Australia - Data Protection Overview
The Government has announced (and it is expected by 31 December 2020 to pass) increased fines under the Privacy Act No. 119 1988 (as amended) ('the Privacy Act') to be in line with other recent changes to administrative fines in other areas. The maximum fine for a serious invasion or repeated invasions of privacy (i.e. breaches of the privacy law) will be increased to up to the greater of AUD 10 million (approx. €6.1 million), three times any benefit obtained from the invasion breach (whichever the greater) and 10% of Australian annual revenue.
This minimum five-fold increase in the available fine under the Privacy Act and the increased budget given to the Office of the Australian Information Commissioner ('OAIC') will lead to greater own-motion investigations (and levying of fines) by the OAIC.
1. GOVERNING TEXTS
The key legislation in Australia affecting private-sector organisations (and Federal Government agencies) Australia-wide is the Privacy Act and its Australian Privacy Principles ('APPs'). In addition to the Privacy Act/APPs, there is a Privacy Regulation 2013, legally binding Privacy (Credit Reporting) Code and rules and guidelines, for example, in relation to privacy in the conduct of medical research and Tax File Numbers ('TFNs') which have the force of law and apply in specific areas/to specific types of information.
From 1 July 2020, the consumer data right ('CDR'), introduced by amendments to the Competition and Consumer Act 2010 (Cth) and the Privacy Act, went live for limited data sharing in relation to the four major banks (as the first part of the so called 'open banking regime'). The rest of the banking data subject to CDR must be available for sharing by those big four banks from 1 November 2020. The CDR will then be rolled out progressively in the retail energy and telecoms sectors before, we expect, being rolled out across other sectors where there is significant consumer interaction and thus resulting consumer data.
The key privacy related 'legislation' overseen by the OAIC resulting from the introduction of the CDR regime is the CDR Privacy Safeguard Guidelines, which are legally binding statutory provisions which set out the privacy rights and obligations for participants in the CDR regime, a CDR version of the APPs.
Also, on an Australia-wide basis, there are additional sector/information-specific laws such as those relating to TFNs, personal electronic health records, and the CDR regime that also apply in addition to the Privacy Act/APPs. In addition, a number of Australian States also have their own privacy laws that regulate State Government agencies and private enterprise contractors to the State Governments and, in some cases, health records. Even where private sector organisations, as contractors to State Government agencies, are governed by State privacy law this is in addition to their obligations under the Privacy Act/APPs.
Key non-binding Guidelines and Guides are issued by the OAIC.
1.3. Case law
Noteworthy recent decisions, determinations, and undertakings obtained by the Privacy Commissioner include:
- L B and Comcare (Privacy)  AICmr 28;
- Financial Rights Legal Centre Inc & Others and Veda Advantage Information Services and Solutions Ltd  AICmr 88;
- Jeremy Lee v. Superior Wood Pty Ltd  FWCB 2946;
- 'SF' and 'SG' (Privacy)  Al CMR 22;
- 'SD' and 'SE' and Northside Clinic (Vic) Pty Ltd (Privacy)  Al Cmr 21; and
- 'QP' and the Commonwealth Bank of Australia Limited (Prviacy)  Al Cmr 48.
Commonwealth Bank of Australia enforceable undertaking;
Recent court action taken by the OAIC against Facebook Inc. in relation to the Cambridge Analytica activities seeks to impose such fines for the first time. While this is significant, and still in its early stages (as of July 2020), it appears much more significant that the OAIC may be seeking to apply the fine for each of the approximately 320,000 Australians purportedly affected by Facebook's alleged serious and/or repeated invasions of their privacy. That is, rather than just one fine of up to AUD 2.1 million (approx. €1.2 million) levied on the serious and/or repeated invasions of privacy as a whole (i.e. no matter how many people were affected) as had been previously expected. If successful, the resulting fine(s) imposed on Facebook could be staggering and a significant 'game-changer' in Australian privacy.
2. SCOPE OF APPLICATION
In addition to all Federal Government agencies, the Privacy Act/APPs apply to all private sector organisations (collectively 'APP entities') other than:
- those organisations (including all their related bodies corporate each) with less than AUD 3 million (approx. €1.8 million) annual turnover at any time (unless they use or disclose personal information for a benefit or collect and use health information);
- registered political parties; and
- State or Territory Authorities or Instrumentalities, although the notifiable data breaches ('NDB') provisions apply to all eligible data breaches involving TFNs (including in respect of the above).
The Privacy Act/APPs apply to all organisations carrying out business in Australia which includes actively collecting personal information in Australia or from Australian residents, or by promoting an offshore entity/website to Australian residents.
All processing (i.e. collection, use, and disclosure) of personal information by APP entities is covered by the Privacy Act/APPs. However, the processing of de-identified or anonymous data (if it cannot be reasonably re-identified) is not covered by the Privacy Act/APPs.
In addition, all persons and entities (including usually excluded entities e.g. State Government agencies) dealing with TFNs are covered by:
- the TFN Rules; and
- the NDB provisions as regards any data breaches involving TFNs/TFN information.
Processing exempted from the Privacy Act/APPs includes purely personal/domestic processing of personal information (i.e. individuals in a non-business capacity), employee records once held by the employer (as to which please see Section 13), political acts and practices (e.g. related to Members of Parliament), small businesses (e.g. under the AUD 3 million (approx. €1.8 million) turnover threshold and not otherwise subject to the Privacy Act/APPs) engaged under a Commonwealth contract and by media organisations, if done in the course of journalism.
3.1. Main regulator for data protection
The Privacy Commissioner is the relevant regulator under the Privacy Act/APPs. The Privacy Commissioner sits within, and is overseen by, the Australian Information Commissioner (who is currently the same person as the Privacy Commissioner) and both are in the OAIC.
3.2. Main powers, duties and responsibilities
The Privacy Commissioner is charged with enforcing the Privacy Act/APPs, including receiving and resolving complaints, undertaking own motion investigations and, as a result of any relevant determination, seeking an enforceable undertaking, publishing determinations/decisions, and issuing guidance in respect of the interpretation and enforcement of the Privacy Act/APPs.
The Privacy Commissioner can also seek the imposition of a fine for a serious invasion of privacy (i.e. breach of the APPs) or repeated invasions of privacy (i.e. repeated breaches of the APPs). Please see section 9 below.
4. KEY DEFINITIONS
In Australia, data protection is generally known as 'privacy' and, for the purposes of this Guidance Note, unless otherwise specifically noted, we limit our comments to the privacy law under the Privacy Act and APPs. The Privacy Act/APPs regulate the collection, use, holding, and disclosure of the personal information of living individuals by APP entities.
Data controller: Unlike European law, there is no concept of data 'controller' under Australian privacy law. Each APP entity that obtains/receives personal information (even as what may be considered a 'data processor' under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') will effectively be considered a data controller under Australian law and has its own separate and primary privacy obligations under the Privacy Act/APPs.
Data processor: Unlike European law, there is no concept of a data 'processor' under Australian privacy law. Each APP entity that obtains/receives personal information (even as what may be considered a 'data processor' under the GDPR) will effectively be considered a data controller under Australian law and has its own separate and primary privacy obligations under the Privacy Act/APPs.
Personal data: Referred to as 'personal information' in the Privacy Act/APPs, personal data is defined to mean information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not, the information or opinion itself does not have to identify the individual or the individual does not need be reasonably identifiable from that information or opinion alone, but includes where an individual is reasonably identifiable by other means or from other information reasonably obtainable when used with the information in question.
Sensitive data: A sub-set of personal information is 'sensitive information,' which is defined to mean personal information which includes information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record and health information, genetic information, and/or biometric information used for automated biometric verification or biometric identification.
Health data: 'Health information' is part of 'sensitive information' (see above under 'sensitive data') and is defined to include information or opinion about the health including an illness, disability, or injury of an individual, health services provided or to be provided to an individual, and an individual's expressed wishes about future provision of health services that, in all cases, is also 'personal information.' It also includes other personal information collected to provide or in providing a health service, collected in connection with the donation or intended donation by an individual of his or her body parts, organs, or body substances, and genetic information about an individual in a form that is or could be predictive of the health of that individual or genetic relatives.
Biometric data: 'Biometric data' is not a term used or defined in Australian privacy law but the equivalent 'biometric information' (undefined) is included in the definition of 'sensitive information' (see 'sensitive data' above). As 'biometric information' is not defined under the Privacy Act, it is to be given its ordinary dictionary meaning, not dissimilar to 'biometric data' under the GDPR.
Pseudonymisation: This term is not defined in Australian privacy law, but the concept is used in APP 2. It is an obligation under APP 2, where practicable, for APP entities to provide individuals with an option of using a pseudonym. 'Pseudonym' and 'pseudonymisation,' absent a specific definition in the Privacy Act, are given their ordinary dictionary definitions which, in practice, will be little different to the definition in the GDPR.
5. LEGAL BASES
'Consent' (meaning express or implied consent) is required under APP 3.3 for the collection of sensitive information, including health information, from an individual. Again, as long as the sensitive information collected is reasonably necessary for one or more of the entity's functions or activities.
While this is not a 'legal bases' for collection, subject to meeting the requirement of APP 3, where there is a contract between the entity and the individual this will usually provide any required consent for the collection.
'Legal obligations' (e.g. the requirement or authorisation by or under Australian law or a court/tribunal order) are exceptions from the requirement to obtain consent to collect sensitive information. However, such does not avoid the obligation under APP 5 to notify individuals of the prescribed matters (APP 5.2) at or before the time of or, as soon as practicable, after the collection of that information.
Again similar to 'legal obligations' noted above, an entity can dispense with obtaining consent from an individual for the collection of sensitive information where such information is reasonably necessary to assist the location of a person that has been reported missing or which is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual or to public health or safety.
Consent for the collection of sensitive information may be dispensed with by the entity collecting it where such is reasonably necessary to lessen or prevent a serious threat to public health or safety, find a missing person, where the unlawful activity or misconduct of a serious nature is suspected, or it is reasonably necessary for an entity's diplomatic or consular functions or activities.
The entity is able to collect sensitive information without consent where it does so as regards to suspected unlawful activity or misconduct of a serious nature, for the establishment, exercise, or defence of a legal claim or for the purposes of a confidential alternative dispute resolution process.
As noted above, the main precondition to (or 'legal basis' for) collecting any personal information (including sensitive/health information) is to ensure that the information collected is reasonably necessary for one or more of the entity's functions or activities. Even where an exception permits the collection of sensitive information without consent, the entity is still obliged to meet this precondition to the collection.
Where a law or court order requires an entity to collect the specified information then that will be sufficient to establish that the precondition has been met. However, where the law or court order only permits the collection of such information then, arguably, in some cases meeting the precondition must be established before the entity is entitled to collect that information.
The key obligations of all APP entities (whether considered data controllers or data processors under the GDPR) under the Privacy Act/APPs include:
- to take reasonable steps to implement practices, procedures, and systems that will ensure compliance with the APPs (APP 1.2);
- only collect personal information that is reasonably necessary for one or more of the APP entity's functions or activities (APP 3.2), by lawful and fair means (APP 3.3), and directly from the individual, unless it is unreasonable or impracticable to do so (APP 3.6);
- at or before the time or, if that is not practicable, as soon as practicable after an APP entity collects personal information about an individual, take such steps as are reasonable in the circumstances to notify the individual of the matters in APP 5.2, or otherwise ensure that the individual is aware of such matters (APP 5.1);
- only use the personal information collected for the notified purpose(s) for collection, unless a secondary purpose is permitted by the APPs or consented to by the individual (APP 6.1);
- to take reasonable steps to ensure that the personal information that the APP entity collects, uses, or discloses is accurate, up-to-date, and complete (APP 10);
- to take reasonable steps in the circumstances to protect the personal information held by the APP entity from misuse, interference, and loss and from unauthorised access, modification, or disclosure (APP 11.1); and
- to notify all eligible data breaches as soon as practicable to the OAIC and all affected individuals.
As regards the information security obligations in APP 11.1, it is important to note that this is not a fixed or static obligation (i.e. it is not a 'one size fits all'). The bigger you are, the more personal information you collect, the more sensitive the information is, the more centralised the data holdings are etc., and the greater the security obligations are (i.e. measures that need to be taken to satisfy the obligations). A helpful start to understanding one's information security obligations under APP 11.1 is the Privacy Commissioner's guide to securing personal information.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
As regards the obligations and requirements attached to the offshore disclosure (including transfer) of personal information, please see our separate Australia – Data Transfers Guidance Note.
'Data processing records' are not specifically provided for in, or required by, Australian privacy law. While APP 1 requires an APP entity to take such steps as are reasonable in the circumstances to implement practices, procedures, and systems relating to the entity's functions and activities that ensures compliance with the APPs (APP 1.2), the concept of 'data processing records' is not common under Australian privacy law.
A Privacy Impact Assessment ('PIA') is contemplated by Australian privacy law but, apart from government agencies, is not mandated. However, arguably, a PIA is required to fulfil one's obligations under APP 1.2. The guidance and recommendations of the OAIC are that a PIA should be used for any new, changed/varied or altered process, method, or technology used that processes any personal information.
No. A data protection officer ('DPO') (or rather, in Australian terminology, a privacy officer) is not mandated by law in Australia but it is recommended by the Privacy Commissioner and, arguably, necessary to comply with APP 1.2.
In practice, we are seeing more and more privacy officer roles where a substantial part of the job description (or, for large APP entities, some chief privacy officers whose sole responsibility) is privacy compliance. We are fast approaching the point where, for other than the smallest APP entities with limited personal information, it will be difficult to establish that reasonable steps have been taken to ensure compliance with the Privacy Act/APPs (APP 1.2) without having a privacy officer.
As a DPO is not compulsory under Australian privacy law, there are no stated/legislative requirements for the position. In practice, a privacy officer is usually from/in the risk or in-house legal functions, but it is recommended that they also have some IT and business knowledge/experience.
Yes. Australia has mandatory notification of all 'eligible data breaches.' Unless a specific limited exemption applies, all eligible data breaches must be notified to the OAIC and all relevant individuals as soon as practicable after the entity:
- becomes aware of the eligible data breach;
- becomes aware of reasonable grounds to believe an eligible data breach has occurred; or
- is directed to do so by the Privacy Commissioner.
An eligible data breach occurs if:
- there is an unauthorised access to, unauthorised disclosure, or loss of personal information held by an APP entity (i.e. a data breach); and
- a reasonable person would believe that such data breach is likely to result in serious harm to any of the individuals to whom the information relates.
To assist with assessing what a reasonable person might think, a non-exhaustive list of relevant matters to be considered has been included in the Privacy Act (Section 26WG).
Where there are no reasonable grounds to believe but there are reasonable grounds to suspect that there may have been an eligible data breach, the entity must take all reasonable steps to undertake an assessment within 30 days (after the entity becomes aware of reasonable grounds to suspect such may have occurred) to determine whether or not an eligible data breach has occurred. Once such an assessment is completed (i.e. as soon as there are reasonable grounds to believe an eligible data breach has occurred) the entity will have to notify the eligible data breach as soon as practicable, assuming it finds reasonable grounds for believing that an eligible data breach has occurred. However, this provision cannot be used to automatically get 30 days to determine what to do in the case of an eligible data breach.
APP entities may use the usual means by which they communicate with the relevant affected individuals, if practicable, to notify all affected individuals of the eligible data breach. If not practicable, the APP entity must consider other means by which to notify the eligible data breach but, simply because it is impracticable to notify each individual personally, this does not obviate the need for notification and other appropriate means must be devised to notify the affected persons. As a deterrent to doing nothing, the provisions request, at a minimum, that the required notice be prominently published on the entity's website or that it is otherwise widely publicised.
In addition to the security obligations noted above, the Privacy Act/APPs require that APP entities delete or de-identify all personal information in their possession once all legal requirements to keep it in an identified form have passed, it is not required for threatened or current litigation and it has been used for the notified purpose(s) for which it was collected. That is, personal information cannot be kept indefinitely, and all document/records/data retention policies must include appropriate provisions requiring deletion/de-identification of personal information.
The de-identification/deletion obligation raises significant issues for those APP entities that wish to keep personal information beyond the time limits permitted by the Privacy Act/APPs for data analytics purposes, especially if data analytics was not an original stated purpose for the collection.
There are no specific provisions in Australian privacy law dealing with children's personal information. However, under the general law the age of majority in Australia is 18 years of age. While this is appropriate for contracting, the OAIC has given guidance that, subject to a consideration of the capacity of each relevant individual, a person of at least 15 years old can generally be notified of a privacy collection statement and/or consent to the collection their sensitive information.
Under Australian privacy law, the 'special categories of personal information' are, subject to our comment below, mostly captured under 'sensitive information,' and while there are no separate specific 'sensitive information' provisions, in practice the obligations are applied more rigorously with respect to sensitive information. For example, the obligation to take reasonable steps to secure personal information against unauthorised disclosure, use, and/or loss are more rigorously applied in respect of holdings of 'sensitive information.' That is, more information security measures are expected as reasonable where one holds sensitive information.
Additional specific requirements (more onerous than for sensitive information) are included in or incorporated into Australian privacy law for 'Tax File Number information' and 'credit information.'
Data processors have the same primary obligations and responsibilities as data controllers under the Privacy Act/APPs. As there is no separation between controllers and processors in Australia and thus no mandated agreement requirements or obligations. However, it is recommended that any third-party service provider arrangement should be documented (i.e. by agreement), especially where the processor is outside Australia, and should include purpose limitations, compliance with the Privacy Act/APPs (for offshore providers in particular), and provisions relating to the notification of and responsibility for notifiable data breaches.
8. DATA SUBJECT RIGHTS
As noted above, there is an obligation to notify all individuals whose personal information an entity collects of certain prescribed matters detailed in APP 5.2 at, or prior to the collection of that information, or, if impracticable, as soon as possible after the collection of that information. This is, in effect, Australian privacy law's 'right to be informed.' APP 5.2 provides the prescribed matters that must be notified and these include who is collecting, the purpose(s) for the collection, what use will be made of the information, and to whom it may be disclosed (and whether any of those disclosures are to recipients outside of Australia).
The right to access the personal information held by the APP entity about that individual is covered by APP 12.1.
The right to seek correction of the personal information held by the APP entity about that individual is covered by APP 13.1 and the right to have any correction notified to third parties to whom the personal information was provided by the APP entity is covered by APP 11.2.
There is no specific 'right to erasure' given to individuals currently under Australian privacy law. However, there are obligations imposed on the entity to provide access to and correct personal information, together with an obligation to keep the information collected current. Also, under APP 11.2, the entity is obliged to delete or de-identify personal information (whether or not requested by the individual) once it has been used for the notified purpose(s) of collection and is no longer required by law to be kept in an identifiable form.
The right to request not to receive direct marketing and to not have the individual's personal information disclosed or used for direct marketing is covered under APP 7.6.
Currently, there is no general 'right to data portability' under Australian privacy law, although there is the right to access the personal information held about one by an entity. However, the recent CDR legislation, being first applied in the banking system as 'open banking,' does impose a data portability requirement for certain specified 'consumer data.' The CDR, while commencing with open banking, will be extended to at least the retail energy and telecommunications sectors and the expectation is that it will then progressively be rolled out across all sectors of the Australian economy.
There is currently no right provided under Australian privacy law to request not be subject to automatic decision-making.
The right to not identify oneself when dealing with an APP entity (i.e. deal anonymously), unless impracticable or required by law is covered by APP 2.
The ultimate sanction available to the OAIC/Privacy Commissioner is to apply to the court to have a fine of up to AUD 2.1 million (approx. €1.3 million) for entities and AUD 420,000 (approx. €260,000) for individuals imposed for a serious breach or repeated breaches of the APPs. Also, please see section 14 under 'New Developments.'
The Privacy Commissioner also has the ability to impose enforceable undertakings, award compensation/reimbursement, and publish public determinations/decisions specifying full details of the infringement (in the case of a complaint) and the results of the Privacy Commissioner's investigation.
The current OAIC case against Facebook seeking to levy fines under the Privacy Act is the first such 'enforcement' action taken in the court by the OAIC in respect of penalties that can be sought to be imposed by the OAIC for a serious invasion or repeated invasions of privacy (i.e. breaches of the APPs). This case will likely not be decided until late 2021 but, interestingly, the OAIC has sought to impose the up to AUD 2.1 million (approx. €1.2 million) fine in relation to each of the individuals impacted by the alleged serious invasion of privacy resulting from the Cambridge Analytica activities. In Australia, this is a group of in excess of 300,000 which, even if only a token fine per person is applied by the court, will be a significant amount of money. Prevailing 'wisdom' was that the fine would be applied to the activity as a whole (i.e. almost irrespective of the number of individuals impacted). That is, up to AUD 1.2 million (approx. €1.2 million) in total, not up to AUD 2.1 million x 300,000.
In addition, the Australian Competition and Consumer Commission ('ACCC') has been significantly more active in the 'consumer privacy' space. Recently, the ACCC obtained a court order fining a start-up in the digital health space AUD 2.8 million (approx. €1,730,000) (ACCC v HealthEngine Pty Ltd  FCA 1203). AUD 1.4 million (approx. €857,100) of that fine was 'allocated' to the failure to clearly inform customers of how their personal information was being used, to whom it was being disclosed, and for what purpose.