Australian Privacy and Data Protection Laws

Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) contained in it apply to private sector entities (including bodies corporate, partnerships, trusts and unincorporated associations) with an annual turnover of more than AU$3 million, to certain smaller businesses regardless of turnover (for example private health service providers and entities that trade in personal information), and to all Commonwealth Government and Australian Capital Territory Government agencies.

The Privacy Act regulates how covered entities handle personal information. Under the Act, the Privacy Commissioner has authority to conduct investigations, including own-motion investigations, to enforce the Act, and may seek civil penalties for serious or egregious breaches, or for repeated breaches of the APPs where an entity has failed to take remedial action.

Most States and Territories in Australia (Western Australia and South Australia being the exceptions) have their own data protection legislation. These Acts apply to the relevant State or Territory government agencies and, in some cases, to private businesses that provide services to or otherwise deal with those agencies. They include:

  • Information Privacy Act 2014 (Australian Capital Territory)
  • Information Act 2002 (Northern Territory)
  • Privacy and Personal Information Protection Act 1998 (New South Wales)
  • Information Privacy Act 2009 (Queensland)
  • Personal Information Protection Act 2004 (Tasmania), and
  • Privacy and Data Protection Act 2014 (Victoria)

Additionally, other State, Territory and federal legislation contains provisions that bear on data protection for specific types of data or activities. Examples include the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Sector-specific regulators have also set out the data protection practices they expect regulated entities to have in place. For example, the Australian Prudential Regulation Authority (APRA), which regulates banks, insurers and superannuation entities, requires regulated entities to comply with its Prudential Standards, including Prudential Standard CPS 234 Information Security (CPS 234), which sets minimum information security requirements and requires APRA to be notified of material information security incidents within 72 hours. The Australian Securities and Investments Commission (ASIC) regulates corporations more generally.

Other important privacy and data protection laws

Assistance and Access Act

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (AA Act) gives law enforcement and intelligence agencies mechanisms to obtain assistance in accessing encrypted data for serious crime investigations, and imposes obligations on “designated communications providers”. Critics, including local and global technology firms, argue that the AA Act's remit is in practice much broader than serious crime, that it operates with limited judicial oversight, and that it has the potential to significantly weaken security and encryption solutions in Australia.

The AA Act allows various agencies to do any of the following:

  • Issue a “technical assistance notice”, which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible
  • Issue a “technical capability notice”, which requires a communications provider to build new capabilities to assist the agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible
  • Make “technical assistance requests”, to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating to issues of national interest, national security and law enforcement

Organizations will need to ensure that their customer terms and conditions deal carefully with legal compliance, including the possibility of compelled assistance under the AA Act, and with any security or confidentiality commitments made to customers generally.

Consumer Data Right

The Commonwealth Government is in the implementation phases of the Consumer Data Right (CDR) following a number of policy reviews including the Productivity Commission’s “Data Availability and Use” report and the “Review into Open Banking in Australia”.

The CDR allows a consumer to obtain certain data held about that consumer by a data holder, and to require that data to be transferred to accredited third parties for certain purposes. It also requires businesses to make information about specified products they offer publicly available. The intention is to improve consumers’ ability to compare and switch between products and services and to encourage competition between providers, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides access to a broader range of information within designated sectors than APP 12 of the Privacy Act does, since it applies not only to data about individual consumers but also to business consumers and to product data.

The CDR rules have been implemented in respect of the banking sector in Australia. The energy sector is the next to be added to the CDR, with the telecommunications sector currently scheduled to follow. Other sectors across the economy will be added to the CDR over time.

The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian Competition and Consumer Commission as well as the Office of the Australian Information Commissioner.
