OAIC Steps Up Privacy Enforcement Following Optus Data Breach

Privacy compliance is firmly back in the regulatory spotlight, with recent action by the Office of the Australian Information Commissioner (OAIC) underscoring a tougher enforcement approach under the Privacy Act 1988 (Cth).

The OAIC has commenced its first broad privacy policy compliance sweep, focusing on businesses operating in sectors it considers higher risk, including:

  • property and rental services,
  • pharmacies,
  • licensed venues,
  • car rental businesses,
  • dealerships and
  • second-hand traders.

The review assesses whether privacy policies comply with the transparency and content requirements outlined in the Australian Privacy Principles.

For businesses that fall short, the consequences can be significant. Amendments passed in late 2024 increased the penalties available for non-compliance, with fines of up to $330,000 now available for certain contraventions. According to the OAIC, the purpose of the sweep is not only enforcement but also pushing organisations toward stronger privacy governance and clearer communication with customers.

This regulatory activity cannot be viewed in isolation. It follows years of growing concern about how organisations collect, store and protect personal information, particularly in the wake of major data breaches.

The Optus Proceedings

That context is critical to understanding the OAIC’s decision to commence civil penalty proceedings against Optus in August 2025. The proceedings arise from the well-publicised 2022 data breach, which affected approximately 9.5 million current and former customers.

The personal information exposed was extensive. In addition to names and contact details, some individuals had government-issued identification compromised, including driver’s licences and passport numbers. The OAIC alleges that Optus failed to take reasonable steps to protect this information, as required by Australian Privacy Principle 11.1.

The Commissioner has argued that these failures increased the risk of identity theft and fraud for affected individuals and that stronger security safeguards could have reduced the impact of the breach.

Under the law as it stood at the time of the incident, serious or repeated interferences with privacy could attract penalties of up to $2.22 million per contravention. In the Optus case, the OAIC has alleged a separate contravention for each affected individual, with the outcome to be determined by the Federal Court.

A Much Harsher Regime Going Forward

If a similar breach were to occur today, the potential exposure would be far greater. Legislative reforms introduced since 2022 have dramatically increased maximum penalties and expanded the OAIC’s enforcement toolkit.

The regulator now has broader powers to compel information, enter premises, issue compliance notices and require remedial action. From June 2025, individuals also gained the right to bring claims for serious invasions of privacy where conduct is intentional or reckless, with damages available even where no financial loss can be shown.

What This Means for Businesses

Taken together, the Optus proceedings and the OAIC’s compliance sweep send a clear message. Privacy compliance is no longer a background administrative issue. Regulators expect businesses to actively understand where personal information sits within their systems, how it is protected, and who is accountable for managing risk.

Regular security reviews, clear internal ownership of privacy obligations, careful oversight of third-party providers and tested incident response plans are no longer merely best practices; they are becoming baseline expectations.

For many organisations, now is the right time to revisit privacy policies, governance frameworks and data security arrangements before the regulator comes knocking.

Contact Us

For more information, contact Bambrick Legal today. We offer a free, no-obligation 30-minute consultation for all enquiries.