:PROPERTIES:
:ID: 834689e9-be0a-4822-9085-9b6b22294fd2
:ID: auto-privacy-act-aus
:CREATED: [2026-05-23 Sat]
:END:
#+title: Privacy Act 1988 (Australia)
#+filetags: :passepartout:compliance:framework:privacy:

Australia's federal privacy law (amended 2023-2025). Comprehensive reform in progress — the Privacy Act Review (2023) proposes significant expansion: tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained), direct right of action for individuals, new tort of serious invasion of privacy, children's privacy code, automated decision-making transparency.

Who must comply: Most Australian businesses with >$3M AUD turnover; all health service providers; all businesses handling tax file numbers. Extraterritorial — applies to any organization with an Australian link.

Penalties: Current maximum $50M AUD (from amendments effective late 2024). OAIC (Office of the Australian Information Commissioner) enforces. New direct right of action will increase private litigation.

Why it matters: The Privacy Act Review's proposed automated decision-making transparency requirements are unique — organizations must disclose the logic and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the most defensible transparency artifact available. First-mover advantage: the reforms are being legislated now; early adoption positions the gate stack as the reference implementation.

** [[id:904f5f12-ec9a-4cbf-854a-0b9b1e11a521][APRA CPS 234 (Prudential Standard — Information Security)]]