Australia Privacy Act Reform: Tranche 2 AML/CTF Rollout, Children's Privacy Code, and Broader Statutory Reforms
Australia's privacy and data protection landscape is undergoing its most significant expansion in decades, driven by both the implementation of the Privacy and Other Legislation Amendment Act 2024 (Tranche 1) and the impending rollout of major regulatory expansions in 2026.
Key milestones in early 2026 show how the federal government, under Attorney-General Michelle Rowland, is rapidly shifting from consultation to active enforcement and strict data-minimization mandates, particularly regarding small businesses and online platforms.
1. AML/CTF Tranche 2 Privacy Expansion (July 1, 2026)
On February 27, 2026, the Office of the Australian Information Commissioner (OAIC) released updated privacy guidance for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). This guidance prepares for a massive expansion of the Privacy Act 1988's coverage to an estimated 100,000+ small businesses.
- In-Scope Entities: From July 1, 2026, "Tranche 2" entities—including real estate professionals, conveyancers, dealers in precious metals and stones, lawyers, accountants, and trust and company service providers—will be brought under the Privacy Act when collecting and handling personal information for AML/CTF purposes. This obligation overrides the standard small business exemption (for businesses with an annual turnover under A$3 million).
- Strict ID Retention Limits (Data Minimization): The OAIC clarified that businesses should not retain copies of full ID documents (such as passports or driver's licenses) for AML/CTF record-keeping. This practice must cease for current "Tranche 1" entities as of March 31, 2026, and for Tranche 2 entities as of July 1, 2026. The AML/CTF regime only requires verifying identity and keeping transaction records, not keeping copies of the physical documents.
2. Children's Online Privacy Code Draft Released (March 31, 2026)
On March 31, 2026, Attorney-General Michelle Rowland and the OAIC released an exposure draft of the Children’s Online Privacy Code for a 60-day public consultation.
- Scope & Impact: The Code applies to online services (such as apps, games, educational tools, and websites) that expose children to high privacy risks or are primarily directed at children.
- Timeline & Penalties: The Code must be formally in place by December 10, 2026. It carries significant civil penalties (up to $49.5 million for corporations, matching the social media minimum age ban passed in late 2025). A breach of the Code will constitute a formal breach of the Privacy Act.
3. National AI Plan & AI Safety Institute (December 2025)
In December 2025, the Australian Government officially introduced its National AI Plan. Rather than enacting a standalone "AI Act" like the European Union's, the government has opted to regulate AI technologies through existing frameworks, including the Privacy Act and consumer protection laws. To support this, an AI Safety Institute was launched in early 2026 to monitor AI development, safety guardrails, and compliance.
4. Broader Tranche 2 Statutory Reforms Progress
The broader "Tranche 2" statutory privacy bill remains under active development by the Attorney-General's Department. In early 2026, Attorney-General Michelle Rowland confirmed that the second set of reforms is being prepared for cabinet approval. Based on the government's prior agreements in principle, this package is expected to:
- Formally abolish the small business exemption across all sectors (affecting 2.5 million businesses).
- Introduce a robust "fair and reasonable" test for all data processing activities.
- Remove or heavily restrict the employee records exemption.
- Expand individual rights (such as the right to erasure).
Verbatim Evidence
"From 1 July 2026, real estate professionals, dealers in precious metals and stones, and professional service providers such as lawyers, conveyancers, accountants, and trust and company service providers (also known as ‘Tranche 2’ entities) will be brought into the Privacy Act." — OAIC Media Release, February 27, 2026
"From 31 March 2026, and from 1 July 2026 for tranche 2 entities, businesses should not retain copies of full ID documents for AML/CTF record-keeping purposes. The AML/CTF regime does not require copies of ID documents to be kept, and entities' obligations under the Privacy Act require them to minimise the data they’re retaining." — OAIC Media Release, February 27, 2026
"Today, the Office of the Australian Information Commissioner (OAIC) has released an exposure draft of the Children’s Online Privacy Code for public consultation... The Code, which will be in place by 10 December 2026, will complement other initiatives to protect our children online..." — Attorney-General Michelle Rowland Media Release, March 31, 2026
What It Means for Compliance Teams
Compliance teams managing Australian operations must execute immediate gap analyses.
- Ditch ID Retention: Any organization collecting Australian customer IDs for verification must immediately transition to secure verification systems that do not retain full copies or scans of ID documents. This is a top-tier regulatory priority for Privacy Commissioner Carly Kind.
- Small Business Readiness: Small professional service firms and real estate offices must develop full Australian Privacy Principle (APP) compliance programs, including drafting compliant privacy policies, collection notices, and breach response plans before the July 1, 2026 deadline.
- Automated Decision-Making and Children's Data: Online platforms must prepare for two major December 10, 2026 deadlines: implementing transparent disclosures for any automated decision-making systems (a requirement passed under Tranche 1) and complying with the strict new Children's Online Privacy Code.