Australia’s privacy regulator is stepping into a new era—one defined by harm-based enforcement.
Recent decisions, including the OAIC’s 2025 finding against Bunnings, have made it clear: compliance is no longer just about ticking boxes. It’s about demonstrably reducing the risks of harm to individuals—and if you don’t, expect to be held publicly accountable.
This shift presents fresh challenges—and strategic opportunities—for organisations managing personal data, artificial intelligence, and emerging technologies.
🚨 OAIC Enforcement 2025: A Shift in Philosophy
The Office of the Australian Information Commissioner (OAIC) is now applying a harms-focused lens in its investigations and public decisions. This approach focuses less on procedural lapses and more on real-world impacts—especially those affecting vulnerable individuals or sensitive contexts.
The Bunnings case, for example, highlighted how facial recognition technology—even when used for security—can lead to intrusive, unjustified harms when privacy impacts aren’t proportionately assessed or mitigated.
Key features of harms-focused OAIC enforcement:
- Emphasis on human impact, not just technical non-compliance
- Greater weight on proportionality and necessity of data collection
- Elevated scrutiny of emerging technologies, including AI and biometrics
- Public accountability through published determinations and penalties
The bottom line: organisations must move beyond minimal compliance and toward privacy maturity and impact awareness.
🧭 What This Means for Privacy & Data Governance
This new regulatory posture will reshape how privacy programs are measured. Expect increasing OAIC interest in:
- Whether you’ve mapped and mitigated foreseeable harms
- The purpose, proportionality, and fairness of your data processing
- Whether you’ve engaged internal and external stakeholders (e.g. Privacy Impact Assessments)
- How your organisation responds to individual complaints and inquiries
If your privacy management framework doesn’t include a harms lens, now is the time to reassess.
✅ How to Prepare for Harms-Based OAIC Investigations
At FMA Consulting, we support clients to stay ahead of regulatory expectations by aligning privacy governance with outcome-based and risk-aware practices.
To prepare:
- Conduct privacy risk assessments that focus on harm to individuals, not just legal exposure
- Document decision-making—especially around biometrics, AI, and automated profiling
- Update internal policies and training to embed harm minimisation principles
- Strengthen response protocols for OAIC inquiries and customer complaints
💡 Final Thoughts
OAIC enforcement in 2025 is sending a clear message: the age of procedural privacy is over. It’s no longer enough to have policies—you need to prove your practices are preventing harm.
At FMA Consulting, we help organisations operationalise privacy maturity and design systems that protect people—while meeting strategic goals.
📌 Frequently Asked Questions
Harms-focused enforcement is a regulatory approach that prioritises the impact of privacy practices on individuals, especially vulnerable people. Rather than punishing technical breaches alone, the OAIC now focuses on whether an organisation’s actions created or failed to prevent real-world harms.
In 2025, the OAIC ruled that Bunnings’ use of facial recognition technology in stores was unjustified and disproportionate. The key issue wasn’t just consent—it was the lack of demonstrable risk mitigation and insufficient safeguards against harms to individuals.
- Be proactive: Conduct harm-based Privacy Impact Assessments (PIAs)
- Maintain evidence: Keep records of decisions and mitigations
- Train teams: Ensure employees understand the harms-based approach
- Engage experts: Bring in independent advisors to review high-risk projects
Not necessarily—but it increases the chance of high-profile decisions and reputational fallout. The OAIC is more likely to publish findings, issue enforceable undertakings, or refer matters to the Attorney-General for civil penalties if significant harm is demonstrated.