Australia’s privacy and data protection laws are hard to explain and often poorly understood. The first challenge is to explain that the Australian Privacy Commissioner sits in the Office of the Australian Information Commissioner (OAIC) and applies laws that the Australian parliament has misleadingly called ‘principles’. The second challenge is describing how to read principles as laws and fit them together with other provisions in the Privacy Act that clearly are drafted as laws. And then there’s the difficulty of trying to interpret these provisions when dealing with novel issues such as cross-border cloud deployment and access to personal information held in another jurisdiction (or jurisdictions unknown), geo-tracking of devices, data warehouses, virtualised servers, big data and customer data analytics. Privacy and data protection in Australia has become a confusing landscape, with forests of regulation to get lost in, unexplored corners and many poorly understood rules. At a time when privacy and information security is becoming a major area of concern for governments, businesses and consumers, it is unfortunate that Australia has created such a confusing thicket of regulation and quasi regulation.