Privacy compliance

AML/CTF: Privacy compliance from 1 July 2026

As practitioners prepare for AML/CTF commencement, they should be aware of changes to their privacy obligations. 

Small businesses (defined in the Privacy Act 1988 (Cth) as having an annual turnover of $3 million or less) are generally exempt from the Privacy Act. However, from 1 July 2026, when a law practice becomes a 'reporting entity' under the AML/CTF Act, it also becomes subject to the Privacy Act in respect of personal information collected, used or disclosed for AML/CTF purposes — regardless of its annual turnover. 

The practical effect of this change is that law firms must comply with the Australian Privacy Principles when handling personal information collected for or in connection with AML/CTF obligations under the AML/CTF Act or AML/CTF Rules.

QLS has published several resources for legal practitioners including:

Note: It is important that you read the guidance, consider what regulated data your firm will collect and hold, then modify all templates accordingly. 

Your Privacy Policy, Retainer Agreement and Collection notices should not accidentally extend your regulatory obligations unless this is a considered decision.