Australia’s privacy and cyber regulation has entered a new phase. Over the past two years, regulators have significantly expanded their powers, courts have begun issuing meaningful penalties, and cyber risk is increasingly treated as a core governance issue.
For insurers, MGAs, brokers and financial services firms, privacy compliance is no longer just a legal obligation — it is becoming a core operational and governance risk.
This article explains the latest Privacy Act reforms in Australia, recent court decisions, regulator expectations and practical steps organisations should take now.
1. A Major Shift in Privacy Regulation
Australia’s Privacy Act reforms were passed in late 2024 and began shaping regulatory activity throughout 2025.
One of the most important changes is the expansion of enforcement powers for the Office of the Australian Information Commissioner (OAIC).
The OAIC now has broader authority to:
- investigate privacy breaches
- conduct public inquiries
- require organisations to address harm to individuals
- pursue civil penalties in court
Courts also have wider powers to impose remedies including:
- compensation
- corrective actions
- publication of statements
- remediation programs.
Source:
Privacy Act reforms – Australian Government
This marks a clear shift: privacy enforcement is no longer limited to major data breaches. Regulators can intervene where organisations fail to take reasonable steps to protect personal information.
2. A New Legal Risk: Serious Invasion of Privacy
Another major reform introduced in 2025 is the statutory tort for serious invasion of privacy.
Individuals can now sue where a defendant has intentionally or recklessly invaded their privacy, either by:
- misusing information relating to them, or
- intruding upon their seclusion (their private life, home or affairs),
in circumstances where they had a reasonable expectation of privacy, the invasion was serious, and the public interest in privacy outweighs any countervailing public interest such as freedom of expression. Merely negligent handling of personal information does not meet the threshold.
Importantly, financial loss does not need to be proven.
Courts can award remedies including:
- injunctions
- destruction of personal data
- correction orders
- apologies
- damages.
Source:
Privacy Act reform – serious invasion of privacy tort
Although the tort only applies to conduct occurring on or after 10 June 2025, when it commenced, it is expected to generate increased litigation and class actions in coming years, particularly following large data breaches.
3. Mandatory Reporting of Ransomware Payments
Australia introduced a new ransomware reporting regime under the Cyber Security Act 2024 (Cth); the reporting obligation commenced on 30 May 2025.
Businesses with annual turnover above $3 million, and responsible entities for critical infrastructure assets regardless of turnover, must report to the government within 72 hours of making a ransomware or cyber-extortion payment (or of becoming aware that a payment has been made on their behalf).
The report must include:
- the affected organisation
- details of the incident
- the ransomware demand
- the payment made
- communications with attackers.
Ransomware payments themselves are not illegal, but failure to report may result in civil penalties. Information provided in a report is covered by the Act's limited-use provisions, which restrict how it can be used by other regulators or in proceedings against the reporting entity.
Reports must be submitted to the Australian Signals Directorate (ASD) through the cyber incident reporting portal at cyber.gov.au.
The purpose of this requirement is to improve national cyber threat intelligence and law enforcement capability.
4. Privacy and Cybersecurity Regulators in Australia
Privacy compliance in Australia involves multiple regulators overseeing different aspects of data protection, cybersecurity and governance.
Understanding how these regulators interact is essential for insurance businesses.
OAIC – Office of the Australian Information Commissioner
The Office of the Australian Information Commissioner (OAIC) is Australia’s primary privacy regulator.
It enforces:
- the Privacy Act 1988
- the Australian Privacy Principles (APPs)
- the Notifiable Data Breaches (NDB) scheme
The OAIC investigates privacy breaches, oversees notification obligations and can pursue regulatory or court enforcement.
APRA – Australian Prudential Regulation Authority
The Australian Prudential Regulation Authority (APRA) supervises banks, insurers and superannuation funds to ensure financial system stability.
Although APRA does not regulate privacy directly, it enforces information security and operational resilience standards that are closely connected to data protection.
CPS 234 – Information Security
APRA CPS 234 requires regulated entities to maintain strong cybersecurity protections for their information assets.
Entities must:
- implement cybersecurity controls
- manage technology and information security risks
- monitor systems and detect incidents
- notify APRA no later than 72 hours after becoming aware of a material information security incident, and within 10 business days of becoming aware of a material information security control weakness that cannot be remediated in a timely manner.
Source:
APRA CPS 234 Information Security
Many privacy breaches originate from weaknesses in cybersecurity controls, which is why CPS 234 plays a central role in protecting personal data.
CPS 230 – Operational Risk Management
APRA has also introduced CPS 230 – Operational Risk Management, which came into effect in 2025.
This standard expands the focus from internal systems to the entire service provider ecosystem, including:
- outsourcing providers
- cloud vendors
- technology platforms
- core systems storing customer data.
Under CPS 230, organisations must:
- identify critical operations
- manage risks across third-party suppliers
- maintain service continuity
- retain accountability for outsourced services.
Source:
APRA CPS 230 Operational Risk Management
In practice, CPS 230 connects the dots between cybersecurity, outsourcing risk and privacy protection. Even if personal data is processed by vendors, the regulated entity remains responsible for protecting it.
ASIC – Australian Securities and Investments Commission
The Australian Securities and Investments Commission (ASIC) regulates financial services conduct and corporate governance.
While ASIC does not enforce the Privacy Act, it can take action where cyber incidents indicate failures in:
- governance
- risk management
- operational resilience
- disclosure obligations.
ASIC typically relies on Section 912A of the Corporations Act, which requires financial services firms to maintain adequate risk management systems.
Increasingly, this includes cybersecurity and data protection risk management.
Source:
ASIC cyber resilience guidance
5. Court Decisions Are Setting New Standards
Recent enforcement cases show how regulators interpret privacy and cybersecurity obligations.
Australian Clinical Labs Case
One of the most significant privacy enforcement actions involved Australian Clinical Labs following a ransomware attack that exposed sensitive data.
The Federal Court imposed $5.8 million in penalties, the first civil penalty ordered under the Privacy Act, for failures including:
- inadequate cybersecurity controls
- poor breach assessment processes
- delayed regulatory notification.
Source link.
The Court treated the failure to take reasonable steps to protect personal information as a separate contravention for each affected individual, rather than a single contravention per incident, which significantly increases the potential penalty exposure from a large breach.
Vinomofo Determination
In another major case, the OAIC found that Vinomofo failed to take reasonable steps to protect personal information for nearly one million customers.
Even though the exposed data was relatively basic (names, contact details and purchase history), the regulator determined that the scale and structure of the database increased risk.
Link:
OAIC determination – Vinomofo
Facial Recognition Cases (Kmart and Bunnings)
The OAIC has also investigated the use of facial recognition technology in retail environments.
In cases involving Kmart and Bunnings, regulators examined whether biometric data collection was:
- necessary
- proportionate
- properly disclosed in privacy policies.
Sources:
Kmart facial recognition.
Bunnings determination.
These cases demonstrate increasing scrutiny of emerging technologies that process personal data.
6. Automated Decision-Making Rules Coming in 2026
From 10 December 2026, new transparency obligations will apply to automated decision-making systems.
Organisations must disclose when automated systems use personal information to make decisions that significantly affect individuals.
This includes systems used for:
- automated underwriting
- algorithmic claims decisions
- credit scoring
- AI risk modelling.
These obligations will be introduced through amendments to Australian Privacy Principle 1 (open and transparent management of personal information): an organisation's privacy policy will need to describe the kinds of personal information used in automated decision-making, the kinds of decisions made solely by automated means, and the kinds of decisions to which automated processing substantially and directly contributes.
7. Practical Steps for Insurance Businesses
Given the evolving regulatory environment, organisations should take a systemic approach to privacy and cyber governance.
Strengthen risk management frameworks
Privacy and cyber risks should be embedded within the organisation’s overall risk management system.
Map sensitive data
Businesses must understand:
- where customer data is stored
- who has access to it
- how it is protected.
Implement strong security controls
Examples include:
- multi-factor authentication
- network monitoring and detection
- system patching and updates
- access segregation.
Review documentation
Privacy policies, incident response plans and cybersecurity procedures should be reviewed regularly and tested.
Understand automated decision-making
Organisations should ensure algorithms and AI systems can be explained and audited.
The Bottom Line
Australia’s privacy framework is evolving rapidly.
Regulators now have stronger enforcement powers, courts are imposing significant penalties, and cyber incidents are increasingly treated as failures of governance and risk management.
For insurers, MGAs and brokers, privacy compliance must move beyond reactive legal responses.
It must become a core operational capability integrated into risk management, technology governance and organisational culture.
Authors: Nitesh Patel, Principal at Gilchrist Connell, Specialist in Cyber, Technology, Insurance, Financial Lines and Litigation. LinkedIn Profile.
Tetiana George, CEO of Curium, Co-Chair of Insurtech Australia and member of ASIC Digital Finance Advisory Committee. LinkedIn Profile.