Editor's note: This article was originally published 11 Oct. 2017 as part of a series that matched laws from across the globe to the EU General Data Protection Regulation. This article has been updated to include the latest developments to Australia's Privacy Act in December 2024.

The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The Privacy Act 1988 (Cth) is the foundation of Australia's national privacy regulatory regime. Its genesis lies in the 1980 privacy guidelines issued by the Organisation for Economic Co-operation and Development. Since it came into force in 1988, the Privacy Act has undergone four key rounds of amendments: the extension of the act to private sector businesses in 2000, the extensive updates that took effect in 2014 following a comprehensive review by the Australian Law Reform Commission, a significant expansion of the civil penalties available under the act in 2022, and the first tranche of reforms enacted in 2024.

More recently, in 2024, the first tranche of amendments arising from a review process that began in 2021 was enacted. This first tranche included changes to the powers of the regulator, new rules around overseas disclosures and new transparency requirements. A second tranche will be required to implement the bulk of the accepted reform proposals; however, it had not been scheduled at publication time.

The Privacy Act is intended to provide a basis for nationally consistent privacy regulation, facilitate the free flow of information across national borders while ensuring that individual privacy is respected, provide a complaint mechanism and implement Australia's international privacy obligations. Most of these objectives are achieved by the Australian Privacy Principles, set out in Schedule 1 of the act. The APPs impose obligations regarding the collection, use, disclosure, storage and disposal of "personal information" about individuals, as well as obligations relating to access and correction. Credit reporting is regulated separately under Part IIIA of the act.

The APPs apply to APP entities, that is, Australian, Australian Capital Territory and Norfolk Island government agencies and private sector organizations. Individuals acting in a personal capacity and small business operators (businesses with an annual turnover of AUD3 million or less) are exempt from the operation of the act, subject to the exceptions discussed below. Unlike the EU General Data Protection Regulation, the Privacy Act does not distinguish between data controllers and data processors: any APP entity that holds personal information must comply with the APPs.

Summary of the APPs

APP 1: Open and transparent management of personal information

This first Australian Privacy Principle requires APP entities to manage personal information in an "open and transparent way," including taking reasonable steps to ensure that they comply with the APPs.

APP 1 is similar in effect to GDPR Article 5(2), which requires controllers to be able to demonstrate compliance with the principles set out in Article 5(1). Article 5(1)(a) also requires that personal data be processed in a "transparent manner."

APP 1.3 and 1.4 also require APP entities to have a clearly expressed and up-to-date privacy policy that deals with specified matters. GDPR Article 7 addresses obtaining consent from an individual, including where consent is given in the context of a "written declaration," and Articles 12–14 address matters similar to those specified in APP 1.3 and 1.4. Articles 13 and 14 also require additional information to be provided, including how long personal data will be stored, the enhanced individual rights under the GDPR (such as data portability, the right to withdraw consent and the right to erasure) and the existence of any automated decision-making, including profiling.

APP 2: Anonymity and pseudonymity

APP 2 requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym unless a listed exception applies.

There is no direct analog to this provision in the GDPR. However, it should be noted that pseudonymised data remains personal data under the GDPR where it can be attributed to a natural person with the use of additional information (Recital 26), although pseudonymisation is recognised as a safeguard that reduces risk (Recital 28).

APP 3: Collection of solicited personal information

APP 3 outlines when an APP entity may collect personal information it has asked for. In particular, it requires that organizations collect personal information only where it is reasonably necessary for one or more of their functions or activities (agencies may also collect where the information is directly related to their functions or activities), and only by "lawful and fair means." A higher standard applies to the collection of sensitive information: it may be collected only with the individual's consent or where a listed exception applies.

A comparison can be drawn here to GDPR Article 5(1)(a) and (b), which require that personal data be processed "lawfully, fairly and in a transparent manner" and collected for "specified, explicit and legitimate purposes."

APP 4: Dealing with unsolicited personal information

APP 4 requires APP entities to destroy or de-identify unsolicited personal information that they could not have otherwise collected under APP 3.

There is no direct analog in the GDPR; however, it should be noted that the GDPR does not permit collection of personal data without a specified, explicit purpose.

APP 5: Notification of the collection of personal information

APP 5 requires APP entities to notify individuals of specified matters when they collect their personal information, or otherwise ensure the individuals are aware of those matters, for example by providing a collection statement.

Articles 13 and 14 of the GDPR impose requirements for the provision of privacy information that are substantially similar to the matters specified in APP 5, together with additional obligations; see APP 1 above.

APP 6: Use or disclosure of personal information

APP 6 outlines the circumstances in which an APP entity may use or disclose personal information that it holds. Where an APP entity has collected personal information for a particular purpose and wishes to use or disclose it for a secondary purpose, APP 6 provides that the entity may not do so unless the individual has consented, the individual would reasonably expect the secondary use and it is related to the primary purpose, or another listed exception applies. Exceptions include circumstances involving health and safety and law enforcement.

GDPR Article 6 similarly provides that personal data may be processed only where the data subject has consented to one or more specific purposes or another listed lawful basis applies, for example where the processing is necessary to perform a contract or to comply with a legal obligation.

APP 7: Direct marketing

APP 7 provides that an organization that is an APP entity may only use or disclose personal information for direct marketing purposes if certain conditions are met. Direct marketing messages must include a clear and simple way to opt out of receiving future messages and must not be sent to individuals who have already opted out. Sensitive information about an individual may only be used for direct marketing with the consent of the individual.

GDPR Article 21 provides individuals with, among other things, the right to object to the use of their personal data for direct marketing.

APP 8: Cross-border disclosure of personal information

APP 8 requires an APP entity, before it discloses personal information to an overseas recipient, to take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. This requirement does not apply where the recipient is subject to a law or binding scheme that protects the information in a way that is, overall, at least substantially similar to the APPs and that the individual can enforce, where the individual has consented after being expressly informed that the reasonable steps will not be taken, or where another listed exception applies. Under section 16C, an APP entity that discloses personal information overseas is accountable for any breach of the APPs by the recipient in relation to that information, subject to exceptions.

Notably, the 2024 reforms to the Privacy Act allow the Governor-General to prescribe, by regulation, countries and binding schemes whose privacy protections and enforcement mechanisms are deemed adequate, so that disclosures to recipients subject to them can rely on the prescribed list rather than a case-by-case assessment. No countries or schemes had been prescribed at press time. This is substantially like the approach taken in GDPR Article 45, under which transfers of personal data to third countries are permissible where those countries are deemed to provide an "adequate level of protection."

Chapter V of the GDPR provides that transfers of personal data outside the EU may be made only where the recipient jurisdiction has been assessed as "adequate" in terms of data protection, where appropriate safeguards, such as standard contractual clauses or binding corporate rules, have been put in place, or where a listed derogation applies. The European Commission has not, to date, assessed Australia as adequate.

APP 9: Adoption, use or disclosure of government related identifiers

APP 9 provides that an organization that is an APP entity may not adopt a government related identifier of an individual as its own identifier, or use or disclose such an identifier unless a listed exception applies. There is no direct analog to this provision in the GDPR.

APP 10: Quality of personal information

APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect, use or disclose is accurate, up to date and complete.

Accuracy and currency of the information are addressed in GDPR Article 5(1)(d), which requires that "every reasonable step must be taken" to ensure that inaccurate personal data are "erased or rectified without delay."

APP 11: Security of personal information

APP 11.1 requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorized access, modification or disclosure. Following the 2024 reforms, APP 11.3 makes clear that these reasonable steps include technical and organisational measures; that is, APP entities are expected to have both governance controls, such as policies and procedures, and technical cybersecurity controls, such as firewalls, access controls and encryption. This provision is a frequent focus of investigations into APP entities conducted by the Office of the Australian Information Commissioner.

GDPR Article 5(1)(f) similarly requires that personal data be processed in a manner "that ensures appropriate security of the personal data." Further, Article 32 requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Those measures must also address the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

APP 11.2 provides that APP entities must also take reasonable steps to destroy or de-identify personal information that they no longer need for any purpose for which it may be used or disclosed under the APPs, unless the information is contained in a Commonwealth record or a law or court order requires it to be retained.

GDPR Article 5(1)(e) imposes a similar storage limitation: personal data may be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." However, the same provision allows that "personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)."

APP 11.3 applies to these retention steps as well: in addition to governance controls such as retention policies and procedures, APP entities are expected to have technical controls that let them identify over-retained personal information in a defensible way and then de-identify or destroy it.

APP 12: Access to personal information

APP 12 requires APP entities to give an individual access to the personal information about them that the entity holds, on request by that individual. This APP imposes procedural requirements around access and includes limited exceptions.

Article 15 of the GDPR imposes a similar right of access, with additional rights to information about the processing, such as the recipients or categories of recipients, the envisaged storage period and the safeguards applied to overseas transfers.

APP 13: Correction of personal information

APP 13 requires APP entities take reasonable steps to correct personal information they hold about an individual, on request by the individual. This APP also imposes procedural requirements and includes limited exceptions.

GDPR Article 16 imposes a similar but stronger right: data subjects have the "right to obtain … without undue delay the rectification of inaccurate personal data concerning (them)."

Comparison Table

Each topic below sets out the GDPR position first, followed by the position under the Privacy Act 1988 (Cth).

Personal data

GDPR, Article 4(1): Personal data is any information "relating to an identified or identifiable natural person." "An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Privacy Act, section 6(1): The Privacy Act governs the handling of personal information, defined as "information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not."

Data subject

GDPR, Article 4(1): An identified or identifiable natural person.

Privacy Act, section 6(1): "Individual" is defined as "a natural person." Regulator guidance (APP Guidelines, para. B99) indicates that a deceased person is not a natural person.

Controller

GDPR, Article 4(7): The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law.

Privacy Act: The Privacy Act does not distinguish between controllers and processors. Instead, the APPs apply to any APP entity that collects or holds personal information. Under section 6(1), the definition of APP entity includes:
• Most Australian government agencies
• All private sector and not-for-profit organizations with an annual turnover of more than AUD3 million
• All private health service providers, and
• Some small businesses, i.e., those that trade in personal information for a benefit, are contracted service providers to the Australian government or are credit reporting bodies.

Processor

GDPR, Article 4(8): A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The GDPR also defines a third party (Article 4(10)): a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Privacy Act: No equivalent concept; see Controller above.

Consent

GDPR, Article 4(11): "'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

Privacy Act, section 6(1): "Consent" is defined as "express consent or implied consent." Regulator guidance (APP Guidelines, paras. B37–B61) indicates that the four key elements of consent are:
• The individual is adequately informed before giving consent
• The individual gives consent voluntarily
• The consent is current and specific
• The individual has the capacity to understand and communicate consent (see also APP Guidelines, para. B35)

Sensitive data

GDPR, Article 9: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." Listed exceptions apply under Article 9(2).

Privacy Act, section 6(1): Sensitive information is a subset of personal information and is defined as:
• "Information or an opinion about an individual's:
  ◊ Racial or ethnic origin
  ◊ Political opinions
  ◊ Membership of a political association
  ◊ Religious beliefs or affiliations
  ◊ Philosophical beliefs
  ◊ Membership of a professional or trade association
  ◊ Membership of a trade union
  ◊ Sexual orientation or practices, or
  ◊ Criminal record
• Health information about an individual
• Genetic information (that is not otherwise health information)
• Biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
• Biometric templates."

APP 3.3 provides that sensitive information about an individual must not be collected unless the individual consents and the collection is reasonably necessary for one or more of the APP entity's functions or activities, or a listed exception applies.

Transfer of personal data to third countries or international organizations

GDPR, Articles 44–50: Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization may take place only if the conditions laid down in Chapter V are complied with by the controller and processor, so that the level of protection of natural persons guaranteed by the GDPR is not undermined. Transfers may be made on the basis of an adequacy decision (including, for EU-U.S. transfers, the EU-U.S. Data Privacy Framework), subject to appropriate safeguards such as binding corporate rules and standard contractual clauses, or under a listed derogation.

Privacy Act, APP 8: Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient does not breach the APPs in relation to the information, unless a listed exception applies. Under section 16C, an APP entity that discloses personal information to an overseas recipient is accountable for a breach of the APPs by the recipient in relation to that information; exceptions apply. Pursuant to the 2024 reforms, regulations may prescribe countries and binding schemes whose privacy protections and enforcement mechanisms are substantially similar to the APPs, so that disclosures to recipients subject to them do not require the case-by-case assessment; none had been prescribed at press time.

Right to restriction of processing

GDPR, Article 18: "The data subject shall have the right to obtain from the controller restriction of processing (where a specified ground applies)."

Privacy Act: No equivalent.

Right to be forgotten

GDPR, Article 17: "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay (where a specified ground applies)."

Privacy Act: No equivalent. APP 11.2 requires APP entities to destroy or de-identify personal information they no longer need for any purpose for which it may be used or disclosed under the APPs. However, individuals have no right to require APP entities to destroy or de-identify the information held about them.

Data portability

GDPR, Article 20: "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."

Privacy Act: No direct equivalent. APP 12.1 provides that if an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information; APPs 12.2 and 12.3 list exceptions. APP 12.5 provides that the entity must take such steps as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.

Data breach notification

GDPR, Article 33: "… the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …"

GDPR, Article 34: "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."

Privacy Act, Part IIIC: APP entities that experience an "eligible data breach," that is, unauthorized access to, unauthorized disclosure of, or loss of personal information that is likely to result in serious harm to affected individuals, must prepare a statement in the prescribed form and give it to the information commissioner as soon as practicable (section 26WK), and must notify affected individuals (section 26WL). If it is unclear whether a suspected breach is an eligible data breach, the entity must carry out a reasonable and expeditious assessment and take all reasonable steps to complete it within 30 days of becoming aware of the grounds for suspicion (section 26WH).

Penalty

GDPR, Article 83:
• Up to 10 million euros or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations of controllers and processors, certification bodies and monitoring bodies.
• Up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the principles of processing, the conditions for consent, data subjects' rights, the rules on transfers outside the EU, etc.
Under Article 84, each member state may lay down rules on other penalties applicable to infringements of the GDPR, in particular for infringements not subject to Article 83, and must take all measures necessary to ensure that they are implemented.

Privacy Act, section 13: A breach of the APPs, of the breach notification obligations or of a registered code or listed guideline is an interference with privacy.

The regulator may seek civil penalties for interferences with privacy under section 13H, or for serious interferences with privacy under section 13G. The maximum penalty for a body corporate for a serious interference is the greater of AUD50 million, three times the value of the benefit obtained from the contravention or, if that value cannot be determined, 30% of the entity's adjusted turnover during the period of noncompliance.

The information commissioner also has the power to issue infringement notices of up to AUD66,000 for certain administrative failures, including failing to have a compliant APP 1 privacy policy, failing to provide direct marketing opt-outs, failing to handle individual rights requests appropriately, and providing an incomplete or misleading data breach notification to the commissioner.

The 2024 reforms also introduced a statutory tort for serious invasions of privacy, enabling an individual to sue the person responsible directly for damages and other remedies. The tort is actionable without proof of damage.

Children's Privacy Protection

GDPR, Recital 38: "Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child."

GDPR, Article 8: Where an information society service is offered directly to a child and consent is relied on as the lawful basis, processing of the child's personal data is lawful only where the child is at least 16 years old; below that age, consent must be given or authorised by the holder of parental responsibility. Member states may provide by law for a lower age for those purposes, provided that it is not below 13 years.

Privacy Act: The 2024 reforms require the regulator to develop a Children's Online Privacy Code. The code will apply to social media platforms and other online services that are likely to be accessed by children. The code must be registered within 24 months of the commencement of the 2024 reforms, i.e., by December 2026.

Automated Decision-Making Transparency

GDPR, Article 22: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

GDPR, Articles 13(2)(f) and 14(2)(g): Controllers must disclose the existence of such automated decision-making, including profiling, when personal data are collected, together with meaningful information about the logic involved and the significance and envisaged consequences of the processing for the data subject.

Privacy Act, APP 1.7: From December 2026, APP entities must disclose in their privacy policies that they have arranged for a computer program to be used to make, or to "do a thing that is substantially and directly related to making," a decision that could reasonably be expected to significantly affect the rights or interests of an individual, where personal information is used in that process.

Small Business Exemption

GDPR: No equivalent exemption.

Privacy Act, section 6D: The Privacy Act applies to APP entities and not to small business operators. A small business operator is a private sector organization with an annual turnover of AUD3 million or less.

However, some entities are by definition not small business operators, for example if they provide a health service, trade in personal information, are a contracted service provider to the Australian government or are a credit reporting body (section 6D(4)). These entities are covered by the Privacy Act.

The Australian government has accepted in principle the proposal to remove the small business exemption, but this has not yet been legislated or scheduled. See Proposal 6.1 of the Australian government's Response to the Privacy Act Review.

Employee Records Exemption

GDPR: No equivalent exemption.

Privacy Act, section 7B: Section 7B(3) provides that the Privacy Act does not apply to the acts and practices of private sector organizations that are directly related to a current or former employment relationship and an employee record.

The Australian government has accepted in principle the proposal to reduce the scope of this exemption and provide more protection for employee personal information, but this has not yet been legislated or scheduled. For more, see Proposal 7.1 of the Australian government's Response to the Privacy Act Review.

What's next

The Privacy Act is still subject to an ongoing review process. At press time, the Australian government has not specified when the second tranche of reforms can be expected.

If implemented, the second tranche of reforms will make further significant changes to Australia's privacy protection framework. These are expected to include, but are not limited to, proposals that would:

  • Amend the definition of consent to provide that it must be voluntary, informed, current, specific and unambiguous (proposal 11.1).
  • Introduce a "fair and reasonable" test for the handling of personal information (proposal 12.1).
  • Require APP entities to conduct privacy impact assessments for activities with high privacy risks (proposal 13.1).
  • Expand individual rights to align more closely with the GDPR, including an expanded right of access, a right to object to collection, use or disclosure, a right to erasure and a right to de-index online search results in certain circumstances (proposals 18.1–18.10).

Tim de Sousa, AIGP, CIPP/E, CIPM, FIP, is managing director, technology, privacy, information governance and tech ethics at FTI Consulting.