An Interview with Angela McDonald, Director of Optimum Recoveries, and Craig Mason, Principal Lawyer at SMS Law.

Angela McDonald:
With major changes to Australia’s Privacy Act now in full effect, many businesses are asking: What do we need to do now? Even companies that were previously exempt may soon need to comply. To help unpack this, I’ve asked our Legal Partner Craig Mason of SMS Law to join me for a short Q&A.

Craig, some of our clients are only just realising these changes affect them. What’s changed?

Craig Mason:
As of 10 June 2025, several major reforms came into effect under the Privacy and Other Legislation Amendment Act 2024. These include:

  • A statutory tort for serious invasions of privacy, giving individuals the right to sue for intentional or reckless privacy breaches.
  • Enhanced powers for the Office of the Australian Information Commissioner (OAIC) to issue infringement notices and administrative fines directly.
  • Stricter obligations around data security, requiring businesses to implement reasonable technical and organisational safeguards.
  • New overseas data transfer rules, including a whitelist of countries deemed to have adequate privacy protections.
  • The criminalisation of doxxing, or publishing someone’s private information without consent.

These changes are already in effect and are enforceable now.

Angela:
There’s been a lot of talk about the small business exemption being removed. Has that happened?

Craig:
Not yet. The government has indicated that the removal of the small business exemption is likely, but it hasn’t been implemented at this stage. That said, businesses earning under $3 million annually should start preparing now, because the direction of reform is clear.

Angela:
So if a business handles customer information, what are their obligations now?

Craig:
They need to:

  • Be clear about how and why they collect personal information
  • Apply appropriate security controls to protect that data
  • Disclose if they use automated decision-making, such as AI or credit scoring
  • Ensure any overseas data sharing complies with Australian standards

Angela:
What documents should businesses review straight away?

Craig:
There are three main areas:

  1. Privacy Policies – Ensure both internal and external policies accurately reflect current practices.
  2. Website and Collection Notices – These must clearly state what data is collected, how it’s used, and who it’s shared with.
  3. Credit Application Terms & Client Agreements – If you collect financial or identity data, ensure consent and use are clearly addressed.

Angela:
There’s also growing concern about privacy breaches and doxxing. How are those addressed?

Craig:
The new laws have raised the stakes significantly. Fines for serious breaches can now reach $50 million, or 30% of an organisation’s turnover. And under the new criminal provisions, doxxing is now a prosecutable offence. Businesses need to ensure their data handling practices are defensible.

Angela:
We often see how poor documentation can snowball into bigger problems. What should a business do if they’re unsure?

Craig:
Get your documentation reviewed. We offer flat-fee privacy checks so businesses can ensure they’re compliant without blowing the budget. Proactive steps now can prevent costly problems later.

Angela:
Thanks, Craig. We’ll continue to share updates as these reforms progress.

Need Guidance?

Optimum Recoveries helps businesses prevent risk, manage debt, and stay compliant. If you’re unsure where you stand, we can help. Contact us today!