Key Contract Clauses Every Business Owner Should Review Before 2026

If your business is still running on “set-and-forget” contracts drafted a few years ago, 2025 is the year to fix that. Legislative changes have reshaped what you can (and can’t) put in your agreements, especially around unfair contract terms, data security and privacy, and employment-related obligations. Below is a practical checklist of what to update before 2026 to reduce legal risk and protect your bargaining position.

1. Unfair Contract Terms (UCT)

Under the Australian Consumer Law (ACL), it is unlawful for businesses to propose, use or rely on an unfair term in a standard form contract with consumers or small businesses. 

A contract will generally be considered “standard form” if one party has substantially greater bargaining power, the agreement was pre-prepared before discussions began, and the other party was effectively required to accept it on a “take it or leave it” basis with little or no real opportunity to negotiate. Courts also look at whether the terms are tailored to the transaction or simply reused across customers. Even where minor amendments are allowed, the contract can still be standard form if there is no genuine negotiation or individual consideration.

Recent reforms have also broadened the definition of a small business, meaning more contracts are now caught by the regime. A business qualifies if it employs fewer than 100 people or has an annual turnover under $10 million. Under the Australian Securities and Investments Commission Act 2001 (Cth), the regime only applies where the upfront contract price does not exceed $5 million. Under the ACL, that monetary limit has been removed altogether.

While the legal test for what constitutes an “unfair term” remains the same, the consequences have changed dramatically. Each unfair term now amounts to a separate contravention, attracting significant penalties of up to $2.5 million for individuals, and for corporations, the greater of:

  • $50 million;
  • three times the value of any benefit obtained; or
  • 30% of the corporation’s adjusted turnover during the breach period.

Practical Tips:

  • Review all standard form contracts and identify, amend or remove potentially unfair terms. Common red flags include:
      • one-sided termination, suspension or variation rights;
      • automatic renewals with hidden notice periods;
      • broad indemnities and liability caps protecting only one party;
      • unilateral price, product or service changes without exit rights; and
      • set-and-forget rollover clauses limiting the other party’s remedies.
  • Balance clauses that allocate risk (indemnities, caps, service credits) and document the commercial rationale where asymmetry remains. 
  • Use clear language and avoid broad or ambiguous drafting unless objectively necessary to protect your legitimate business interests.
  • Be transparent: highlight key terms and ensure they are brought to the other party’s attention before signing.

2. Data Security & Privacy Clauses

The Privacy Act 1988 (Cth) (Privacy Act) has undergone important reforms following the Privacy and Other Legislation Amendment Act 2024 (Cth). These changes strengthen the accountability and enforcement framework for organisations handling personal information and expand the powers of the Office of the Australian Information Commissioner (OAIC). For businesses, this means that privacy compliance and the way it is reflected in contracts is now a critical legal and commercial priority.

Under the current law, penalties for serious or repeated interferences with privacy by corporations can reach the greater of: 

  • $50 million; 
  • three times the value of any benefit obtained; or 
  • 30% of the organisation’s adjusted turnover. 

Individuals can be fined up to $2.5 million. The reforms also give the OAIC broader powers to investigate, issue infringement notices, and seek civil penalties for a wider range of contraventions.

At the same time, the Notifiable Data Breach (NDB) scheme continues to impose mandatory obligations where a breach is likely to result in serious harm. Businesses must assess suspected breaches within 30 days and, if the breach meets the “eligible data breach” threshold, they must notify both the OAIC and affected individuals.

The 2024 reforms are just the first stage of a broader multi-year reform process. Businesses should therefore ensure that their contracts are compliant now and adaptable as further obligations take effect.

Key Risks

Vague or outdated privacy clauses can expose a business to serious risk. Agreements that fail to define security standards, incident-response timelines or accountability between parties may no longer meet the strengthened compliance expectations under the amended Privacy Act.

Practical Tips:

  • When drafting or updating contracts, particularly with technology providers, suppliers and third-party service providers that handle personal information, include clauses that:
      • Reference recognised security standards and include obligations to maintain, monitor and evidence compliance levels. For high-risk processing, include explicit audit rights, remediation timelines, and cooperation obligations.
      • Require notification of any suspected or actual data breach within a specified timeframe (e.g., 24–48 hours) of becoming aware of it, and mandate full cooperation to supply any information necessary for you to meet NDB obligations.
      • Place limitations around data collection and retention and require the secure destruction or return of data at the end of the contract.
      • Require prior written consent before any subcontractor is engaged and ensure equivalent privacy and security obligations ‘flow down’.
      • Obtain warranties confirming where data will be stored or processed and what safeguards (contractual, technical or organisational) are in place to protect it.
  • Map your data flows to understand what information you collect, how it moves through your systems, and which third parties process it.
  • Avoid vague terms such as references to “industry standard” or “reasonable” security measures. Instead, use specific, measurable standards.

3. Employment-Related Terms in Commercial and Employment Contracts

The ‘Closing Loopholes’ reforms have introduced major changes under the Fair Work Act 2009 (Cth) that affect not only employment contracts but also the way businesses structure their client and supplier agreements. These reforms aim to improve work-life balance, strengthen employee protections, and ensure fair pay practices, all of which have direct contractual implications for employers.

Key Reforms

  • Right to Disconnect: Eligible employees have the right to refuse unreasonable contact outside their ordinary working hours. Disputes can be escalated to the Fair Work Commission (FWC) if they cannot be resolved internally. 
  • Criminalisation of Wage Theft: Intentional underpayment of wages or entitlements can now be a criminal offence. 
  • Fixed-Term Employment Limits: Most fixed-term employment contracts have been restricted to a maximum duration of two years (including extensions) and no more than two consecutive contracts. 

Practical Tips:

Employment Contracts:

  • Review employment contracts, position descriptions, and workplace policies to clarify expectations around after-hours contact and on-call duties. Service Level Agreements (SLAs) may also need adjusting to ensure staff are not contractually required to be available 24/7.
  • Define reasonable availability expectations in line with the “Right to Disconnect”.
  • Align probation, renewal, and conversion provisions with the latest fixed-term and casual employment rules.
  • Consider adding clauses allowing for policy updates as new Fair Work reforms take effect.

Commercial Contracts (Clients and Suppliers)

  • Avoid contractual obligations that assume continuous staff availability unless employment contracts expressly provide for it (and appropriate pay arrangements exist).
  • Review service levels, response times, and escalation procedures to ensure they do not create obligations inconsistent with the “Right to Disconnect” or other workplace laws.

General

  • Update labour-hire, subcontractor, and service agreements to include Fair Work compliance obligations and cooperation clauses if an investigation arises.
  • Provide training to managers and supervisors to ensure they understand the practical implications of the “Right to Disconnect” and wage theft provisions.

Final Comments

The legislative landscape for Australian businesses is shifting rapidly, and contracts that were once “fit for purpose” may now expose you to unnecessary risk. Compliance is no longer just about ticking a box; it is about embedding fairness, transparency, and accountability into your commercial relationships.

Reviewing your agreements before 2026 is not only prudent but essential to avoid penalties, protect your reputation, and maintain strong, compliant business partnerships. 

At Stone Group Lawyers, our experienced commercial team can guide you through this process with clarity and confidence, ensuring your agreements align with both your strategic goals and current legal requirements. To get started, contact one of our commercial lawyers today on (07) 5635 0180.
