Australia

Summary

Law: Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act')

Regulator: The Office of the Australian Information Commissioner ('OAIC') 

Summary: The Privacy Act, which includes a set of Australian Privacy Principles, provides general personal data protection requirements and provisions, including the right to access and to be informed. However, the Privacy Act does not explicitly refer to 'data controllers' or 'data processors,' nor does it include provisions regarding data protection officer appointments or Data Protection Impact Assessments. On 22 February 2018, the 'notifiable data breaches' provisions of the Privacy Act came into effect, requiring mandatory notification of all 'eligible data breaches' to the OAIC as well as affected individuals. In addition, in 2019 the Australian Government passed the Treasury Laws Amendment (Consumer Data Right) Bill, which provides consumers with the right to data portability in order to enable them to switch between products and services. The Consumer Data Right was introduced to the banking sector in 2020 and will be rolled out progressively into the retail energy and telecommunications sectors.

Notably, the Australian Parliament approved the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 ('the 2022 Bill'), which came into effect on 13 December 2022. Importantly, the 2022 Bill significantly increases penalties for repeated or serious privacy breaches by companies which fail to take adequate care of customer data and provides the OAIC with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect impacted customers.

On 16 Febuary 2023, the Attorney General publicly released a Report on the Privacy Act Review. The Report outlines the 116 proposed reforms to the Privacy Act and was informed by feedback received in response to the aforementioned Issues Paper released in October 2020 and a Discussion Paper, released in October 2021. At the same time as releasing the Discussion Paper for the Privacy Act review, the Australian Government published an Exposure Draft for the proposed Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, however the bill was never introduced to Parliament.

In addition, there are various other pieces of privacy legislation and authorities within the states and territories, further information on which is available through the jurisdiction dashboard links below.

Browse more jurisdictions:

Australian Capital Territory

Northern Territory

Browse more content in Australia

All Guidance Notes

All News

All Insights

News

01 June 2023

Australia: Government issues discussion paper for AI safeguards

19 May 2023

Australia: OAIC submits recommendations to new cybersecurity strategy

10 May 2023

Australia: OAIC and OPC launch joint investigation against Latitude Group

03 May 2023

Australia: Government to appoint Privacy Commissioner

14 April 2023

Australia: IAB publishes response to Privacy Act Review Report

23 March 2023

Australia: ACCC examines expanding ecosystems of digital platform service providers

20 March 2023

Australia: OAIC addresses data breach spike in second half of 2022

15 March 2023

Australia: ACSC updates Information Security Manual for organisations' cybersecurity

14 March 2023

Australia: OAIC action against Facebook returns to Federal Court

03 March 2023

Australia: OAIC publishes notifiable data breaches report covering July to December 2022

03 March 2023

International: ICO and ACMA sign MoU on regulation of unsolicited communications

01 March 2023

Australia: Government launches public consultation to inform of work on 2023-2030 Cybersecurity Strategy

Insights

April 2023

Australia: Erasing your digital footprint - Australia's evolving right to be forgotten

The Attorney-General's Final Report¹ on the Review of the Privacy Act 1988 (Cth) ('the Privacy Report'), published on 16 February 2023, considers enacting a right to be forgotten, also known as the right to erasure. This right would empower individuals to have more control over how organisations retain their personal information, giving them the right to delete their information. Katherine Sainty and Julia Colubriale, from Sainty Law, provide an overview of the right to be forgotten, the proposed amendment, its limitations, the significance, the implications for organisations, and how organisations can best prepare for the possibility that this right may be enshrined in Australian legislation.

March 2023

Australia: Protection of Australians' in the digital age - an overview of AG's Privacy Act report

The Australian Attorney-General's Department released the Privacy Act Review Final Report¹ ('the Report') on 16 February 2023. The Report is a comprehensive review of the Privacy Act 1988 (Cth) ('the Privacy Act') and contains 116 recommendations for reforms to protect Australians in the digital age. Katherine Sainty, Ottilia Thomson, and Julia Colubriale, from Sainty Law, discuss the Report and its key recommendations.

February 2023

Australia: A guide to anonymisation and pseudonymisation

In Australia, Federal, State, and Territory privacy laws govern anonymisation and pseudonymisation of personal information. Lisa Fitzgerald and Keely O'Dowd, from Lander & Rogers, provide an overview of the laws and guidance governing anonymisation and pseudonymisation in Australia, as well as a look at the scope and permitted uses for such data.

February 2023

Australia: How reforms are giving new powers to the privacy regulator

After a year of high-profile data breaches, 2023 is shaping up to be a year of privacy reform. As the economic and personal harm of data breaches continues to be felt, governments are escalating their response to the breaches by expanding the powers of privacy regulators. Katherine Sainty and Aisling Hamilton, from Sainty Law, examines how privacy reforms have expanded the powers of the Office of Australian Information Commissioner ('OAIC') and what that means for Australian businesses.

January 2023

Australia: Reforms to the NSW public sector privacy laws - what you need to know

The New South Wales ('NSW') Government passed the Privacy and Personal Information Protection Amendment Act 2022 (NSW) ('the PPIP Amendment Act') on the 28 November 2022, creating a wave of reforms to NSW public sector privacy laws. The changes come into force on the 28 December 2023. NSW public sector agencies and State-Owned Corporations ('SOCs') have a 12-month transition period to understand their new obligations and build new processes to comply. Katherine Sainty and Lily O Brien, from Sainty Law, detail what the reforms consist of and who they apply to.

December 2022

Australia: Critical Infrastructure Protection Act 2022 - overview and analysis

The Security of Critical Infrastructure Act 2018 (Cth) ('the SOCI Act') provides a framework for managing risks relating to Australia's critical infrastructure, including national security risks of espionage, sabotage, and foreign interference. On 2 April 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) ('the SLACIP Act') came into effect. The SLACIP Act amends the SOCI Act and builds on the amendments of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) that came into effect on 2 December 2021. Lisa Fitzgerald and Keely O'Dowd, from Lander & Rogers, provide a look into the SLACIP Act and its impact on Australia's critical infrastructure framework.

December 2022

Australia: Implications of and responses to data breaches – lessons learnt

A string of major data breaches by Australian companies have resulted in far-reaching implications for both Australian and international businesses and consumers. In parallel, the introduction of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) ('the Privacy Bill') signals that the data security landscape in Australia is changing and that enhanced data handling and cybersecurity practices are imperative. Katherine Sainty, Aisling Hamilton, and Julia Colubriale, from Sainty Law, outline the implications of data breaches, regulatory responses, including changes to the Privacy Act 1988 (Cth) No. 119 1988 (as amended) ('the Privacy Act'), and key lessons for businesses going forward.

September 2022

Australia: OAIC cracks down on retailers using facial recognition technology

Two major Australian retailers are being investigated by the Office of the Australian Information Commissioner ('OAIC') for using facial recognition technology ('FRT') without getting informed consent from patrons. In Australia, retailers are not permitted to use biometric information for profiling and surveillance purposes without the person's knowledge. Katherine Sainty and Aisling Hamilton, from Sainty Law, discuss what FRT is, how it is used, and what businesses should consider for its use.

August 2022

International: Comparing the ADPPA with Australia's Privacy Act

The American Data Privacy and Protection Act¹ ('ADPPA'), whilst still under review, has many similarities with existing privacy legislation, including Australia's Privacy Act 1988 (Cth) ('the Privacy Act'). Katherine Sainty and Aisling Hamilton, from Sainty Law, provide an introduction to some of the main features of the ADPPA, as well as a glance into how the ADPPA compares with the Privacy Act.

August 2022

Australia: DSARs – Employees, prospective employees, and BYOD challenges

A data subject access request ('DSAR') is a request made by an individual to an organisation or agency, asking for access to any personal information collected or stored regarding the individual. Katherine Sainty, Director at Sainty Law, considers how, under Australian law, organisations should handle DSARs involving employees and prospective employees, also discussing situations where personal information is stored on employee's own devices used during the course of their work.

May 2022

Australia: An overview of the Critical Infrastructure Protection Act

On 1 April 2022, the Parliament of Australia announced that, following a number of debates and amendments, it had passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 ('the Act'), which was assented to on the same day, and entered into effect on 2 April 2022. The Act was proposed by the Australian Department of Home Affairs ('the Government') in December 2021, with the intention of enhancing the resilience of Australia's critical infrastructure to security risks, including cyber-attacks. OneTrust DataGuidance discusses the Act and gives an overview of the key areas of its contents.

May 2022

Australia: The impact of Chinese data protection laws on Australian businesses

China has implemented data protection legislation that impacts how companies operate in, or transact with, businesses or individuals in China. The Personal Information Protection Law ('PIPL') applies to organisations and individuals who process 'personally identifiable information' in China. Companies that process, analyse, or access personal data relating to individuals based in China, for example to provide a product or service or analyse their behaviour, will be required to comply with the PIPL. Katherine Sainty and Aisling Hamilton, from Sainty Law, share insight into the impact of the PIPL on Australian businesses and look at what affected businesses should consider in order to stay compliant with Chinese legislation.

Australia

Summary

Browse more jurisdictions:

Browse more content in Australia

News

Insights

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us