Australia’s privacy regulator is resetting expectations for how individual privacy complaints will be handled — and the message is blunt: the Office of the Australian Information Commissioner (OAIC) is shifting resources toward high-impact enforcement and systemic investigations, and that will change what happens to many one-off complaints.
In a new blog post, Privacy Commissioner Carly Kind outlines a “new approach for a new era,” explaining that while individual complaints remain an important pathway for Australians to seek redress, the OAIC is prioritising matters that drive meaningful market-wide change. The regulator is also being more explicit about delays, thresholds, and the level of information complainants must provide upfront if they want their complaint to move efficiently through the system.
Why the OAIC Is Changing Course
The OAIC says its pivot is driven by two realities. First, public expectations have shifted: Australians want to see a visible, assertive regulator that can deter harmful practices, not just resolve isolated disputes. Second, privacy harms increasingly occur in ways that are hard for individuals to detect — including behind-the-scenes tracking, large-scale data scraping, and complex ad-tech and data broker ecosystems.
In that environment, the OAIC argues it can protect more people by focusing on systemic issues and pursuing enforcement actions that reshape behaviour across sectors. The blog points to recent outcomes as evidence that this strategy can move the needle, including a $5.8 million civil penalty against Australian Clinical Labs, civil penalty proceedings involving Optus and Medibank, and a $50 million settlement with Meta Platforms. The OAIC also highlights determinations applying privacy law to emerging technology risks, including facial recognition matters involving Bunnings and Kmart.
Enforcement Is Expanding in 2026
The OAIC frames this as “only the beginning.” It signals a continued enforcement pipeline in 2026, including ongoing litigation related to major breach matters and a broader portfolio of Commissioner-initiated work. The regulator notes it is advancing investigations into high-profile tech and data practices such as:
- Rental technology and data practices in the housing market
- Connected cars and the privacy implications of vehicle telemetry
- Tracking pixels and covert data flows
- In-person data collection in sectors such as real estate and licensed venues (via the OAIC’s inaugural privacy sweep)
Importantly, the OAIC also flags new tools and mandates that may reshape compliance expectations — including the ability to issue infringement notices for specific breaches of the Privacy Act and a mandate to develop a Children’s Online Privacy Code intended to lift protections for minors in the digital environment.
The Trade-Off: Stricter Triage for Individual Complaints
The OAIC’s core point is that its proactive enforcement posture has a “flow on effect” for the way it manages individual complaints. Going forward, the regulator says it will apply more robust thresholds when deciding which complaints warrant an investigation, and it will be more stringent about complaint validity and completeness.
Not every complaint that alleges a breach will be investigated. The OAIC emphasises it has discretion under the Privacy Act to decline to investigate after assessing all the circumstances. Where a complaint is low impact, overlaps with other proceedings, or falls below a seriousness threshold relative to the regulator’s finite resources, the OAIC may determine that a formal investigation is not proportionate.
Reality Check: The Backlog and Timing Expectations
The OAIC is unusually direct about delays. As at February 2026, it states that it is unlikely to substantially progress newly lodged, valid individual privacy complaints for around 6 to 12 months after lodgement, unless exceptional circumstances justify faster handling.
For complainants, this is a critical planning detail. It means that even well-formed complaints may not move quickly, and outcomes may be delayed, particularly if the issues overlap with broader regulatory investigations or court proceedings.
Before You Complain to the OAIC: What You Must Do First
Australia’s privacy complaint pathway is structured. The OAIC reiterates that, in most cases, a complainant must first raise the issue directly with the organisation or agency involved and allow time for resolution before escalating to the regulator.
Step 1: Complain to the Organisation First
Generally, you must complain to the entity you believe mishandled your personal information and give it 30 days to respond and propose a resolution. The OAIC presents this as a legal requirement and a practical filter: many disputes can be resolved faster without regulator involvement.
Step 2: Use an External Dispute Resolution Scheme Where Required
For certain industries, an approved external dispute resolution (EDR) scheme may be the expected next step before approaching the OAIC. The OAIC notes EDR pathways are relevant across multiple sectors, including:
- Banks, financial planners, insurance, mortgage brokers, and superannuation
- Electricity, gas, and water providers (in multiple jurisdictions)
- Telecommunications providers
- Public transport in Victoria
- Tolling in New South Wales, Queensland, and Victoria
If you can’t resolve your matter with the entity (or through an applicable EDR scheme), then the OAIC becomes the escalation point.
What the OAIC Now Expects in a “Regulator-Ready” Complaint
A recurring theme in the OAIC’s update is that complaints can only be processed efficiently when they are complete. The regulator says complainants should provide key information at the start, rather than expecting an iterative back-and-forth that slows triage and assessment.
What to Include Upfront
- Your name and contact details
- The full name of the organisation or agency you are complaining about (and the ABN if known)
- A clear description of what happened and when
- Information about the impact of the alleged breach on you
- Evidence that you complained to the entity first (and reference numbers if available)
- Copies of relevant correspondence and documents, including the entity’s response
- A statement of the outcome you want (for example: correction, deletion, apology, explanation, compensation, or process changes)
The OAIC’s practical message is that missing basics — especially an identifiable entity name and proof you tried to resolve the issue directly — may stall or prevent the regulator from progressing the complaint.
How the OAIC Will Decide What Happens Next
Under the new approach, the OAIC says it will conduct a strategic assessment of complaints based on the information provided and decide the appropriate pathway. That may include requesting further information, pursuing early resolution, commencing formal investigation steps, or deciding not to investigate and providing reasons for that decision.
The OAIC also highlights that some complaints may be better addressed through avenues other than an individual investigation — including Commissioner-initiated investigations, guidance to the market, direct engagement with regulated entities, or policy advocacy.
When Complaints May Be Put on Hold
A major operational detail is that individual complaints can be paused in certain circumstances — particularly where they relate to a notifiable data breach the OAIC is already investigating, or where there is an overlapping representative complaint. In those cases, the OAIC indicates that individual matters will usually be held until the broader investigation (and any related court proceedings) are finalised.
This may extend timelines significantly, but the OAIC’s reasoning is that the systemic pathway can produce broader outcomes and more durable change.
Compensation Expectations: Not Every Substantiated Complaint Leads to a Payout
The OAIC encourages complainants to be “clear-eyed” about outcomes. Even if a complaint is investigated and substantiated, compensation is not guaranteed. Remedies can vary by circumstance, and the regulator notes it may consider a matter effectively resolved if the organisation has offered a resolution the OAIC considers reasonable.
For complainants seeking monetary redress, this is an important practical constraint: the OAIC’s process is primarily an administrative privacy enforcement mechanism, not a guaranteed compensation pathway.
What This Means for Organisations: Privacy Governance Must Stand Up to Scrutiny
For businesses and agencies, the OAIC’s shift is a clear warning that a “complaints-only” compliance posture is no longer safe. As the regulator pivots toward systemic enforcement, organisations should expect more regulator-initiated investigations into market practices and technology-driven data flows.
At the same time, stricter complaint triage raises the stakes of internal dispute handling. If an organisation can resolve complaints fairly, promptly, and transparently at the first stage — including through strong evidence, clear explanations, and meaningful remediation — it reduces the chance of escalation and can limit exposure if the regulator later assesses the complaint’s seriousness and proportionality.
Bottom Line
The OAIC is explicitly rebalancing its workload: fewer resources for lower-impact, incomplete, or duplicative individual complaints — and more focus on enforcement actions that deter unlawful practices across the economy. For Australians, the update clarifies how to lodge a complaint that has the best chance of being progressed. For organisations, it signals a new compliance environment where enforcement visibility is rising and privacy failures are more likely to be treated as systemic governance problems, not isolated service issues.