Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (“APPs”) contained in the Privacy Act apply to private sector entities (including body corporates, partnerships, trusts and unincorporated associations) with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies.
Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies and private businesses that interact with State and Territory government agencies. These Acts include:
- Information Privacy Act 2014 (Australian Capital Territory)
- Information Act 2002 (Northern Territory)
- Privacy and Personal Information Protection Act 1998 (New South Wales)
- Information Privacy Act 2009 (Queensland)
- Personal Information Protection Act 2004 (Tasmania), and
- Privacy and Data Protection Act 2014 (Victoria)
Consumer Data Right
The Commonwealth Government is in the implementation phases of the Consumer Data Right (“CDR”) following a number of policy reviews, including the Productivity Commission’s “Data Availability and Use” report and the “Review into Open Banking in Australia”.
The CDR allows a consumer to obtain certain data held about that consumer by a third party and requires data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers’ ability to compare and switch between products and services will be improved, as well as encouraging competition between service providers, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products.
The CDR rules have been implemented in respect of the banking sector in Australia. The energy sector is the next to be added to the CDR, with the telecommunications sector currently scheduled to follow. Other sectors across the economy will be added to the CDR over time.
The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian Competition and Consumer Commission as well as the Office of the Australian Information Commissioner.
There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organizations are not required to notify the Privacy Commissioner of any processing of personal information.
Organizations are not required to appoint a data protection officer. However, the Privacy Commissioner has issued guidance recommending that organizations appoint a data protection officer as good practice.
Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.
Under the Privacy Act, organizations must take reasonable steps to ensure that the personal information collected is accurate and up-to-date.
At or before the time organizations collect personal information, or as soon as practicable afterward, they must take reasonable steps to provide individuals with notice of:
- The organization’s identity and contact information;
- Why it is collecting (or how it will use the) information about the individual;
- The entities or types of entities to which it might give the personal information;
- Any law requiring the collection of personal information;
- The main consequences (if any) for the individual if all or part of the information is not provided;
- Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located;
Organizations must not use or disclose personal information about an individual unless one or more of the following applies:
- The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose that is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organization to use or disclose the information for that secondary purpose.
- The individual consents.
- The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the organization.
- A ‘permitted general situation’ or ‘permitted health situation’ exists; for example, the entity has reason to suspect that unlawful activity relating to the entity’s functions has been engaged in or that there is a serious threat to the health and safety of an individual or the public.
- It is required or authorized by law or on behalf of an enforcement agency.
Personal data (referred to as ‘personal information’ in Australia) means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
The Privacy Act currently contains an exemption for “employee records”, such that any records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. However, there are some further carve-outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act.
Sensitive personal data (referred to as ‘sensitive information’ in Australia) means information or an opinion about:
- Racial or ethnic origin
- Political opinions
- Membership of a political association
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a professional or trade association
- Membership of a trade union
- Sexual orientation or practices
- Criminal record that is also personal information
- Health information about an individual
- Genetic information about an individual that is not otherwise health information
- Biometric information that is to be used for the purpose of automated biometric identification or verification
Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing/transferring entity will generally remain liable for any act(s) or omission(s) by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:
- The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although the use of appropriate contractual provisions is a step towards ensuring compliance with the ‘reasonable steps’ requirement).
- The individual consents to the transfer. However, under the Privacy Act, the organization must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information, the organization will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs.
- A ‘permitted general situation’ applies.
- The disclosure is required or authorized by law or a court/tribunal order.
Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under the Privacy Act.
The mandatory data breach notification includes data breaches that relate to:
- Personal information
- Credit reporting information
- Credit eligibility information
- Tax file number
An “eligible data breach” occurs when all of the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:
- There is unauthorized access to, or unauthorized disclosure of, or loss of the information;
- A reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to which the information relates; and
- Prevention of the risk of serious harm through remedial action has not been successful.
The sending of electronic marketing (referred to as ‘commercial electronic messages’ in Australia) is regulated under the Spam Act 2003 (Cth) (“Spam Act”) and enforced by the Australian Communications and Media Authority.
Under the Spam Act, a commercial electronic message (which includes emails and SMSs sent for marketing purposes) must not be sent without the prior opt-in consent of the recipient.
In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing. Requests to unsubscribe must be processed within five business days.
A failure to comply with the Spam Act (including failing to unsubscribe a recipient who uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AU$2.1 million per day.
There are no laws or regulations in Australia specifically relating to online privacy beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data.
The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made. Generally, the Privacy Commissioner prefers mediated outcomes between the complainant and the relevant organization. Importantly, where the Privacy Commissioner undertakes an investigation of a complaint that is not settled, it is required to ensure that the results of that investigation are publicly available.
After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the complainant (which can include non-pecuniary loss such as awards for stress and/or humiliation). In late 2022, in the wake of the data breaches referred to above, the maximum penalties that may be sought by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals were increased significantly to the greater of (i) AUD50M, (ii) three times the benefit of a contravention, or (iii) (where the benefit cannot be determined) 30% of domestic turnover.
A draft bill to introduce a framework for a binding online privacy code for social media and certain other online platforms, including data brokerage services and platforms with more than 2,500,000 end users in Australia (but excluding customer loyalty schemes), has not yet progressed in the federal Parliament.
The Privacy Commissioner, under the Office of the Australian Information Commissioner (“OAIC”), is the national data protection regulator responsible for Privacy Act oversight.
175 Pitt Street, Sydney NSW 2000