Editor's note: This article was originally published 11 Oct. 2017 as part of a series that matched laws from across the globe to the EU General Data Protection Regulation. This article has been updated to include the latest developments to Australia's Privacy Act in December 2024.
The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The Privacy Act 1988 (Cth) is the foundation of Australia's national privacy regulatory regime. Its genesis lies in the 1980 privacy guidelines issued by the Organisation for Economic Co-operation and Development. Since it came into force in 1988, the Privacy Act has undergone four key rounds of amendments, the first three being the expansion of the act to private sector businesses in 2000, the extensive updates to the act in 2014 following a comprehensive review by the Australian Law Reform Commission, and a significant expansion of the civil penalties available under the act in 2022.
More recently, in 2024, the first tranche of amendments commenced, following a lengthy review process that began in 2021. This first tranche included amendments to the powers of the regulator, new rules around overseas disclosures and new transparency requirements. A second tranche will be required to implement the bulk of the accepted reform proposals; however, it had not yet been scheduled at publication time.
The Privacy Act is intended to provide a basis for nationally consistent privacy regulation, facilitate the free flow of information outside of Australia while ensuring that individual privacy is respected, provide a complaint mechanism and implement Australia's international privacy obligations. Most of these objectives are achieved through the Australian Privacy Principles (APPs), set out in Schedule 1 of the act. The APPs impose obligations regarding the collection, use, disclosure, storage and disposal of "personal information" about individuals, as well as obligations relating to access and correction, and to credit reporting.
The APPs apply to APP entities — that is, Australian, Australian Capital Territory and Norfolk Island government agencies and private sector businesses. Individuals and small business operators (businesses with an annual turnover of less than AUD3 million) are exempt from the operation of the act. Unlike the EU General Data Protection Regulation, the Privacy Act does not distinguish between data controllers and data processors: any APP entity that holds personal information must comply with the APPs.
Summary of the APPs
APP 1: Open and transparent management of personal information
This first Australian Privacy Principle requires APP entities to manage personal information in an "open and transparent way," including taking reasonable steps to ensure that they comply with the APPs.
APP 1 is similar in effect to GDPR Article 5 Principle 2, which requires controllers to be able to demonstrate compliance with the obligations set out in Principle 1. Principle 1(a) also requires data processing to be done in a "transparent manner."
APP 1.3 and 1.4 also require APP entities to have a clearly expressed privacy policy that deals with specified matters. GDPR Article 7 discusses obtaining consent from an individual in the context of a "written declaration," and Articles 12–14 address similar matters to those specified in APP 1.3 and 1.4. Articles 13–14 also require additional information to be provided; this includes information about how long personal data will be stored, the enhanced personal rights under the GDPR (such as data portability, the right to withdraw consent, and the right to be forgotten), and any automated decision-making including profiling.
APP 2: Anonymity and pseudonymity
APP 2 requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym, unless a listed exception applies.
There is no direct analog to this provision in the GDPR. However, it should be noted that the GDPR may still apply to pseudonymous information, per Recital 28.
APP 3: Collection of solicited personal information
APP 3 outlines when an APP entity can collect personal information it has asked for. In particular, this APP requires that organizations only collect personal information where it is reasonably necessary for, or directly related to, their functions or activities, and only by "lawful and fair means." Higher standards apply to the collection of sensitive information; specifically, sensitive information may only be collected with consent or where a listed exception applies.
A comparison can be drawn here to GDPR Article 5, which requires that data be collected for "specified, explicit and legitimate purposes" and be processed "lawfully (and) fairly" (Principle 1(a) and (b)).
APP 4: Dealing with unsolicited personal information
APP 4 requires APP entities to destroy or de-identify unsolicited personal information that they could not have otherwise collected under APP 3.
There is no direct analog in the GDPR; however, it should be noted that the GDPR does not permit collection of personal data without a specified, explicit purpose.
APP 5: Notification of the collection of personal information
APP 5 requires APP entities to notify individuals of specified matters when they collect their personal information, or otherwise ensure they are aware of those matters, such as by providing individuals with a collection statement.
Again, GDPR Articles 13–14 impose requirements for the provision of privacy information that are substantially similar to the matters specified in APP 5, as well as additional obligations (see APP 1 above).
APP 6: Use or disclosure of personal information
APP 6 outlines the circumstances in which an APP entity may use or disclose personal information that it holds. Where an APP entity has collected personal information for a specific purpose and wishes to use it for a secondary purpose, APP 6 provides that the entity may not do so unless the individual has consented, the secondary use is within the individual's reasonable expectations, or another listed exception applies. Exceptions include circumstances involving health and safety and law enforcement.
GDPR Article 6 similarly requires that personal data may only be processed where the data subject has consented to one or more specific purposes of the processing, or another listed scenario applies, for example where the processing is necessary to perform a contract or to comply with a legal obligation.
APP 7: Direct marketing
APP 7 provides that an organization that is an APP entity may only use or disclose personal information for direct marketing purposes if certain conditions are met. Direct marketing messages must include a clear and simple way to opt out of receiving future messages and must not be sent to individuals who have already opted out. Sensitive information about an individual may only be used for direct marketing with the consent of the individual.
GDPR Article 21 provides individuals with, among other things, the right to object to the use of their personal data for direct marketing.
APP 8: Cross-border disclosure of personal information
APP 8 requires an APP entity, before it discloses personal information to an overseas recipient, to take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Personal information may only be disclosed where the recipient is subject to a regulatory regime that is substantially similar to the APPs, where the individual has consented, or where another listed exception applies. APP entities may be liable for the acts and practices of overseas recipients in certain circumstances, per Section 16.
Notably, the 2024 reforms to the Privacy Act provide that the Governor-General will outline a list of countries with adequate privacy protections and enforcement mechanisms that are deemed safe for cross-border data transfers. This list is to be developed and implemented through regulations, but this had not happened at press time. This is substantially similar to the approach taken in GDPR Article 45, under which transfers of personal data to third countries are permissible where those countries are deemed to provide an "adequate level of (privacy) protection."
Chapter 5 of the GDPR provides that transfers of personal data outside of EU jurisdiction may only be made where the recipient jurisdiction has been assessed as "adequate" in terms of data protection, where sufficient safeguards, such as a binding contract or corporate rules, have been put in place, or a listed exception applies. The European Commission has not, to date, assessed Australia as adequate.
APP 9: Adoption, use or disclosure of government related identifiers
APP 9 provides that an organization that is an APP entity may not adopt a government related identifier of an individual as its own identifier, or use or disclose such an identifier unless a listed exception applies. There is no direct analog to this provision in the GDPR.
APP 10: Quality of personal information
APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect, use or disclose is accurate, up to date and complete.
Accuracy and currency of information are also addressed in GDPR Article 5 (Principle 1(d)): "every reasonable step must be taken" to ensure that inaccurate personal data is "rectified without delay."
APP 11: Security of personal information
APP 11.1 requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorized access, modification or disclosure. These steps must include "technical and organisational controls" per APP 11.3 — that is, APP entities are expected to have both governance controls, such as policies and procedures, and technical cybersecurity controls, such as firewalls, access controls and encryption. This provision is a frequent focus of investigations into APP entities conducted by the Australian Information Commissioner.
GDPR Article 5 similarly requires that data processing be undertaken in a manner "that ensures appropriate security of the data" (Principle 1(f)). Further, Article 32 requires the controller and the processor to implement appropriate technical and organizational measures to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Those measures must also address the confidentiality, integrity and availability of the data.
APP 11.2 provides that APP entities must also take reasonable steps to destroy or de-identify personal information that they no longer require for a lawful business purpose.
GDPR Article 5(1)(e) imposes a similar storage limitation: personal data may be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" (Principle 1(e)). However, the GDPR also provides that "personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)."
These reasonable steps must also include, but are not limited to, "technical and organisational controls" under APP 11.3. That is, in addition to governance controls such as policies and procedures, and technical cybersecurity controls such as firewalls, access controls and encryption, APP entities are expected to have technical controls that enable defensible identification of over-retained personal information and its de-identification or destruction.
APP 12: Access to personal information
APP 12 requires APP entities to give an individual access to the personal information about them that the entity holds, on request by that individual. This APP imposes procedural requirements around access and includes limited exceptions.
Article 15 of the GDPR imposes a similar right of access, with additional rights to be informed about the collection and envisaged use of the data, such as the recipients or potential recipients, the likely storage period, and the safeguards applied to overseas transfers.
APP 13: Correction of personal information
APP 13 requires APP entities to take reasonable steps to correct personal information they hold about an individual, on request by the individual. This APP also imposes procedural requirements and includes limited exceptions.
GDPR Article 16 imposes a similar but stronger right; data subjects have the absolute "right to obtain … without undue delay the rectification of inaccurate personal data concerning (them)."
Comparison Table
| Topic | GDPR | Privacy Act 1988 (Cth) |
| --- | --- | --- |
| Personal data | Article 4 | Section 6(1) (the definition applies "whether the information or opinion is true or not") |
| Data subject | Article 4 | Section 6(1); APP Guidelines para. B99 |
| Controller | Article 4 | Section 6(1). The Privacy Act does not distinguish between controllers and processors. |
| Processor | Article 4 | See above. |
| Consent | Article 4 | Section 6(1); APP Guidelines paras. B37–B61 |
| Sensitive data | Article 9 | Section 6(1); APP 3 |
| Transfer of personal data to third countries or international organizations | Articles 44–50 | APP 8 |
| Right to restriction of processing | Article 18 | No equivalent. |
| Right to be forgotten | Article 17 | No equivalent. |
| Data portability | Article 20 | No direct equivalent. |
| Data breach notification | Article 33 | Part IIIC |
| Penalty | Article 83 | Section 13. The regulator may seek civil penalties for interferences with privacy per Section 13H, or for serious interferences with privacy per Section 13G. The maximum penalty for serious interferences is the greater of AUD50 million, three times the value of the benefit obtained from the contravention, or 30% of adjusted revenue for the period of noncompliance. The Information Commissioner also has the power to issue infringement notices of up to AUD66,000 for certain administrative failures, including failure to have a compliant APP 1 privacy policy, failure to provide direct marketing opt-outs, failure to appropriately handle personal rights requests, and providing an incomplete or misleading data breach notification to the commissioner. |
| Children's privacy protection | Recital 38 states that "children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child." Article 8 permits information society services to be offered on the basis of a child's own consent only where the child is at least 16 years of age; otherwise a parent or guardian must consent on their behalf. | The 2024 reforms require the regulator to develop a Children's Online Privacy Code, which will apply to all social media platforms and online services likely to be accessed by children. |
| Automated decision-making transparency | Article 22 provides that data subjects have a right not to be subjected to a wholly automated decision, including profiling, where it will have legal or other significant effects on the data subject. Articles 13(2)(g) and 14(2)(g) provide that controllers must disclose the existence of wholly automated decision-making, including profiling, at the time when personal data is collected from the data subject. | APP 1. This provision will take effect in December 2026. |
| Small business exemption | N/A | Section 6D. However, some entities are by definition not small business operators, for example if they provide a health service, sell personal information, are a contracted service provider to the Australian government or are a credit reporting body, per Section 6D(4). These entities are covered by the Privacy Act. |
| Employee records exemption | N/A | Section 7B |
What's next
The Privacy Act is still subject to an ongoing review process. At press time, the Australian government has not specified when the second tranche of reforms can be expected.
If implemented, the second tranche of reforms will provide further significant changes to Australia's privacy protection framework. These are expected to include, but are not limited to:
- Amend the definition of consent to provide that it must be voluntary, informed, current, specific and unambiguous (proposal 11.1).
- Implement a fair and reasonable test for the handling of personal information (proposal 12.1).
- Require APP entities to conduct privacy impact assessments for activities with high privacy risks (proposal 13.1).
- Expand individual rights to align more closely with the GDPR by expanding the right of access and introducing rights to object to collection, use or disclosure, to erasure, and to de-index online search results in certain circumstances (proposals 18.1–18.10).
Tim de Sousa, AIGP, CIPP/E, CIPM, FIP, is managing director, technology, privacy, information governance and tech ethics at FTI Consulting.