Privacy law in Australia has undergone significant changes over the years to address the evolving landscape of data protection in an increasingly digital world. The cornerstone of privacy legislation in Australia is the Privacy Act 1988, which establishes a framework for the handling of personal information by government agencies and private sector organisations.
The Privacy Act 1988 (Act)
The Act was enacted to protect the privacy of individuals and regulate how personal information is collected, used, disclosed, and managed. Personal information is defined broadly under the Act to include any data or opinion about an identified or reasonably identifiable individual. This definition covers a vast array of information, from names and addresses to sensitive details such as health records and racial or ethnic background.
The Act is structured around the Australian Privacy Principles (APPs), which provide guidelines for the lawful and fair collection of personal information. These principles apply to all APP entities, such as federal government bodies and private sector organisations, including small businesses with an annual turnover exceeding $3 million and businesses providing health services, buying or selling personal information, or providing services under a Commonwealth contract. There are some exceptions for smaller businesses in certain circumstances; however, those exceptions may be abolished in the near future.
Key features of the APPs
The 13 APPs stress the importance of obtaining consent and responsibly managing data, offering an enforcement framework for addressing complaints and privacy breaches. Organisations must take reasonable steps to ensure the personal information they collect, use, and disclose is accurate, current, and pertinent to its purpose. They are also required to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Additionally, organisations must maintain a clear, accessible, and up-to-date privacy policy detailing how they handle personal information, including how individuals can access and correct their data and lodge complaints about privacy breaches. The APPs mandate that organisations obtain individuals’ consent before collecting, using, or disclosing their personal information, particularly for sensitive data such as health information or details about race or ethnicity.
The Office of the Australian Information Commissioner (OAIC) oversees compliance with the Act, provides guidance, and investigates complaints regarding privacy breaches. It has the authority to enforce penalties for non-compliance.
Recent Reforms and Proposals
In response to the dynamic nature of technology, the increasing volume of personal data being processed, high-profile data breaches, and the need for alignment with overseas privacy laws such as the EU privacy standard, Australia’s next steps in reforming the Privacy Act have been announced. Draft legislation is expected by August 2024, following the release of the Attorney-General’s Privacy Act Review Report in February 2023. The Federal Government fully accepted 38 of the 166 recommendations and accepted 68 in principle, pending further consultation.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 imposes higher standards of privacy protection. It expanded the extraterritorial reach of the Act (to include the Australian Link), enhanced regulatory powers (such as those of the Privacy Commissioner) and increased penalties for privacy breaches. For example, the maximum penalty for serious or repeated privacy breaches was raised to the greater of $50 million, three times the value of any benefit gained from the misuse of information, or 30% of the company’s adjusted turnover during the relevant period.
Extraterritorial Application
There is a growing recognition of the need for international cooperation in privacy regulation. As data flows across borders, harmonising privacy laws with international standards becomes increasingly important. Australia must navigate its privacy framework in the context of global data protection regulations, such as the European Union’s General Data Protection Regulation (GDPR).
Entities operating outside Australia are still subject to the Act if they were formed in Australia, have their central management and control in Australia, or conduct business and collect or hold personal information in Australia. This extends the Privacy Act’s reach to overseas entities and Australian subsidiaries of foreign entities engaging in business activities within Australia, even if most of their business is conducted elsewhere.
Other Laws Protecting Privacy
In addition to federal laws, Australian states and territories have their own privacy legislation that complements the national framework. Examples include the Privacy and Personal Information Protection Act 1998 (NSW) and the Privacy and Data Protection Act 2014 (Vic).
The Notifiable Data Breaches (NDB) Scheme requires organisations to notify affected individuals and the OAIC, within a certain time period, of data breaches that are likely to result in serious harm. The NDB scheme aims to improve transparency and accountability in data protection.
The use of surveillance devices is regulated by both state and federal laws, such as the Workplace Surveillance Act 2005 (NSW) and the Surveillance Devices Act 2007 (NSW). Although regulations differ across jurisdictions, the use of surveillance or listening devices generally requires consent and/or notification. Exceptions can apply, such as when the device is used to protect lawful interests, for enforcement purposes, or where it is in the public interest. Specific obligations may also depend on whether the person using the device is a participant in the activity or conversation and whether the activity or conversation is private or occurs in a private space.
The federal laws governing electronic marketing (SMS, email and telephone marketing) are the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
State and territory health records legislation (such as in New South Wales, Victoria and the Australian Capital Territory) applies to private sector organisations and further governs the handling of health records (which are classified as a type of sensitive information).
Privacy Law Compliance
In today’s digital economy, consumer trust is paramount. Compliance with privacy laws helps build customer trust, as clients are more likely to engage with businesses they believe protect their personal information effectively. Small businesses, in particular, can leverage their compliance as a competitive advantage, promoting their adherence to high privacy standards as a marker of trustworthiness and customer care.
Moreover, compliance is critical to avoid the substantial penalties that can arise from breaches, which, following recent reforms, can amount to significant sums. The increased fines underscore the importance of adhering to privacy regulations, making compliance a financial imperative for small businesses.
In light of the ongoing reforms and those set to be introduced in the near future, businesses must ensure their compliance with privacy laws, as compliance with some APPs is mandatory. Accordingly, businesses must establish privacy policies, including privacy collection notices, security measures, procedures for access to and correction of personal information, and complaint procedures suited to the character of their business activities.
Retain The IP House Lawyers to assist you in drafting, preparing, reviewing, advising and updating your privacy policies.
For any further information or queries on the above content, please contact us.
The Author
Edmund Huang | Paralegal and Jean Kallmyr | Lawyer, The IP House Lawyers | t: 0435 799 831 | e: admin@theiphouse.com.au
Key Contact
Claire Darby | Managing Director/Lawyer, The IP House Lawyers | t: 0412 998 951 | e: claire@theiphouse.com.au
Disclaimer
The information and contents of this publication do not constitute any legal or financial advice. This publication is intended only for reference purposes for The IP House Lawyers’ clients and prospective clients.