It has been another significant 12 months across the Australian regulatory landscape, defined by notable penalties obtained against companies that are household names. The Australian Securities and Investments Commission (ASIC), Australian Competition and Consumer Commission (ACCC) and Office of the Australian Information Commissioner (OAIC) have secured record-breaking penalties over the last 12 months and continue to seek substantial penalties in all enforcement actions. While scrutiny from law makers, the media and politicians is a perennial force that sets regulatory priorities, regulators are increasingly making investigation and enforcement decisions based on cost-of-living concerns that many Australians now face, in addition to protecting consumers from harm more generally. Regulators have also made inroads into executive accountability for failing to manage corporate risk. This has increased the complexity for individuals at both senior management and board level when navigating challenging commercial conditions.
Our overview of key themes is below, or you can skip to the specific sector regulatory risks here:
- Financial services
- Superannuation
- Supermarkets and retail
- Digital platforms and technology
- Healthcare and other data-intensive businesses
Overview of key regulatory themes and developments
- Increased individual accountability: regulators are increasingly seeking to hold individuals, not just corporations, accountable for their management and supervision of a company’s risks. On 5 March 2026, ASIC was successful in its proceedings against two former executive officers of The Star Entertainment Group Limited. The Court found that Star’s former Chief Executive Officer and former Chief Legal & Risk Officer had breached their duty of care and diligence owed to Star under s 180 of the Corporations Act. ASIC’s case was broad and complex, but at a high level, those breaches arose because management failed to inform the board about (i) suspicious conduct by a major client which elevated AML/CTF and law enforcement risks; and (ii) misrepresentations sent to one of Star’s major lenders which exposed Star to potential legal liability and reputational harm. On 17 June 2026 the Court ordered that Star’s former Chief Executive Officer and Managing Director pay a pecuniary penalty of $700,000 and be disqualified from managing corporations for six years, and that Star’s former Chief Legal & Risk Officer pay a pecuniary penalty of $400,000 and be disqualified from managing corporations for seven years. The ACCC also obtained a $1 million penalty against Qteq Pty Ltd’s executive chairman, Simon Ashton, for attempting to engage in cartel conduct. This represents the highest penalty awarded for a competition law breach by an individual in Australia under the Competition and Consumer Act. While regulators continue to investigate and bring enforcement actions against non-executive directors (NEDs), ASIC was not successful against independent board members in two recent cases – the Star matter and the proceedings brought against intelligence software provider Nuix Limited and its former directors. In the Nuix case, none of the former directors or executives were found liable for breach of duties as the company successfully defended all of ASIC’s claims. 
That said, the risk profile for boards and executives continues to increase. In the Star matter, the Court was critical of the limited record of the NEDs scrutinising or challenging management where emerging risks were obvious.
- Continuous disclosure and market misconduct: ASIC remains acutely focused on continuous disclosure and misleading and deceptive conduct for market announcements by listed entities. ASIC has repeatedly stated that continuous disclosure is a cornerstone of effective capital markets. However, those matters are highly fact-specific and the regulator recently failed in its case against Nuix Limited (and its former directors) on 23 April 2026. In that case, the Court held that Nuix did not breach its continuous disclosure obligations and did not mislead investors when reaffirming its financial forecasts in early 2021, following its initial public offering in December 2020. ASIC appealed the decision against the company, but not the decision to dismiss the case against the former directors. In another high-profile market disclosure case, on 15 June 2026, ASX Limited (ASX) admitted to making a misleading statement that its Clearing House Electronic Subregister System (CHESS) replacement project was “progressing well” in February 2022 despite indications from December 2021 that the CHESS replacement project was not on its critical path to ‘go live’ in April 2023. ASX and ASIC are jointly seeking a court-ordered penalty of $20.5 million be paid by ASX and an order that ASX contribute $3 million to ASIC’s legal costs. The proposed resolution is subject to approval by the Federal Court.
- Penalty doubling: on 28 March 2026 the maximum penalty for breaches of the Competition and Consumer Act and the Australian Consumer Law increased from $50 million to $100 million per contravention. The Explanatory Memorandum for the bill introducing the amended penalties noted that these increases are occurring in the context of the conflict in the Middle East and the increase in the global price of oil and petrol, with anticipated flow on price increases across all sectors of the economy. The increased penalties are designed to serve as a deterrent to companies that may seek to exploit this situation to unjustifiably increase their profits, by engaging in anti-competitive or false and misleading conduct to raise the price of goods or services beyond the increase in their input costs.
- Cross-regulator action: cross-regulatory action is increasingly common and can compound institutional and individual exposure, together with the risk of related non-regulatory actions, such as class actions or third-party litigation arising from the same conduct. Based on recent enforcement actions, it appears that regulators are sharing intelligence, working collaboratively and coordinating enforcement priorities and actions. Recent examples of coordinated regulatory action include the ASIC and Australian Prudential Regulation Authority (APRA) investigations into Cbus, the ASIC and Reserve Bank of Australia reviews and investigations into ASX Limited and competing actions by APRA and ASIC against ANZ (in relation to different conduct). This coordinated approach serves as a reminder to individuals and organisations that if one regulator is interested, others will be too.
- Scams Prevention Framework (SPF): while new mandatory scams prevention obligations will be imposed from 31 March 2027 on banks, telecommunications providers and digital platforms, the SPF rules will commence sooner on 1 September 2026. The draft rules were released on 28 May 2026 and propose (i) a $3,000 automatic reimbursement threshold (without a full investigation); (ii) that liability will generally be shared equally between breaching entities; and (iii) that cross-sector cooperation is required. The consultation period will close on 25 June 2026, which gives affected entities limited time to assess this very significant consumer protection reform package. From 31 March 2027, non-compliance with the SPF may result in civil penalties of up to $50 million per contravention, enforcement by three sector regulators (ASIC, ACCC and the Australian Communications and Media Authority) and a private right of action for damages – highlighting the exposure to potential class actions.
- Cost of living: many regulators are now seeking to address household economic pressure through their investigation and enforcement powers. Several of ASIC’s enforcement priorities for 2026 are expressly aimed at the cost-of-living crisis, such as misleading pricing practices and misconduct exploiting consumers facing financial difficulty (including predatory credit practices). Similarly, the ACCC’s proceedings against Coles and Woolworths, which had their final hearings in early 2026, and the $100 million penalty awarded by the Court in the ACCC proceedings against Optus in September 2025, emphasise how consumer pricing conduct remains a key area of regulatory focus and potentially significant penalties.
- AUSTRAC regulatory changes: anti-money laundering and counter-terrorism financing (AML/CTF) compliance has been an enduring priority throughout 2025 and 2026. On 31 March 2026 major updates to the AML/CTF Act came into effect. These new requirements are designed to shift the focus from a compliance-based approach to a risk-based, outcomes-oriented approach that allows businesses to adopt effective measures tailored to the actual risks the business faces. We anticipate that AML/CTF audit and enforcement activity will increase in the second half of the year, as the AML/CTF regime is expanded from 1 July 2026 to ‘Tranche 2’ entities, including lawyers, accountants, real estate agents and trust/company service providers.
Financial services
Key risks: market misconduct and reporting failures, lending, private credit, financial hardship, Australian financial services licence (AFSL) holders.
- ANZ (Australia and New Zealand Banking Group) was ordered by the Federal Court to pay $250 million in penalties on 19 December 2025. The penalties related to four separate proceedings brought by ASIC for alleged misconduct across ANZ’s institutional and retail divisions. This represents the largest combined penalty that ASIC has ever secured against a single entity. Of the total penalty, ANZ was ordered to pay $135 million for institutional and market misconduct relating to the management of a $14 billion government bond deal and inaccurate reporting of secondary bond market turnover data to the Australian Government, $40 million for failing to respond to customer hardship notices, $40 million for false and misleading statements regarding interest rates and failure to pay promised interest rates to a significant customer cohort and $35 million for failing to refund fees charged to deceased customers.
- RAMS (RAMS Financial Group Pty Ltd) was ordered by the Federal Court to pay a $20 million penalty on 24 October 2025 after admitting to widespread compliance failures in relation to arranging home loans. The Court found that in the period between June 2019 and April 2023, RAMS breached its obligations as an Australian Credit Licensee and had contravened the Credit Act. The non-compliance that was found by the court included RAMS failing to supervise its representatives to ensure compliance with credit laws and failing to do all things necessary to ensure that the authorised credit activities were provided efficiently, honestly and fairly.
- NAB (National Australia Bank) was ordered by the Federal Court, along with its subsidiary AFSH Nominees Pty Ltd, to pay a pecuniary penalty of $15.5 million on 13 August 2025 for failing to respond to 345 hardship applications within the 21-day timeframe required under the National Credit Code.
- Macquarie Securities (MSAL) was ordered by the New South Wales Supreme Court to pay a $35 million penalty on 13 March 2026 after it was found that MSAL failed to correctly report at least 73 million short sales between 11 December 2009 and 4 February 2024 which resulted in between approximately 298 million and $1.5 billion short sales being misreported.
- Money3 Loans Pty Ltd, a provider of personal loans and consumer vehicle finance, was ordered by the Federal Court to pay $1.55 million in penalties on 27 April 2026 for breaching its responsible lending obligations when providing car finance in respect of five loans. In each case it was found that Money3 did not make reasonable inquiries about or verify each borrower’s living expenses.
- Westpac (Westpac Banking Corporation) was ordered by the Federal Court to pay $26 million in penalties on 26 May 2026. The Court found that over an eight-year period, Westpac had failed to respond to online financial hardship notices submitted by vulnerable customers within the timeframes required by law and had failed to maintain adequate systems, processes and controls to ensure compliance with those timeframes. Westpac submitted that a $10 million penalty was appropriate in the circumstances. However, the Court rejected that submission and imposed the penalty notwithstanding that Westpac had undertaken a remediation program under which it paid approximately $1.74 million in compensation to impacted customers and had already invested approximately $15 million in new technology systems. The Court found that the remediation did not warrant a significant reduction in penalty, particularly as some of the harm caused to customers was irreparable. In addition to the penalty imposed, the Court ordered Westpac to publish an adverse publicity notice and to implement system and process changes subject to independent expert review.
- Union Standard International Group Pty Ltd (Union Standard) and its former authorised representatives (Maxi EFX Global AU Pty Ltd (EuropeFX) and BrightAU Capital Pty Ltd (TradeFred)) were ordered by the Federal Court to pay record penalties totalling $300.2 million on 12 June 2026. The penalties relate to systemic unconscionable conduct and other contraventions of the law between 2018 and 2020 regarding contracts for difference (CFD) issued by EuropeFX and TradeFred under Union Standard’s AFSL. These are the highest penalties ever secured in connection with an ASIC matter, reflecting the very egregious nature of the CFD issuer misconduct. The Court found that EuropeFX and TradeFred operated business models that deliberately targeted inexperienced and vulnerable investors using aggressive sales tactics to pressure customers to trade in a risky financial product. Union Standard, as the Australian financial services licensee that authorised EuropeFX and TradeFred to operate, was found liable for their conduct – including their unconscionable conduct. This case demonstrates how AFS licensees cannot outsource responsibility for misconduct carried out under their licence and can be held accountable. The Court noted that high penalties were warranted as the contravening conduct occurred over a lengthy period and would likely have continued had ASIC not intervened. The penalties were also intended to deter other financial services providers from engaging in similar conduct.
Outlook for the rest of 2026
- We anticipate seeing further enforcement actions and outcomes in relation to fees and pricing transparency. This aligns with ASIC’s enforcement priorities for 2026. ASIC has also established a specialist team focused exclusively on pricing transparency in financial products, particularly where consumers cannot readily understand what a product truly costs.
- Australia has experienced a period of rapid expansion in its private credit market. Private credit, particularly private credit lending, now accounts for about 70% of all loans outstanding. ASIC recently concluded a year-long surveillance of private credit funds and has issued a suite of materials addressing the sector's practices and regulatory expectations. These include an independent expert review of the private credit market (REP 814) and a thematic surveillance report examining 28 retail and wholesale private credit funds and setting out ten guiding principles for "private credit done well" (REP 820). ASIC has also released a response to its broader capital markets discussion paper, which outlines its regulatory roadmap for the next 12–18 months (REP 823). ASIC has also published a catalogue of key legal obligations for private credit fund operators and updated regulatory guidance on conflicts of interest management (RG 181) incorporating examples relevant to private market practices. It is likely that formal investigation activity and enforcement action against specific private credit providers will increase as ASIC seeks to address issues highlighted by its industry-wide surveillance activities.
Superannuation
Key risks: delays in processing claims or complaints, large scale collapses and system failures, superannuation trustees’ duties, breach reporting
- On 25 November 2025, United Super Pty Ltd, as trustee of the Construction and Building Unions Superannuation Fund (Cbus) was ordered by the Federal Court to pay a $23.5 million penalty after Cbus admitted that, in respect of approximately 7,402 claimants/beneficiaries, it failed to do all things necessary to ensure that death, terminal illness and total and permanent disability claims were processed within a reasonable time and it failed to breach report the delays within the statutory timeframe. This outcome follows APRA commencing an investigation into Cbus regarding possible breaches of the Superannuation Industry (Supervision) Act and expenditure management practice. APRA separately accepted a Court Enforceable Undertaking from Cbus. Under the terms of the Enforceable Undertaking, Cbus undertook to complete a holistic risk transformation program to rectify underlying behavioural, cultural and/or governance failures identified by APRA.
- In 2026, ASIC continued its investigations and enforcement activity in relation to the collapse of the First Guardian and Shield Master Funds. Approximately 12,000 investors invested into those managed investment schemes, which included retirement savings, before those funds collapsed. ASIC is investigating a number of individuals and entities connected to First Guardian and Shield, including the marketing lead generators, the financial advisers and the financial firms that authorised them, the superannuation trustees that made First Guardian and Shield available via platforms, the auditors of First Guardian, the research house that rated Shield and the operators of the managed investment schemes.
- On 25 August 2025, ASIC commenced its first enforcement proceedings against a superannuation trustee (Equity Trustees), alleging failures in due diligence concerning the Shield Master Fund. Equity Trustees oversaw the investment of around $160 million of retirement savings into Shield over 2023 and 2024 through its fund. ASIC alleges that by allowing its members to invest into Shield, Equity Trustees failed to exercise the same degree of care, skill and diligence as a prudent superannuation trustee would, failed to act in the best financial interests of its members and failed to do all things necessary to ensure the financial services covered by its Australian financial services licence were provided efficiently, honestly and fairly – in contravention of s52 and s54B of the Superannuation Industry (Supervision) Act and s912A of the Corporations Act.
- In relation to First Guardian, on 9 December 2025, ASIC commenced civil penalty proceedings against Diversa Trustees Limited (Diversa) as the trustee of the First Guardian Master Fund. ASIC alleges that Diversa contravened s52 and s54B of the Superannuation Industry (Supervision) Act and s 912A of the Corporations Act including by failing to conduct adequate due diligence before allowing its members to invest, failing to enforce a 50% holding limit it imposed for the First Guardian Master Fund and failing to have systems and processes to ensure that there was compliance with that holding limit.
- On 14 August 2025, ASIC commenced proceedings in the Federal Court against Mercer Super alleging that Mercer Super had inadequate systems in place to comply with the breach reporting regime, which requires Australian financial services licensees to promptly report ongoing investigations into significant breaches of their core obligations to ASIC. ASIC alleges that Mercer Super failed to report seven investigations in their entirety and another investigation was reported more than a year late. That includes investigations into insurance premiums not being refunded correctly after members had died, member accounts not being created with default insurance and updates to member information not being processed by the trustee. ASIC also alleges Mercer Super provided false or misleading information in reports to ASIC, which understated the number of members who were impacted.
Outlook for the rest of 2026
- We anticipate further investigation and enforcement activity against superannuation trustees, following the wave of cases commenced after the collapse of the Shield and First Guardian Master Funds. ASIC Chair Sarah Court stated “our first priority has been preserving assets for the benefit of investors, but the next phase will be holding key players to account”.
- Superannuation trustees should continue to expect regulatory interest, including trustees who were not involved with Shield and First Guardian, as both ASIC and APRA continue to make this sector an enforcement priority.
Supermarkets and retail
Key risks: misleading pricing and predatory sales practices, vulnerable customers, privacy and use of new technologies
- Optus (Optus Mobile Pty Ltd) was ordered to pay a $100 million penalty on 24 September 2025, in proceedings brought by the ACCC, for engaging in unconscionable conduct when selling phones and contracts to hundreds of customers. Many of those customers did not want or need the phones or contracts that they were sold or could not use or afford those phones or contracts. Many of the affected customers were also vulnerable or experiencing disadvantage and many of the consumers were First Nations Australians from remote parts of Australia.
- In September 2024 the ACCC commenced separate proceedings against Woolworths (Woolworths Group Limited) and Coles (Coles Supermarkets Australia Pty Ltd). In the proceedings the ACCC alleged that Woolworths and Coles sold certain products at regular, long-term prices. However, those products were then subject to price rises of at least 15% for brief periods, before being placed in the supermarkets’ respective promotion programs at a price lower than the allegedly ‘spiked’ price but higher than the original price before the ‘spike’. Both proceedings were heard in early 2026. Due to high levels of public interest in the hearings, the Federal Court livestreamed the hearings on the Court’s YouTube channel. On 14 May 2026, judgment was delivered in the Coles proceedings. The Court found that Coles made false or misleading representations in relation to 13 of the 14 products identified by the ACCC. The penalty for these contraventions will be determined at a subsequent hearing. Judgment is reserved in the Woolworths proceedings.
- In late 2025 the ACCC commenced separate proceedings against HelloFresh and YouFoodz. The proceedings allege that the companies breached the Australian Consumer Law by advertising to customers that they could easily cancel their subscriptions, provided it was done by a specified time. The ACCC alleges that customers were still charged for their subscription even if they cancelled the subscription by the identified deadline. The proceedings follow an investigation into HelloFresh and YouFoodz by the ACCC after the ACCC received many consumer complaints.
- Following a three-year investigation, in September 2025 the Privacy Commissioner issued a determination finding that Kmart (Kmart Australia Limited) breached the Privacy Act when it collected the biometric data of customers at store entrances and returns counters (i.e. facial recognition technology), to tackle return fraud in the period June 2020 to July 2022. The Privacy Commissioner found that the benefits of facial recognition technology in addressing refund fraud were proportionately outweighed by the impact on individuals’ privacy.
Outlook for the rest of 2026
- In January 2026 the ACCC foreshadowed that it expects to bring further legal action against Coles and Woolworths within the next twelve months, in light of new regulations that will ban supermarket price gouging. The new regulations come into effect on 1 July 2026.
- We anticipate further regulatory action focused on protecting consumers in the context of purchasing everyday essentials such as groceries and basic telecommunications access. Protecting individuals’ privacy will continue to be a major theme, particularly in response to any cyber security incidents or data breaches which may occur to any institution that collects and maintains digital records.
- Automated decision-making and the use of facial recognition technology will be continuing focus areas for the regulators. Businesses that are using facial recognition technology should ensure that they are carefully considering whether use of these technologies is proportionate, or whether it creates exposure to potential breaches of the Privacy Act. These technologies must also be considered together with the adequacy of existing privacy policies, collection notices and disclosures and other governance frameworks. Businesses should also familiarise themselves with the automated decision-making transparency obligations under the Privacy Act that come into effect on 10 December 2026 and will require entities to disclose in their privacy policies the personal information used in automated decision-making and how the decisions are made.
Digital platforms and technology
Key risks: subscription and pricing transparency, cryptocurrency and digital asset licensing, anti-competitive conduct, privacy
- In October 2025, the ACCC commenced proceedings in the Federal Court against Microsoft Australia and Microsoft Corporation. The ACCC alleges that the companies misled approximately 2.7 million Australian customers when they told subscribers that their only options were to renew their subscription at a higher cost and accept the integration of Microsoft’s AI assistant, Copilot, or to cancel their subscription. In fact, a third option existed, which allowed the user to continue their existing plan (without Copilot) at the previous lower price, and the ACCC alleges that Microsoft deliberately omitted reference to it in its communication.
- On 2 December 2025, Google Asia Pacific was ordered by the Federal Court to pay $55 million in penalties for engaging in anti-competitive conduct in the period between December 2019 and March 2021. Google admitted that, in that period, it engaged in anti-competitive conduct when it required Telstra and Optus to only pre-install Google Search (and no other search engines) on the Android phones that they sold to consumers. Google and Google LLC also provided the ACCC with an enforceable undertaking pursuant to which they committed to remove certain pre-installation and default search engine restrictions from Google’s contracts with Android phone manufacturers and telcos.
- On 27 January 2026, the Federal Court ordered that BPS Financial Pty Ltd (BPS) pay $14 million in penalties for providing a financial services business without holding an Australian Financial Services Licence when it issued a non-cash payment facility (Qoin Wallet) and for providing financial product advice in relation to Qoin Wallet. The penalty also related to findings that BPS published false and misleading representations about the ability of Qoin Tokens to be exchanged for fiat currency and other crypto-assets, the growing number of Qoin merchants and the official approval and registration status of the Qoin Wallet.
- On 27 March 2026, Oztures Trading Pty Ltd (trading as Binance Australia Derivatives) (Binance) was ordered to pay a $10 million penalty after Binance admitted that it had exposed 524 retail investors to high-risk crypto derivative products, without the required consumer protections, when it misclassified those clients as wholesale clients. Binance had already paid approximately $13.1 million in compensation to impacted investors.
Outlook for the rest of 2026
- Businesses that provide subscription or membership services should carefully consider their cancellation and billing practices and disclosure to customers regarding those processes. The ACCC’s Digital Platform Services Inquiry final report (released in March 2025) identified that problems with difficult cancellations and subscription traps have increased for digital contracts and are creating harm for Australian consumers. Reforms that take effect from 1 July 2027 will also increase the compliance burden on consumer-facing businesses selling products and services in Australia. Where businesses use subscription contracts, they will need to ensure that every method available to the subscriber to end the contract is easy to find, straightforward and requires only steps that are reasonably necessary. We expect the ACCC to remain active in investigating these issues.
- The Office of the Australian Information Commissioner is in the process of developing a Children’s Online Privacy Code (the Children’s Code). While the Children’s Code is in a consultation phase, it must be finalised and registered by 10 December 2026. While the final form of the Code is not yet determined, it will apply to businesses if they are providers of a social media service or their service is likely to be accessed by children or primarily concerns the activities of children. The range of businesses likely to be caught by the new Code is broad, and businesses should carefully review the progress of the Children’s Code to ensure that their practices are compliant.
- On 8 April 2026 the Corporations Amendment (Digital Assets Framework) Bill 2025 (Bill) received Royal Assent. The Bill amends the Corporations Act to extend the Australian financial services licence framework to digital assets. These amendments provide clarity in the cryptocurrency space making it plain that operators of these platforms will be required to hold an AFSL and comply with the general obligations that apply to all AFSL holders. The framework will commence on 9 April 2027. While the new legislation more clearly identifies where a digital asset is a licensed financial product, it is likely that regulators will continue to investigate and take enforcement action against crypto-businesses if they do not comply with the new requirements. ASIC remains of the view that crypto-businesses are more likely to expose consumers to harm than other types of financial businesses.
Healthcare and other data-intensive businesses
Key risks: privacy compliance, data breaches and conduct regarding member claims
- On 8 August 2025, the Australian Information Commissioner (AIC) commenced civil penalty proceedings in the Federal Court against Singtel Optus Pty Ltd and Optus Systems Pty Ltd (together, Optus) in relation to the data breach that was disclosed by Optus on 22 September 2022. The AIC alleges that Optus seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss and from unauthorised access, modification or disclosure, in breach of the Privacy Act. The AIC alleges that separate, individual contraventions occurred in relation to each of the 9.5 million individuals affected. As the Court can impose a penalty of up to $2.22 million for each contravention, we expect that any penalty ultimately sought by the Commissioner will be extremely high.
- On 8 October 2025, Australian Clinical Labs (ACL) was ordered by the Federal Court to pay $5.8 million in civil penalties in relation to a data breach in February 2022 that led to unauthorised access and exfiltration of the personal information of over 223,000 individuals. While the Court found that ACL’s contraventions were extensive and significant, several factors reduced the penalty that was imposed. These included ACL’s cooperation with the OAIC’s investigation, ACL’s program to uplift the company’s cybersecurity capabilities, the apologies made by ACL and the fact that ACL had admitted liability. These are the first civil penalties ordered under the Privacy Act. The total penalty comprised $4.2 million for failing to take reasonable steps to protect personal information, $800,000 for failing to conduct a reasonable and expeditious breach assessment and $800,000 for failing to notify the OAIC in a timely manner. The penalties were imposed under the previous penalty regime which was in force at the time of the contraventions, with a maximum penalty of $2.22 million per contravention. Since 13 December 2022, the Court has had the power to impose much higher penalties for serious interferences with privacy. The maximum penalties per contravention are now $50 million, three times the benefit derived from the conduct or up to 30% of a business’s annual turnover per contravention.
- On 11 December 2025, Bupa HI Pty Ltd (Bupa) was ordered to pay $35 million in penalties for engaging in unconscionable conduct and making false or misleading representations to Bupa members, hospitals and medical providers about the members’ entitlements to private health insurance benefits for certain claims. In proceedings commenced by the ACCC, the Court found that between May 2018 and August 2023 Bupa engaged in misleading or deceptive conduct and made false or misleading representations in relation to members’ entitlements to benefits for treatments under their policies. The Court also declared that Bupa engaged in unconscionable conduct when it incorrectly assessed coverage, by rejecting in their entirety claims that were at least partly covered under members’ policies.
Outlook for the rest of 2026
- In January 2026, the OAIC launched its first ever sector-based compliance sweep across approximately 60 entities in six industries (real estate agents, chemists and pharmacists, licensed venues, car rental companies, car dealerships and pawnbrokers). The OAIC’s review is focused on how these businesses collect personal information in face-to-face settings and the adequacy of their privacy policies. In the context of several recent high-profile and large-scale data breaches, businesses should be seriously considering the adequacy of their data protection and privacy policies as this plainly remains a regulatory focus (with potentially significant penalties for contravening conduct). Any business that collects significant volumes of personal data should be acutely aware that the OAIC will be closely considering their business operations and how they are complying with the Privacy Act.
- On 10 June 2025 a new statutory tort for serious invasions of privacy was added to the Privacy Act. This creates a new avenue for individuals to sue for intrusion upon seclusion or misuse of private information. Data-intensive businesses should anticipate that any data or other significant privacy breaches may result in both regulatory action and class action risk, based on this new statutory tort.