Data, Privacy and Cyber Overview (Australia) – (January to June 2025)

Reflecting on the increased number of data breach notifications in Australia, with 2024 having marked the highest number of notifications since the NDB Scheme commenced in 2018, the Australian Privacy Commissioner (Commissioner) warned businesses about the continuing security challenges perpetuated by unnecessary data collection practices. In the same keynote address, delivered at the 2025 IAPP Privacy event during Privacy Awareness Week last month, Ms Kind reminded corporate entities of their obligations to collect only personal information that is reasonably necessary for one or more of their functions (under APP 3.2) and only by lawful and fair means (under APP 3.5). In a similar vein, ASIC Chair Joe Longo emphasised ASIC’s 2025 enforcement priority of taking action against AFS licensees who fail to have adequate cyber-security protections, as demonstrated in the regulator’s recent civil penalty proceedings against FIIG Securities Limited and Fortnum Private Wealth.

In addition to this timely reminder, we summarise in this alert the key developments in the data and privacy space over the past six months that businesses should be aware of.

1. Mandatory ransomware reporting obligations

The new requirement that businesses operating in Australia report ransomware payments commenced on 30 May 2025.

The new regime requires “reporting business entities” to give a ransomware payment report to the Australian Signals Directorate (ASD) within 72 hours of making a payment or giving a benefit to an extorting entity (or of becoming aware that the ransomware payment has been made).[1]

“Reporting business entity” is defined under s 26(2) of the Cyber Security Act 2024 (Cth) as:

  • an entity carrying on business in Australia with an annual turnover for the previous financial year that exceeds $3 million, that is not a Commonwealth body or a State body, and is not responsible for a critical infrastructure asset;[2] or
  • an entity responsible for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.

The Reporting Rules[3] specify the information which must be provided with the ransomware payment report, being the following:

  • the reporting business entity’s contact and business details;
  • if another entity made the payment – the reporting business entity’s contact and business details;
  • details of the cyber security incident, including when the incident occurred, when the reporting business entity became aware of the incident, the incident’s impact on the reporting business entity and its customers, and the variant of the ransomware or malware (if any);
  • what vulnerabilities (if any) in the reporting business entity’s system were exploited;
  • the demand made by the extorting entity;
  • the ransomware payment; and
  • communications with the extorting entity relating to the incident, the demand and the payment.

Failure to report within the prescribed timeframe may attract a civil penalty of up to AU$19,800.

Helpfully, the Australian Government (via Home Affairs) has confirmed that the new reporting obligations will be implemented in two stages, being:

  • Phase 1 (30 May 2025 to 31 December 2025) – where Home Affairs will prioritise an “education first approach” for the first 6 months. Regulatory action during Phase 1 will only be pursued against businesses in cases of egregious non-compliance. During this phase Home Affairs will also report on incidents and publish advanced guidance resources incorporating feedback from this phase; and
  • Phase 2 (1 January 2026 onwards) – where Home Affairs has confirmed that it will adopt a compliance and enforcement approach and “graduate to a more active regulatory focus”.

2. Statutory tort for serious invasions of privacy now in force

Australia’s new statutory tort for serious invasions of privacy took effect from 10 June 2025.

As covered in our previous alert here, claimants must prove five elements to establish a cause of action under the new tort, including that: an invasion of the claimant’s privacy by intrusion upon seclusion and/or misuse of information occurred, in circumstances where the claimant had a reasonable expectation of privacy, and the invasion was intentional or reckless. The invasion of privacy must be serious, and the public interest in the claimant’s privacy must outweigh any countervailing public interest.

The Privacy Act explicitly exempts groups of individuals and provides defences. Read our alert here for remedies available under this tort, the strategic defences and exemptions, limitation period, and key considerations for businesses.

3. Children’s online privacy code

As part of its development of the Children’s Online Privacy Code (Code), the Office of the Australian Information Commissioner (OAIC) concluded Phase 1 of its consultation, with children, parents, teachers and relevant organisations focused on children’s welfare, on 30 June 2025. Phase 1 focused on gathering feedback on community expectations and views on children’s online privacy. Phase 2 commenced in April 2025, involving input from industry, civil society and academia, and will conclude on 31 July 2025.

The OAIC has confirmed that a draft Code will be released in early 2026 for public consultation (i.e. Phase 3), with a view to having the Code ready and in place by 10 December 2026. The OAIC has confirmed that the Phase 3 consultation will last a minimum of 60 days.

Social media services, electronic services or designated internet services that are accessed by children and/or regularly deal with the personal information of children and young people are strongly encouraged to review their current data collection and handling practices now, to be ready to comply with the upcoming Code.

In particular, businesses operating or accessible in Australia should consider data practices such as profiling, direct marketing and targeted advertising, as well as any emerging harms from artificial intelligence (AI) affecting children.

Further updates from our team on developments in this area will continue to be published here.

For assistance with preparing any submissions during the Phase 3 public consultation (in early 2026), please reach out to any of our team.

4. OAIC’s first Consumer Data Right determination

Businesses that are ‘designated data holders’ under Australia’s Consumer Data Right (CDR) regime[4] are reminded of their APP 1 and APP 11 obligations in light of the OAIC’s recent CDR determination, which clarified the position on liability for the actions of third-party providers.

On 14 May 2025, the OAIC handed down its first CDR determination, against Regional Australia Bank (RAB).[5] The OAIC determined that RAB, in its capacity as a data holder, had breached APP 1 and APP 11 through the conduct of its third-party service provider, Biza. This determination clarifies the OAIC’s position on liability for businesses where outsourcing is involved.

The Commissioner found that:

  • RAB, which was in the process of transitioning to Biza’s software platform, was liable for the fault in Biza’s software, which led to the co-mingling of the data of up to 197 RAB consumers and was a privacy safeguard breach;
  • specifically, RAB was found to have breached APP 11 by failing to take reasonable steps to ensure that the CDR data it held was accurate when preparing for and implementing the upgrade;
  • despite RAB seeking, via contractual provisions, to shift liability for non-compliance with the CDR framework to Biza, the nature of the agreements between RAB and Biza and the obligations contained in them made Biza’s activities conduct engaged in on behalf of RAB; and
  • further, s 84(2) of the Competition and Consumer Act 2010 (Cth) provides that when a company acts as an agent of another, that conduct is deemed to have been engaged in by the other entity for the purposes of the CDR (i.e., even if RAB had no knowledge or awareness of any failings by Biza, or was not in a position to take steps to prevent or address them, it was still liable).

The Commissioner declared that RAB must review and consider opportunities to strengthen the terms of its contractual agreement with Biza, and implement documented processes to ensure that it proactively reviews and monitors its compliance with the Privacy Safeguards and the APPs in circumstances where it continues to outsource CDR functions to a third party.

Because of its remediation efforts, and the lack of evidence of loss suffered by affected customers, RAB did not face a fine from the privacy regulator.

5. Social Media Age Restriction

By 11 December 2025, certain social media platforms will be required to take reasonable steps to prevent children under the age of 16 from having accounts on their platforms under Australia’s new age-restriction laws. Specifically, the new regime captures “age-restricted social media platforms”, defined to include (but not limited to) electronic services that have a sole or significant purpose of enabling online social interaction between two or more end-users, allow end-users to interact with some or all other end-users, and allow end-users to post material on the service.

The requirement for age-restricted social media platforms to take reasonable steps to prevent age-restricted users from having accounts has a delayed commencement: the requirement, and the civil penalty for contravening it, take effect on a day specified by the Minister for Communications (to be no later than 11 December 2025). Once effective, a contravention will attract a civil penalty of up to AU$9.9 million (s 63D of the Act). The regime also imposes additional obligations on age-restricted social media platforms relating to data collection, and empowers the Commissioner with information gathering powers under Division 4 of the Act for the purpose of monitoring compliance with s 63D.

Expressions of interest to be consulted on the development of guidelines under the new Online Safety Amendment (Social Media Minimum Age) Act 2024 (the Act) closed on 18 May 2025. The Australian eSafety Commissioner (eSafety) has confirmed that it will work with the OAIC to ensure that the guidelines interlock with the OAIC’s complementary regulatory guidance and, once the age restrictions come into effect, will be responsible for monitoring, assessing and enforcing industry’s compliance with them.

As we move through 2025 and beyond, it is clear that the era of reactive compliance is over. The message from regulators is unambiguous: data protection is not a compliance checkbox but a fundamental business imperative that requires ongoing investment, attention, and strategic planning. The Australian Government continues to focus on implementing increasingly robust cybersecurity measures through legislative changes, demanding proactive attention and oversight by businesses. Our team is here to ensure that businesses are best positioned to navigate the changes in this evolving regulatory environment.

Stay tuned for the next alert, covering the period July to December 2025.

For any questions about any of the developments above, please do not hesitate to contact our Australia Data Privacy experts.

This article was written with the assistance of Charlotte Ainsworth and Gianluca Pecora.


[1] Cyber Security Act 2024 (Cth), s 27(1).

[2] The turnover threshold is set under the Cyber Security (Ransomware Payment Reporting) Rules 2025 (the Reporting Rules).

[3] For a full list, see rule 7 of the Reporting Rules.

[4] The CDR enables consumers of certain businesses within the banking and energy sectors in Australia to require information relating to themselves to be disclosed to themselves or to other businesses in those sectors. All Australian banks, and energy retailers which operate through the National Electricity Market (NEM) with more than 10,000 customers, are required to participate in the CDR.

[5] Commissioner Initiated Investigation into Regional Australia Bank Limited (Privacy) [2025] AICmr 89 (14 May 2025).
