Data Protection & Privacy 2020

Last Updated March 09, 2020

Australia

Law and Practice

Authors



McCullough Robertson has an intellectual property and competition team that is heavily involved in data protection work and that advises clients on all aspects of data protection – including implementing data management, cybersecurity and privacy compliance programmes; assisting in data breach assessments and notifications; and advising on big data, cloud, internet of things (IoT) and drone solutions. The team also has expertise in dealing with commercial IP, telecommunications and IT/technology matters – acting for a range of technology vendors, government entities and corporates, across sectors from financial services to online advertising, marketing firms and start-ups. The team leverages this expertise when acting in data intensive transactions, such as large IT and sourcing projects and cloud transformation projects.

In Australia, the following laws govern the collection, use, storage, transmission and retention of personal data and information:

Privacy Act 1988 (Cth) (Privacy Act)

Broadly, the Privacy Act governs how "personal information" is handled by Commonwealth Government entities, private sector entities with a global aggregate group turnover of AUD3 million or more and certain small businesses that do not meet this turnover threshold, but which nonetheless have data-intensive business practices (including private sector health services providers that hold health information, businesses that sell or purchase personal information, credit reporting bodies and contracted service providers for the Commonwealth Government) (APP entities).

"Personal information" is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

The Privacy Act contains 13 Australian Privacy Principles (APPs) which set out the minimum standards for dealing with personal information and cover the life cycle of the collection, use, storage, disclosure and destruction of personal information. The Privacy Act also contains credit-reporting obligations that govern the way in which personal credit information about individuals must be handled by regulated entities.

It is worth noting that:

  • the APPs contain higher standards for the collection and disclosure of "sensitive information" (see 2.2 Sectoral and Special Issues); and
  • the Privacy Act and the APPs do not apply to state government entities, which instead are bound by separate privacy legislation in each state or territory.

Spam Act 2003 (Cth) (Spam Act)

The Spam Act prohibits the sending of direct marketing emails, SMS, MMS or other electronic communications that offer, advertise or promote goods or services, or business or investment opportunities to any person in Australia without the consent of that person.

Data Breach Notification Requirements

Under the Notifiable Data Breach Scheme (contained in the Privacy Act), if an APP entity suspects there has been a data breach, it has 30 days to determine whether there are sufficient grounds to believe that the breach is likely to result in serious harm to any of the affected individuals. If so, it must notify both the Office of the Australian Information Commissioner (OAIC or Information Commissioner) and affected individuals with certain prescribed information, such as recommendations as to the steps that should be taken by individuals in response to the breach. There are some limited exceptions to the duty to notify.

Additionally, in July 2019, Prudential Standard CPS 234 on Information Security came into force. It is a legally binding minimum standard for information security which requires regulated entities under the jurisdiction of the Australian Prudential Regulatory Authority (APRA) – being primarily financial and insurance institutions – to notify APRA of an information security incident that has:

  • materially affected, or has the potential to materially affect, financially or non-financially, that entity or the interests of depositors, policyholders, beneficiaries or other customers (as relevant); or
  • been notified to other regulators (whether in Australia or other jurisdictions).

Penalty and Enforcement Environment

The Privacy Act and Spam Act do not allow individuals to bring a claim directly against an entity that breaches the Privacy Act or Spam Act. Additionally, Australia does not have a clearly established fundamental or constitutional "right to privacy" that would allow individuals to bring a claim for breach of privacy. This means that, subject to a potential common law action further discussed in 2.5 Enforcement and Litigation, all complaints and claims must be lodged with the relevant regulator, which may then decide to take action.

The Privacy Act (including the Data Breach Notification Scheme and the APPs) is administered by the Australian Information Commissioner and the Spam Act is administered by the Australian Communications and Media Authority (ACMA).

The Australian Information Commissioner may:

  • conduct investigations in relation to a suspected or actual breach of the Privacy Act (in response to a complaint or of its own volition) including by requiring a person to give information or documents or attend a compulsory conference and entering premises to inspect documents;
  • accept enforceable undertakings from an APP entity, the breach of which can lead to a civil penalty;
  • make determinations regarding alleged breaches of the Privacy Act and impose compensation orders in favour of affected individuals (which are not subject to a statutory cap, but have generally been between AUD1,000 and 10,000);
  • seek injunctions regarding conduct that would contravene the Privacy Act; and
  • seek civil penalty orders from the Federal Court of up to AUD2.1 million for "serious" or "repeated" interference with the privacy of an individual.

The ACMA may:

  • issue a formal warning and require an entity to give a court-enforceable undertaking, the breach of which can lead to a civil penalty;
  • issue infringement notices (which are similar to "on the spot" fines) if it considers there has been a breach of the Spam Act. Infringement notices can be up to AUD210,000, depending on the basis for issuing the notice;
  • seek an injunction regarding conduct that would contravene the Spam Act; and
  • seek civil penalty orders from the Federal Court of up to AUD2.1 million for repeated breaches of the Spam Act.

Other Relevant Laws and Regulations

Other relevant laws and regulations include:

  • the Criminal Code Act 1995 (Cth) as amended by the Cybercrime Act 2001 (Cth) (Criminal Code Act), which expressly makes it an offence to cause unauthorised access or modification to data held in a computer or cause any unauthorised impairment of electronic communication to or from a computer;
  • the Telecommunications (Interception and Access) Act 1979 (Cth), which makes it an offence for a person to intercept or access private telecommunications without the knowledge of those involved, and imposes restrictions on the telecommunications sector on the use and disclosure of telecommunications- and communications-related data;
  • the My Health Records Act 2012 (Cth), which imposes specific data handling rules for health records held in the My Health Records database, a national database that allows individuals and their doctors and other healthcare providers to access the individual’s health information; and
  • the Do Not Call Register Act 2006 (Cth) which regulates unsolicited commercial calls to listed phone numbers.

See 1.1 Laws.

The preferred regulatory approach of both the OAIC and the ACMA is to encourage voluntary compliance by working with relevant entities and educating and informing regulated entities. Accordingly, both regulators may conduct assessments of compliance by specific entities, or alternatively, broadly investigate compliance within a particular industry group or sector, with a view to encouraging voluntary compliance. 

The OAIC may investigate a complaint that an APP entity has breached the Privacy Act and may also initiate an investigation of an act or practice that may be an interference with the privacy of an individual of its own volition. Similarly, the ACMA may investigate non-compliance with the Spam Act if it receives a complaint or otherwise identifies potential non-compliance.

Fines for Spam Act non-compliance are common.

When investigating a complaint that an APP entity has breached the Privacy Act, the OAIC:

  • must make a reasonable attempt to conciliate the complaint;
  • will seek to work with the parties concerned; and
  • if necessary, may use the formal powers conferred by the Privacy Act to require an individual or entity to provide information and documents.

After conducting an investigation, both the OAIC and the ACMA may decide to take regulatory or enforcement action against the entity. In each case, this decision (and the decision as to what enforcement action will be taken) is informed by a number of factors, including the seriousness of the incident or conduct investigated and whether the entity has engaged co-operatively with the OAIC or ACMA respectively.

A decision of the OAIC or the ACMA not to investigate (or further investigate) a complaint, or of the OAIC to make a determination under the Privacy Act, may be reviewed by the Federal Court of Australia, on application under the Administrative Decisions (Judicial Review) Act 1977 (Cth). The Court will not review the merits of the case but it may refer the matter back to the OAIC for further consideration if it finds the decision or determination was wrong in law or the regulator’s powers were not exercised properly. An application for review must be made to the Court within 28 calendar days of receipt of the regulator’s decision or determination. Civil standards of proof apply.

Multilateral Issues

See section 1.6 System Characteristics.

Additionally, Australia has recently acceded to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System. The federal Attorney-General’s Department is currently working with the OAIC to implement the APEC CBPR in Australia.   

Subnational Issues

Each state and territory has equivalent legislation that applies to the handling of personal information by government entities.

Additionally, there are specific laws in most states and territories that:

  • regulate the handling of health information received from state-government sources; and
  • prohibit the use of surveillance devices to record or monitor private activities without the consent of the individuals involved, and the surveillance or monitoring of employees in the workplace (as further discussed in 2.4 Workplace Privacy).

The privacy and data protection area is not heavily populated with NGOs or self-regulatory organisations (SROs) in Australia. There are some key industry bodies, such as the International Association of Privacy Professionals (IAPP), the IoT Alliance Australia (IOTAA), the Australian Information Security Association (AISA) and the Communications Alliance, but they do not have regulatory powers.

Similarities to and Differences from the GDPR

The APPs follow the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) and so there are a number of similarities between the APPs and the EU General Data Protection Regulation (GDPR). For instance:

  • both regimes take a privacy by design approach to compliance with key privacy principles and obligations;
  • the concept of "personal information" in the APPs is the equivalent of personally identifiable information under the GDPR;
  • the concept of "sensitive information" under the APPs (discussed in 2.2 Sectoral and Special Issues) is broadly similar to the GDPR concept of "special categories" and qualifying information is afforded extra protection.

However, there are some key differences between the APPs and the GDPR and, if businesses are caught by both regimes, they will need to consider how to manage these differing obligations appropriately. For instance, it is not as clear under the APPs as it is under the GDPR whether and when metadata, cookies, browsing and viewing data, and IP addresses fall within the definition of personal information. The better view is that these types of information are likely to be personal information in most instances, and best practice in Australia is to align with international practice (which is informed by the online behavioural tracking rules in the GDPR). 

Less Comprehensive than the GDPR

There are some key issues with Australia’s laws which mean that it is seen as less comprehensive than the GDPR. These issues include the "employee records exception" (which means employee records are not covered by the Privacy Act in many circumstances), the absence of a private right of action/direct right of enforcement, and the small business exception (which exempts certain private sector entities with an annual turnover under AUD3 million).

On the other hand, the introduction of Australia’s Notifiable Data Breaches Scheme reflects similar provisions in the GDPR and has a similar effect to the Californian Consumer Privacy Act of 2018, which introduced a number of GDPR-like rights for individual consumers in that state. In essence, these regimes all acknowledge that a personal data breach can result in a range of significant adverse effects on the rights and freedoms of natural persons. One of the key differences between the regimes is the scope of each regime. For example, GDPR data breach notification obligations are significantly broader than their Australian equivalents with regard to the scope of personal data breaches that need to be notified to supervisory authorities. Conversely, the Californian regulations are narrower in scope, as the definition of personal information is more limited than in Australia.

Consumer Data Right

The Australian government has announced the introduction of a data portability right (the Consumer Data Right). Broadly, this right will allow consumers to access their information and require that it be shared across service providers, enabling easier transfer between, for instance, bank accounts. This right will be rolled out on a sector-by-sector basis starting with the banking sector followed by the telecommunications and energy sectors. It has been announced that, as of 1 July 2020, consumers will be able to direct major banks to transfer their credit and debit card, deposit account and transaction account data and, as of 1 November 2020, mortgage and personal loan data will be able to be shared.

Response to Digital Platforms Inquiry

In 2017, the competition and consumer rights regulator in Australia (the Australian Competition and Consumer Commission or ACCC) was directed to consider the impact of online search engines, social media, and digital content aggregators (digital platforms) on competition in the media and advertising markets. In July 2019, the ACCC released its final report for this Digital Platforms Inquiry. Importantly, this report recommended that some GDPR-style consumer rights, like the right to erase personal information in certain circumstances or "the right to be forgotten" be introduced. In December 2019, the federal government released a response to this report. Relevantly, it has committed to review the Privacy Act, ensure that privacy settings empower consumers, protect their data and best serve the Australian economy. 

These amendments are in addition to its existing commitments. Specifically, the federal government has announced the following proposed amendments to the Privacy Act (although they have not yet been presented as legislation and so timing is unclear):

  • an increase in the maximum penalty for serious or repeated breaches of the Privacy Act and APPs by APP entities from AUD2.1 million to the greater of:
    1. AUD10 million;
    2. three times the value of any benefit that is obtained through the misuse of personal information; or
    3. 10% of the annual domestic turnover of the company;
  • new penalties of AUD63,000 for bodies corporate that fail to co-operate with efforts to resolve minor breaches of the Privacy Act and APPs;
  • the introduction of a binding privacy code for social media and online platforms which trade in personal information; and
  • the introduction of specific rules to protect the personal information of children and vulnerable groups.

Enforcement

Recently, the ACMA has been targeting consent-based marketing as one of its priority compliance areas for unsolicited communications. In November 2019, Oneflare Pty Ltd (an online marketplace where people can hire local experts) paid a AUD75,600 infringement notice for sending SMS messages without consent to phone numbers found on public directories and failing to include an unsubscribe option. The ACMA has also received a court enforceable undertaking from Oneflare for future compliance. 

Please see the comments in 1.7 Key Developments on the announcement of the Consumer Data Right and the Australian government’s response to the Digital Platforms Inquiry.

The information set out in this section relates to the Privacy Act and APP entities. State and territory government agencies are, in most cases, not bound by the Privacy Act and are instead bound by the relevant state and territory legislation. As a general rule, state and territory legislation is broadly similar to the Commonwealth legislation, although there are some key differences which are not discussed in this chapter.

Data Protection Officers

While the Privacy Act does not require the appointment of a privacy or data protection officer, it is generally accepted as best practice for an APP entity to assign responsibility for data security and privacy-related matters to a particular person or department. 

Authorised Data Collection

APP entities are entitled to collect and handle personal information for purposes that are reasonably necessary for their functions and activities, provided the means of collection is fair and lawful. There are additional restrictions on the collection and handling of "sensitive information" as discussed further in 2.2 Sectoral and Special Issues.

Personal information must be collected directly from the individual unless it is unreasonable or impracticable to do so. Once collected, an APP entity must only use the personal information for the purpose for which it was collected or any other purpose that would be reasonably expected or in relation to which the relevant individual has provided their consent.

Under APP 6, APP entities must only use or disclose personal information for the purposes for which it was collected unless the individual consents to the use or disclosure or an exception applies (such as the use or disclosure being required or authorised by law or a court order, or the use or disclosure lessening or preventing a serious threat to life, health, or safety).

Privacy by Design

Under APP 1, APP entities are required to manage personal information in an open and transparent way, including by taking reasonable steps to implement practices, procedures, and systems that will ensure compliance with the APPs. The OAIC refers to this as "privacy by design". APP entities should design these practices, procedures and systems to facilitate compliance with the Privacy Act and with regard to the APP entity’s circumstances (including the type and sensitivity of information collected).

Privacy Impact Analyses

There is no mandatory requirement for private organisations to conduct privacy impact assessments. However, the OAIC has identified privacy impact assessments as an important element of privacy by design. The OAIC may direct a Commonwealth government entity to conduct a privacy impact assessment if it considers that the proposed activities or functions of that entity would have a significant privacy impact.

Privacy Policies

Under APP 1.3, APP entities must have a clearly expressed and up to date privacy policy about the management of personal information by the entity. The policy must be publicly available (free of charge) and must contain certain information, including the kinds of personal information collected, the purposes for which the personal information is collected, whether the personal information is likely to be disclosed overseas and to which jurisdictions, how an individual can access and correct their personal information, and how an individual can complain about a breach of the APPs.

Data Subject Access Rights

Under APP 12 and 13 individuals have the right to request access to their personal information and request that an APP entity’s record of their personal information be corrected. Subject to certain exceptions, APP entities must comply with these requests. Additionally, information held by the government is subject to public freedom of information laws, but these laws do not apply to private sector entities.

Anonymisation, De-identification and Pseudonymisation

Information that has undergone an appropriate and robust de-identification process is no longer caught as "personal information" for the purposes of the Privacy Act and is therefore not subject to the Privacy Act. The OAIC has published a high-level guide to de-identification (De-identification and the Privacy Act) but recommends that entities seek specialist expertise for complex de-identification matters as information that is not appropriately de-identified will still be caught by the Privacy Act. 

Profiling, Automated Decision Making, Big Data Analysis, AI and Algorithms

There are currently no specific restrictions on the use of information for profiling, automated decision making, online monitoring or tracking, big data analysis, or artificial intelligence where that information is not personal information. However, the OAIC has issued informal guidance in relation to best practices for big data analytics. The Australian government has also announced the introduction of a privacy code for social media and online platforms that trade in personal information which is likely to address at least some of these matters. 

"Injury" or "Harm"

The concept of "serious harm" is relevant for the assessment of whether a data breach is caught under the Notifiable Data Breach Scheme (as discussed in 1.1 Laws).

Sensitive Information

Sensitive information is a subset of personal information that includes information or an opinion about an individual’s racial or ethnic origin, political opinions, political association memberships, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or practices, criminal record, health or genetic information, biometric information or biometric templates.

Sensitive information is afforded a higher level of protection than other personal information in that:

  • APP entities may only collect sensitive information with the consent of the relevant individual, except in limited circumstances (eg, where collection is required by law or a court order);
  • the purposes for which sensitive information may be used are more restricted and the use of sensitive information for the purposes of direct marketing is prohibited unless the individual concerned provides their consent; and
  • sensitive information cannot be shared by "related bodies corporate" in the same way that they may share other personal information.

Financial data

Financial data is not afforded special protection under the Privacy Act. However, if it identifies a person, or could reasonably identify a person, it will constitute personal information and must be handled in accordance with the Privacy Act.

Health data

Health data, biometric information and biometric templates about an individual are sensitive information and must be handled in accordance with the restrictions that apply to sensitive information (outlined above). 

Health data held in the My Health Records database is also protected under the My Health Records Act 2012 (Cth).

As noted in 1.4 Multilateral and Subnational Issues, various states and territories also have their own regimes relating to the handling of health data received from state or territory government sources (eg, public hospitals).

Communications data

Telecommunications carriers are required to store certain metadata (as discussed in 4.5 Sharing Technical Details). Under the telecommunications legislation, this is defined as personal information and is therefore afforded specific protections.

Voice telephony and text messaging

Text messages are "commercial electronic messages" for the purposes of the Spam Act. Under the Spam Act, text messages (as well as other commercial electronic messages such as email and instant messages) with an Australian link:

  • may not be sent without the addressee's consent (which may be express or inferred);
  • must include clear and accurate information about the person or business that is responsible for sending the message; and
  • must include a functional unsubscribe facility.

Content of electronic communications

The interception of communications is governed by the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). Under this Act, a person must not intercept any communication passing through a telecommunications network without the knowledge of the persons issuing or receiving the communication.

The key exception to this prohibition is that law enforcement agencies may lawfully intercept or access telecommunications in specific circumstances, pursuant to a stored communications warrant or interception warrant issued under the TIA Act.

Children’s or student data

Children’s privacy is not specifically protected in Australia as it is in other jurisdictions (eg, COPPA in the USA). The Privacy Act does not distinguish between the rights of adults and children so, under this legislation, children have the same privacy protections as adults. The only exception to this is around the issue of consent. Consent is relevant to the operation of a number of APPs as it can be the deciding factor in how personal information may be handled under the Privacy Act and the APPs. The Privacy Act and the APPs are silent as to whether children have the capacity to provide consent for the purposes of the Privacy Act and the APPs. However, the OAIC has released guidelines indicating that, as a general principle, an individual under the age of 18 has the capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. If it is not practicable or reasonable for an APP entity to make this assessment on a case-by-case basis, the entity may presume that an individual aged 15 or over has this capacity (unless there is something to suggest otherwise). The guidelines also provide that where a child does not have the capacity to consent, it may be appropriate for a parent or guardian to consent on their behalf.

Most child care centres, private tertiary institutions and private schools are subject to the Privacy Act, whereas public schools and public universities are not (but may be governed by state or territory privacy laws).

Employment data

Employee data that falls within the employee records exception (discussed in section 2.4 Workplace Privacy) is expressly excluded from the application of the Privacy Act. However, to the extent that employee records do not fall within this exception, they must be handled in accordance with the Privacy Act.

Other categories of sensitive data

This information falls within the definition of sensitive information discussed above and so must be handled in accordance with the restrictions that apply to sensitive information.

Internet Streaming and Video Issues

Browsing data

See 1.6 System Characteristics.

Viewing data

See 1.6 System Characteristics.

Cookies and beacons

Information derived from cookies, beacons and tracking technologies is not always considered personal information in Australia. This will depend on whether the information is able to itself identify an individual, or is linked to an individual’s personal information in a separate database that enables the individual to be identified. However, it is best practice for a privacy policy to include a cookie-notification clause, explaining the entity’s use of cookies and how the use of cookies can be controlled through browser settings.

Location data

Geolocation raises privacy issues because of the ubiquity of smart phones and connected "wearables" which enable rich aggregations of personal travels to be created. There is no specific legislative response to these issues but it is an area of policy focus (particularly in view of the Australian government’s focus on digital platform providers which collect location data).

Do not track, and tracking technology

The use of monitoring and surveillance devices is governed by various pieces of legislation at a federal level as well as at the state and territory level. Generally, surveillance legislation prohibits the tracking and audio or video recording of any person or activity without the consent of that person or of the person involved in the activity.

Behavioural advertising

See 2.3 Online Marketing.

Social media, search engines, large online platforms

At present, digital platforms are governed by the same principles as other businesses (primarily under the Privacy Act). However, the Australian government has announced that it intends to introduce a binding privacy code for social media and online platforms which trade in personal information (as discussed in section 1.7 Key Developments).

Addressing hate speech, disinformation, etc

As part of its response to the ACCC’s Digital Platforms Inquiry, the Australian Government has announced that it will ask major digital platforms to develop a voluntary code of conduct for disinformation and news quality, in order to address concerns regarding disinformation and the credibility of news content. This code will be informed by international examples such as the European Union’s Code of Practice on Disinformation.

Also, in response to the Christchurch shootings in April 2019, Australia introduced laws relating to the taking down of abhorrent content. The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Act) amends the Criminal Code Act 1995 (Cth) by introducing offences for failing to notify of abhorrent content, and for failing to take down abhorrent content.

The key concept is "abhorrent violent conduct", which is defined as conduct whereby a person:

  • engages in a terrorist act;
  • murders another person;
  • attempts to murder another person;
  • tortures another person;
  • rapes another person; or
  • kidnaps another person.

Other Issues

Data subject rights

See 2.1 Omnibus Laws and General Requirements on data subject access rights.

Right to be forgotten

Unlike in the EU, Australians have no statutory right to be forgotten. However, APP entities are required to destroy or de-identify personal information they no longer need for any purpose permitted by the APPs. This is an issue that will be addressed further in light of the Digital Platforms Inquiry, as discussed in 1.7 Key Developments.

Data access and portability

See 1.7 Key Developments on the Consumer Data Right and 2.1 Omnibus Laws and General Requirements on data subject access rights.

Right of rectification or correction

As mentioned above, individuals have a right to request that an entity which holds their personal information corrects that information if it is wrong. Additionally, APP 13.1 explicitly requires an APP entity to take reasonable steps to correct the personal information it holds, to ensure it is accurate, current, complete, relevant and not misleading. APP 13 also sets out a series of minimum procedural requirements in relation to correcting personal information.

Under the Privacy Act, an APP entity is not permitted to use personal information for the purposes of direct marketing unless an exception applies. The key exceptions are where the individual concerned:

  • either has consented to that use, or would reasonably expect the APP entity to use or disclose the information for that purpose; and
  • in either case, has been given a simple means to opt out of direct marketing (and has not yet opted out).

Additionally, sensitive information cannot be used for direct marketing purposes unless the individual concerned provides their consent. 

The Spam Act also contains restrictions on direct marketing (discussed further in 2.2 Sectoral and Special Issues).

The Do Not Call Register Act 2006 (Cth) prohibits unsolicited telemarketing calls being made and unsolicited marketing faxes being sent to any numbers registered on the Do Not Call Register. However, the Do Not Call Register Act does not apply to certain exempt entities, such as registered charities or political parties, or to market research calls. Telemarketers, researchers, and fax marketers must also comply with enforceable industry standards including the Telemarketing and Research Calls Industry Standard 2007 and the Fax Marketing Industry Standard 2011.

As mentioned above, it is unclear whether data collected for behavioural advertising (such as metadata, browsing and viewing data) falls within the definition of personal information. The better view is that these types of information are likely to be personal information in most instances, and best practice in Australia is to align with international practice (which is informed by the GDPR's treatment of online identifiers and profiling).

It is also best practice to comply with the Australian Guideline for Online Behavioural Advertising, which is a self-regulatory guideline for third-party online behavioural advertising. The guideline sets out seven self-regulatory principles, including keeping data secure and giving consumers a choice as to whether or not they consent to the collection of their data for the purposes of online behavioural advertising.

Employee records relating to current or former employment relationships are expressly excluded from the application of the Privacy Act and the APPs so long as a record or information is used or handled in the context of the current or former employment relationship. Examples of employee records may include hours of employment, salary, trade union or professional association memberships, personal and emergency contact details, and performance or conduct in the workplace. 

Workplace surveillance is regulated at the state and territory level. The Australian Capital Territory and the states of New South Wales and Victoria have specific laws regarding surveillance in the workplace. At a high level:

  • in the Australian Capital Territory, the Workplace Privacy Act 2011 (ACT) regulates the use of tracking devices and video surveillance devices;
  • in New South Wales, the Workplace Surveillance Act 2005 (NSW) regulates the use of tracking devices and video surveillance devices, and the use of software to monitor use of any work computer;
  • in Victoria, the Surveillance Devices Act 1999 (Vic) regulates the use of listening devices and video surveillance devices;
  • generally speaking:
    1. surveillance equipment is prohibited in bathrooms, changing rooms, washrooms, prayer rooms, sick bays, first-aid rooms and nursing/parent rooms, and any camera must be clearly visible and accompanied with a sign notifying people that the premises are under video surveillance;
    2. employers must notify all employees of the surveillance in accordance with the legislation (including new employees); and
    3. covert surveillance is prohibited.

In addition to the workplace surveillance laws mentioned above, states and territories have laws regulating the general use of surveillance equipment and systems, which may apply in relation to workplace surveillance.

Monitoring Workplace Communications

Generally speaking, employers are not prohibited from monitoring employees’ use of company computers, laptops or mobile devices (including times of access, emails sent and received, and websites visited).

However, we note that:

  • in New South Wales, workplace surveillance legislation regulates how employers can monitor the use of company computers, which means that employers must notify all employees of the surveillance in accordance with the legislation (including new employees); and
  • where a company computer, laptop or mobile device is used for personal purposes, the information collected by the employer may not fall within the employee records exemption and the Privacy Act and the APPs may apply.

Labour Organisations

The Privacy Act does not apply to any acts or practices of an employer that are directly related to a current or former employment relationship with an employee, or to a record relating to the employment of that employee. Accordingly, labour organisations and works councils do not play a significant role in the Australian privacy landscape. This has been a key criticism of the scope of federal privacy law in Australia.

Whistle-Blowing

Whistle-blowing protections in Australia are not as strong as in other jurisdictions. Accordingly, while the Privacy Act does not prohibit anonymous reporting of privacy related complaints or issues to the OAIC, no specific whistle-blowing protections are currently in place for individuals who disclose the privacy-related infringements of businesses in Australia. 

Issues of e-discovery

There are no specific e-discovery-related privacy regulations in Australia. However, entities that handle personal information in this context may be caught by the Privacy Act or other equivalent legislation (as discussed further in section 1.1 Laws). If an entity is caught by privacy legislation, it should seek to de-identify or anonymise the material it is required to disclose in order to avoid conflicts between its privacy and discovery obligations.

Entities should also ensure that, before they use or disclose personal information regulated by the Privacy Act in the context of e-discovery, they consider whether that use or disclosure is permitted under the Privacy Act.

The Privacy Act and equivalent state and territory legislation impose restrictions on the disclosure of personal information outside Australia which may be practically difficult to comply with in the context of e-discovery (see 4.1 Restrictions on International Data Issues). Therefore, in relation to litigation conducted outside Australia, entities should seek to comply with e-discovery obligations within that jurisdiction without seeking discovery of Australian material. 

See 1 Basic National Regime for the legal standards regulators must establish to allege violations of privacy or data protection laws and the section on the penalty and enforcement environment, in 1.1 Laws, for potential enforcement penalties.

Leading Enforcement Cases

In June 2019, the OAIC determined that the Commonwealth Bank of Australia interfered with a complainant’s privacy by improperly disclosing inaccurate and out-of-date information (in breach of APP 10) about a prior credit card debt to a number of credit providers. As a result, the complainant’s applications for home loans with those credit providers were declined. Commonwealth Bank was ordered to pay the complainant AUD15,000 for non-economic loss caused by the interference with the complainant’s privacy. This decision is significant in that the amount the Commonwealth Bank was ordered to pay is at the higher end of what we would normally see from the regulator.

Additionally, the Notifiable Data Breach Scheme has now been in place for 12 months and so the OAIC has released a 12-month review setting out statistics and its proposed enforcement approach in relation to that scheme. In particular, it has announced that it will take a proportionate and evidence-based regulatory approach in relation to the Notifiable Data Breach Scheme (including by exercising its enforcement powers where necessary). Given the OAIC’s range of powers, this could include conducting investigations or issuing infringement notices.

Private Litigation

What legal standards apply?

The Privacy Act does not allow an individual to make a claim directly against an entity for a breach of the Privacy Act. Any complaint about how an entity collects and handles personal information must go through the OAIC, who may then take appropriate actions, such as investigating the complaint or seeking a court order. Similarly, Australian law does not currently allow an individual to make a claim directly against another party for breach of cybercrime provisions in the Criminal Code Act 1995 (Cth). Any complaint would need to be reported to the Australian federal police for further action.

However, a leading High Court case suggests that individuals may (in certain circumstances) be able to seek a remedy for invasion of privacy through an equitable cause of action for breach of confidence (see ABC v Lenah Game Meats (2001) 185 ALR 1). This cause of action has not since been pursued to our knowledge.

Are class actions allowed?

As individuals do not have standing to bring a claim against another party for breach of privacy or cybercrime legislation, class actions for breaches of the Privacy Act are not permitted. 

The OAIC can conduct investigations on behalf of a class of people, but these are not class actions in the traditional sense.

Leading cases

See above.

Chapter 4, Division 4 of the TIA Act provides that disclosure of information or a document to an enforcement agency is not an offence, if the disclosure is reasonably necessary for the enforcement of:

  • the criminal law; or
  • a law imposing a pecuniary penalty or for the protection of the public revenue.

In addition, an authorised officer of an enforcement agency may authorise the disclosure of specified information or specified documents that came into existence before the moment the person from whom the disclosure is sought received notification of the authorisation.

Authorised officers of the Australian federal police and state police forces also have a specific power in relation to missing persons: they may authorise the disclosure of specified information or specified documents where satisfied that the disclosure is reasonably necessary to find a person who has been reported missing.

The TIA Act makes it an offence for a person to intercept or access private telecommunications without the knowledge of those involved in that communication, unless the exceptions above apply.

Under Sections 306 and 306A of the Telecommunications Act, if a carrier, carriage service provider or number-database operator discloses information or documents, certain records of that disclosure must be made and retained for three years. The number of disclosures made during each financial year must also be reported to the ACMA within two months after the end of that financial year.

There are offences and penalties for:

  • failing to keep records of disclosure (maximum fine of AUD63,000); and
  • making incorrect records (maximum imprisonment of six months).

Under certain circumstances, Australian intelligence agencies, as well as federal and state police forces, can request access to an individual’s telephone and internet records. Independent judicial approval is not required. Please see 3.1 Laws and Standards for Access to Data for Serious Crimes and 4.5 Sharing Technical Details for an overview of the legislation that sets out relevant procedures.

The Surveillance Devices Act 2004 (Cth) governs the use of surveillance devices by Australian Government agencies. This Act also applies to the state and territory police forces when they are using surveillance devices under federal laws.

Disclosure of information or documents to a foreign law enforcement agency may only be authorised by a member of the Australian federal police if they are satisfied that the disclosure:

  • is appropriate in all the circumstances; and
  • is reasonably necessary for:
    1. the enforcement of the criminal law of a foreign country;
    2. an investigation or prosecution of a crime within the jurisdiction of the International Criminal Court; or
    3. an investigation or prosecution of a War Crimes Tribunal offence.

Australia does not yet have a CLOUD Act agreement with the USA and does not currently have legislation equivalent to the US CLOUD Act. However, on 7 October 2019, both countries announced that they had entered into formal negotiations for a bilateral agreement under the US CLOUD Act. Those negotiations are not expected to produce a finalised agreement until Australia enacts legislation equivalent to the CLOUD Act.

See 4.5 Sharing Technical Details on the TOLAAA. This law has been controversial and may change in the coming year.

Furthermore, access to the metadata held by telecommunications carriers is limited to certain parties, and which parties should have that access remains a source of ongoing debate.

There are restrictions on the disclosure of personal information outside Australia.

Before an APP entity discloses personal information to an overseas recipient, APP 8.1 requires that entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Furthermore, under section 16C of the Privacy Act, an APP entity that discloses personal information to an overseas recipient may be held liable for breaches of the APPs by that recipient. There are exceptions to this reasonable steps requirement. The key exceptions are where:

  • the disclosure is between offices of the same corporate entity;
  • the recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs, and the affected individual can access mechanisms to enforce that protection; or
  • the APP entity expressly informs the affected individual that the reasonable steps requirement will not apply if they consent to the disclosure, and the individual then consents (although we note that this exception has not yet been tested and is not widely relied on in Australia).

Certain types of data cannot be transferred internationally. For instance, the transfer and disclosure of health records internationally is restricted by the Australian Government’s My Health Record framework, and Part IIIA of the Privacy Act places restrictions on sending credit reporting information overseas. Additionally, some state and territory privacy legislation contains obligations to retain certain records within state and territory borders (subject to certain conditions and exceptions).

At a minimum, Australian entities that engage overseas providers should ensure their contracts contain appropriate clauses on the protection and security of the personal information disclosed, and require the overseas provider to handle that personal information in a manner that complies with the Privacy Act.

No mechanisms (such as Privacy Shield) apply to international data transfers - please see 4.1 Restrictions on International Data Issues for an explanation of the process for disclosure of personal information outside Australia.

No government notifications or approvals are required to transfer personal information outside Australia – please see 4.1 Restrictions on International Data Issues.

Data is generally not required to be maintained within Australia under the Privacy Act. However, there are requirements under certain state and territory legislation for certain records to be retained within state and territory borders. See 4.1 Restrictions on International Data Issues.

The TIA Act (discussed in 2.2 Sectoral and Special Issues) requires telecommunications carriers and carriage service providers (including internet service providers) to retain, for two years, a defined set of metadata relating to network users’ activity. The retained metadata must be encrypted, and it can only be accessed on authorisation by a restricted list of entities, including law enforcement agencies.

In addition, in late 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLAAA) was introduced; this has garnered international attention, as it can be used to require technology vendors to assist law enforcement by providing access to technical data and removing technical protections. 

The laws are highly controversial and may change in the coming year. The Australian government has noted that this new framework does not compel communication providers to build vulnerabilities in their systems to allow decryption. However, there has been significant public concern that there are few limits or constraints on the assistance that telecommunications providers may be ordered to offer, and around transparency. Furthermore, there are limited accountability structures and processes in place.

The TOLAAA is currently still under review by the Parliamentary Joint Committee on Intelligence and Security. Submissions to this inquiry closed in July 2019 but it is unclear when the Committee will complete its review (including holding further public hearings) and provide a final report.

Technical Assistance Notices and Technical Assistance Requests

The TOLAAA sets out a list of the "acts or things" that an agency can ask a designated communications provider to do under a Technical Assistance Request (on a voluntary basis) or Technical Assistance Notice (on a mandatory basis), which relevantly include:

  • removing one or more forms of electronic protection that are or were applied, by or on behalf of the provider (eg, decrypting messages where possible to do so using an existing decryption capability);
  • providing technical information (eg, source code, network or service design plans and/or configuration of network equipment and encryption schemes);
  • doing any act or thing to assist in the facilitation of a warrant or an effective receipt of information in connection with a warrant;
  • facilitating access or assisting in accessing the data, equipment, software or electronic service that the designated communications provider holds; and
  • concealing the fact that activities have been done covertly in the performance of a function by an enforcement agency, in so far as it relates to the criminal law of Australia.

In deciding which acts or things are included in a mandatory Technical Assistance Notice, the agency head must be satisfied that the requirements are reasonable, proportionate, practicable and technically feasible.

There is a broad exception that providers cannot be required to build a systemic weakness or systemic vulnerability (ie, a weakness that affects a whole class of technology, such as a permanent backdoor, as opposed to one selectively introduced into a target technology connected with a particular person). It is difficult to understand how this exception will operate in practice, especially given that a number of the above actions could require providers to build weaknesses and vulnerabilities in order for the specified agencies to exploit them.

Technical Capability Notices

Additionally, the Attorney-General has the power to issue Technical Capability Notices, requiring a designated communications provider to do acts or things to ensure the provider is capable of assisting the Australian Security Intelligence Organisation (ASIO) and interception agencies. This may require designated communications providers to build equipment or software to facilitate or better handle real or potential Technical Assistance Requests or Technical Assistance Notices in the future.

Prior to a Technical Capability Notice being issued, the Attorney-General must be satisfied that the requirements are reasonable, proportionate, practicable and technically feasible. There is a mandatory 28-day consultation period with the relevant designated communications provider (unless an emergency situation arises). The same applies to a variation of an existing notice.

There are no provisions in Australia specifically limiting or prohibiting the collection or transfer of information in response to foreign government requests. However, relevant entities would need to comply with the restrictions on cross-border disclosures of personal information (discussed in detail in 4.1 Restrictions on International Data Issues).

See 4.6 Limitations and Considerations.

While there is no "blocking" legislation in Australia that would impede cross-border disclosure by law enforcement authorities to their overseas counterparts, all disclosures of personal information outside Australia must comply with relevant restrictions on cross-border disclosures of personal information. 

Additionally, Australian courts have historically found that they are not bound to refuse an order for discovery on the basis that the contravention of a foreign law (or blocking statute) may be involved in the disclosure process (see the decision of Besanko J in ACCC v Prysmian Cavi E Sistemi Energia SRL (No 7) [2014] FCA 5).

Big Data Analytics

Big data analytics creates significant privacy issues because of the large volumes of data it involves and the ever-present risk that supposedly de-identified data can be re-identified. Fundamentally, the collection and processing of data in big data platforms is governed in the same way as any other business process, but the risks are magnified. Ensuring the proper anonymisation of data sets is the key practical mitigation. Stripping direct identifiers such as names is rarely enough on its own: combinations of the remaining attributes (for example age, postcode and sex) can still single out an individual, which is exactly what the "reasonably identifiable" limb of the definition of personal information captures.
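The re-identification risk described above, as an added example that is not part of the original chapter: the script below measures how well a "de-identified" extract actually hides individuals (k-anonymity), whether a class of indistinguishable records still leaks the sensitive attribute (l-diversity), and how an outsider's auxiliary knowledge can be linked back to a single record. The records, the quasi-identifier columns (`QUASI_IDENTIFIERS`), the generalisation rules and the attacker's knowledge are all constructed for illustration.

```python
"""k-anonymity and linkage check for a 'de-identified' data set.

Added example, not code from the chapter's authors. The records, the
quasi-identifier columns and the generalisation rules are constructed for
illustration and describe no real individuals.
"""
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample: names have already been dropped, which is often mistaken
# for anonymisation. age, postcode and sex remain as quasi-identifiers.
RECORDS: List[Record] = [
    {"age": "34", "postcode": "4000", "sex": "F", "diagnosis": "asthma"},
    {"age": "36", "postcode": "4000", "sex": "F", "diagnosis": "diabetes"},
    {"age": "52", "postcode": "4001", "sex": "M", "diagnosis": "hypertension"},
    {"age": "58", "postcode": "4005", "sex": "M", "diagnosis": "asthma"},
    {"age": "41", "postcode": "4101", "sex": "F", "diagnosis": "migraine"},
    {"age": "47", "postcode": "4102", "sex": "F", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS: Sequence[str] = ("age", "postcode", "sex")
SENSITIVE = "diagnosis"


def equivalence_classes(
    records: Iterable[Record], qis: Sequence[str]
) -> Dict[Tuple[str, ...], List[Record]]:
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes: Dict[Tuple[str, ...], List[Record]] = {}
    for r in records:
        classes.setdefault(tuple(r[q] for q in qis), []).append(r)
    return classes


def k_anonymity(records: Iterable[Record], qis: Sequence[str]) -> int:
    """Size of the smallest class: each record hides among at least k-1 others.
    k == 1 means at least one record is unique on the quasi-identifiers."""
    classes = equivalence_classes(records, qis)
    return min(len(c) for c in classes.values()) if classes else 0


def l_diversity(records: Iterable[Record], qis: Sequence[str], sensitive: str) -> int:
    """Fewest distinct sensitive values in any class. Even with k > 1, a class
    whose members all share one diagnosis discloses it (homogeneity attack)."""
    classes = equivalence_classes(records, qis)
    return min(len({r[sensitive] for r in c}) for c in classes.values()) if classes else 0


def generalise(record: Record, age_band: int = 10, postcode_digits: int = 2) -> Record:
    """Coarsen age into a band and mask trailing postcode digits.
    Other fields are copied unchanged."""
    r = dict(record)
    if "age" in r:
        lo = (int(r["age"]) // age_band) * age_band
        r["age"] = f"{lo}-{lo + age_band - 1}"
    if "postcode" in r:
        keep = r["postcode"][:postcode_digits]
        r["postcode"] = keep + "*" * (len(r["postcode"]) - len(keep))
    return r


def generalise_all(records: Iterable[Record], **kwargs: int) -> List[Record]:
    """Apply generalise() to every record with the same parameters."""
    return [generalise(r, **kwargs) for r in records]


def link(records: Iterable[Record], known: Record) -> List[Record]:
    """Linkage attack: every record consistent with what an outsider already
    knows about one person. A single match re-identifies that person."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


if __name__ == "__main__":
    # Constructed auxiliary knowledge an attacker might hold about one person.
    known = {"age": "52", "postcode": "4001", "sex": "M"}
    print("raw: k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "matches for known person =", len(link(RECORDS, known)))
    coarse = generalise_all(RECORDS)
    print("generalised: k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "l =", l_diversity(coarse, QUASI_IDENTIFIERS, SENSITIVE),
          "matches =", len(link(coarse, generalise(known))))
```

On the raw extract every record is unique on age, postcode and sex (k = 1), so an attacker who knows one person's age, postcode and sex recovers that person's diagnosis with a single lookup. Banding age and masking the last two postcode digits raises k to 2 and leaves two candidate records, each with a different diagnosis (l = 2). In practice the generalisation parameters have to be tuned against the real distribution, and a release with k above 1 but l equal to 1 still discloses the sensitive attribute.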

Automated Decision-Making

There are currently multiple legislative instruments in Australia that permit or contemplate decision-making being delegated to automated means. It is unclear to what extent those decisions may be challenged under the usual administrative law principles. The key issues, algorithmic bias and transparency, remain the subject of debate and have not yet been satisfactorily resolved (nor been the subject of instructive legal proceedings).

Profiling

Profiling is not specifically addressed in legislation, although it naturally raises issues under the Privacy Act because it involves the collection and use of personal information, and many instances involve the use of sensitive information, which is subject to higher processing standards.

Artificial Intelligence

AI is not specifically legislated for, but given its connection with big data analytics, it raises similar issues in relation to the size, composition and anonymity of data sets.

Internet of Things (IoT)

The Internet of Things raises significant privacy issues in connection with wearables (as set out in the geolocation section below) and to the extent that smart devices are able to capture personal information (for instance, through cameras and microphones). It also creates significant cybersecurity issues, as it greatly expands the attack surface available to attackers and malware. There is no specific legislation in connection with it, but there is a great deal of policy discussion around how to secure IoT devices generally.

Autonomous Decision-Making

Autonomous decision making is not currently legislated for, but key issues around vehicle safety and algorithmic bias are live policy discussions in Australia.

Facial Recognition

Facial recognition involves the collection and use of sensitive information under Australian law, and so is subject to the requirements in relation to that information, as discussed elsewhere in this chapter.

Biometric Data

Biometric data is included in the definition of sensitive information under the Privacy Act, and so is subject to the requirements in relation to that class of information, as discussed in 2.2 Sectoral and Special Issues.

Geolocation

See comments on location data in 2.2 Sectoral and Special Issues.

Drones

Drones are not subject to specific privacy legislation but are subject to specific aviation safety legislation. Drones and their use have captured a lot of public attention due to the surveillance capability and generalised privacy issues that they raise. However, given that Australia does not have a privately enforceable right to privacy, the community concerns are largely unactionable. 

As discussed elsewhere in this chapter, the potential future introduction of a private right of action for breach of privacy will likely lead to a raft of claims because drones are increasingly seen as a public nuisance.

More generally, to the extent that these types of information constitute personal information as defined in the Privacy Act and state and territory privacy legislation, they must be dealt with in accordance with that legislation.

Organisations can establish protocols for digital governance or fair data practice review boards or committees, however, there is no established practice of doing so in Australia. 

Please see 2.5 Enforcement and Litigation for information on significant audits, investigations or penalties imposed for alleged privacy or data protection violations. Despite the availability of penalties of up to AUD2.1 million for serious or repeated interferences with privacy (and calls to increase this maximum penalty) the OAIC has not historically sought these penalties given its compliance approach (see 1.2 Regulators). 

The applicable legal standards for regulatory enforcement depend on the standards set out in the specific legislation that regulators enforce. For example, in the Privacy Act, there are some provisions which carry civil penalties (and would be subject to civil standards of proof) and other provisions which carry criminal penalties (which would be subject to criminal standards of proof). 

Private litigation is not currently possible under the Privacy Act, and so we have not seen any major litigation. The introduction of a Consumer Data Right and potential direct right of action as a future feature of the landscape means this may change over the medium term. 

In the context of due diligence in corporate transactions, companies will need to consider how to comply with their privacy obligations. For example, companies disclosing information will need to consider whether it contains personal information and, if so, whether and how they can disclose that information. Additionally, companies purchasing interests in other companies need to consider whether the target company has complied with its privacy obligations in the past (as non-compliance can attract hefty fines and loss of public confidence).

No non-privacy or data protection-specific laws currently mandate disclosure of an Australian organisation’s cybersecurity risk profile or experience. Australia also lacks detailed regulatory guidelines on cybersecurity for publicly listed companies. However, some data breach notification obligations do apply (as further discussed in 1.1 Laws).

Not applicable, all the major data privacy and protection issues in Australia have been discussed.

McCullough Robertson

Level 11, 66 Eagle Street
Brisbane QLD 4000

GPO Box 1855
Brisbane QLD 4001

+61 7 3233 8888

+61 7 3229 9949

www.mccullough.com.au