In the past financial year, Australia’s regulatory landscape has seen major shifts in privacy, data, and cybersecurity laws. With more changes just around the corner, it’s vital for businesses to understand what’s already in effect and what’s coming next. Below, we break down the key reforms to the Privacy Act, Consumer Data Right, and Cyber Security laws, and how they impact your compliance obligations.
Privacy Act reforms: Aligning with global privacy standards
In September 2023, the Australian Government released its response to the Privacy Act Review Report, proposing wide-ranging reforms to the Privacy Act 1988 (Cth). These changes aim to modernise Australia’s privacy framework and align it more closely with global standards like the EU’s GDPR.
Key changes the government has agreed to include (the penalty, compensation and doxxing measures have since been legislated; the expanded definition and the new individual rights remain proposals for a later tranche of legislation):
- Expanded definition of personal information: proposed to cover technical and inferred data such as IP addresses, device identifiers and location data.
- New privacy rights for individuals: proposed statutory rights giving individuals greater control over their own data:
  - The right to erasure (also known as the “right to be forgotten”).
  - The right to object to targeted advertising and profiling.
- Stronger enforcement powers and accountability measures:
  - Increased civil penalties for serious privacy breaches, with new lower tiers of penalty for less serious contraventions.
  - A statutory tort allowing individuals to seek compensation for serious invasions of privacy.
- Criminalisation of doxxing: new Criminal Code offences for maliciously releasing personal information online, carrying terms of imprisonment.
- Greater emphasis on organisational accountability for preventing and mitigating privacy breaches, including an express requirement that the “reasonable steps” taken to secure personal information include technical and organisational measures.
- Small business impact: although the government has agreed in principle to remove the current small business exemption, it is consulting further on whether and how to phase in obligations on smaller entities, given the potential compliance cost.
Organisations should start by mapping where personal information is collected, stored and shared, then review their privacy policies, collection notices and consent mechanisms, while also strengthening data minimisation and retention practices. It is essential to conduct risk assessments on how personal data is handled and to establish procedures for responding to individuals’ requests, so that erasure and objection rights can be honoured once they take effect.
Consumer Data Right (CDR): Expanding consumer control
In August 2024, the Treasury Laws Amendment (Consumer Data Right) Act 2024 was passed, adding “action initiation” to the CDR framework. This shifts the CDR from read-only data access towards authorising accredited third parties to act on a consumer’s behalf, although a given action type only becomes available once the Minister declares it and the supporting rules and data standards are made.
What’s new under the CDR reforms:
- Action initiation: as each action type is declared, consumers will be able to authorise accredited third parties to initiate actions such as payments or account switching on their behalf.
- Expanded sectors: the CDR now extends beyond banking to energy, with the non-bank lending sector also designated and being phased in.
- Regulatory oversight: jointly administered by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC), with Treasury responsible for the rules, these reforms are part of a broader push for consumer empowerment through data portability.
Businesses in regulated sectors must equip their compliance and IT teams to handle the technical and legal requirements of CDR actions, including accreditation, consent management and the information security controls that the CDR Rules require of accredited data recipients.
Cyber Security Act 2024: New reporting obligations for ransomware
In November 2024, Australia passed the Cyber Security Act 2024, which among other measures requires certain businesses to report ransomware and cyber extortion payments.
Key features of the legislation:
- Who must report: private sector entities operating in Australia with an annual turnover above $3 million, and entities responsible for critical infrastructure assets regardless of turnover.
- Start date: reporting obligations commenced on 30 May 2025.
- What must be reported, within 72 hours of making a ransomware payment (or becoming aware that one has been made on your behalf):
  - Description of the ransomware or extortion incident and its impact on operations.
  - The demand made by the extorting party, and any communications with them.
  - Payment details, including amount, currency and method.
- How to report: submit the report through the reporting portal managed by the Australian Signals Directorate (ASD). A payment report does not replace other notifications that may also apply, such as a Notifiable Data Breach report to the OAIC.
Additional protections and guidance:
- A new Cyber Incident Review Board will conduct no-fault post-incident reviews and publish lessons learned across industries.
- Limited use obligations restrict how the National Cyber Security Coordinator and ASD may use and share the information reported; in particular it cannot be used to investigate or enforce regulatory action against the reporting entity, which is intended to increase trust in the reporting process.
For further guidance, the Department of Home Affairs and the Australian Cyber Security Centre (ACSC) provide detailed updates on ransomware readiness and cyber resilience.
What businesses should do now
With major reforms taking effect and more on the horizon, proactive compliance is critical. Organisations should:
- Review and update privacy policies and collection notices to reflect the enhanced individual rights.
- Prepare for CDR action initiation workflows and accreditation requirements.
- Establish internal ransomware reporting protocols, so that the decision to pay and the 72-hour reporting window are handled by a defined process rather than improvised during an incident.
How Safetrac can help
Safetrac helps organisations meet evolving legislative demands through:
- Always up-to-date courseware
- Integrated compliance tracking
- Customisable solutions tailored to your industry
Whether you’re navigating the Privacy Act reforms, CDR updates, or mandatory cyber reporting, our platform and expert content can help ensure your team stays compliant.
Frequently Asked Questions
What are the key reforms proposed to the Privacy Act in Australia?
The key reforms include an expanded definition of personal information, new privacy rights for individuals such as the right to erasure and the right to object to targeted advertising (both still awaiting legislation), stronger enforcement powers with increased penalties for breaches, a statutory tort for serious invasions of privacy, and criminalisation of doxxing.
How will the Privacy Act reforms impact small businesses?
While there are proposals to remove the current small business exemption, the government is still consulting on how to phase in obligations for smaller entities. Businesses should prepare for potential compliance costs and revise their privacy policies accordingly.
What is the Consumer Data Right (CDR) and how has it changed?
The CDR allows consumers to authorise accredited third parties to access their data and, once action types are declared under the 2024 amendments, to act on their behalf. The framework has also expanded beyond banking to sectors such as energy and non-bank lending.
What steps can organisations take to ensure they are compliant with evolving regulations?
Organisations can ensure compliance by staying informed on regulatory updates, conducting regular risk assessments, revising privacy policies, investing in data protection training for staff, and implementing robust data security measures.
What future trends can we expect in Australia’s regulatory environment concerning data and cybersecurity?
Future trends may include further strengthening of privacy protections, expansion of consumer rights, increased regulatory scrutiny of businesses, and continued emphasis on accountability and transparency in data handling practices.