As privacy concerns take center stage in workplaces and businesses across the globe, two recent developments—one in the European Union and another in Australia—are highlighting the complex balancing act between transparency and data protection. On January 28, 2026, both the Pay Transparency Directive in the EU and a new compliance sweep by the Office of the Australian Information Commissioner (OAIC) were in the spotlight, each raising important questions about how organizations handle personal data in an era of increasing regulatory scrutiny.
The European Union’s Pay Transparency Directive aims to bridge the gender pay gap by requiring employers to disclose average wages of male and female employees within specific categories. But as reported by Employment Law Worldview, this well-intentioned effort is running headlong into the robust privacy protections of the General Data Protection Regulation (GDPR). The crux of the issue? Sharing wage averages in categories with very few employees of a particular gender could inadvertently reveal individual salaries—a clear privacy risk.
The Directive acknowledges this challenge, stating that any information provided—whether as part of individual rights to information, periodic pay reporting (annual or every three years, depending on headcount), or joint pay assessments—must comply with the GDPR. It further specifies that personal data disclosed under the Directive cannot be used for any purpose other than enforcing the principle of equal pay. Still, the Directive stops short of offering concrete solutions, instead suggesting that Member States may consider limiting access to potentially identifying pay data to workers’ representatives, labor inspectorates, or equality bodies. These bodies could then advise employees about possible claims under the Directive without disclosing exact pay levels.
However, as Employment Law Worldview notes, this suggested workaround has not gained traction among Member States. Most have opted to ignore the issue, with the notable exception of Germany. The German Commission tasked with reducing the administrative burden of implementing the Directive has recommended that comparisons should only be made among groups of at least six employees to safeguard privacy. This threshold, already present in other German legislation, is likely to be included in the country’s implementation of the Directive.
So what does this mean for employers in countries that haven’t addressed the issue in their local laws? The answer isn’t straightforward. The GDPR, as a regulation, takes precedence over both the Directive and any national implementing legislation. Under the GDPR, processing personal data on the “legal obligation” ground is lawful only if it is necessary for compliance with a clear and specific legal obligation to which the employer is subject. Yet the Pay Transparency Directive does not explicitly require the disclosure of individual pay data; it only mandates the sharing of aggregate, non-identifying figures such as averages and median pay gaps. The European Data Protection Board (EDPB) has reinforced that any legal provision relied on for processing must be “clear and specific,” leaving little room for interpretation or inappropriate discretion by employers.
In practice, this means that employers must walk a tightrope. Whether responding to an individual’s request for information or meeting pay reporting obligations, employers should first check whether their local legislator has provided any specific guidance. For now, Germany stands alone in offering concrete measures, but its approach may influence others still drafting their legislation. Next, employers must carefully assess their data sets. If a particular category contains very few employees of one sex, sharing even an average for that category could reveal an individual’s pay. In such cases, it may be prudent to widen the category or provide alternative information that meets the Directive’s objectives without breaching GDPR requirements.
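To make the minimum-cell-size check concrete, here is an added Python example; it is not code from the article, from Employment Law Worldview, or from any regulator, and the pay records, the category names and the mapping of narrow categories to wider ones are all constructed for illustration. It reports average and median pay by sex for each category only when both sexes have at least `MIN_CELL_SIZE` workers (set to 6 to mirror the German commission’s recommendation, but a parameter), and otherwise widens the category by pooling the suppressed narrow categories that share a hypothetical parent category, re-running the same check on the pooled group.

```python
"""Small-cell suppression and category widening for pay-transparency figures.

Added illustration, not from the article or any official guidance. Input is a
flat list of (category, sex, annual_pay) tuples; the sample data and the
category hierarchy below are constructed.
"""
from collections import defaultdict
from statistics import mean, median

# Each sex must have at least this many workers in a cell before its figures
# are released. 6 follows the German commission's recommendation; the value is
# a policy choice and can be overridden per call.
MIN_CELL_SIZE = 6


def _rows(category, sex, pays):
    return [(category, sex, p) for p in pays]


# Constructed sample records: (category, sex, annual pay in EUR).
SAMPLE_RECORDS = (
    _rows("senior developer", "M", [82000, 85000, 79000, 90000, 88000, 84000, 86000, 91000])
    + _rows("senior developer", "F", [80000, 83000, 78000, 87000, 85000, 82000, 84000])
    + _rows("junior developer", "M", [48000, 50000, 47000, 52000])
    + _rows("junior developer", "F", [46000, 49000, 47000, 51000, 48000])
    + _rows("qa engineer", "M", [55000, 57000, 54000])
    + _rows("qa engineer", "F", [53000, 56000])
    + _rows("office manager", "M", [45000])
    + _rows("office manager", "F", [42000, 44000, 43000, 46000, 41000])
)

# Hypothetical hierarchy: narrow category -> wider category it can be folded into.
WIDER_CATEGORY = {
    "junior developer": "engineering",
    "senior developer": "engineering",
    "qa engineer": "engineering",
}


def cell_values(records):
    """Group pay values by (category, sex)."""
    cells = defaultdict(list)
    for category, sex, pay in records:
        cells[(category, sex)].append(pay)
    return cells


def report_category(records, category, k=MIN_CELL_SIZE):
    """Return per-sex figures for one category, or None if either cell has fewer than k workers."""
    cells = cell_values(records)
    men = cells.get((category, "M"), [])
    women = cells.get((category, "F"), [])
    if len(men) < k or len(women) < k:
        return None  # releasing an average here could expose an individual's pay
    return {
        "category": category,
        "n_m": len(men), "n_f": len(women),
        "mean_m": mean(men), "mean_f": mean(women),
        "median_m": median(men), "median_f": median(women),
        "mean_gap": (mean(men) - mean(women)) / mean(men),
        "median_gap": (median(men) - median(women)) / median(men),
    }


def build_report(records, k=MIN_CELL_SIZE, wider=WIDER_CATEGORY):
    """Report each category that passes the size check; pool the ones that fail into their
    wider category and report the pooled group instead (or suppress it if still too small).

    Only suppressed narrow categories are pooled, so a figure already published for a
    sibling category cannot be subtracted from the pooled figure to recover the small cell.
    """
    out = {}
    pooled = defaultdict(list)
    for cat in sorted({c for c, _, _ in records}):
        stats = report_category(records, cat, k)
        if stats is not None:
            out[cat] = stats
        elif cat in wider:
            pooled[wider[cat]].append(cat)
        else:
            out[cat] = {"category": cat, "suppressed": True}  # no wider group available
    for parent, children in pooled.items():
        merged = [(parent, s, p) for c, s, p in records if c in children]
        stats = report_category(merged, parent, k)
        if stats is None:
            out[parent] = {"category": parent, "suppressed": True, "merged_from": children}
        else:
            out[parent] = {**stats, "merged_from": children}
    return out


if __name__ == "__main__":
    for name, figures in build_report(SAMPLE_RECORDS).items():
        print(name, figures)
```

In the constructed data, “senior developer” is reported as-is, “junior developer” and “qa engineer” each fail the check and are pooled into “engineering” (7 men, 7 women), and “office manager” has no wider group and is suppressed outright. A threshold alone is not a full anonymisation argument: if the same figures are later published for overlapping or differently cut groups, or if the headcount changes between two reports, differencing can still narrow an individual’s pay, so the set of figures released over time needs the same review as each single report.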
Employers must also educate both employees and their representatives. While the Directive ensures that employees cannot be prevented from disclosing their own pay for the purpose of enforcing equal pay, it does not obligate them to have their pay disclosed by others. As Employment Law Worldview puts it, “the Directive does not come with an obligation for individual employees to have their pay disclosed.”
Meanwhile, on the other side of the world, Australia is grappling with its own privacy challenges. The OAIC has launched its first compliance sweep of 2026, reviewing the privacy policies of around 60 businesses in sectors that routinely collect personal information in person—think rental and property agencies, chemists, licensed venues, car rental companies, car dealerships, pawnbrokers, and second-hand dealers. The OAIC is focusing on compliance with the Australian Privacy Principles (APPs) 1.3 and 1.4, which require businesses to have clear, up-to-date privacy policies that detail what personal information is collected, how it is handled, whether it is disclosed overseas, and the mechanisms for individuals to access, correct, or complain about their data.
According to White & Case, the OAIC’s increased enforcement activity comes on the heels of several high-profile investigations. For instance, Kmart was found to have breached APP 1.3 and 1.4 by failing to adequately describe the kinds of personal information collected through its facial recognition technology and how that information was gathered. The OAIC determined that Kmart’s privacy policy did not sufficiently explain the collection methods, even though it mentioned that cameras were used. The Commissioner stated that “the information did not adequately and completely describe the kinds of personal information collected by Kmart or how the personal information was collected.”
Bunnings faced similar scrutiny in 2024. The company argued that it did not “collect” personal information via its facial recognition technology, and thus was not required to include details in its privacy policy. The OAIC rejected this argument, finding that biometric information was indeed collected and should have been disclosed in the policy. Property Lovers, another business investigated in 2024, was found to lack a clearly expressed and up-to-date policy about how it managed personal information, especially when collecting data from third-party sources for lead lists.
The OAIC’s sweep is just the beginning. The agency is expected to issue a report and further guidance based on its findings, and may expand its focus to other sectors. In the meantime, businesses are advised to keep their privacy policies transparent and current, provide specific privacy collection notices at the point of collection (APP 5) rather than generic references to a policy, map their data flows, and limit the collection of personal information to what is strictly necessary.
Both the EU and Australia are making it clear: privacy can’t be an afterthought. Employers and businesses must proactively ensure compliance with evolving regulations, balancing transparency with the fundamental right to privacy. Navigating this landscape isn’t easy, but as these recent actions show, the stakes for getting it wrong are higher than ever.