Global Data Protection Law Guide  Australia

Macpherson Kelley

 

What law(s) specifically govern personal data / information?

Australia’s privacy regime consists of both Federal (Australia-wide) and individual State-based laws and regulations.

As a starting position, Australia’s Federal Privacy Act 1988 (Cth) ( Privacy Act) generally applies to all businesses with a turnover of at least AUD$3 million, as well as all private sector “health service providers” located anywhere in Australia (regardless of AUD turnover).

These Federal laws do not apply to State and Territory public sector health service providers, such as public hospitals.

In certain States / Territories, private sector health service providers must also comply with the individual State- and Territory-based privacy laws when handling health information, as well as government-imposed regulation (in the public hospital setting).

In addition to these core Federal and State-based laws, many businesses must also broadly comply with:

• the Spam Act 2003 (Cth) – regulating the sending of “commercial messages”;
• the Privacy (Credit Reporting) Code - regulating the sharing of consumer credit information;
• the Notifiable Data Breaches scheme – requiring certain mandatory actions upon ‘eligible data breach’ incidents occurring; and
• the Consumer Data Right - for limited data sharing arrangements currently in relation to the banking and energy sectors, but to be expanded to further sectors in future (eg, other utilities).

Given the multi-layered approach to the Australian privacy regime, the information provided on this webpage addresses the general requirements for businesses in the private sector, for standard or common types of personal information. It is strongly recommended that readers bear in mind the additional legislative regimes which are not set out in full on this webpage, and seek specific advice as to their specific business type, data collection types and data handling practices.

 

What are the key data protection principles in this jurisdiction?:

The thirteen Australian Privacy Principles (APPs) are the key principles that apply to data protection for the private sector in Australia.

They are contained in the Privacy Act, and pertain to:

1. APP 1 - Open and transparent management of personal information
2. APP 2 - Anonymity and pseudonymity
3. APP 3 - Collection of solicited personal information
4. APP 4 - Dealing with unsolicited personal information
5. APP 5 - Notification of the collection of personal information
6. APP 6 - Use or disclosure of personal information
7. APP 7 - Direct marketing
8. APP 8 - Cross-border disclosure of personal information
9. APP 9 - Adoption, use or disclosure of government related identifiers
10. APP 10 - Quality of personal information
11. APP 11 - Security of personal information
12. APP 12 - Access to personal information
13. APP 13 - Correction of personal information

In addition to the APPs, there are various State-based privacy principles under specific State-based legislative regimes.

For example, in the State of Victoria, there are:

• the Information Privacy Principles which set out the minimum standard for how Victorian public sector bodies should manage personal information in Victoria; and
• the Health Privacy Principles that apply to health information collected and handled in Victoria by the Victorian public sector and private sector health service providers (note that the definition of “health service provider” is broad).

 

What is the supervisory authority / regulator in charge of data protection?

The Office of the Australian Information Commissioner (OAIC) (https://www.oaic.gov.au/) is primarily responsible for enforcing the Privacy Act and the APPs.

In addition:

• the Health Services Commissioners in the various States and Territories of Australia are the regulatory authority for the management of Health Information;
• there are Government regulators in the various States and Territories, such as the Office of the Victorian Information Commissioner;
• the Australian Competition & Consumer Commission for the regulation of the Consumer Data Right and consumer-protection issues such as ‘unfair terms’ and ‘misleading and deceptive conduct’; and
• the Australian Communications and Media Authority for the regulation of commercial messages and “spam”.

 

Is there a requirement to register with a supervisory authority / regulator?

There is no requirement for registration with the OAIC or the various State and Territory regulators.

 

Is there a requirement to notify the supervisory authority / regulator?

No – generally there is no requirement to notify the supervisory authority / regulator.

However, as examples:

• under the Federal privacy regime, an APP entity must take reasonable steps to notify the individual about certain matters (APP 5);
• under the Federal privacy regime, data breach incidents that satisfy the definition of an ‘eligible data breach’ must be reported to the OAIC and to affected individuals; and
• under the Victorian health information privacy regime, the health service provider must also make certain mandatory disclosures (IPP 1.3).

The above examples are not exhaustive.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Generally N/A, however, ‘eligible data breaches’ can be notified to the OAIC by way of completion of an online form describing the data breach incident etc.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under the APPs, individuals / data subjects have the right to:

• Remain anonymous or pseudonymous, unless an exception applies (APP 2);
• Provide or withhold their consent to the collection of ‘sensitive information’, unless an exception applies (APP 3);
• Receive various notifications and other information regarding the type of personal information being collected from or about them, and its use / disclosure, etc (APP 5);
• Have their personal data protected from misuse, interference and loss, and unauthorised access / modification / disclosure (APP 11);
• Access the personal information held about them (APP 12); and
• Request a correction of the personal information held about them (APP 13).

Some similar rights are also replicated under the various State-based regimes.

Australia’s Federal Competition and Consumer Act 2010 (Cth) also provides for a consumer data right, which is a data-portability right giving consumers greater control over their own data and access to better services. They can direct the sharing of their data with accredited third parties (eg. from one bank to another), which encourages competition. Other rights include correction requests, restrictions on overseas transfer of data and consent for direct marketing etc, unless an exception applies.

There is also a current legislative proposal (which has not yet passed) to introduce a ‘right of deletion’ of personal data.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No, there is no specific requirement under Australia’s privacy regime to appoint a data protection officer (commonly called a “Privacy Officer” in Australia). However, it is strongly recommended as good practice.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

The OAIC has published guidance on how businesses can undertake a privacy impact assessment (PIA).

A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

APP 1 requires entities to take “reasonable steps” to implement practices, procedures and systems that support compliance with the APPs.

Conducting a PIA helps entities to ensure privacy compliance and identify better practice.

Not every project will need a PIA. Generally, if personal information is involved in the project, some form of PIA may be necessary.

Additionally, the OAIC can direct Australian government agencies to undertake a PIA.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes - under the Notifiable Data Breaches scheme, any organisation or agency covered by the Privacy Act must follow the data breach notification requirements in the event of an ‘eligible data breach’.

When to notify?

A mandatory notification is required when the data compromising incident (whether access to, loss of, or disclosure of the personal information) ‘would be likely… to result in serious harm to any of the individuals to whom the information relates’.

Who to notify?

Under the Privacy Act, the entity in breach / likely breach must notify:

• all affected individual/s; and
• the OAIC.

How to notify?

• Notifying the individual/s – if the entity typically communicates with the individual using a particular method, the notification to the individual may use this method, so long as it includes a statement to the individual notifying them of the breach / likely breach and includes recommendations about the steps they should take in response to the data breach.
• Notifying the OAIC – when notifying the OAIC, notification is only required in relation to a ‘notifiable data breach’. This can be done by using the OAIC’s ‘Notifiable Data Breach form’, available on the OAIC’s website.

The entity in breach / likely breach must also prepare a statement about the eligible data breach and give a copy to the OAIC and the individual/s.

The Federal privacy regime is the only privacy regime that mandates a reporting mechanism, however there are (for example) government guidelines that strongly encourage reporting.

 

What restrictions apply to the international transfer of personal data / information?

Whether the cross-border disclosure of information is permitted will depend on whether it complies with the relevant Federal or State-based privacy regimes

APP 8 Cross-Border Disclosure of Personal Information governs the disclosure of personal information by an Australian APP entity to an overseas recipient and requires that before an entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas entity does not breach the APPs. If the overseas entity commits any breaches against the APPs in connection to the personal information, the Australian entity will be held accountable.

Australia is a member of the Organisation for Economic Co-Operation and Development (OECD). The OECD has Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The APPs reflect these guidelines.

Further, the Asia-Pacific Economic Cooperation (APEC) has a “Privacy Framework”, which aims at promoting electronic commerce throughout the Asia Pacific region, and is consistent with the OECD Guidelines. From our experience, this Framework is not widely relied upon in practice by Australian entities.

It imposes requirements that must be met (eg. actions taken by the overseas entity), for the disclosure to be compliant with Australia’s privacy laws.

However, there are no specific transfer tools/mechanisms provided by the OAIC, in order to make the transfer ‘lawful’.

The various State and Territory regimes also restrict the transfer of personal information outside of that State and Territory, with some exceptions applying to enable for such transfers to take place.

Often, obtaining the individual’s consent to the cross-border disclosure of their personal information will permit the cross-jurisdictional transfer to occur (with ‘consent’ required to be explicit and informed).

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes. The Privacy Act extends to acts done, or practices engaged in, outside of Australia by entities that have an “Australian link”. This includes where the entity:

• Carries on business in Australia; and
• Collects or holds personal information in Australia.

Each of these are questions of fact, however, the factors to be considered for establishing an “Australian link” include:

• Whether the entity has a place of business in Australia;
• Whether the entity has appointed an agent in Australia;
• Whether the entity’s website offers goods or services to Australians (including Australia being a country in a drop-down menu, or advertising AUD$ pricing); and
• Whether the entity has registered trade marks in Australia.

Personal information will be ‘collected’ in Australia if it is collected from an individual who is physically located in Australia, regardless of the geographical location of the collecting entity.

 

What rules specifically deal with marketing?

Direct Marketing

At the Federal level, APP 7 provides that APP entities must not use or disclose the personal information they hold for a purpose of direct marketing unless an exception applies.

Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.

Marketing Emails / Messages

Additionally, the Spam Act 2003 (Spam Act) details rules regarding marketing which occurs via email and text messages etc.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No – the Spam Act and the Privacy Act do not impose different rules for business-to-business verses business-to-consumer marketing.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

The Spam Act and the Privacy Act set out the rules which individuals and businesses need to comply with when sending out marketing emails or messages.

 

What rules specifically deal with cookies?

The Privacy Act is written in ‘technology neutral’ language, and there are no specific legislative provisions dealing with cookies. Rather, the applicability of the privacy regime to cookies requires the ‘usual’ assessment of whether that information is information that can be used to identify an individual.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

A breach of the Privacy Act relating to an ‘interference with privacy’ can attract penalties including:

• jail terms (eg, up to 2 years);
• compensation orders;
• for individuals: fines of up to AUD$444,000 per contravention; and
• for companies: fines of up to AUD$2.22 million per contravention.

The proposed Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum pecuniary penalties for companies to the greater of:

• AUD$50 million;
• Three (3) times the value of any benefit obtained through the misuse of the personal information; or
• 30% of the company’s adjusted turnover in the relevant period.

Additionally, for the sectors subject to the Consumer Data Right, the penalties can range up to:

• for individuals: up to AUD$500,000; and
• for entities: the greater of:
• AUD$10 million;
• 3 x the value of any ‘benefit’ obtained through the misuse of the personal information; or
• 10% of the entity’s turnover.

The Spam Act provides for penalties ranging from a formal warning through to penalties imposed by the Courts.

• for companies (with prior offending conduct): up AUD$2,22 million per day.
• for companies (with no prior history): up to AUD $440,000.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

It is important for multinational companies to consider that each country has its own specific privacy compliance requirements, and that a “one-size-fits-all” approach will not achieve proper privacy compliance.

Further, whilst the European General Data Protection Regulation (GDPR) is widely considered to be the “gold standard” of data protection, it is not replicated like-for-like in Australia - even if a business is fully compliant with the GDPR, there are some Australian-specific requirements that will still need to be addressed.

Similar comments also apply in relation to the privacy legislation of other countries and regions (eg, China’s PIPL, the USA’s various privacy regimes, etc).

 

What upcoming data protection developments should multinational organisations be aware of?

The Australian Government has proposed the further strengthening of privacy protections and regulatory tools, including:

• increased penalties for serious or repeated breaches (before the Australian Parliament as at November 2022);
• new infringement notice powers and other options to address breaches (before the Australian Parliament as at November 2022);
• a requirement for social media and online platforms to stop using or disclosing an individual’s personal information upon request;
• a ‘right of deletion’; and
• rules to protect privacy online including vulnerable groups such as children / minors.

 

Search by:

Need more information?
Contact a member firm:

Kelly Dickson

Macpherson Kelley

Melbourne, Australia

Disclaimer:

© 2023, Macpherson Kelley. All rights reserved by Macpherson Kelley as author and the owner of the copyright in this chapter. Macpherson Kelley has granted to Multilaw non-exclusive worldwide license to use and include this chapter in this guide and to sublicense Lexis Nexis, a division of RELX Inc. and its affiliates certain rights to use and distribute this Guide.

The information in the International Data Protection Laws Guide provides a general overview at the time of publication and is not intended to be a comprehensive review of all legal developments nor should it be taken as opinion or legal advice on the matters covered. It is for general information purposes only and readers should take legal advice from a Multilaw member firm.

Publication Date: 2023