The OAIC Is Done Warning: What Australia's First Privacy Compliance Sweep Means for Your Business
Australia's privacy regulator launched its first-ever compliance sweep in January 2026, reviewing 60 businesses across six sectors. With new powers to issue $66,000 infringement notices without going to court, the enforcement era has arrived.
For the better part of a decade, Australia's Office of the Australian Information Commissioner took a largely educative approach to privacy enforcement. Guidance was published, breach notification obligations were explained, and most businesses that fell short received little more than a stern letter. That era is over. In January 2026, the OAIC launched its first-ever privacy compliance sweep, reviewing the privacy policies of approximately 60 businesses across six sectors, and it did so armed with enforcement powers that didn't exist 18 months ago.
What the compliance sweep actually targets
The OAIC's inaugural sweep focuses on businesses that collect personal information in person: rental and property agencies gathering details at open inspections, pharmacies collecting identity documents for medication, licensed venues scanning IDs at the door, car rental companies and dealerships processing driver information, and pawnbrokers recording transaction details. These six sectors were selected because of the volume of personal information, particularly identity documents, that they routinely handle and the privacy breaches that have already occurred within them.
The sweep assesses compliance with Australian Privacy Principle (APP) 1.4, which requires organisations to have a clearly expressed, up-to-date privacy policy that explains what personal information is collected, how it's used, how individuals can access and correct it, and how complaints are handled. It sounds basic, and it is. But the OAIC clearly expects that a significant number of the 60 entities under review will fall short; otherwise there would be little point in conducting the exercise.
What makes this sweep different from previous regulatory activity is the consequence. Entities found to have non-compliant privacy policies now face infringement notices carrying penalties of up to $66,000 per contravention, issued directly by the OAIC without court proceedings.
The enforcement toolkit has fundamentally changed
The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024, represents the most significant expansion of the OAIC's enforcement powers since the Privacy Act was introduced. The amendments created a tiered penalty system that gives the regulator options it previously lacked.
At the top end, a serious interference with privacy still carries maximum penalties of $50 million, three times the benefit obtained, or 30% of annual turnover, whichever is greatest. But the new framework fills what was previously a gap between that nuclear option and doing nothing. Non-serious interferences with privacy now attract civil penalties of up to $3.3 million for a body corporate. Below that, the OAIC can issue infringement notices of up to $66,000 for publicly listed companies and $19,800 for other bodies corporate, for breaches of foundational requirements like maintaining a compliant privacy policy.
Critically, the OAIC can now issue these infringement and compliance notices without going to court. The regulator also gained enhanced investigative powers under the Regulatory Powers (Standard Provisions) Act 2014, including entry, search, and seizure powers for documents relevant to investigations. The practical effect is that the OAIC can now operate more like ASIC or the ACCC, identifying non-compliance, issuing penalties, and escalating where necessary, rather than relying almost entirely on voluntary cooperation.
The breach numbers show why this matters
The OAIC's Notifiable Data Breaches statistics for January to June 2025 reported 532 breach notifications, a 10% decrease from the record 595 in the second half of 2024 but still elevated by historical standards. Human error accounted for 37% of all breaches โ up from 29% in the prior period โ while malicious or criminal attacks remained the leading cause at 59%. The health sector continued to report the most breaches at 18%, followed by finance at 14%.
Those human error figures are particularly relevant to the compliance sweep. A business that doesn't have a clear privacy policy is also unlikely to have adequate staff training, data handling procedures, or breach response processes. Poor privacy governance and data breaches are not separate problems; they're different symptoms of the same underlying gap.
Five things to check before the OAIC checks you
Review your privacy policy against the specific requirements of APP 1.4: it must explain what personal information you collect, why, how individuals can access or correct it, whether you disclose it overseas, and how to complain. If your policy was last updated before December 2024, it almost certainly doesn't reflect the new legislative requirements. Test whether front-line staff who collect personal information in person, at reception, on-site, or at point of sale, actually know the policy exists and can explain it to a customer who asks. Finally, check that your policy is genuinely accessible: published on your website, available in-store or on-premises, and written in plain language rather than copied from a legal template.
This is just the beginning
The compliance sweep is the OAIC's opening move, not its endgame. The statutory tort for serious invasions of privacy commenced on 10 June 2025, giving individuals a direct right of action in the courts, a mechanism that didn't previously exist in Australian law. A Children's Online Privacy Code is under development, with public consultation expected in 2026. And the OAIC has signalled that future sweeps will extend beyond in-person data collection to other high-risk sectors and practices.
For businesses covered by the Privacy Act, which includes any organisation with annual turnover above $3 million, along with health service providers, certain small businesses that trade in personal information, and government contractors, the message is clear. The regulator has the tools, the mandate, and the stated intention to enforce. The gap between what the law requires and what many organisations actually do is about to become expensive.