now serious enough that "we'll deal with Australia later" is no longer a defensible position.
If you've built for GDPR, you're 80% of the way to Privacy Act compliance. The remaining 20% is the APP-specific language in your policy, the 72-hour breach drill, and a defensible position on the new statutory tort.
⚠️ This guide is for informational purposes and does not constitute legal advice. The Privacy and Other Legislation Amendment Act 2024 is rolling out in phases — verify current commencement dates and OAIC guidance before relying on any compliance approach.