Privacy reform is an operating model problem

What changed, what changes next, and the design decisions you should already be making.

Share
Privacy reform is an operating model problem

What changed, what changes next, and the design decisions you should already be making.

SECTION ONE

Why this matters

Australian privacy law has moved meaningfully since late 2024 and shifts again in December 2026. The direction is consistent: higher stakes, narrower exemptions, and more transparency required from the systems making decisions about people.

If your platform collects information from clients, members, participants or the public (not just employees), these changes apply to design decisions you are making right now. The small business turnover exemption is shrinking in practical effect, and is widely expected to disappear in the next tranche of reforms.

Pre-AI, a weak process produced occasional errors, the kind a person in the loop might catch. AI runs the same process at machine scale, so a latent flaw stops being an incident and becomes a pattern. The amplifier doesn’t choose what it scales. Designing for Australian Privacy Principles (APP) compliance from day one isn’t hygiene; it’s the difference between amplifying a sound operating model and amplifying a determination.

Privacy reform is not a legal problem to be solved by lawyers. It is an operating model problem that shows up in product decisions, vendor contracts, and the rules that govern how your business uses data.
SECTION TWO

The four shifts to design around

Four legal changes (two already in force, two coming in December 2026) define the new posture. Each one lands somewhere different in the business. Read them as design constraints, not legal trivia.

When What changed What it means for the operating model
Late 2024 Penalty tiers expanded Maximum civil penalty is now the greater of A$50M, three times the benefit obtained, or 30% of turnover. Mid-tier penalties up to A$3.3M for companies. Cyber risk is now a board-level financial exposure, not an IT line item.
10 June 2025 Statutory tort for serious invasion of privacy Individuals can sue directly, without proving loss. Mishandling user data is now a direct legal exposure, not only a regulator exposure. The threat model widens.
10 December 2026 Automated decision-making transparency (APP 1.7–1.9) If a program uses personal information to make, or substantially assist, a decision significantly affecting someone, the privacy policy must disclose what data and what decisions. The definition catches AI, ML and rule-based systems. A failure to decide counts.
10 December 2026 Children’s Online Privacy Code A new code is registered by this date. If under-18s are in scope, expect additional design and consent constraints. Many teams are scoping under-18s out of v1 deliberately.
SECTION THREE

What this changes in how you design

Seven design decisions follow directly from the new posture. None of them are optional. All of them are cheaper to design in than to retrofit.

01
Consent

Treat sensitive information as a separate consent layer.

Health, mental wellbeing, ethnicity and similar fields are sensitive under APP 3. They need their own explicit consent, captured and timestamped, not bundled into a single terms acceptance.

02
Decisions

Inventory every automated decision before December 2026.

The APP 1.7 definition is broad. Rule-based logic counts. Scoring counts. Anything that substantially assists a human decision counts. Build the inventory now and document inputs and outputs.

03
Human review

Build a human review pathway.

Not strictly mandated, but strongly signalled by OAIC guidance and the Robodebt backdrop. Expect to need a documented route for someone to challenge an automated outcome, and to evidence it.

04
Vendors

Bind your LLM and cloud vendors contractually.

If inference routes overseas, APP 8 requires contractual safeguards. A data processing agreement that prevents training on user data is non-negotiable. A vendor policy decision, not a procurement one.

05
Access control

Role-scope access from day one.

The statutory tort changes the maths on access. Least-privilege access with logging is now the minimum defensible posture. Retrofitting this is painful. Designing it in is not.

06
PIA budget

Budget for a Privacy Impact Assessment.

A qualified Australian privacy lawyer, not a project manager. Typical cost A$5,000–A$15,000. Cheaper than an OAIC determination, and faster than rebuilding a feature that should not have shipped.

07
Biometrics

Keep biometrics out unless they are essential.

The 2024 Bunnings determination set a clear marker. If your product does not need facial recognition or biometric data, keep it out of scope. The risk surface is rarely worth the feature.

SECTION FOUR

Where teams most often get it wrong

Four recurring mistakes, each one a function of treating privacy as a compliance task rather than an operating model design input.

The assumption The reality
01
The exemption trap

Small business exemption covers us.

Under the turnover threshold, so the Privacy Act doesn’t apply to what we’re building.

Handling sensitive data? The exemption may already not apply.

And it is likely to disappear entirely in the next tranche of reforms.

02
Set and forget

The privacy policy is a launch artefact.

Lawyer drafts it, it ships with v1, we revisit it if something material changes.

Policy quality is an active enforcement priority.

The OAIC ran its first compliance sweep in January 2026. It is not a launch checklist item.

03
The rubber-stamp defence

A human signs off, so AI is out of scope.

The model recommends, a person approves. APP 1.7 sits one step away from the decision.

If the AI substantially assists, APP 1.7 still applies.

A rubber-stamp human review does not move the work outside the regime.

04
Scrape first, ask later

Aggregate broadly. Permission is friction.

If it’s online, we can collect it. Third-party data is fair game for training and enrichment.

Scraping triggers Privacy Act obligations and breaches terms of service.

Permission-based partner integrations are the safer path.

SECTION FIVE

How we think about it

Privacy law lives at the intersection of the two Chatsworth Street practices. Most of the December 2026 requirements are operating model questions in legal clothing: automated decisions, sensitive data flows, vendor obligations, human-in-the-loop design. Those questions belong in the policy layer of the operating model, written deliberately, before the system is built.

The penalty regime and the statutory tort are digital risk questions. They demand a risk profile, a documented control set, and independent assurance that the controls are operating. That is the TasCyber lifecycle (Risk, then Capability, then Assurance) applied to privacy specifically.

Two practices, one principle: order before automation. Define how the business creates value and how it handles personal information. Write the policies. Then decide what gets automated, what gets reviewed, and what gets escalated.

If your product handles personal information from non-staff users, the privacy posture is not a launch task. It is an operating model decision, and the decisions you make now will compound.
NEXT STEP

Let’s talk

If you are building, scaling or buying a product that handles personal information (and the December 2026 deadline is in the rear-view of your roadmap), start a conversation. The work is cheaper before the system ships than after.

This is informed commentary, not legal advice. Before launching a product that handles personal information from non-staff users, commission a Privacy Impact Assessment from a qualified Australian privacy lawyer. If you need a recommendation, please connect with us, we have a local Tasmanian firm that we recommend.


Performance is made, not found.

Chatsworth Street · hello@chatsworthstreet.ai · chatsworthstreet.ai

Performance is made, not found.