Privacy, data and cyber law reforms: What your business needs to know in 2025

In the past financial year, Australia’s regulatory landscape has seen major shifts in privacy, data, and cybersecurity laws. With more changes just around the corner, it’s vital for businesses to understand what’s already in effect and what’s coming next. Below, we break down the key reforms to the Privacy Act, Consumer Data Right, and Cyber Security laws, and how they impact your compliance obligations.


Privacy Act reforms: Aligning with global privacy standards

In September 2023, the Australian Government released its response to the Privacy Act Review Report, proposing wide-ranging reforms to the Privacy Act 1988 (Cth). These changes aim to modernise Australia’s privacy framework and align it more closely with global standards such as the EU’s GDPR. The first tranche of reforms was legislated in late 2024; further tranches are still to come.

Key changes include (some already legislated, others agreed in principle and awaiting further legislation):

  • Expanded definition of personal information: proposed to cover information that “relates to” an individual, including technical and inferred data such as IP addresses, device identifiers and location data.
  • New privacy rights for individuals: Australians gain new statutory rights, giving individuals greater control over their own data:
    • The right to erasure (also known as the “right to be forgotten”).
    • The right to object to targeted advertising and profiling.
  • Stronger enforcement powers and accountability measures:
    • Tiered civil penalties, including higher penalties for serious privacy breaches.
    • A statutory tort allowing individuals to seek compensation for serious invasions of privacy.
  • Criminalisation of doxxing: a new criminal offence to tackle malicious online disclosures of personal information, with serious penalties for offenders.
  • Greater organisational responsibility for preventing and mitigating privacy breaches, including an express clarification that the “reasonable steps” required to secure personal information cover both technical and organisational measures.
  • Small business impact: although the Review proposed removing the current small business exemption, the government is consulting further on whether and how to phase in obligations on smaller entities, given the potential compliance cost.

Organisations should start reviewing their privacy policies, collection notices and consent mechanisms, while also strengthening data minimisation and retention practices. It’s essential to conduct risk assessments on how personal data is handled and to establish robust procedures for responding to individuals’ privacy rights.

Consumer Data Right (CDR): Expanding consumer control

In August 2024, the Treasury Laws Amendment (Consumer Data Right) Act 2024 came into effect, introducing “action initiation” capabilities into the CDR framework. This represents a shift from passive data access to authorised third-party action.

What’s new under the CDR reforms:

  • Action initiation: Consumers can now authorise accredited third parties to initiate payments, account switching, and more on their behalf.
  • Expanded sectors: The CDR has been extended beyond the banking sector to include the energy and non-bank lending sectors.
  • Regulatory oversight: Jointly administered by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC), these reforms are part of a broader push for consumer empowerment through data portability.

Businesses in regulated sectors must ensure their compliance and IT teams are equipped to handle the technical and legal requirements of CDR action initiation.

Cyber Security Act 2024: New reporting obligations for ransomware payments

In November 2024, Parliament passed the Cyber Security Act 2024, establishing mandatory reporting of ransomware and cyber extortion payments for certain businesses. The obligation is triggered by making a payment (or having one made on your behalf), not merely by suffering an incident.

Key features of the legislation:

  • Who must report: entities carrying on business in Australia with an annual turnover above $3 million, and responsible entities for critical infrastructure assets regardless of turnover.
  • Start date: reporting obligations commenced on 30 May 2025.
  • Deadline: a report must be made within 72 hours of making the payment, or of becoming aware that a payment was made on the entity’s behalf.
  • What must be reported:
    • Description of the ransomware or extortion incident and the demand.
    • Operational impact.
    • Payment details, including amount, currency, and method.

How to report: Reports must be submitted via a portal managed by the Australian Signals Directorate (ASD).

Additional protections and guidance:

  • A new Cyber Incident Review Board will conduct confidential, no-fault reviews of significant incidents to share lessons learned across industries.
  • Limited use obligations protect businesses by restricting how the information in a report can be used by the receiving agencies, increasing trust in the reporting process. Reporting a payment does not make the payment lawful or relieve the entity of its other obligations, such as sanctions law or notifiable data breach reporting under the Privacy Act.

For further guidance, the Department of Home Affairs and the Australian Cyber Security Centre (ACSC) provide detailed updates on ransomware readiness and cyber resilience.

What businesses should do now

With major reforms taking effect and more on the horizon, proactive compliance is critical. Organisations should:

  • Review and update privacy policies, collection notices and security controls to reflect enhanced individual rights and the technical and organisational measures expected under the Privacy Act.
  • Prepare for CDR action initiation workflows and accreditation requirements.
  • Establish internal ransomware reporting protocols, including who decides on a payment, who is responsible for lodging the report and how the 72-hour deadline is tracked.


How Safetrac can help

Safetrac helps organisations meet evolving legislative demands through:

  • Always up-to-date courseware
  • Integrated compliance tracking
  • Customisable solutions tailored to your industry

Whether you’re navigating the Privacy Act reforms, CDR updates, or mandatory cyber reporting, our platform and expert content can help ensure your team stays compliant.

Start your compliance journey the right way

The new regulations might feel like a big shift, but starting early can make all the difference.
