Privacy Act Reform Tranche 2: Is Your Business Ready? - de.iterate

If Attorney-General Michelle Rowland’s recent interview with Sky News didn’t trigger alarm bells in your organisation, it probably should have.

In just a few measured sentences, Rowland confirmed what privacy professionals have been anticipating since the first wave of privacy law reform hit in 2024: Tranche 2 is coming. And it’s coming fast.

No draft bill. No timeline. No open consultation. Just this from the Attorney-General:

INTERVIEWER: “You’re planning reform of the Privacy Act. What does this involve, particularly around the tech giants?”

ROWLAND: “Well, this is the second tranche of privacy reforms. I think it’s fair to say, Andrew, that Australians are sick and tired of their personal information not only being exploited for benefit by third parties, but also the way in which that information is not being protected. We’ve seen that in recent times with data breaches, both by Australian companies as well as multinational tech giants.”

“Now, the point that I have made, and I will continue to make, is that we will not have our privacy reforms dictated by multinational tech giants who are trying to assert that you can either have innovation or you can have privacy protection, but not both. I reject that completely. The Government rejects that. We will always ensure that reform in this area is in the best interests of Australians, that it’s workable, that it does provide a basis for both innovation and the protection of people’s personal data. That’s what Australians would expect.”

The declaration comes after Mark Zuckerberg’s Meta urged against “overly broad” privacy laws so that it could use its clients’ personal data to train its artificial intelligence models.

Translation? The government isn’t waiting around anymore. Everything that was left out of Tranche 1 (but “agreed in principle”) is now fair game, and could become law before you’ve had time to schedule a kick-off meeting.

Tranche 1 Wasn’t a Dress Rehearsal

Many businesses treated the 2024 Privacy and Other Legislation Amendment Act as a gentle precursor. It wasn’t. Tranche 1 introduced major changes:

• Civil penalties of up to AU$50 million or 30% of turnover
• A new statutory tort of privacy
• Anti-doxxing provisions
• A Children’s Privacy Code (in consultation)
• OAIC powers to issue infringement notices without court involvement

Enforcement is already underway. Privacy Commissioner Carly Kind has made it clear that the Office of the Australian Information Commissioner (OAIC) now has sharper tools and isn’t afraid to use them. Pixel audits, consent sweeps, and “show cause” notices are becoming standard.

Tranche 2 won’t replace this cadence. It will accelerate it.

Why Tranche 2 Could Be a Shock to the System

Unlike Tranche 1, which took four years to wind through reviews and redrafts, Tranche 2 is arriving with significantly more velocity, and potentially less room for industry negotiation. Several key proposals could cause major upheaval:

• Expanded definition of personal information (Proposal 4.1): “Relates to” will replace “about” as the threshold. That means even seemingly anonymous data (like device fingerprints, screen resolutions, or A/B test variations) may now be regulated.
• Fair and reasonable processing test (Proposal 12.1): Every data use will need to be justifiable in terms of consumer benefit, not just commercial convenience.
• Specific and unambiguous consent (Proposal 11.1): Blanket tick boxes won’t cut it. Expect channel-by-channel, purpose-by-purpose opt-ins.
• Right to erasure and deletion by default (Proposal 18.3): Soft deletes? Not good enough. Prepare to permanently purge user data (including trained AI models and backups) on demand.
• Controller-processor liability (Proposal 22.1): You could be on the hook for the actions of every vendor in your martech stack.

For marketers, engineers, and legal teams alike, this isn’t an update, it’s a system shock.

The Three Pronged Approach

A compliant privacy program relies on three pillars: policy, operations, and technology.

Shave a few centimetres off any one of them and the whole system risks tipping over.

• Policy: Your privacy notice may no longer meet consent requirements. That “legitimate interest” clause? It may not pass the new fairness test.
• Operations: Can you shut off all marketing channels within 24 hours of an opt-out? Do you track where personal data flows across systems? Are vendors keeping up?
• Technology: Is your customer data platform (CDP) built to hard-delete? Are cohort IDs and testing platforms built with new definitions in mind?

The OAIC will notice the wobble—even if your customers don’t.

Don’t Wait for the Legislation to Pass

Waiting for the legislation to pass before acting isn’t just risky, it’s potentially expensive. Enforcement powers already exist, and the OAIC has made it clear it expects organisations to take a proactive approach.

Here’s how you can start preparing today:

1. Catalogue your data flows and map them to internal policies, operational processes, and technology tools.
2. Assess your deletion capabilities. Can you fully remove a user from all systems? From AI training data? From backups?
3. Run an opt-out simulation. How long would it take to silence all channels across all systems after a user withdraws consent?
4. Audit your vendors. Give them 90 days to prove they’re compliant, or have a roadmap to get there.
5. Budget for remediation. Privacy programs are now capex-worthy investments. A rushed rebuild after enforcement is far costlier than steady improvement.

Small Businesses Aren’t Safe Either

The longstanding exemption for small businesses with under AU$3 million in annual turnover is on the chopping block. If you’ve used this exemption as a shield in the past, it may soon disappear.

Even if you’re not directly regulated, your partners and clients might be. If your business processes personal data on their behalf (say, as part of a supply chain), you’re already in the firing line.

de.iterate: Compliance at the Speed of Change

The sheer volume and complexity of upcoming changes is daunting, but it doesn’t have to be paralysing.

de.iterate is built for exactly this moment.

Our platform helps businesses:

• Track and evidence compliance across frameworks (including the Privacy Act, ISO 27001, SOC 2 and more)
• Identify, manage and control risks and assets
• Automate consent processes and opt-out tracking
• Flag gaps in evidence and data control coverage
• Demonstrate continuous improvement

With real-time controls, audit-ready trails, and a centralised system for managing obligations, de.iterate helps you stay ahead of regulators, and build trust with customers.

The Bottom Line

Tranche 2 is coming. It won’t wait for you to catch up. And it won’t be dictated by tech giants or marketing timelines.

The era of performative privacy is ending. The age of practical, proactive compliance is here.

Don’t wait for the legislation to land. Start your conversations now, with your legal teams, your technology partners, and with us. Book a demo now.