Australia - Data Protection Overview
1. Governing Texts
The Australian Government has announced (and is expected by 31 December 2021 to pass) increased fines under the Privacy Act 1988 (Cth) No. 119 1988 (as amended) ('the Privacy Act'), bringing them into line with other recent changes to administrative fines in other areas. The maximum fine for a serious invasion or repeated invasions of privacy (i.e. breaches of the privacy law) will be increased to the greater of AUD 10 million (approx. €6.3 million), three times any benefit obtained from the invasion, and 10% of Australian annual revenue.
This expected minimum five-fold increase in the available fine under the Privacy Act and the increased budget given to the Office of the Australian Information Commissioner ('OAIC') has led to greater own-motion investigations (and levying of fines) by the OAIC in the past 12-18 months.
Over the past 18-24 months, another key development has been the increasing role of the Australian Competition and Consumer Commission ('ACCC') in enforcing consumer privacy. The ACCC's recent enforcement activity demonstrates a heavy-handed approach to protecting consumers' privacy interests.
The Australian Government's Attorney-General's Department is currently undertaking a comprehensive review of the Privacy Act covering consent requirements, exceptions and rights of action. The review is likely to lead to significant changes to the Privacy Act.
The key legislation in Australia affecting private-sector organisations (and Federal Government agencies) Australia-wide is the Privacy Act and its Australian Privacy Principles ('APPs'). In addition to the Privacy Act/APPs, there is a Privacy Regulation 2013, legally binding Privacy (Credit Reporting) Code and rules and guidelines, for example, in relation to privacy in the conduct of medical research and Tax File Numbers ('TFNs') which have the force of law and apply in specific areas/to specific types of information.
From 1 July 2020, the consumer data right ('CDR'), introduced by amendments to the Competition and Consumer Act 2010 (Cth) and the Privacy Act, went live for limited data sharing in relation to the four major banks (as the first part of the so-called 'open banking regime'). The rest of the banking data subject to the CDR must be available for sharing by those big four banks from 1 November 2020. The CDR will then be rolled out progressively in the rest of the banking sector, then the retail energy and telecoms sectors before, we expect, being rolled out across other financial services organisations and other sectors where there is significant consumer interaction and thus resulting consumer data.
The key privacy related 'legislation' overseen by the OAIC resulting from the introduction of the CDR regime is the CDR Privacy Safeguard Guidelines, which are legally binding statutory provisions which set out the privacy rights and obligations for participants in the CDR regime, a CDR version of the APPs.
Also, on an Australia-wide basis, there are additional sector/information-specific laws such as those relating to TFNs, personal electronic health records, and the CDR regime that also apply in addition to the Privacy Act/APPs. In addition, a number of Australian States also have their own privacy laws that regulate State Government agencies and private enterprise contractors to the State Governments and, in some cases, health records. Even where private sector organisations, as contractors to State Government agencies, are governed by State privacy law this is in addition to their obligations under the Privacy Act/APPs.
Key non-binding Guidelines and Guides are issued by the OAIC and are available on the OAIC website, of note:
- Data breach preparation and response;
- De-identification Decision-Making Framework;
- Guide to securing personal information; and
- Guide to undertaking privacy impact assessments.
1.3. Case law
Noteworthy recent decisions, determinations, and undertakings obtained by the Privacy Commissioner include:
- Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) AICmr 34;
- L B and Comcare (Privacy) AICmr 28;
- Jeremy Lee v. Superior Wood Pty Ltd FWCB 2946;
- 'QP' and the Commonwealth Bank of Australia Limited (Privacy) AICmr 48;
- Commonwealth Bank of Australia enforceable undertaking;
- Wilson Asset Management enforceable undertaking; and
- Department of Health enforceable undertaking.
Recent court action taken by the OAIC against Facebook Inc. in relation to the Cambridge Analytica activities seeks to impose such fines for the first time. While this is significant, and yet to be completed, it appears much more significant that the OAIC may be seeking to apply the fine for each of the approximately 320,000 Australians purportedly affected by Facebook's alleged serious and/or repeated invasions of their privacy. That is, rather than just one fine of up to AUD 2.1 million (approx. €1.3 million) levied on the serious and/or repeated invasions of privacy as a whole (i.e. no matter how many people were affected), as had previously been expected. If successful, the resulting fine(s) imposed on Facebook could be staggering and a significant 'game-changer' in Australian privacy.
2. Scope of Application
In addition to all Federal Government agencies, the Privacy Act/APPs apply to all private sector organisations (collectively 'APP entities') other than:
- those organisations (including all their related bodies corporate each) with less than AUD 3 million (approx. €1.9 million) annual turnover at any time (unless they use or disclose personal information for a benefit or collect and use health information);
- registered political parties; and
- State or Territory Authorities or Instrumentalities, although the notifiable data breaches ('NDB') provisions apply to all eligible data breaches involving TFNs (including in respect of the above).
The Privacy Act/APPs apply to all organisations carrying on business in Australia which includes actively collecting personal information in Australia or from Australian residents, or by promoting an offshore entity/website to Australian residents.
In the Uber decision, however, the OAIC has made clear its position on questions of territorial scope. The OAIC's interpretation of 'carrying on business in Australia' takes into account the statutory object of the Privacy Act of 'protecting the privacy of individuals and the responsible handling of personal information collected from individuals in Australia'. The effect is that, even where an offshore entity (e.g. a cloud hosting provider located outside Australia) does not have direct engagement with individuals in Australia, is not involved in facilitating the transactions between those individuals and does not directly collect personal information from those individuals, the entity may nonetheless be carrying on business in Australia by reason of it being a vendor of services to an APP entity.
All processing (i.e. collection, use, and disclosure) of personal information by APP entities is covered by the Privacy Act/APPs. However, the processing of de-identified or anonymous data (if it cannot be reasonably re-identified) is not covered by the Privacy Act/APPs.
In addition, all persons and entities (including usually excluded entities e.g. State Government agencies) dealing with TFNs are covered by:
- the TFN Rules; and
- the NDB provisions as regards any data breaches involving TFNs/TFN information.
Processing exempted from the Privacy Act/APPs includes purely personal/domestic processing of personal information (i.e. by individuals in a non-business capacity), employee records once held by the employer (as to which please see Section 13), political acts and practices (e.g. related to Members of Parliament), small businesses (e.g. under the AUD 3 million (approx. €1.9 million) turnover threshold and not otherwise subject to the Privacy Act/APPs) engaged under a Commonwealth contract, and processing by media organisations, if done in the course of journalism.
3.1. Main regulator for data protection
The Privacy Commissioner is the relevant regulator under the Privacy Act/APPs. The Privacy Commissioner sits within, and is overseen by, the Australian Information Commissioner (who is currently the same person as the Privacy Commissioner) and both are in the OAIC.
3.2. Main powers, duties and responsibilities
The Privacy Commissioner is charged with enforcing the Privacy Act/APPs, including receiving and resolving complaints, undertaking own motion investigations and, as a result of any relevant determination, seeking an enforceable undertaking, publishing determinations/decisions, and issuing guidance in respect of the interpretation and enforcement of the Privacy Act/APPs.
The Privacy Commissioner can also seek the imposition of a fine for a serious invasion of privacy (i.e. breach of the APPs) or repeated invasions of privacy (i.e. repeated breaches of the APPs).
Please see section on penalties below for further information.
4. Key Definitions
In Australia, data protection is generally known as 'privacy' and, for the purposes of this Guidance Note, unless otherwise specifically noted, we limit our comments to the privacy law under the Privacy Act and APPs. The Privacy Act/APPs regulate the collection, use, holding, and disclosure of the personal information of living individuals by APP entities.
Data controller: Unlike European law, there is no concept of data 'controller' under Australian privacy law. Each APP entity that obtains/receives personal information (even as what may be considered a 'data processor' under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) will effectively be considered a data controller under Australian law and has its own separate and primary privacy obligations under the Privacy Act/APPs.
Data processor: Unlike European law, there is no concept of a data 'processor' under Australian privacy law. Each APP entity that obtains/receives personal information (even as what may be considered a 'data processor' under the GDPR) will effectively be considered a data controller under Australian law and has its own separate and primary privacy obligations under the Privacy Act/APPs.
Personal data: Referred to as 'personal information' in the Privacy Act/APPs, personal data is defined to mean information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
The information or opinion itself does not have to identify the individual, and the individual does not need to be reasonably identifiable from that information or opinion alone; it is enough that the individual is reasonably identifiable by other means, or from other reasonably obtainable information when used together with the information in question.
Sensitive data: A sub-set of personal information is 'sensitive information', which is defined to mean personal information which includes information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record and health information, genetic information, and/or biometric information used for automated biometric verification or biometric identification.
Health data: 'Health information' is part of 'sensitive information' (see above under 'sensitive data') and is defined to include information or opinion about the health including an illness, disability, or injury of an individual, health services provided or to be provided to an individual, and an individual's expressed wishes about future provision of health services that, in all cases, is also 'personal information'. It also includes other personal information collected to provide or in providing a health service, collected in connection with the donation or intended donation by an individual of his or her body parts, organs, or body substances, and genetic information about an individual in a form that is or could be predictive of the health of that individual or genetic relatives.
Biometric data: 'Biometric data' is not a term used or defined in Australian privacy law but the equivalent 'biometric information' (undefined) is included in the definition of 'sensitive information' (see 'sensitive data' above). As 'biometric information' is not defined under the Privacy Act, it is to be given its ordinary dictionary meaning, not dissimilar to 'biometric data' under the GDPR.
Pseudonymisation: This term is not defined in Australian privacy law, but the concept is used in APP 2. It is an obligation under APP 2, where practicable, for APP entities to provide individuals with an option of using a pseudonym. 'Pseudonym' and 'pseudonymisation', absent a specific definition in the Privacy Act, are given their ordinary dictionary definitions which, in practice, will be little different to the definition in the GDPR.
5. Legal Bases
'Consent' (meaning express or implied consent) is required under APP 3.3 for the collection of sensitive information, including health information, from an individual. Again, even with consent the sensitive information can only be collected if it is also reasonably necessary for one or more of the entity's functions or activities.
While this is not a 'legal basis' for collection, subject to meeting the requirement of APP 3, where there is a contract between the entity and the individual this will usually provide any required consent for the collection.
'Legal obligations' (e.g. a requirement or authorisation by or under Australian law or a court/tribunal order) are exceptions from the requirement to obtain consent to collect relevant sensitive information. However, this does not remove the obligation under APP 5 to notify individuals of the prescribed matters (APP 5.2) at or before the time of, or as soon as practicable after, the collection of that information.
Similarly to the 'legal obligations' exception noted above, an entity can dispense with obtaining consent from an individual for the collection of sensitive information where such information is reasonably necessary to assist in locating a person who has been reported missing, or is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual or to public health or safety.
Consent for the collection of sensitive information may also be dispensed with by the entity collecting it where such is reasonably necessary to lessen or prevent a serious threat to public health or safety, find a missing person, where the unlawful activity or misconduct of a serious nature is suspected, or it is reasonably necessary for an entity's diplomatic or consular functions or activities.
The entity is able to collect sensitive information without consent where it does so as regards to suspected unlawful activity or misconduct of a serious nature, for the establishment, exercise, or defence of a legal claim or for the purposes of a confidential alternative dispute resolution process.
As noted above, the main precondition to (or 'legal basis' for) collecting any personal information (including sensitive/health information) is to ensure that the information collected is reasonably necessary for one or more of the entity's functions or activities. Even where an exception permits the collection of sensitive information without consent, the entity is still obliged to meet this precondition to the collection.
Where a law or court order expressly requires an entity to collect the specified information then that will be sufficient to establish that the precondition has been met. However, where the law or court order only permits the collection of such information then, arguably, in some cases meeting the precondition must be established before the entity is entitled to collect that information.
The key obligations of all APP entities (whether they would be considered data controllers or data processors under the GDPR) under the Privacy Act/APPs include:
- to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs (APP 1.2);
- to only collect personal information that is reasonably necessary for one or more of the APP entity's functions or activities (APP 3.2), by lawful and fair means (APP 3.3), and directly from the individual, unless it is unreasonable or impracticable to do so (APP 3.6);
- to at all times seek to minimise the personal information/sensitive information collected, exploring other ways to meet business purposes. In other words, APP entities should not assume that collecting personal information is always required to meet their requirements;
- at or before the time or, if that is not practicable, as soon as practicable after an APP entity collects personal information about an individual, to take such steps as are reasonable in the circumstances to notify the individual of the matters in APP 5.2, or otherwise ensure that the individual is aware of such matters (APP 5.1);
- to only use the personal information collected for the notified purpose(s) for collection, unless a secondary purpose is permitted by the APPs (but exercise extra caution with secondary purposes) or consented to by the individual (APP 6.1);
- to take reasonable steps to ensure that the personal information that the APP entity collects, uses, or discloses is accurate, up-to-date, and complete (APP 10);
- to take reasonable steps in the circumstances to protect the personal information held by the APP entity from misuse, interference, and loss and from unauthorised access, modification, or disclosure (APP 11.1);
- to take reasonable steps to delete or de-identify personal information when it is no longer required for the notified purposes for which it was collected;
- to notify all eligible data breaches as soon as practicable to the OAIC and all affected individuals; and
- to develop and implement:
  - a data breach response plan; and
  - a data destruction policy.
As regards the information security obligations in APP 11.1, it is important to note that this is not a fixed or static obligation (i.e. it is not 'one size fits all'). The larger the entity, the more personal information it collects, the more sensitive that information is, the more centralised its data holdings are, etc., the greater the security obligations (i.e. the measures that need to be taken to satisfy the obligations). A helpful start to understanding one's information security obligations under APP 11.1 is the Privacy Commissioner's guide to securing personal information and the recent Uber decision. The latter also notes that APP entities without the relevant expertise internally need to engage appropriate external experts to assist with the preparation and implementation of policies and in relation to data breach assessment and response.
7. Controller and Processor Obligations
As regards the obligations and requirements attached to the offshore disclosure (including transfer) of personal information, please see our separate Australia – Data Transfers Guidance Note.
'Data processing records' are not specifically provided for in, or required by, Australian privacy law. While APP 1 requires an APP entity to take such steps as are reasonable in the circumstances to implement practices, procedures, and systems relating to the entity's functions and activities that ensure compliance with the APPs (APP 1.2), the concept of 'data processing records' (or records of processing activities/RoPA) is not common under Australian privacy law.
A Privacy Impact Assessment ('PIA') is contemplated by Australian privacy law but, apart from government agencies, is not mandated. However, arguably, a PIA is, if not required, highly recommended to fulfil one's obligations under APP 1.2. The guidance and recommendations of the OAIC are that a PIA should be used for any new, changed/varied or altered process, method, or technology used that processes any personal information.
A data protection officer ('DPO') (or rather, in Australian terminology, a privacy officer) is not mandated by law in Australia but it is recommended by the Privacy Commissioner and, arguably, recommended if not necessary in practice to comply with APP 1.2.
In practice we are seeing more and more privacy officer roles where a substantial part of the job description (or, for large APP entities, some chief privacy officers whose sole responsibility it is) is privacy compliance. We are fast approaching the point where, for all but the smallest APP entities with limited personal information, it will be difficult to establish that reasonable steps have been taken to ensure compliance with the Privacy Act/APPs (APP 1.2) without having a privacy officer.
As a DPO is not compulsory under Australian privacy law, there are no stated/legislative requirements for the position. In practice a privacy officer is usually from/in the risk or in-house legal functions but it is recommended that they also have some IT and business knowledge/experience.
Australia has mandatory notification of all 'eligible data breaches'. Unless a specific limited exemption applies, all eligible data breaches must be notified to the OAIC and all affected individuals as soon as practicable after the entity:
- becomes aware of the eligible data breach;
- becomes aware of reasonable grounds to believe an eligible data breach has occurred; or
- is directed to do so by the Privacy Commissioner.
An 'eligible data breach' occurs if:
- there is an unauthorised access to, unauthorised disclosure, or loss of personal information held by an APP entity (i.e. a data breach); and
- a reasonable person would believe that such data breach is likely to result in serious harm to any of the individuals to whom the information relates.
To assist with assessing what a reasonable person might think, a non-exhaustive list of relevant matters to be considered has been included in the Privacy Act (Section 26WG).
Where there are no reasonable grounds to believe an eligible data breach has occurred but there are reasonable grounds to suspect that there may have been an eligible data breach, the entity must take all reasonable steps to undertake an assessment within 30 days (after the entity becomes aware of reasonable grounds to suspect such may have occurred) to determine whether or not an eligible data breach has occurred. Once such an assessment is completed (i.e. as soon as there are reasonable grounds to believe an eligible data breach has occurred) the entity will have to notify the eligible data breach as soon as practicable, assuming it finds reasonable grounds for believing that an eligible data breach has occurred. However, this provision should not be used to automatically get 30 days to determine what to do in the case of an eligible data breach.
APP entities may use the usual means by which they communicate with the relevant affected individuals, if practicable, to notify all affected individuals of the eligible data breach. If that is not practicable, the APP entity must consider other means by which to notify the eligible data breach; the fact that it is impracticable to notify each individual personally does not obviate the need for notification, and other appropriate means must be devised to notify the affected persons. As a deterrent to doing nothing, the provisions require, at a minimum, that the required notice be prominently published on the entity's website or otherwise widely publicised.
While there used to be some ambiguity, the recent Uber decision has made it clear that having (and implementing) an appropriate data breach response plan that details at least certain key issues is required in order to comply with APP 1.2.
In addition to the security obligations noted above, the Privacy Act/APPs require that APP entities delete or de-identify all personal information in their possession once all legal requirements to keep it in an identified form have passed, it is not required for threatened or current litigation and it has been used for the notified purpose(s) for which it was collected (APP 11.2). That is, personal information cannot be kept indefinitely and all document/records/data retention policies must include appropriate provisions requiring deletion/de-identification of personal information in accordance with APP 11.2. The Uber decision has also made it clear that having (and implementing) an appropriate data destruction and retention policy is required in order to comply with APP 1.2.
The de-identification/deletion obligation raises significant issues for those APP entities that wish to keep personal information beyond the time limits permitted by the Privacy Act/APPs for data analytics purposes (including the training of artificial intelligence/machine learning algorithms), especially if data analytics was not an original stated purpose for the collection.
There are no specific provisions in Australian privacy law dealing with children's personal information. However, under the general law the age of majority in Australia is 18 years of age. While this is appropriate for contracting, the OAIC has given guidance that, subject to a consideration of the capacity of each relevant individual, a person of at least 15 years old can generally be notified of a privacy collection statement and/or consent to the collection of their sensitive information.
Under Australian privacy law the 'special categories of personal information' are, subject to our comment below, mostly captured under 'sensitive information' and, while there are no separate sensitive-information-specific provisions, in practice the obligations are applied more rigorously with respect to sensitive information. For example, the obligation to take reasonable steps to secure personal information against unauthorised disclosure, use, and/or loss is more rigorously applied in respect of holdings of 'sensitive information'. That is, more information security measures are expected as reasonable where one holds sensitive information.
Additional specific requirements (more onerous than for sensitive information) are included in or incorporated into Australian privacy law for 'Tax File Number information' and 'credit information'.
As previously noted, there is no distinction under Australian privacy law between data controllers and data processors. That is, data processors have the same primary obligations and responsibilities as data controllers under the Privacy Act/APPs. As there is no separation between controllers and processors in Australia, there are no mandated agreement requirements or obligations. However, it is recommended that any third-party service provider arrangement be documented (i.e. by agreement), especially where the processor is outside Australia, and that it include purpose limitations, compliance with the Privacy Act/APPs (for offshore providers in particular) and provisions relating to the notification of and responsibility for notifiable data breaches.
8. Data Subject Rights
As noted above, there is an obligation to notify all individuals whose personal information an entity collects of certain prescribed matters detailed in APP 5.2 at, or prior to, the collection of that information. If this is impracticable then notification must occur as soon as possible after the collection of that information. This is, in effect, Australian privacy law's 'right to be informed'. APP 5.2 provides the prescribed matters that must be notified, and these include who is collecting, the purpose(s) for the collection, what use will be made of the information, and to whom it may be disclosed (and whether any of those disclosures are to recipients outside of Australia).
The right to access the personal information held by the APP entity about that individual is covered by APP 12.1.
The right to seek correction of the personal information held by the APP entity about that individual is covered by APP 13.1 and the right to have any correction notified to third parties to whom the personal information was provided by the APP entity is covered by APP 13.2.
There is no specific 'right to erasure' currently given to individuals under Australian privacy law. However, there are obligations imposed on the entity to provide access to and correct personal information, together with an obligation to keep the information collected current. Also, under APP 11.2, the entity is obliged to delete or de-identify personal information (whether or not requested by the individual) once it has been used for the notified purpose(s) of collection and is no longer required by law to be kept in an identifiable form.
The right to request not to receive direct marketing and to not have the individual's personal information disclosed or used for direct marketing is covered under APP 7.6. Also, any personal information collected under a consent will be subject to the individual withdrawing their consent to processing.
Currently, there is no general 'right to data portability' under Australian privacy law, although there is the right to access the personal information held about one by an entity. However, the CDR regime, being first applied in the banking system as 'open banking', does impose a data portability requirement for certain specified 'consumer data'. The CDR will be extended to at least the retail energy and telecommunications sectors and the expectation is that it will then progressively be rolled out across all sectors of the Australian economy.
There is currently no right provided under Australian privacy law to request not to be subject to automated decision-making, unless such decision-making results in discrimination, in which case there are possible actions under legislation other than privacy legislation.
The right to not identify oneself when dealing with an APP entity (i.e. deal anonymously), unless impracticable or required by law is covered by APP 2.
The ultimate sanction available to the OAIC/Privacy Commissioner is to apply to the court to have a fine of up to AUD 2.1 million (approx. €1.3 million) for entities and AUD 420,000 (approx. €265,000) for individuals imposed for a serious breach or repeated breaches of the APPs. Also, please see the Introduction to this Guidance Note under 'New Developments'.
The Privacy Commissioner also has the ability to impose enforceable undertakings, award compensation/reimburse costs and damages, and publish public determinations/decisions specifying full details of the infringement (in the case of a complaint) and the results of the Privacy Commissioner's investigation.
The current OAIC case against Facebook seeking to levy fines under the Privacy Act is the first such 'enforcement' action taken in the court by the OAIC in respect of the penalties that the OAIC can seek to have imposed for a serious invasion or repeated invasions of privacy (i.e. breaches of the APPs). This case will likely not be decided until late 2021 but, interestingly, the OAIC has sought to impose the fine of up to AUD 2.1 million (approx. €1.3 million) in relation to each of the individuals impacted by the alleged serious invasion of privacy resulting from the Cambridge Analytica activities. In Australia, this is a group of in excess of 300,000 which, even if only a token fine per person is applied by the court, will amount to a significant sum of money. Prevailing 'wisdom' was that the fine would be applied to the activity as a whole (i.e. almost irrespective of the number of individuals impacted). That is, up to AUD 2.1 million (approx. €1.3 million) in total, not up to AUD 2.1 million x 300,000.
In addition, the ACCC has been significantly more active in the 'consumer privacy' space. Recently, the ACCC obtained a court order fining a start-up in the digital health space AUD 2.8 million (approx. €1.8 million) (ACCC v HealthEngine Pty Ltd FCA 1203). AUD 1.4 million (approx. €883,000) of that fine was 'allocated' to the failure to clearly inform customers of how their personal information was being used, to whom it was being disclosed, and for what purpose. Similarly, the ACCC succeeded in a Federal Court regulatory action against Google for misleading presentation of geolocation tracking settings in a version of Android (Australian Competition and Consumer Commission v Google LLC (No 2) FCA 367).