What Changed in 2024 — and Why It Matters Now
The Privacy and Other Legislation Amendment Act 2024 is the most significant change to Australian privacy law in over a decade. The changes are not aspirational: much of the Act commenced on royal assent in December 2024, and the remaining provisions commence on fixed dates rather than at some future discretion. Organisations that have not updated their approach to privacy compliance are already exposed.
The headline number is the penalty ceiling. For a serious interference with privacy, the maximum civil penalty is the greatest of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the breach turnover period. That ceiling was introduced by the 2022 enforcement amendments; what the 2024 Act adds is a tiered regime beneath it: mid-tier penalties for interferences with privacy that do not meet the seriousness threshold, and low-tier penalties, enforceable by infringement notice, for specified administrative breaches including failures in the privacy policy and collection notice obligations. For a mid-market Australian business, these are not theoretical numbers. They are existential.
What the OAIC Looks For in an Investigation
When the OAIC investigates a notifiable data breach, how the breach occurred is only part of what it examines. The larger question is what your organisation did, and did not do, before the breach happened. Specifically: did you have a current, implemented, tested privacy compliance posture? Or did you have a privacy policy from three years ago that no one had reviewed?
The Australian Privacy Principles impose thirteen obligations on APP entities, covering how personal information is collected, stored, used, disclosed and protected. They require that your privacy policy accurately reflects your actual data practices, not what you intended to do. They require that disclosures to third parties, including overseas recipients, are authorised and documented. And because APP 1 requires reasonable steps to implement practices, procedures and systems that ensure compliance, you must be able to show, with evidence, that these obligations are being met.
Key Obligations Under the Thirteen Australian Privacy Principles
- APP 1 — Open and transparent management of personal information: a current, accurate privacy policy, and reasonable steps to implement practices, procedures and systems that ensure compliance
- APP 3 — Collection of solicited personal information: collect only what is reasonably necessary for your functions or activities, and sensitive information only with consent or under an exception
- APP 5 — Notification of collection: tell individuals, at or before collection or as soon as practicable afterwards, who you are, why you are collecting, and to whom you disclose, including overseas recipients
- APP 6 — Use or disclosure: use or disclose only for the primary purpose of collection unless an exception applies, such as consent, a related purpose the individual would reasonably expect, or a legal requirement
- APP 8 — Cross-border disclosure: before disclosing to an overseas recipient, take reasonable steps to ensure the recipient handles the information in accordance with the APPs; the disclosing entity remains accountable for the recipient's handling unless an exception applies
- APP 11 — Security of personal information: reasonable steps to protect it from misuse, interference, loss, and unauthorised access, modification or disclosure, and to destroy or de-identify it once it is no longer needed
- APP 12 — Access to personal information: individuals can request access to the personal information you hold about them, and you must respond within a reasonable period
What Your Public Presence Reveals About Your Compliance
Much of your Australian Privacy Principle compliance is observable from outside the organisation, without any access to your systems, your databases, or your internal processes. Your website, your mobile applications, your third-party integrations and your domain's DNS records all reveal how you handle personal data.
Third-party trackers collecting personal data without adequate disclosure. Analytics platforms sending data to overseas servers with nothing to show that the APP 8 cross-border obligations have been addressed. Privacy policies that describe practices no longer in use. Cookie consent mechanisms that load trackers before consent is given or after it is refused. Email domains without an enforcing SPF and DMARC policy, which lets anyone send mail that appears to come from you: a direct vector for phishing your clients for personal information.
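The email-spoofing point above is the one external signal in that list that can be checked mechanically. The script below is an added example, not BlackFlag's assessment tooling or anything from the original page: it evaluates the SPF and DMARC TXT records an external assessor would retrieve (the SPF record from the domain apex, the DMARC record from _dmarc.<domain>) and reports whether a forged From: address in that domain is likely to be delivered. DNS resolution is deliberately left out so it runs offline; the weak.example and hardened.example records are constructed samples, not real domains' data.

```python
"""Assess whether a domain's published SPF and DMARC records leave it spoofable.

Added example (not BlackFlag's tooling). It consumes the TXT record strings an
external assessor retrieves (TXT at the domain apex for SPF, TXT at
_dmarc.<domain> for DMARC) and reports findings. DNS resolution is left out so
the check runs offline; the sample records below are constructed, not real.
"""
import re

# An SPF 'all' mechanism with an optional qualifier, delimited by whitespace so
# that terms such as include:all.example are not mistaken for it.
SPF_ALL = re.compile(r"(?:^|\s)([+\-~?]?)all(?:\s|$)")


def parse_spf(records):
    """Return the SPF 'all' qualifier, 'redirect', or None if no usable policy.

    RFC 7208: zero or more than one v=spf1 record means no valid policy. A
    missing 'all' mechanism defaults to neutral ('?') unless a redirect=
    modifier delegates the policy to another domain.
    """
    spf = [r.strip() for r in records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    record = spf[0].lower()
    match = SPF_ALL.search(record)
    if match:
        return match.group(1) or "+"
    return "redirect" if "redirect=" in record else "?"


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if no single v=DMARC1 record exists."""
    dmarc = [r.strip() for r in records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("pct", "100")  # RFC 7489 default: policy applies to all mail
    return tags


def assess_domain(spf_records, dmarc_records):
    """Map the published records to the findings an external review would raise."""
    findings = []
    qualifier = parse_spf(spf_records)
    if qualifier is None:
        findings.append("SPF: no single valid v=spf1 record; receivers cannot check sender IPs")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises every sender; the record offers no protection")
    elif qualifier == "?":
        findings.append("SPF: no 'all' mechanism; unlisted senders receive a neutral result")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfails only; enforcement depends entirely on DMARC")
    elif qualifier == "redirect":
        findings.append("SPF: policy delegated via redirect=; evaluate the target domain's record")

    dmarc = parse_dmarc(dmarc_records)
    if dmarc is None:
        findings.append("DMARC: no policy published; SPF and DKIM failures are never enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag; receivers ignore the record")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif dmarc["pct"] != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so spoofing attempts go unreported")
    return findings


def is_spoofable(spf_records, dmarc_records):
    """True when a forged From: header in this domain is likely delivered unchallenged."""
    dmarc = parse_dmarc(dmarc_records)
    enforced = dmarc is not None and dmarc.get("p", "").lower() in ("quarantine", "reject")
    # With '+all' any sending IP passes SPF, so even an enforced DMARC policy
    # passes for an attacker who sets MAIL FROM to the target domain.
    return not enforced or parse_spf(spf_records) == "+"


# Constructed sample records standing in for what a TXT lookup would return.
SAMPLE_DOMAINS = {
    "weak.example": {
        "spf": ["v=spf1 include:_spf.mailprovider.example ~all"],
        "dmarc": [],
    },
    "hardened.example": {
        "spf": ["v=spf1 include:_spf.mailprovider.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened.example"],
    },
}

if __name__ == "__main__":
    for name, recs in SAMPLE_DOMAINS.items():
        verdict = "SPOOFABLE" if is_spoofable(recs["spf"], recs["dmarc"]) else "protected"
        print(f"{name}: {verdict}")
        for finding in assess_domain(recs["spf"], recs["dmarc"]):
            print("  -", finding)
```

To run it against a real domain, feed it the strings returned by a TXT query for the apex and for _dmarc.<domain> (for example from dig or nslookup). Note that DKIM is not assessed: it cannot be discovered without knowing the selector names, which is exactly why the DMARC policy, not the presence of DKIM, is what an outside reviewer can verify.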
A BlackFlag Advisory privacy compliance assessment identifies these gaps from the outside — exactly as the OAIC, a privacy litigant, or a journalist conducting due diligence would. We map findings to the relevant Australian Privacy Principles and deliver a prioritised remediation roadmap within five to seven business days.
Who Is Most Exposed Right Now
Any Australian organisation with annual turnover above $3 million that handles personal information is an APP entity, as are health service providers and certain other businesses regardless of turnover. That covers the majority of Australian organisations of any size. The organisations at highest current exposure are those that have not reviewed their privacy practices since the 2024 amendments, those that operate mobile applications that collect personal information, those that use third-party marketing or analytics platforms with cross-border data flows, and those in the sectors that feature most heavily in OAIC enforcement and breach reporting: health, financial services, education, and professional services.
If your organisation falls into any of those categories and cannot currently produce independent evidence of privacy compliance, you have a gap that needs to be closed before it is closed for you.