There have been two pieces of legislation in the last couple of years (2022 and 2024) which updated the Privacy Act 1988 (Cth), with more updates to come. There have been updates to APP 1 (re: transparency in AI decision making), APP 8 (cross-border disclosure), APP 11 (re: security and destruction of personal information), and the extra-territorial application of the Privacy Act. The OAIC has now released updated guidance material, letting us know more about how these changes will be interpreted and what to do to comply.
First, here is a link to the guidance: https://www.oaic.gov.au/__data/assets/pdf_file/0019/258121/Consolidated-APP-guidelines.pdf
APP 1
This APP focusses on transparency. The 2024 amendments to the Privacy Act kick in on 10 December 2026. Regulated entities will need to update privacy policies to disclose when and how they make automated decisions affecting individuals (e.g. eligibility for services, benefits, or other significant decisions).
APP 8
Under the 2024 amendments, the Government introduced an “approved overseas law / binding scheme” exception: where data is disclosed to a recipient in a country whose law or binding scheme offers protections “substantially similar” to the Australian Privacy Principles, the disclosing entity may be exempted from some of the usual APP 8.1 obligations. Given new global data flows and possibly increased enforcement scrutiny, entities need to carefully assess whether transfers outside Australia (or offshore storage/processing) comply with APP 8, including updated expectations around transparency, risk, and contractual or technical safeguards.
APP 11
This APP is about security and destruction of personal information. The Guidance reflects the amendments introduced in 2024, which require a minimum floor of security protections (technical and organisational). That means regulated entities need to re-evaluate their data-security practices and their data-retention and disposal policies, and document their “reasonable steps” more granularly. Entities should assess existing security safeguards and identify areas for potential uplift; implement a data minimisation and destruction policy; update other governance policies and frameworks (e.g. privacy policies); and re-assess any third-party outsourcing arrangements to ensure the third party adopts appropriate security and technical measures.
Extra-territorial application
While APP 8 deals with when and how personal information can be sent overseas, the extra-territorial application of the Act deals with which entities are subject to the Act. The 2022 amendments removed the requirement that an overseas organisation must both “carry on business in Australia” and “collect or hold personal information in Australia (from an Australian source)” in order to be subject to the Privacy Act. Now it is enough for an overseas organisation merely to carry on business in Australia for it to be subject to the Act. This means that many more organisations will be captured by the Act, and if you are unsure whether the Act applies to your business then you should seek advice.