
Australian Privacy Principles Changed in 2024. Are You Ready

The Australian Privacy Principles got major updates in late 2024 — broader data definitions, a new statutory tort, and automated decision rules. Here's what changed.

Robbie Cronin · 7 min read



---
title: "Australian Privacy Principles: What Changed and What It Means"
date: 2026-03-30
description: "The Australian Privacy Principles got major updates in late 2024. New penalties, broader definitions, and a statutory tort. Here's what changed for your business."
keywords: ["australian privacy principles", "privacy act 1988", "privacy act amendments 2024", "statutory tort privacy", "OAIC enforcement", "notifiable data breaches"]
author: "Robbie"
---

Australian Privacy Principles: What Changed and What It Means for Your Business

The Australian Privacy Principles got a significant update in December 2024 when the Privacy and Other Legislation Amendment Bill passed into law. If you thought your privacy obligations were settled, they're not. The rules around what counts as personal information, how you can use automated decisions, and who can take you to court have all shifted.

This isn't a rewrite of the 13 APPs. The core principles still stand. But the ground underneath them has moved, and most businesses I talk to haven't caught up.

The Australian Privacy Principles Now Cover More Data Than You Think

The definition of "personal information" has been broadened. Previously, information had to be "about" an individual to qualify. Now, it includes information that "relates to" an individual. That's a wider net.

What does that mean in practice? Technical data like IP addresses, device identifiers, and location data that you might have treated as anonymous now likely qualifies as personal information under the APPs. The same goes for inferred data: things your systems derive about someone from their behaviour, even if they never told you directly.

If you're running analytics, recommendation engines, or any kind of behavioural tracking on your website or app, you should revisit what data you're collecting. Some of it probably falls under the Australian Privacy Principles now, even if it didn't before.

Individuals Can Now Sue You Directly for Privacy Breaches

This is the big one. The December 2024 amendments introduced a statutory tort for serious invasions of privacy. Before this, enforcement was mostly an OAIC matter: the Commissioner investigated, and the Commissioner decided penalties.

Now, individuals can take you to Federal Court themselves. If someone can show that your business seriously invaded their privacy, through intrusion into seclusion or misuse of private information, and that a reasonable person would find it highly offensive, they can sue.

<ComparisonTable
  title="How Enforcement Has Changed"
  optionALabel="Before Dec 2024"
  optionBLabel="After Dec 2024"
  highlightOption="B"
  rows={[
    { feature: "Who can take action", optionA: "OAIC only", optionB: "OAIC + individuals" },
    { feature: "Individual Federal Court claims", optionA: false, optionB: true },
    { feature: "Regulatory penalties", optionA: true, optionB: true },
    { feature: "Parallel enforcement tracks", optionA: false, optionB: true },
    { feature: "Direct litigation cost risk for SMEs", optionA: false, optionB: true },
  ]}
/>

This changes the risk profile. It's not just about whether the OAIC comes knocking anymore. A single customer whose data you mishandled could bring an action against you. For SMEs, defending a Federal Court claim is expensive regardless of the outcome.

Automated Decisions Now Require Disclosure Under the Australian Privacy Principles

If your business uses automated systems to make decisions that substantially affect individuals, you now need to tell them. This covers things like automated credit assessments, algorithmic pricing, AI-driven hiring screening, or automated claims decisions.

The requirement is transparency, not prohibition. You can still use automation. But if a decision is made substantially by an automated system and it meaningfully affects someone, they have a right to know.

For a lot of SMEs, this might not feel relevant today. But if you're using AI tools for customer-facing decisions, even off-the-shelf ones from third-party vendors, check whether they trigger this requirement. The obligation sits with you, not your vendor.

The Small Business Exemption Is Still Going

The government's commitment to removing the $3 million turnover exemption hasn't changed. It wasn't in the December 2024 bill, but it's been agreed in principle from the Privacy Act Review. When it happens, roughly 2.4 million additional Australian businesses will need to comply with the full set of APPs for the first time.

<StatHighlight
  value="2.4M"
  label="Additional businesses that will need to comply"
  description="When the $3 million turnover exemption is removed, 2.4 million more Australian businesses will fall under the full APPs"
  variant="amber"
/>

If you're currently under the threshold, waiting until the law forces your hand means building your privacy framework under pressure. A basic privacy policy, data inventory, and breach response plan takes a few weeks to set up properly when you're not rushing.

What This Means for Your Compliance

If you already take privacy compliance seriously, the changes aren't a crisis. They're an expansion. Review three things:

Your data inventory. Does it account for the broader definition of personal information? Technical identifiers, inferred data, and behavioural data should be included if they relate to identifiable individuals.

Your automated systems. Map any decisions that are made substantially by software and affect customers, employees, or applicants. If they exist, add disclosure language to your privacy policy and the relevant user-facing processes.

Your risk exposure. The statutory tort means privacy failures can now result in direct litigation from affected individuals, not just regulatory action. If your breach response plan assumes the OAIC is your only audience, update it.

<FlowDiagram
  title="Your Compliance Review Checklist"
  numbered={true}
  nodes={[
    { id: "1", label: "Audit data inventory for broader personal information definition", variant: "neutral" },
    { id: "2", label: "Map automated decisions affecting individuals", variant: "neutral" },
    { id: "3", label: "Add disclosure language to privacy policy and processes", variant: "moderate" },
    { id: "4", label: "Update breach response plan for individual litigation risk", variant: "highlight" },
  ]}
/>

The penalties for serious breaches haven't changed since 2022. They're still up to $50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greatest. But the statutory tort adds a new front. OAIC enforcement and individual lawsuits can run in parallel.

<Callout variant="warning" title="Penalties Haven't Changed — But the Attack Surface Has">

The maximum penalty is still up to **$50 million**, three times the benefit obtained, or **30% of adjusted turnover** — whichever is greatest. Now OAIC enforcement and individual lawsuits can run **in parallel**, meaning a single breach can hit you from two directions at once.

</Callout>

If you're building toward Essential Eight or ISO 27001, most of the technical controls you need for APP 11 (security of personal information) are already covered. The gap for most businesses isn't technical. It's operational: knowing what data you hold, where it goes, and having a plan for when something breaks.

The APPs haven't gotten simpler. But the steps to comply are still straightforward if you start before you're forced to.



Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.