Legal Insights

Championing smart choices and building trust: What recent privacy and cyber regulatory activity tells us about getting the basics right in the age of AI

07 May 2026 • 7 min read

For Privacy Awareness Week at Maddocks, we are championing smart choices that help build trust and protect privacy in the age of AI.

Privacy Awareness Week is a timely reminder that trust is built (and lost) in the everyday decisions organisations make about personal information, especially as AI and other emerging technologies accelerate how data is collected, analysed and shared. Championing smart choices means embedding privacy-by-design, strong governance and practical safeguards from the outset. Done well, this allows teams to move quickly and confidently while meeting regulatory expectations and maintaining the trust of customers, employees and stakeholders.

The Privacy Commissioner has been explicit that the Office of the Australian Information Commissioner (OAIC) is entering a new era of proactive, enforcement‑led regulation, with a clear focus on systemic issues rather than isolated complaints. As Commissioner Carly Kind stated in March 2026:

“Over the past twelve months, the OAIC has been intentionally shifting to a greater focus on enforcement, acknowledging the considerable deterrent and educative benefits of proportionate regulatory action. Our approach is designed to ensure maximum impact in elevating privacy practices across all sectors.”

At the same time, the OAIC’s 2026 Privacy Awareness Week messaging – “Trust is built here. In every privacy complaint. In every resolution.” – has emphasised trust, accountability and the importance of effective complaint handling at the organisational level. These messages from the Privacy Commissioner are not contradictory. Rather, they reflect a clear allocation of responsibility: organisations are expected to manage complaints effectively as a core compliance and governance function, while the OAIC has signalled it will increasingly reserve its enforcement resources for matters that reveal systemic risks or warrant market‑wide deterrence.

For organisations, this shift has practical implications. Regulatory attention is increasingly directed at governance frameworks, decision‑making processes and cultural settings, particularly where emerging technologies like AI are involved.

In this article, we provide a practical breakdown of recent landmark regulatory decisions and what they reveal about regulatory expectations around openness, transparency, accountability and trust and, critically, how organisations can get the basics right to manage risk while continuing to innovate with confidence.

Lessons from recent regulatory reform and landmark cases

Over the past year, the privacy landscape has shifted materially. This snapshot distils the key cases, enforcement actions and regulatory developments that are shaping regulator expectations and what organisations need to focus on now to manage risk and build trust.

  • Foundational privacy practices under scrutiny – the importance of openness and transparency

    OAIC’s privacy compliance sweep: The OAIC’s first privacy compliance sweep reflects a broader regulatory focus on whether privacy documentation accurately reflects how personal information is handled in practice. On 9 December 2025, the OAIC announced it would commence its first-ever compliance sweep starting in January 2026. This sweep targeted approximately sixty entities across six industry sectors where privacy practices involve ‘in person’ collections of personal information and are therefore considered to have significant “power and information asymmetries”. Entities were chosen based on their size, location and risk profile. The six sectors identified were:

    • rental and property; 
    • chemists and pharmacists; 
    • licensed venues; 
    • car rental companies; 
    • car dealerships; and 
    • pawnbrokers and second-hand dealers.

    Results from the sweep are expected to be announced soon, with the OAIC signalling during Privacy Awareness Week that it found significant non-compliance.

  • Smart lessons from the OAIC sweep: The basics matter in building trust

    Getting the basics right is now a regulatory expectation. Privacy reforms have expanded the consequences for non‑compliance with foundational requirements, including the obligation to maintain a privacy policy that meets the mandatory criteria of APP 1.4. The OAIC’s compliance sweep underscores a clear message: failures at the baseline level will increasingly attract regulatory attention, because they signal deeper issues with governance, accountability and privacy culture. 

    We know from helping clients deploy emerging technology and AI projects that the smart choice is openness and transparency, with guardrails that ensure privacy policies remain up to date as information handling practices change.

    Further information on the OAIC privacy sweep can be found in our article, A clean sweep: the OAIC's New Year plans for Privacy Policy compliance checks.

Cyber incidents and major projects as privacy risk pressure points

Recent enforcement activity continues to show that broader privacy issues often surface during periods of change, including large‑scale projects, reinforcing the need for privacy to be built into the organisation-wide culture. A series of enforcement activities have focused on the relationship between Australian Privacy Principle 11 and the obligation to take “reasonable steps” to keep information safe and secure, and on obligations under the mandatory data breach scheme to promptly assess and notify certain serious breaches.

  • First civil penalty under the Privacy Act

    In October 2025, the Federal Court ordered Australian Clinical Labs (ACL) to pay a $5.8 million civil penalty due to a data breach that compromised the personal information of 223,000 customers. This was a landmark decision because it is the first time a civil penalty has been considered or imposed under the Privacy Act. Note that the penalties here were under the old regime and were also reduced because ACL was embarking on a cyber uplift program. The decision provides insight into regulatory expectations in relation to data breach response, as well as what constitutes “reasonable steps” in securing personal information, with the actions of the executive leadership team closely scrutinised.

  • Vinomofo security failures during data migration

    In October 2025, the Privacy Commissioner also found that Vinomofo breached the Privacy Act due to a 2022 data breach that affected nearly a million people. The OAIC's determination highlighted Vinomofo's failure during a major data migration project to take reasonable steps to protect personal data, stemming from insufficient security controls, weak internal policies, and a poor privacy culture. The decision highlights the privacy risks associated with high‑risk projects, with executive oversight again forming part of the regulator’s assessment.

  • The Australian Signals Directorate's Annual Cyber Threat Report

    These decisions sit against a broader threat environment. The Australian Signals Directorate's Annual Cyber Threat Report for 2024-2025 reported a notable increase in cyber security incidents and malicious cyber activity, including rising risks arising from third-party arrangements (a known and ongoing vulnerability for organisations), as well as the growing role of AI in the prevalence and scale of attacks.

  • The smart lesson from ACL, Vinomofo and emerging cyber trends is clear: the risk landscape continues to evolve, the bar for “reasonable steps” is high, and proactive management of the Notifiable Data Breaches (NDB) scheme is a critical trust anchor.

    Taken together, this recent enforcement activity and the shifting cyber threat environment reinforce a consistent theme: privacy risk crystallises at predictable pressure points, most notably during cyber incidents and large‑scale transformation projects. These moments expose whether privacy has been genuinely embedded into organisational culture, governance and decision‑making, or treated as a set‑and‑forget, downstream compliance task.

    Against this backdrop, reforms to APP 11.3 now expressly requiring both technical and organisational measures and the OAIC’s characterisation of the NDB scheme as a “mature regime” signal a clear regulatory shift. Regulators are increasingly focused on how privacy and cyber risks are governed, overseen and responded to at an organisational level, not simply whether controls exist on paper.

    In both ACL and Vinomofo, the actions of executive and leadership teams were closely scrutinised, including how cyber risks were understood, resourced and addressed over time. The smart choice for organisations is therefore to embed accountability early and visibly, ensuring risk assessments, incident playbooks, response plans, and training and testing are actively maintained, regularly exercised and supported at an executive level. In the age of AI and emerging tech, trust is preserved through clear risk ownership and accountability. 

AI and other emerging technologies exposing gaps in compliance basics

Recent regulatory activity illustrates how the adoption of emerging technologies can expose weaknesses in organisations’ foundational privacy practices. In particular, recent decisions and guidance over 2025 and Q1 2026 show that where transparency, notice, and governance are not well‑embedded considerations for organisations, the deployment of new technologies can quickly reveal these deficiencies and attract regulatory scrutiny.

  • Kmart decision

    On 26 August 2025, the Australian Privacy Commissioner determined that Kmart had breached the Privacy Act through its use of facial recognition technology (FRT) which was designed to tackle refund fraud. The FRT system operated by capturing and analysing images of the faces of every individual who entered 28 of Kmart’s stores between June 2020 and July 2022 and presented at a returns counter. The images captured were used to match customers’ biometric information with images stored in a database containing the details of customers who were considered ‘persons of interest’. 

    The Privacy Commissioner found that Kmart failed to meet consent, notification and transparency obligations under the APPs, including by not adequately updating its privacy policy to reflect its use of FRT.

    The Privacy Commissioner also found that Kmart could not rely on the consent exemption (which allows for collection of sensitive information without consent if a permitted general situation exists), as the use of FRT was not necessary or proportionate in the context due to the existence of less intrusive alternatives. Further details of this decision are available in our article, Key learnings from the OAIC's recent decision on Kmart's use of facial recognition.

  • Bunnings decision

    On 4 February 2026, the Administrative Appeals Tribunal set aside the determination of the Privacy Commissioner which held that Bunnings had contravened various APPs. Between 6 November 2018 and 30 November 2021, Bunnings used FRT at a number of stores across Australia and New Zealand in a similar manner to Kmart, to address retail crime and protect staff and customers.

    The Tribunal upheld findings that Bunnings failed to meet transparency and notification obligations and should have undertaken a formal, documented privacy risk assessment, but disagreed that consent was required in the specific circumstances, accepting that the use of FRT was necessary and proportionate for a limited purpose. Notwithstanding, the Tribunal’s decision still reinforced that this exception is narrow, and does not exempt organisations from notification obligations. 

    An OAIC spokesperson highlighted that the decision is consistent with the “robust and technologically-neutral approach to privacy regulation enshrined in the Privacy Act and embodied by the OAIC’s regulatory approach”, reinforcing that emerging technologies are assessed by reference to existing privacy principles.

  • APP 1 obligations for automated decision-making

    From 10 December 2026, amendments to the Privacy Act (Tranche 1 Privacy Reforms) will introduce new obligations under APP 1 in relation to automated decision‑making. This amendment will place additional obligations on an APP entity to include information in its privacy policy if it “arranges for a computer program to use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual”.

    This will require the privacy policy to contain information about: 

    • the kinds of personal information used in the operation of the computer program; 
    • the kinds of decisions made solely by the operation of computer programs; and 
    • the kinds of decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.

    In the Explanatory Memorandum, it was stated that automated decision-making systems “can be used to assist or replace the judgment of human decision makers”, thereby posing “privacy risks as they can use personal information about individuals in ways which may have significant impact”. These reforms will therefore increase transparency around automated decision-making, helping individuals understand how APP entities handle their personal information and for what purposes.

    It is expected that the OAIC will publish detailed guidance on these new obligations ahead of them becoming enforceable in December.

  • Smart lessons from emerging tech and AI determinations and guidance – Take a privacy/AI by design approach

    The smart choice for organisations is to embed clear project ownership, require PIAs and AI assessments as standard gateways for high‑risk initiatives, and ensure these processes are supported by governance, training and escalation pathways at an executive level. This enables innovation to proceed with confidence, ensures notices, consents and privacy policies are clearly updated, and demonstrates to regulators that privacy risks are being actively and responsibly managed.

Signals from beyond privacy law 

The rapid adoption of emerging technology, including AI, has accelerated the convergence of privacy law with other Australian regulatory regimes, as organisations use data in increasingly complex ways and cyber risks intensify. In this environment, trust cannot be considered in isolation from broader regulatory expectations. While this update focuses on privacy law, recent activity in adjacent regimes provides important context for how regulators are approaching transparency, fairness and accountability more broadly.

  • Lululemon pays $702,900 for Spam Act breaches

    Following an Australian Communications and Media Authority (ACMA) investigation, activewear clothing company Lululemon Athletica Australia Pty Ltd (Lululemon) paid $702,900 in penalties for sending over 370,000 marketing emails without an unsubscribe option. Between 1 December 2024 and 5 January 2025, Lululemon sent emails containing sales or promotional content to consumers, disguised as ‘service messages’ (e.g. delivery and order confirmation emails). ACMA Member Samantha Yorke comments that “Businesses need to understand that marketing messages must have an unsubscribe option and the simplest way to comply is to keep transactional or service messages separate from sales content and links. This is the fifth enforcement action the ACMA has undertaken in the last 18 months against businesses that have incorrectly treated messages as non-commercial even though they contained or had links to clearly commercial material.”

  • Proposed Unfair Trading Practices Bill

    Last month, the Government signalled its intention to introduce legislation to prohibit unfair trading practices to improve consumer protections. If the laws pass, they will start on 1 July 2027. While this is still at the exposure draft stage, the draft laws propose to amend the Australian Consumer Law by “introducing a general prohibition on conduct that unreasonably manipulates consumers or distorts the environment they make decisions in, causing detriment”. We are generally recommending that clients start mapping their end-to-end customer journeys to identify points in the UX/UI where a customer may be pressured, nudged or impeded in making decisions in respect of the services. Where organisations undertake such an exercise, it is often sensible to also identify where personal information is collected along those journeys and ensure appropriate privacy collection notices are in place.

  • ASIC action (Cyber risk and AFS licence obligations)

    ASIC is actively pursuing directors for failing to manage cyber risks and has significant investigative and enforcement powers under the Corporations Act 2001 (Cth) (currently the focus is on entities with an AFSL). On 9 February 2026, the Federal Court imposed civil penalties for cyber security failures under the general AFS licensee obligations for the first time. FIIG Securities was ordered by the Federal Court to pay $2.5 million in penalties after ASIC brought a case against the firm for failing to manage cybersecurity risks in breach of its licence obligations under s 912A(1) of the Corporations Act. The Court also ordered FIIG to undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed. 

    In a separate proceeding, ASIC announced that it is suing Fortnum Private Wealth for failing to adequately manage cybersecurity risks. This is the third instance of ASIC taking enforcement action against an AFSL holder for failing to manage cybersecurity risks in breach of its licence obligations under s 912A(1) of the Corporations Act (after action taken against FIIG and RI Advice). For context, several of Fortnum’s authorised representatives experienced cyber incidents, including a data breach that resulted in over 9,800 clients’ data being published on the dark web.

    This trend in ASIC enforcement demonstrates to any AFSL holder, including smaller organisations which have a less mature cybersecurity posture, that they are at risk of breaching their licence if they do not manage cybersecurity risks properly. It is also clear that directors must actively oversee cyber resilience as part of their director duties.

Your smart choices checklist 

Building trust is about making smart choices, consistently. During Privacy Awareness Week, organisations have an opportunity to step back and consider how trust is being built in practice, not just through compliance, but through everyday decisions about data, technology and AI. Trust cannot be considered in isolation; it is shaped by how transparently decisions are made, how fairly data is used, and how clearly accountability is allocated across the business. The checklist below is designed as a practical tool to help organisations make informed, proportionate choices that strengthen trust with customers, regulators and the community.

Action (Yes / No)

  • Conduct a maturity assessment for current compliance with the Privacy Act and the APPs: This should include consideration of current OAIC guidance, enforcement activity and known risk areas (including AI, cyber and in‑person collection).
  • Review privacy policies and collection notices against current practice: Confirm that what your documentation says accurately reflects how personal information is collected, used and disclosed in practice. Commence a review of automated processing if you have not started, so you have time to update your privacy policy for the required disclosures.
  • Identify accountable owners and internal privacy champions responsible for privacy uplift activities: This avoids silos and helps privacy and cyber stop being considered purely legal and IT matters.
  • Ensure executive visibility of privacy and cyber risks: Accountability is key to trust.
  • Map where personal information is collected across key journeys.
  • Leverage related compliance workstreams: Where organisations are already reviewing customer journeys or interfaces for consumer law, marketing or UX/UI risk, the same exercise can be used to identify where privacy collection notices should sit and how they are framed. Approached this way, privacy and consumer compliance activities can reinforce one another rather than operate as duplicative exercises.
  • Build privacy, security and AI reviews into high‑risk projects: Including AI deployment, CRM implementations, data migrations, cyber uplift programs and new customer‑facing technologies.
  • Consider resourcing and investment: Assess whether current budgets, skills and tooling are proportionate to your privacy and cyber risk profile (particularly in light of APP 11 expectations around organisational measures).
  • Strengthen training, education and privacy culture: Training and awareness are often overlooked, but are increasingly important in demonstrating governance maturity and reducing complaint escalation.
  • Develop and maintain a Privacy Management Plan that sets out your organisation’s privacy roadmap: Privacy readiness is not a one‑off exercise. Maintaining a clear, prioritised roadmap helps organisations respond to change and regulatory scrutiny over time. Refer to the OAIC’s template PMP and resources to ensure your PMP is effective and aligned with regulatory expectations.
  • Review and uplift complaints and dispute resolution: The prompt escalation and handling of privacy complaints is key to building trust. Do you have clear processes and prompt escalation pathways to review and examine privacy complaints? Do you use complaints as an insight to strengthen systems and processes?
  • Monitor regulatory guidance and developments: Including forthcoming OAIC guidance, enforcement priorities and developments across adjacent regimes that affect information handling.

For advice or support with managing the above, please get in touch with our Privacy team.

Sonia Sharma

Sonia has wide ranging experience advising on technology, cyber, telecommunication and general commercial matters, specialising in cyber and data resilience advice.
