What’s really changed for directors since privacy law reform
Everything and nothing:
Everything: New laws have teeth
On the surface, the transformation has been dramatic. The first tranche of Privacy Act 1988 (Cth) reforms became law in December 2024, turning proposed changes into an enforceable reality:
- Penalty structure overhaul: What were once modest fines have become a tiered system ranging from $19,800 (body corporate) and $66,000 (listed) for basic compliance failures to $3.3 million for privacy interference, and up to $50 million, 3x the value of the benefit gained, or 30% of annual turnover for serious breaches.
- Technical requirements with teeth: APP 11’s “reasonable steps” to protect personal information explicitly include both technical measures (encryption, multi-factor authentication, antivirus) and organisational measures (training, procedures, policies). In effect, organisations must have appropriate people, processes and technology in place to protect themselves.
- Direct legal action pathway: The new privacy tort that commenced on June 10, 2025, opens a direct legal pathway for individuals to sue organisations for serious privacy invasions, creating litigation opportunities with immediate commercial consequences.
- Automated decision-making disclosures: Automated decisions that significantly affect individual rights or interests (think Robodebt), whether made by sophisticated algorithms or simple spreadsheets, will need to be disclosed in privacy policies, creating transparency obligations that many organisations haven’t yet grasped.
Nothing: Largely business as usual
Despite these sweeping changes, corporate Australia is yet to see meaningful effects. In addition, ASIC’s bark regarding director cyber accountability has so far proven worse than its bite, with no proceedings brought against directors as at the time of this article.
ASIC Chairman Joe Longo was explicit about director accountability:
Brand reputation still drives consequences
The new penalty framework isn’t necessarily driving proactive risk management. Despite tiered penalties designed to reflect harm, brand reputation risk is still where it hurts most.
For example, when Qantas suffered a data breach of general data such as frequent flyer numbers and some limited personal information, a class action was launched almost overnight amidst a media frenzy. However, when Genea IVF clinic disclosed that deeply personal and sensitive fertility health records had been compromised (and published on the dark web), the legal and regulatory response was underwhelming, and the incident went comparatively under the radar.
High legal bar may limit impact
It remains to be seen whether the new privacy tort will accelerate consumer class actions. The fault element requires proving that defendants intentionally or recklessly invaded privacy – negligence will not be sufficient. The “recklessness” threshold, taken from criminal law, requires proof that companies were aware of substantial risk yet still proceeded unjustifiably. While class action attempts using this tort are inevitable, the heightened fault threshold may prove more challenging than anticipated given the complexities of data privacy and cybersecurity.
Organisations remain reactive
A Herbert Smith Freehills Cyber Risk Survey reveals telling contradictions: 83% of organisations are “very concerned” about data security, and 60% are concerned about class actions following a cyber incident.
Yet 58% believe it would take an actual cyber incident to meaningfully improve their focus on data risk management, and over half of legal teams have never participated in a breach simulation.**
Wait and see is not a strategy
The gap between legislative reality and director understanding creates dangerous exposure. Rather than waiting for enforcement to clarify expectations, now’s the time to put the fundamentals in place:
Master your information lifecycle
Directors need to understand the complete journey of data through their organisation: How do they collect it? How is it used? Who has access? Where is it stored? For how long? While not difficult, answering this requires strong management and practical, usable policies with clear procedures. When data policies and management become complex, people find workarounds, scattering information across unknown systems.
Effective lifecycle management requires mapping data flows, testing policies with users, and fostering open dialogue where employees can report when procedures aren’t working.
Build a defensible position
You can’t eliminate cyber risks – the goal isn’t perfection. What you need is to reach a point where you are so defensible that if – or when – there is a breach, you can demonstrate effective and compliant mechanisms and procedures. This means building frameworks and audit trails that show you’ve done everything reasonable within your capability to prevent incidents.
Embed data security in business operations
Data security governance focuses on strategic business enablement rather than tick-box exercises. When data security is embedded into core business processes, project planning, vendor assessments and operational decisions become opportunities to strengthen competitive advantage.
Competitive advantage over compliance
Regulations will continue to evolve, with over 60 Privacy Act recommendations still pending. Thinking beyond compliance, leading directors are taking control and building a competitive advantage through data governance, stakeholder trust and operational resilience that will serve them regardless of regulatory or technological changes.
The business benefits are tangible: when you understand and control how data flows through your business, you not only manage risk and compliance effectively, but you gain operational efficiency, more informed decision-making, stronger stakeholder trust and hold the key to innovation through AI and analytics.
*ASIC: AFR Cyber Summit, 2023
**Herbert Smith Freehills: