Australia

Five Eyes member balancing extensive surveillance powers with evolving privacy reform

Overview

Australia is a founding member of the Five Eyes (FVEY) intelligence-sharing alliance alongside the United States, United Kingdom, Canada, and New Zealand. The Australian Signals Directorate (ASD), Australian Security Intelligence Organisation (ASIO), and Australian Secret Intelligence Service (ASIS) maintain extensive surveillance and signals intelligence capabilities. Australia’s Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, the TOLA Act, grants agencies power to compel technology companies to build capabilities for accessing encrypted communications, drawing opposition from Apple, Google, Mozilla, and digital rights organisations worldwide.[2] Despite an independent review recommending 33 significant reforms, most remain unimplemented as of early 2026.[3]

Australia’s privacy framework is anchored by the Privacy Act 1988 and its 13 Australian Privacy Principles (APPs), enforced by the Office of the Australian Information Commissioner (OAIC). On the civilian privacy side, Australia has been engaged in significant reform following major data breaches at Optus (September 2022) and Medibank (October 2022) that exposed the personal information of millions of Australians.[1] The landmark Privacy and Other Legislation Amendment (POLA) Act 2024 enacted the first tranche of long-awaited reforms, introducing a statutory tort for serious privacy invasions, anti-doxxing criminal offences, and significantly enhanced regulatory enforcement powers. A second tranche of reforms, including the potential removal of the small business exemption and the introduction of a right to erasure, remains pending.

Data Protection Authority: Office of the Australian Information Commissioner (OAIC)

Structure and Leadership

The Office of the Australian Information Commissioner (OAIC) operates under a three-Commissioner model as of 2024:[4]

  • Elizabeth Tydd – Australian Information Commissioner (commenced 16 August 2024)
  • Carly Kind – Privacy Commissioner (commenced 26 February 2024; formerly inaugural Director of the London-based Ada Lovelace Institute)[5]
  • Toni Pirani – Freedom of Information Commissioner

The OAIC administers the Privacy Act 1988, the Freedom of Information Act 1982, and 39 other pieces of legislation. It has powers to investigate complaints, conduct assessments, issue determinations, accept enforceable undertakings, and bring civil penalty proceedings in the Federal Court.

Enforcement Powers (Expanded by POLA 2024)

The POLA Act 2024, which commenced on 10 December 2024, significantly expanded the OAIC’s enforcement toolkit:[6]

  • New tiered civil penalty regime with low-level, medium-level, and high-level penalties
  • Power to issue compliance notices directly (requiring or prohibiting specific actions)
  • Power to issue infringement notices for lower-level breaches
  • Enhanced powers to compel production of information and documents
  • Broader investigative scope to examine systemic practices, not just individual incidents
  • Greater discretion to issue public determinations and statements

Maximum Penalties

Since December 2022, penalties for serious or repeated privacy breaches are the greater of:[7]

  • AUD $50 million
  • Three times the value of the benefit obtained from the contravening conduct
  • 30% of adjusted domestic turnover during the breach period (when the benefit cannot be determined)

Notable Enforcement Actions

Australian Clinical Labs / Medlab Pathology (October 2025): The OAIC’s first-ever civil penalty under the Privacy Act. AUD $5.8 million penalty for a February 2022 cyberattack by the Quantum Group that exfiltrated health data of 223,000 individuals. The penalty comprised $4.2M for failure to secure personal information (APP 11), $800K for failure to investigate the incident, $800K for failure to report a data breach promptly, plus $400K in legal costs.[8]

Meta Platforms (Facebook/Cambridge Analytica): AUD $50 million enforceable undertaking payment programme.[9]

Medibank Private (June 2024): Civil penalty proceedings filed in Federal Court over the October 2022 data breach affecting 9.7 million Australians. The OAIC alleges Medibank failed to take reasonable steps to protect personal information. Proceedings ongoing.[10]

Optus (ongoing): Civil penalty proceedings filed in Federal Court seeking penalties and compensation in relation to the September 2022 data breach that exposed the personal information of up to 9.8 million current and former customers, including passport numbers, driver’s licence numbers, and Medicare IDs.[33]

Clearview AI (October 2021): Determination that Clearview AI breached the Privacy Act by scraping biometric information from the web. Ordered to cease collecting facial images from Australian individuals and destroy existing data. Clearview appealed but withdrew in August 2023; the OAIC subsequently dropped further action in 2024.[11]

Privacy Act 1988

The Privacy Act 1988 (Cth) is the principal federal privacy legislation. It regulates the handling of personal information by “APP entities”: Australian Government agencies and private sector organisations with annual turnover of more than AUD $3 million.[12]

The 13 Australian Privacy Principles (APPs)

  • APPs 1–2: Open and transparent management of personal information; anonymity and pseudonymity
  • APPs 3–5: Collection of personal information (including sensitive information), notification of collection, and unsolicited information
  • APPs 6–9: Use, disclosure, direct marketing, and cross-border disclosure of personal information
  • APPs 10–11: Quality and security of personal information
  • APPs 12–13: Access to and correction of personal information

Key Exemptions

Small business exemption: Organisations with annual turnover of AUD $3 million or less are generally exempt, with exceptions for health service providers, businesses trading in personal information, those holding accreditation under the Consumer Data Right, and others. The potential removal of this exemption is part of the pending second tranche of reforms.[13]

Employee records exemption: Private sector employers are exempt from the APPs in relation to employee records where the act or practice is directly related to the employment relationship. This means millions of Australian workers have no federal privacy protections for their employment data, a gap that labour unions and privacy advocates have long criticised.[12]

Other exemptions apply to journalism, state and territory government agencies (covered by their own state laws), registered political parties, and intelligence agencies (covered by separate legislation).

Privacy and Other Legislation Amendment (POLA) Act 2024

The POLA Act represents a major overhaul of Australia’s privacy framework. It passed both Houses of Parliament on 29 November 2024 and received Royal Assent on 10 December 2024, enacting the first tranche of reforms from the comprehensive Privacy Act Review that produced 116 proposals in February 2023.[14]

Enacted Reforms

Statutory tort for serious privacy invasions: For the first time, Australians have a personal right of action to sue for privacy invasions, covering both intrusion upon seclusion and misuse of personal information. This provision commenced on 10 June 2025.[15]

Strengthened APP 11 (security): Explicit requirements for both technical and organisational security measures, including multifactor authentication, encrypted storage, and access privilege structures.[14]

Anti-doxxing provisions: A new criminal offence for sharing personal information with intent to harm, punishable by up to 7 years’ imprisonment.[14]

Automated decision-making (ADM) transparency: Organisations must disclose in their privacy policies when automated processes make decisions significantly affecting individuals’ rights. This provision takes effect 10 December 2026.[14]

Children’s Online Privacy Code: The OAIC must develop and register a code addressing online privacy protections for individuals under 18 by 10 December 2026.[16]

Pending Second Tranche

Major reforms still awaiting legislation include: an expanded definition of “personal information,” a fair and reasonable test for data processing, removal or narrowing of the small business exemption, removal of the employee records exemption, minimum and maximum data retention periods, a right to erasure, and a direct right of action for all privacy breaches (not just serious invasions).[17]

Consumer Data Right (CDR)

The Consumer Data Right is a sector-specific data portability framework established by the Treasury Laws Amendment (Consumer Data Right) Act 2019, inserting Part IVD into the Competition and Consumer Act 2010. The CDR gives consumers the right to access data held about them by businesses (“data holders”) and to authorise its transfer to accredited third parties (“accredited data recipients”) in a standardised, machine-readable format.[18]

Sector Rollout

  • Banking (Open Banking): CDR rules commenced February 2020; mandatory data sharing by the four major banks from July 2020
  • Energy: Product data sharing commenced October 2022; consumer data sharing from November 2022
  • Non-bank lenders: From 2026
  • Telecommunications: Designated but not yet commenced

Action Initiation (2024 Expansion)

The Treasury Laws Amendment (Consumer Data Right) Act 2024 (passed August 2024) introduced action initiation, or “write access,” enabling consumers to authorise third parties to initiate actions such as payments, switching providers, or updating details, moving beyond the original read-only model.[19]

The CDR is co-regulated by the ACCC (competition and conduct), the OAIC (privacy), and the Data Standards Body (DSB) within Treasury (technical standards).

Surveillance Laws

Telecommunications (Interception and Access) Act 1979 (TIA Act)

The TIA Act is the primary federal law governing lawful interception of telecommunications in Australia. It establishes several key mechanisms:[20]

  • Interception warrants: Authorise real-time interception of telecommunications, issued by a judge or a member of the Administrative Appeals Tribunal (AAT). Available to ASIO, AFP, state and territory police, and other designated agencies.
  • Stored communications warrants: Authorise access to stored communications (emails, text messages, voicemail), with a lower threshold than interception warrants.
  • Preservation notices: Require telecommunications carriers to preserve stored communications for a specified period pending a warrant application.
  • Telecommunications data access: Framework for agencies to access metadata (subscriber information, traffic data) without a warrant.

Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act)

The TOLA Act, Australia’s controversial “anti-encryption” law, was enacted in December 2018 with bipartisan support after Labor agreed to vote for it on the condition of future amendments. It creates a three-tier framework for compelling technology companies to assist law enforcement in accessing encrypted communications:[2]

  • Technical Assistance Requests (TARs): Voluntary requests to communications providers to use existing decryption or data access capabilities. Issued by agencies.
  • Technical Assistance Notices (TANs): Compulsory notices requiring providers to use capabilities they already have. Issued by agency heads.
  • Technical Capability Notices (TCNs): Compulsory notices requiring providers to build new capabilities to give assistance. Issued by the Attorney-General.

The “systemic weakness” controversy: The Act contains an express prohibition against requiring providers to build or implement a “systemic weakness” or “systemic vulnerability.” However, critics, including Apple, the EFF, Access Now, Digital Rights Watch, and Mozilla, argue this prohibition is vague and effectively unenforceable, since the government itself defines what constitutes such a weakness. They contend that requiring companies to build “targeted” access capabilities inevitably creates systemic vulnerabilities.[21]

INSLM Review (June 2020): The Independent National Security Legislation Monitor (Dr James Renwick CSC SC) completed a review and made 33 recommendations, including requiring TANs and TCNs to be reviewed and approved by the AAT via a new Investigatory Powers Commissioner. As of early 2026, most recommendations remain unimplemented.[3]

Australian Security Intelligence Organisation Act 1979 (ASIO Act)

The ASIO Act establishes ASIO as Australia’s domestic security intelligence agency and defines its warrant-based powers. All warrants require Attorney-General authorisation:[22]

  • Questioning warrants: In exceptional circumstances, ASIO can question individuals in connection with investigations into espionage, foreign interference, or politically motivated violence.
  • Computer access warrants (Section 25A): Authorise remote access to computers to obtain data relevant to security matters, including use of telecommunications facilities for this purpose.
  • Search warrants: Entry and search of premises for materials relevant to security.
  • Surveillance device warrants: Installation and monitoring of optical, listening, and tracking devices.
  • Telecommunications interception warrants: Real-time interception of communications.
  • Identified person warrants: Allow multiple intelligence collection activities against a single target under one consolidated warrant.

All ASIO activities are subject to oversight by the Inspector-General of Intelligence and Security (IGIS) and the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

Surveillance Devices Act 2004

The Surveillance Devices Act 2004 regulates four categories of surveillance devices used by federal law enforcement agencies:[23]

  • Listening devices: Devices capable of recording or monitoring conversations
  • Optical surveillance devices: Cameras and visual monitoring equipment
  • Tracking devices: GPS and other location-monitoring technology
  • Data surveillance devices: Devices monitoring data input/output from computers

Warrants are required for most uses, issued by judges or AAT members. Limited warrantless use provisions exist for tracking devices in certain urgent circumstances and listening with participant consent. The Act operates alongside separate state and territory surveillance devices legislation, creating what has been described as “an inconsistent patchwork with no unifying principles of operation.”

Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (SLAID Act)

The SLAID Act granted three new offensive cyber powers to the AFP (Australian Federal Police) and ACIC (Australian Criminal Intelligence Commission) to combat serious online crime, particularly on the dark web:[24]

  • Data disruption warrants: Authorise the AFP/ACIC to add, copy, alter, or delete data to disrupt criminal activity facilitated online, without necessarily gathering evidence.
  • Network activity warrants: Authorise access to data in computers used by criminal networks to collect intelligence about the group’s activities, identities, and methods of operation.
  • Account takeover warrants: Authorise the AFP/ACIC to take control of a person’s online account without the account holder’s knowledge, to gather evidence for a criminal investigation.

Data disruption and network activity warrants must be issued by a judge or AAT member. Account takeover warrants can be issued by a magistrate. The Commonwealth Ombudsman oversees data disruption and account takeover warrants, while the IGIS oversees network activity warrants.[25]

Intelligence Agencies

Australia’s National Intelligence Community (NIC) consists of ten agencies, expanded from six core agencies following the 2017 Independent Intelligence Review:[26]

The Core Six Intelligence Agencies

  • ASIO (Australian Security Intelligence Organisation) – Domestic security intelligence, counter-espionage, counter-terrorism
  • ASIS (Australian Secret Intelligence Service) – Foreign human intelligence (HUMINT)
  • ASD (Australian Signals Directorate, formerly DSD) – Signals intelligence (SIGINT), cybersecurity, cyberwarfare operations
  • AGO (Australian Geospatial-Intelligence Organisation, formerly DIGO) – Geospatial intelligence (GEOINT)
  • DIO (Defence Intelligence Organisation) – Defence intelligence analysis and assessment
  • ONI (Office of National Intelligence, formerly ONA) – Community coordination, strategic assessment

Additional NIC Members

  • AFP (Australian Federal Police) – Federal law enforcement, counter-terrorism
  • AUSTRAC – Financial intelligence
  • Department of Home Affairs – National security policy
  • ACIC (Australian Criminal Intelligence Commission) – Criminal intelligence

Intelligence Services Act 2001

The Intelligence Services Act 2001 provides the statutory framework for the foreign intelligence agencies, ASIS, ASD, and AGO, which previously operated under executive prerogative without specific legislation. ASIS collects foreign human intelligence (HUMINT) about the capabilities, intentions, and activities of people and organisations outside Australia. ASD, which became a standalone statutory agency under the Intelligence Services Amendment Act 2018, is responsible for signals intelligence (SIGINT) collection, information security for the Australian Government, cyberwarfare operations, and cybersecurity for nationally significant systems. The Act requires ministerial authorisation before undertaking certain activities, and the IGIS reviews the activities of all three agencies.[34]

Five Eyes and Pine Gap

As a founding member of the Five Eyes alliance, Australia shares signals intelligence under the UKUSA Agreement (dating to 1946). ASD’s specific role is monitoring SIGINT in South and East Asia. The Pine Gap Joint Defence Facility, operated jointly with the United States in central Australia, is a key SIGINT collection and satellite ground station.[27]

Oversight of the intelligence community is provided by the IGIS (Inspector-General of Intelligence and Security), the PJCIS (Parliamentary Joint Committee on Intelligence and Security), and the Attorney-General’s Department.

Commercial Surveillance Procurement

Australia’s intelligence and law enforcement agencies have extensively procured commercial surveillance technologies from US and Israeli vendors, creating a parallel surveillance infrastructure that operates alongside the TOLA Act, TIA Act, and ASIO Act frameworks. These procurements raise questions about data sovereignty, oversight, and whether commercially acquired capabilities are subject to the same safeguards as domestic intelligence collection.

Palantir Technologies: Defence and Security Contracts

Australian defence and security agencies have procured Palantir analytics platforms under contracts valued at over AUD $100 million. The Department of Defence, ASD (Australian Signals Directorate), and AFP (Australian Federal Police) have all deployed Palantir systems for intelligence fusion, pattern analysis, and investigative support.[36]

Palantir’s integration into Australian intelligence infrastructure creates potential US CLOUD Act exposure. As a US company, Palantir is subject to compulsory legal process by American law enforcement and intelligence agencies, which can compel production of data stored on Palantir systems regardless of where that data is held or which government collected it. This means Australian intelligence and law enforcement data processed through Palantir platforms could become subject to US warrants and national security letters, creating a pathway for American access that bypasses the UKUSA Agreement intelligence-sharing protocols Australia negotiated with the United States.

Clearview AI: Trials Despite OAIC Determination

Despite the Clearview AI case described above, in which the OAIC determined the company breached the Privacy Act, Australian law enforcement agencies conducted trials of Clearview AI’s facial recognition technology. Queensland Police, South Australia Police, and the AFP all tested the system, which matches faces against a database of over 10 billion images scraped from social media and public websites.[37]

The trials occurred even as Clearview was under order to cease collecting facial images of Australians and destroy existing data. The episode illustrates a pattern: law enforcement agencies procure and test surveillance technologies from commercial vendors, and regulatory action, even when successful, comes years after deployment and may not result in lasting consequences for the vendor.

Cellebrite: Digital Forensics and Device Exploitation

The Australian Federal Police procured Cellebrite systems under contracts worth AUD $17 million. Cellebrite’s tools extract data from mobile devices, bypass encryption, recover deleted messages, and access encrypted messaging applications. State police forces have also deployed Cellebrite platforms for digital forensics and criminal investigations.[38]

The use of Cellebrite raises questions about the TOLA Act’s necessity. When the Assistance and Access Act was debated in 2018, proponents argued it was essential for law enforcement to access encrypted communications in terrorism and serious crime investigations. Yet Australian agencies were already procuring endpoint exploitation tools like Cellebrite that provide access to encrypted data by compromising the device itself, suggesting that the TOLA Act’s requirements for technology companies to build lawful access capabilities may have been unnecessary, as commercial alternatives already existed.

The Oversight Gap

When ASIO deploys surveillance capabilities under the ASIO Act, those activities require Attorney-General warrants and are subject to IGIS oversight. When ASD conducts SIGINT operations under the Intelligence Services Act 2001, ministerial authorisation is required and IGIS reviews the activities. When AFP accesses telecommunications metadata under the Data Retention Act, the access is logged and reported annually.

But when these same agencies purchase analytics platforms, facial recognition systems, or device exploitation tools from commercial vendors, those procurements are treated as standard government contracts subject to normal administrative procurement rules. There is no equivalent requirement for IGIS review of commercial surveillance technology acquisition, no Attorney-General warrant for deploying Palantir analytics or Clearview facial recognition, and no independent assessment of whether these tools comply with the same necessity and proportionality standards that apply to domestic intelligence capabilities.

This creates a regulatory asymmetry: traditional intelligence collection faces robust oversight through IGIS, PJCIS, and ministerial authorisation, while commercially procured surveillance capabilities bypass those accountability mechanisms by entering through the procurement process rather than the intelligence authorisation framework.

TOLA Act and Commercial Surveillance Tools

As noted in the Cellebrite section above, Australian agencies were already procuring commercial endpoint exploitation tools before and during the TOLA Act’s passage. Beyond Cellebrite, agencies have had access to NSO Group products (used by Australian partners) and other exploitation technologies that provide endpoint access to encrypted data. Critics have argued that the TOLA Act formalises access capabilities that were already being procured commercially rather than addressing a genuine gap in intelligence capabilities.

Submarine Cable Surveillance and Asia-Pacific Interception

As a Five Eyes member, Australia operates extensive signals intelligence infrastructure, with ASD playing a critical role in monitoring internet and telecommunications traffic across the Asia-Pacific region. Australia’s geographic position, situated on major submarine cable routes connecting Asia to North America, Europe, and the Middle East, makes it a strategic chokepoint for global communications surveillance.

Australia’s Role in Five Eyes Cable Interception

Under the Five Eyes division of responsibilities, each member is assigned primary responsibility for signals intelligence collection in specific geographic regions. Australia’s area of responsibility covers the South Pacific, Southeast Asia, and portions of the Indian Ocean, a vast region encompassing Indonesia, Malaysia, Singapore, the Philippines, Papua New Guinea, and island nations across the Pacific.[39]

This division of labour means that ASD intercepts communications passing through Australian territory and shares the collected intelligence with NSA, GCHQ, and other Five Eyes partners. The arrangement allows the alliance to achieve near-global coverage of international communications by pooling infrastructure, resources, and access points across member countries.

SEA-ME-WE Cable Systems and Asia-Pacific Access

Australia is a landing point for multiple SEA-ME-WE (South East Asia-Middle East-Western Europe) submarine cable systems, which carry the majority of internet and telecommunications traffic between Asia, the Middle East, Europe, and Australia. These cables pass through Australian territory en route to their destinations, giving ASD access to communications from across the region.[40]

The SEA-ME-WE 3 cable system, one of the longest in the world, connects Australia to Southeast Asia, the Middle East, and Western Europe, with landing points in 39 countries. SEA-ME-WE 4 provides similar coverage. Documents from the Snowden disclosures indicate that Five Eyes agencies, including ASD, have access to traffic from these cable systems, intercepting communications as they pass through landing stations in Australia.

The cables carry traffic from some of the world’s most populous countries, including Indonesia (280 million people), the Philippines (117 million), Vietnam (100 million), and others. ASD’s interception of traffic from these cables affects hundreds of millions of internet users across the Asia-Pacific region, most of whom have no connection to Australia beyond the routing path chosen by their ISPs.

Pine Gap and Satellite Interception

The Pine Gap Joint Defence Facility, located near Alice Springs in the Northern Territory, is operated jointly by Australia and the United States. While officially described as a “ground station for satellite communications,” Pine Gap serves as a critical node in the NSA’s global signals intelligence network, intercepting satellite communications, radar signals, and missile telemetry across Asia, the Middle East, and the Indian Ocean.[41]

The facility is staffed by both ASD and NSA personnel, with the NSA maintaining operational control over much of the infrastructure. Pine Gap’s intercept capabilities complement ASD’s cable access, providing coverage of satellite-based communications that do not pass through terrestrial cables. The facility has been described in leaked documents as playing a role in targeted drone strikes, providing geolocation data for targeted killing operations in Afghanistan, Yemen, and Somalia.

XKeyscore Deployment in Australia

The Snowden disclosures revealed that ASD operates the NSA’s XKeyscore system, allowing Australian analysts to search and query intercepted communications collected from cables, satellites, and other sources. XKeyscore provides a searchable database of internet activity, including emails, web browsing, searches, and social media activity, collected in bulk and filtered using selectors.[42]

ASD’s deployment of XKeyscore means that communications intercepted from Asia-Pacific cables are not only shared with the NSA but are also directly searchable by Australian intelligence analysts. The system allows queries based on email addresses, IP addresses, or keywords, without requiring prior judicial authorisation, a capability that operates entirely outside the framework of the TIA Act, which nominally requires warrants for interception of Australian communications.

Legal Framework and Oversight Gaps

ASD’s cable interception activities are governed by the Intelligence Services Act 2001, which authorises ASD to collect foreign intelligence, support military operations, and provide cybersecurity services. The Act prohibits ASD from targeting Australian persons without ministerial authorisation, but this prohibition applies only to targeting, not to the incidental collection of Australians’ communications that pass through cables ASD monitors.[27]

When an Australian communicates with someone in Indonesia, Malaysia, or Singapore, that communication may pass through cables subject to ASD interception. The communication is collected in bulk, scanned using selectors, and, if it matches a search term, may be retained and shared with Five Eyes partners. The Intelligence Services Act’s prohibition on targeting Australians provides no protection against this “incidental” collection, because the interception is directed at foreign communications generally, not at specific Australians.

The Inspector-General of Intelligence and Security (IGIS) reviews ASD’s activities and can investigate complaints, but IGIS oversight is conducted in secret, and individuals have no way of knowing whether their communications have been intercepted. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) provides legislative oversight, but it operates in closed sessions and does not publish details of ASD’s interception programs or the volume of communications collected.

For foreign nationals in the Asia-Pacific region, Australia’s cable interception infrastructure operates with virtually no legal constraints. Indonesian, Malaysian, Thai, and Singaporean users whose communications pass through Australian cables are not protected by Australian law, and their home countries have no jurisdiction over ASD’s activities. The result is a surveillance asymmetry: Australia intercepts regional traffic in bulk, while the affected countries have no comparable access to Australian communications and no recourse to challenge the interception.

International Data Sharing Agreements

Australia participates in extensive international data sharing frameworks that complement its domestic surveillance infrastructure under the TOLA Act, TIA Act, and Intelligence Services Act. These agreements allow Australian law enforcement and intelligence agencies to access data held abroad, while providing foreign agencies with pathways to obtain Australian person data, often through processes that bypass the safeguards Parliament imposed on domestic surveillance.

Australia-US CLOUD Act Agreement: The Second Executive Agreement

On 31 January 2024, the Australia-US CLOUD Act Agreement entered into force, making Australia the second country (after the United Kingdom) to finalise an executive agreement under the US Clarifying Lawful Overseas Use of Data Act. The agreement has a five-year term (expiring 2029) and allows the Australian Federal Police and ASIO to directly serve legal process on US technology companies, including Google, Microsoft, Meta, Apple, and others, to obtain communications data.[43]

Under the traditional MLAT system, Australian authorities seeking data held by a US company would submit a request through diplomatic channels to the US Department of Justice, with average processing times of 10 months. The CLOUD Act agreement eliminates this process, allowing Australian agencies to directly compel US tech companies to produce data within days or weeks.

Crime Threshold: The agreement applies only to “serious crimes” punishable by three or more years imprisonment, narrowing its scope compared to the broader UK-US agreement. It includes restrictions on death penalty cases and procedures for handling inadvertently obtained US person data.

Reciprocal Access: The agreement is reciprocal: US law enforcement can serve US legal process directly on Australian companies to obtain data, without an Australian warrant, Attorney-General involvement, or any Australian court. Oversight on each side is purely domestic. Australian orders are issued by an Australian judge, AAT member, or nominated issuing authority and are never reviewed by a US court; US orders are issued under US law and are never reviewed by an Australian court, the Attorney-General, or IGIS. Each country’s providers are therefore compelled by the other country’s process, outside the safeguards their own Parliament or Congress attached to domestic surveillance.

Mutual Legal Assistance Treaty with the United States

Australia maintains a bilateral MLAT with the United States, concluded in the 1990s. Although the CLOUD Act agreement now streamlines access to data held by communications providers, the MLAT remains in force for other forms of evidence, asset freezing, witness testimony, and cases not covered by the CLOUD Act agreement.[44]

The MLAT allows Australian law enforcement to request evidence concerning US persons, and US law enforcement to request evidence concerning Australian persons, through each country’s designated central authority. The Attorney-General’s Department is Australia’s central authority for receiving and processing MLAT requests; the US Department of Justice’s Office of International Affairs is its counterpart.

Five Eyes Intelligence Sharing: Founding Member

Under the Five Eyes alliance, ASD shares signals intelligence (SIGINT) with the NSA, GCHQ, CSE, and GCSB by default under the UKUSA Agreement; the alliance’s broader exchange of human, military, and geospatial intelligence runs in parallel through the corresponding agencies (ASIS, DIO, and AGO on the Australian side). Intelligence collected from ASD’s Asia-Pacific area of responsibility flows automatically to Five Eyes partners, who reciprocate by giving ASD access to collection from other parts of the world.[45]

The Five Eyes framework creates a reciprocal surveillance mechanism: ASD can collect data on US, UK, Canadian, or New Zealand persons and share it with those countries’ intelligence agencies, circumventing restrictions on domestic surveillance in those countries. Conversely, the NSA, GCHQ, CSE, and GCSB can collect on Australian persons and share with ASD, bypassing Australia’s Intelligence Services Act prohibitions on targeting Australians without ministerial authorization.

According to Privacy International, data collected via Five Eyes programs can be shared with law enforcement, bypassing warrant requirements. The Snowden disclosures revealed that ASD provides the NSA with access to cable intercepts from the Asia-Pacific region and receives NSA intelligence in return, with intelligence flowing between agencies by default and no individual notification to affected persons.

Five Eyes Expansion: Biometric and Criminal Data Sharing

M5 Fingerprint Sharing: The Five Eyes nations participate in a fingerprint sharing program for visa applications, refugee claims, and immigration processing. Millions of fingerprints are checked annually across Five Eyes databases, allowing Australian border authorities to query US, UK, Canadian, and New Zealand criminal and immigration records in real time.

Criminal Database Sharing Proposal: In recent years, Five Eyes countries have proposed expanding biometric sharing to include querying domestic criminal databases of partner countries for immigration purposes. Under this proposal, Australian authorities could query US, UK, Canadian, and New Zealand criminal databases when processing visa applications or assessing immigration eligibility. This would represent a significant expansion of data sharing beyond intelligence and border control into routine law enforcement records.[46]

Passenger Name Record (PNR) Agreements

Australia maintains PNR agreements with the European Union and other countries, enabling transfer of passenger data from international air carriers. Every passenger on EU-Australia and similar flights has their name, travel dates, itinerary, seat assignment, baggage information, contact details, and payment method transferred to Australian authorities.[47]

The stated purposes are counterterrorism, serious organised crime, drug trafficking, and child exploitation, but retention runs for years (the EU-Australia agreement permits 5.5 years), and transfer is not conditioned on any suspicion attaching to the individual passenger. The EU-Australia PNR agreement was negotiated alongside similar EU agreements with the US and Canada, creating a comprehensive passenger data sharing network among Western allies.

Interpol and Multilateral Frameworks

Interpol I-24/7 System: Australia participates in Interpol’s secure global communications network, which processes over 100,000 messages daily across 195 member countries. The system enables real-time sharing of Red/Blue notices, biometric data, lost documents, and stolen vehicle/weapons information between Australian Federal Police and law enforcement agencies worldwide.

Egmont Group (Financial Intelligence Units): AUSTRAC (Australian Transaction Reports and Analysis Centre) participates in the Egmont Group, a network of 164+ Financial Intelligence Units that share financial intelligence on money laundering, terrorist financing, and financial crimes. Suspicious transaction reports and financial intelligence flow between FIUs under bilateral and multilateral agreements.

The Privacy Backdoor Effect

Despite the Intelligence Services Act requiring Attorney-General warrants for targeting Australians, and the TIA Act requiring warrants for domestic interception, international data sharing agreements create alternative pathways for accessing Australian person data:

  • CLOUD Act Bypass: US authorities can serve US process directly on Australian companies without Attorney-General warrants or IGIS oversight; Australian authorities can serve Australian international production orders directly on US companies without review by any US court
  • Five Eyes Laundering: NSA can collect on Australian persons and share with ASD, circumventing Intelligence Services Act domestic targeting restrictions; ASD can collect on US persons and share with NSA, circumventing US constitutional protections
  • MLAT Lower Standards: Foreign MLAT requests may involve lower evidentiary standards than the Attorney-General warrant process under Australian law
  • PNR Dragnet: All international travelers have comprehensive personal data shared with foreign governments regardless of suspicion

For Australian persons, this means data nominally protected by the Intelligence Services Act, ASIO Act, and TIA Act can be accessed through CLOUD Act requests (bypassing Attorney-General warrants), MLAT channels (with foreign evidentiary standards), Five Eyes intelligence sharing (default exchange with no notification), or PNR agreements (bulk passenger data collection). For foreign nationals in the Asia-Pacific region whose data passes through Australian cables or is held by Australian companies, the protections are even more limited: ASD’s cable interception operates under ministerial authorizations for foreign intelligence, and the CLOUD Act allows US authorities to compel Australian companies to produce data without Australian judicial oversight.

The result is a gap between domestic protections and international data sharing frameworks: While Australia’s domestic privacy framework (Privacy Act 1988, Intelligence Services Act, ASIO Act, TIA Act) provides procedural safeguards for domestic surveillance, international data sharing agreements create pathways for foreign access that operate outside these frameworks, undermining the expectation that Australian law protects Australian persons’ data.

Mandatory Data Retention

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, enacted in April 2015 with full compliance required by April 2017, mandates that telecommunications carriers and internet service providers retain specified customer metadata for a minimum of two years from the date of creation.[28]

What Is Retained

The scheme covers metadata only, not content. The following categories of data must be retained:[28]

  • Subscriber information (name, address, billing details)
  • Source and destination of communications (phone numbers, email addresses, IP addresses)
  • Date, time, and duration of communications
  • Type of communication (voice call, SMS, email, internet session)
  • Location of equipment at start and end of communication (cell tower data)

Content of communications and web browsing history are specifically excluded from the retention scheme.

Access and the Section 280 Loophole

Twenty-one agencies (the “enforcement agencies” listed in section 110A of the TIA Act, plus ASIO) are formally authorised to access retained metadata without a warrant, including the AFP, state and territory police forces, ACIC, ASIC, ACCC, and the Department of Home Affairs. However, more than 80 additional entities have used Section 280 of the Telecommunications Act 1997, which permits disclosure “required or authorised by or under law”, as a loophole to obtain metadata outside that list, including local councils, the RSPCA, the Victorian Institute of Teaching, and the South Australian fisheries department.[29]

Agencies make approximately 300,000+ metadata access requests annually. A journalist information warrant is required to access metadata for the purpose of identifying a journalist’s confidential source. The Australian Government committed AUD $131 million over two years to help carriers implement the scheme, and non-compliant carriers face penalties of up to AUD $250,000 per contravention.[28]

In February 2023, the government accepted most of the PJCIS’s 22 recommendations for reforming the metadata retention regime, including tightening the Section 280 loophole.[30]

Social Media Age Verification

The Online Safety Amendment (Social Media Minimum Age) Act 2024 received Royal Assent in December 2024, the first law of its kind globally. It sets a minimum age of 16 years for social media accounts in Australia, effective 10 December 2025.[31]

Affected platforms, including Facebook, Instagram, Snapchat, Threads, TikTok, Twitch, X, YouTube, Kick, and Reddit, must take “reasonable steps” to prevent under-16s from creating or maintaining accounts. Notably, the law includes privacy safeguards: platforms are prohibited from requiring government-issued ID for age verification and must offer alternative verification methods. The law is enforced by the eSafety Commissioner.[32]

Recent Developments

Privacy Act Reform Progress (2024–2026): The POLA Act 2024 enacted the first tranche of the Privacy Act Review’s 116 proposals. The second tranche, including the fair and reasonable test, expanded personal information definition, and potential removal of the small business exemption, remains pending. The statutory tort for serious privacy invasions commenced on 10 June 2025. The Children’s Online Privacy Code and ADM transparency provisions are due by 10 December 2026.[14]

First Privacy Act Civil Penalty (October 2025): The AUD $5.8 million penalty against Australian Clinical Labs marked a turning point for OAIC enforcement, demonstrating the regulator’s willingness to pursue financial penalties for inadequate data security.[8]

Facial Recognition: While the OAIC determined Clearview AI breached the Privacy Act in October 2021, no standalone facial recognition regulation has been enacted. The Australian Human Rights Commission has recommended a moratorium on facial recognition technology in high-risk decision-making.[11]

TOLA Act Stagnation: The INSLM’s 33 recommendations from 2020 remain largely unimplemented. No significant amendments to the TOLA Act have been enacted as of early 2026, leaving Australia’s anti-encryption framework substantively unchanged since its controversial passage in December 2018.[3]

Ongoing Proceedings: Civil penalty proceedings against Medibank Private and Optus remain before the Federal Court. Because both breaches occurred before the December 2022 penalty enhancement, both are brought under the previous regime (maximum AUD $2.22 million per contravention), but the OAIC has indicated it will seek penalties counted per affected individual, so aggregate exposure could still be very large.[10]

My Health Records: The national digital health records system, managed by the Australian Digital Health Agency under the My Health Records Act 2012, continues to operate under an opt-out model established in 2019. The Health Legislation Amendment (Modernising My Health Record – Sharing by Default) Act 2025 amended the sharing model, though patients retain the ability to opt out and permanently delete their record at any time. The OAIC oversees privacy aspects of the system.[35]

2025–2026 Developments

Social Media Under-16 Ban Now In Effect (December 2025): Australia became the first country in the world to implement a social media minimum age ban when the Online Safety Amendment (Social Media Minimum Age) Act 2024 took effect on 10 December 2025. Platforms face penalties of up to AUD $50 million for failing to take reasonable steps to prevent under-16s from holding accounts. The final report of the government-commissioned Age Assurance Technology Trial, published in August 2025, found that age assurance can be done in Australia “privately, robustly and effectively”, bolstering the government’s case that age restrictions can be enforced without requiring government-issued identification.[48][49]

National AI Plan (December 2025): The Australian Government released its National AI Plan on 2 December 2025, explicitly rejecting the European Union’s risk-based regulatory model in favour of a standards-led approach. The plan sets three strategic goals: maximising economic opportunity from AI adoption, ensuring the benefits of AI are shared broadly across the population, and maintaining safety through existing legal frameworks and voluntary standards rather than AI-specific legislation. The plan positions Australia as seeking to attract AI investment by avoiding prescriptive regulation while relying on sector-specific regulators to address harms under existing powers.[50][51]

AI Safety Institute (Early 2026): The Australian Government committed AUD $29.9 million to establish a national AI Safety Institute, which became operational in early 2026. Australia joined the International Network of AI Safety Institutes, aligning with comparable bodies in the United States, United Kingdom, Japan, and the European Union. The institute is tasked with evaluating frontier AI models, developing safety benchmarks, and advising government on emerging AI risks.[52]

Meta AUD $50 Million Cambridge Analytica Settlement (December 2024): In the largest privacy compensation outcome in Australian history, Meta agreed, by enforceable undertaking, to pay AUD $50 million to settle the OAIC’s Cambridge Analytica proceedings. The settlement covers 311,074 affected Australian users whose personal information was exposed to the “This Is Your Digital Life” app. Payments are expected to commence in August 2026, administered by KPMG. The settlement represents the most significant financial consequence any company has faced for privacy violations in Australia.[53]

Kmart Facial Recognition Determination (August 2025): The Privacy Commissioner determined that Kmart’s deployment of facial recognition technology (FRT) across 28 stores was unlawful under the Privacy Act. The system collected biometric information, specifically faceprints, of every person who entered the stores, without obtaining consent and without adequate notice. The determination reinforced that biometric data constitutes “sensitive information” under the APPs and that covert collection of such data for loss-prevention purposes is not a proportionate response to retail fraud.[54]

OAIC First Compliance Sweep (January 2026): The OAIC launched its first-ever privacy compliance sweep, targeting approximately 60 entities across six sectors: rental agencies, pharmacists, licensed venues, car rental companies, dealerships, and pawnbrokers. The sweep focuses on whether these entities’ privacy policies and data handling practices comply with the APPs, particularly around collection notices, data minimisation, and third-party disclosures. The initiative signals a shift toward proactive, systemic monitoring rather than complaint-driven enforcement.[55]

Optus Civil Penalty Proceedings Filed (August 2025): The Australian Information Commissioner filed civil penalty proceedings against Optus in the Federal Court on 8 August 2025, in relation to the September 2022 data breach that affected 9.5 million Australians. Because the breach occurred before the December 2022 penalty enhancement, the proceedings are brought under the previous penalty regime with a maximum of AUD $2.22 million per contravention, dramatically lower than the current AUD $50 million cap.[56]

Cyber Security Act 2024 Implementation: Australia’s first standalone cybersecurity law, the Cyber Security Act 2024, is taking effect in stages. The Smart Device Security Standards rules were made on 4 March 2025 and apply to internet-connected consumer devices supplied in Australia from 4 March 2026, imposing minimum security requirements on manufacturers and suppliers. Mandatory ransomware payment reporting commenced on 30 May 2025, requiring organisations above the AUD $3 million annual turnover threshold (and critical infrastructure responsible entities) that make a ransomware payment to report it to the Australian Signals Directorate within 72 hours. The Act also establishes a Cyber Incident Review Board and creates limited-use protections for information voluntarily shared with government during cyber incidents.[57]

ASIO Amendment Bills – Compulsory Questioning Powers: Parliament considered legislation to make ASIO’s compulsory questioning powers permanent and to expand their scope beyond terrorism to include espionage and foreign interference. Under the proposed changes, ASIO could compel individuals to attend questioning sessions and detain them for up to 7 days in certain circumstances. The Law Council of Australia opposed the expansion, arguing that permanent compulsory questioning powers with extended detention represent a disproportionate intrusion on civil liberties without adequate judicial oversight.[58]

Phase 2 Online Safety Codes (September 2025): The eSafety Commissioner registered nine Phase 2 industry codes on 9 September 2025, covering social media services, messaging platforms, app distribution services, and other online services. The codes impose new obligations on platforms to detect and remove child sexual exploitation material, prevent pro-terror content, and implement safeguards against online bullying. Notably, the codes require generative AI services to take reasonable steps to prevent the generation of explicit conversations with minors. Penalties for non-compliance reach AUD $49.5 million.[59]

Scams Prevention Framework Act 2025 (February 2025): The Scams Prevention Framework Act 2025 established mandatory obligations for banks, digital platform providers, and telecommunications companies to prevent, detect, and respond to scams targeting their customers. Entities that fail to comply face penalties of up to AUD $50 million. The framework requires regulated entities to implement anti-scam measures, share intelligence with each other and with government, and compensate victims where the entity failed to meet its obligations.[60]

Vinomofo Data Breach Determination (October 2025): The OAIC determined that the online wine retailer Vinomofo breached the Privacy Act in connection with a data breach affecting 928,760 individuals. The breach occurred during a data migration to a new platform, when customer data was exposed due to inadequate security measures during the transition. The determination reinforces that organisations bear responsibility for data security throughout system migrations and transitions, not only during steady-state operations.[61]

Qantas Data Breach (June–October 2025): A data breach at Qantas Airways exposed personal information of approximately 5.7 million customers, making it one of the largest breaches in Australian aviation history. The breach was reported to the OAIC and affected individuals were notified as required under the Notifiable Data Breaches (NDB) scheme.[62]

Digital ID Act 2024 Updates (November 2025): The Digital ID Act 2024 received updated accreditation rules in November 2025, requiring identity service providers to achieve ISO 27001 compliance as a condition of accreditation. The private sector expansion of the Australian Government Digital ID System is scheduled to commence from December 2026, enabling private companies to both accept and provide digital identity verification services under the regulated framework.[63]

OAIC Regulatory Priorities 2025–26: The OAIC published its regulatory priorities for the 2025–26 period, identifying excessive data collection, facial recognition technology, location data, advertising technology (ad tech), and automated decision-making (ADM) as key enforcement focus areas. The priorities signal the OAIC’s intention to use its expanded POLA Act powers to address systemic privacy practices across entire sectors rather than pursuing individual complaint resolution.[64]

Privacy Act Tranche 2 – Continued Delay: As of early 2026, the second tranche of Privacy Act reforms has still not been tabled in Parliament. Mark Dreyfus’s successor as Attorney-General, Michelle Rowland, has intensified the rhetoric around the reforms, publicly restating the government’s commitment to removing the small business exemption, introducing a right to erasure, and establishing a fair and reasonable test for data processing. However, no legislation has been introduced, and privacy advocates have expressed growing frustration at the gap between government statements and legislative action.[17]

Children’s Privacy Code Consultation: The OAIC’s public consultation on the Children’s Online Privacy Code, required under the POLA Act 2024, received 337 submissions from industry, civil society, parents, and young people. A draft code is expected in 2026, with the final code due for registration by 10 December 2026. The code will establish binding rules for how online services handle the personal information of individuals under 18, with particular attention to data minimisation, default privacy settings, and restrictions on behavioural advertising targeting children.[16]

CDR Non-Bank Lender Expansion (March 2025): The Consumer Data Right expanded to cover non-bank lenders from March 2025, requiring these entities to share consumer data on request in the same standardised format as banks. The expansion broadens the CDR’s coverage to include a wider range of credit providers, enhancing consumers’ ability to compare financial products and switch providers.[18]

ASIO Director-General on Encryption and Tech Company Compliance: ASIO Director-General Mike Burgess publicly raised concerns about technology companies’ compliance with lawful access requests, stating that some companies are failing to comply with existing warrant obligations by designing systems that prevent them from accessing user data even when presented with valid warrants. The comments reignited debate over the TOLA Act’s effectiveness and whether additional legislation may be sought to close perceived gaps in lawful access capabilities.[58]

Sources

[1] OAIC: Civil Penalty Action Against Medibank – Medibank data breach affecting 9.7 million Australians, October 2022
[2] Department of Home Affairs: Assistance and Access Act 2018 – Three-tier framework for lawful access to encrypted communications
[3] INSLM: Review of the TOLA Act – 33 recommendations from the Independent National Security Legislation Monitor, June 2020
[4] OAIC Corporate Plan 2025–26 – Three-Commissioner model and organisational structure
[5] Peter A Clarke: Carly Kind Appointed Privacy Commissioner (November 2023) – Ada Lovelace Institute background, appointment effective 26 February 2024
[7] Levo.ai: Australian Privacy Act Penalties – OAIC Enforcement 2024 – AUD $50M / 30% turnover penalty framework
[8] OAIC: Australian Clinical Labs Ordered to Pay Penalties (October 2025) – First civil penalty under the Privacy Act, AUD $5.8M
[9] OAIC Annual Report 2024–25 – Meta/Facebook AUD $50M enforceable undertaking, Oxfam enforcement action
[10] OAIC: Civil Penalty Action Against Medibank (June 2024) – Proceedings over October 2022 breach affecting 9.7 million Australians
[11] OAIC: Clearview AI Breached Australians’ Privacy (October 2021) – Biometric scraping determination, appeal withdrawn August 2023
[12] OAIC: Rights and Responsibilities Under the Privacy Act – 13 APPs, scope, and exemptions
[13] OAIC: Small Business Exemption – AUD $3M turnover threshold and exceptions
[15] MinterEllison: POLA Act 2024 Now in Effect – Statutory tort for privacy invasions, commencement dates
[16] Holding Redlich: Privacy Law Reforms Passed in 2024 Set Priorities for 2025 – Children’s Online Privacy Code and ADM transparency timelines
[17] Digital Rights Watch: 2025 Privacy Reform Explainer – Pending second tranche reforms including right to erasure
[18] CDR.gov.au – Consumer Data Right official portal, sector rollout timeline
[21] Carnegie Endowment: The Encryption Debate in Australia (May 2019) – TOLA Act analysis and “systemic weakness” criticism
[22] ASIO: Legislation – ASIO Act 1979, warrant powers, and oversight framework
[23] ALRC Report 123: Surveillance Devices – “Inconsistent patchwork” of Commonwealth and state surveillance device laws
[24] Home Affairs: Identify and Disrupt Act 2021 – Data disruption, network activity, and account takeover warrants
[25] Attorney-General’s Department: SLAID Act Warrant Factsheets – Authorisation thresholds and oversight arrangements
[26] ONI: National Intelligence Community History – Ten-agency NIC structure since 2017 expansion
[27] Wikipedia: Australian Intelligence Community – Five Eyes membership, UKUSA Agreement, Pine Gap Joint Defence Facility
[28] Wikipedia: Data Retention Act 2015 – Two-year mandatory metadata retention, 300,000+ annual requests, AUD $131M implementation cost
[29] Xiph Cyber: Metadata Retention Law Reforms – Section 280 loophole, 80+ agencies accessing metadata, PJCIS reform recommendations
[30] Herbert Smith Freehills: Metadata Retention Regime Reform (April 2023) – Government acceptance of PJCIS recommendations
[31] PEO: Online Safety Amendment (Social Media Minimum Age) Act 2024 – First global social media age restriction law
[32] eSafety Commissioner: Social Media Age Restrictions – Platform obligations, privacy safeguards, age verification requirements
[33] OAIC: Civil Penalty Action Against Optus – Proceedings following September 2022 data breach affecting 9.8 million customers
[34] ASIS: Accountability and Legislation – Intelligence Services Act 2001, ministerial authorisation requirements, IGIS oversight
[35] OAIC: About My Health Record – Opt-out model, privacy oversight, patient rights
[36] InnovationAus: Palantir Contract Balloons to $100M – Australian Defence and security agency Palantir contracts exceeding AUD $100M
[37] The Conversation: Australian Police Are Using the Clearview AI Facial Recognition System with No Accountability – Australian law enforcement trials despite OAIC privacy determination
[39] The Guardian: Australia Tried to Monitor Indonesian President's Phone – ASD Asia-Pacific SIGINT mandate under Five Eyes division of responsibilities
[40] Submarine Cable Map – SEA-ME-WE 3, SEA-ME-WE 4, and other cable systems landing in Australia
[41] The Guardian: Pine Gap – Australia's Eyes and Ears in the War on Terror – Joint ASD-NSA satellite interception facility, drone strike geolocation
[42] ABC News: Australia's Use of US Intelligence Program Revealed – ASD deployment of XKeyscore system
[43] Parliament of Australia: CLOUD Act Agreement with US – Entered force Jan 31 2024, expires 2029, serious crimes only
[44] DOJ Office of International Affairs – Australia-US MLAT processing
[45] Privacy International: Five Eyes Intelligence Alliance – ASD Asia-Pacific SIGINT mandate, default intelligence sharing
[46] RNZ: Five Eyes Consider Criminal Database Sharing – M5 fingerprint sharing, proposed expansion to criminal records
[47] EU Council: PNR Agreements – EU-Australia passenger data sharing
[48] eSafety Commissioner: Social Media Age Restrictions – Under-16 ban implementation, age assurance trial results, platform obligations
[49] CNBC: Australia Social Media Ban Takes Effect (December 2025) – First country to implement under-16 social media ban, AUD $50M penalties
[50] Department of Industry, Science and Resources: National AI Plan – Standards-led approach, three strategic goals, December 2025
[51] White & Case: Australia’s National AI Plan – Big Ambitions, Light on Details – Analysis of standards-led approach versus EU-style regulation
[52] Department of Industry: Australia to Establish New Institute to Strengthen AI Safety – AUD $29.9M AI Safety Institute, International Network membership
[53] OAIC: Landmark Settlement of $50M from Meta for Cambridge Analytica – 311,074 affected users, KPMG-administered payments expected August 2026
[54] OAIC: Kmart’s Use of Facial Recognition Unlawful (August 2025) – FRT in 28 stores, biometric collection without consent
[55] OAIC: Privacy Compliance Sweep (January 2026) – ~60 entities across 6 sectors, first proactive compliance sweep
[56] OAIC: Civil Penalty Action Against Optus (August 2025) – 9.5 million Australians affected, filed under old $2.22M penalty regime
[57] Bird & Bird: Australia’s First Standalone Cyber Security Law – Ransomware reporting May 2025, smart device standards March 2025
[58] ASPI Strategist: ASIO’s Compulsory Questioning Powers Could Be Permanent and Broader – Expanded to espionage and foreign interference, 7-day detention, Law Council opposition
[59] Baker McKenzie: Phase 2 Online Safety Codes Registered (September 2025) – 9 codes, GenAI obligations, AUD $49.5M penalties
[60] Federal Register of Legislation: Scams Prevention Framework Act 2025 – Mandatory obligations for banks, platforms, telcos; AUD $50M penalties
[61] OAIC: Vinomofo Did Not Protect Personal Information from Security Risks (October 2025) – 928,760 individuals affected, data migration breach determination October 2025
[62] OAIC: Notifiable Data Breaches – Qantas data breach affecting 5.7 million customers, June–October 2025
[63] Australian Government Digital Identity – Digital ID Act 2024, ISO 27001 accreditation rules, private sector expansion from December 2026
[64] OAIC: Regulatory Priorities 2025–26 – Excessive collection, FRT, location data, ad tech, ADM enforcement focus areas