In Australia, the following laws govern the collection, use, storage, transmission and retention of personal data and information:
Privacy Act 1988 (Cth) (Privacy Act)
Broadly, the Privacy Act governs how "personal information" is handled by Commonwealth Government entities, private sector entities with an annual turnover of more than AUD3 million and certain small businesses that fall below this turnover threshold but nonetheless have data-intensive business practices (including private sector health service providers that hold health information, businesses that sell or purchase personal information, credit reporting bodies and contracted service providers for the Commonwealth Government) (together, APP entities).
"Personal information" is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
The Privacy Act contains 13 Australian Privacy Principles (APPs) which set out the minimum standards for dealing with personal information and cover the life cycle of the collection, use, storage, disclosure and destruction of personal information. The Privacy Act also contains credit-reporting obligations that govern the way in which personal credit information about individuals must be handled by regulated entities.
It is worth noting that:
Spam Act 2003 (Cth) (Spam Act)
The Spam Act prohibits the sending of direct marketing emails, SMS, MMS or other electronic communications that offer, advertise or promote goods or services, or business or investment opportunities to any person in Australia without the consent of that person.
Data Breach Notification Requirements
Under the Notifiable Data Breach Scheme (contained in Part IIIC of the Privacy Act), an APP entity that becomes aware of reasonable grounds to suspect that there may have been an eligible data breach must carry out a reasonable and expeditious assessment, within 30 days, of whether there are reasonable grounds to believe that the breach is likely to result in serious harm to any of the affected individuals. If so, it must, as soon as practicable, notify both the Office of the Australian Information Commissioner (OAIC or Information Commissioner) and the affected individuals, and the notification must contain certain prescribed information, such as a description of the breach, the kinds of information concerned and recommendations as to the steps individuals should take in response. There are some limited exceptions to the duty to notify.
Additionally, on 1 July 2019, Prudential Standard CPS 234 Information Security came into force. It is a legally binding minimum standard for information security which requires entities regulated by the Australian Prudential Regulation Authority (APRA) – primarily financial and insurance institutions – to notify APRA of an information security incident that has:
Penalty and Enforcement Environment
The Privacy Act and Spam Act do not allow individuals to bring a claim directly against an entity that breaches the Privacy Act or Spam Act. Additionally, Australia does not have a clearly established fundamental or constitutional "right to privacy" that would allow individuals to bring a claim for breach of privacy. This means that, subject to a potential equitable action for breach of confidence further discussed in 2.5 Enforcement and Litigation, all complaints and claims must be lodged with the relevant regulator, which may then decide whether to take action.
The Privacy Act (including the Notifiable Data Breach Scheme and the APPs) is administered by the Australian Information Commissioner and the Spam Act is administered by the Australian Communications and Media Authority (ACMA).
The Australian Information Commissioner may:
The ACMA may:
Other Relevant Laws and Regulations
Other relevant laws and regulations include:
See 1.1 Laws.
The preferred regulatory approach of both the OAIC and the ACMA is to encourage voluntary compliance by working with relevant entities and educating and informing regulated entities. Accordingly, both regulators may conduct assessments of compliance by specific entities, or alternatively, broadly investigate compliance within a particular industry group or sector, with a view to encouraging voluntary compliance.
The OAIC may investigate a complaint that an APP entity has breached the Privacy Act and may also initiate an investigation of an act or practice that may be an interference with the privacy of an individual of its own volition. Similarly, the ACMA may investigate non-compliance with the Spam Act if it receives a complaint or otherwise identifies potential non-compliance.
Infringement notices (financial penalties) for Spam Act non-compliance are issued regularly.
When investigating a complaint that an APP entity has breached the Privacy Act, the OAIC:
After conducting an investigation, both the OAIC and the ACMA may decide to take regulatory or enforcement action against the entity. In each case, this decision (and the decision as to what enforcement action will be taken) is informed by a number of factors, including the seriousness of the incident or conduct investigated and whether the entity has engaged co-operatively with the OAIC or ACMA respectively.
A decision of the OAIC or the ACMA not to investigate (or further investigate) a complaint, or of the OAIC to make a determination under the Privacy Act, may be reviewed by the Federal Court of Australia, on application under the Administrative Decisions (Judicial Review) Act 1977 (Cth). The Court will not review the merits of the case but it may refer the matter back to the OAIC for further consideration if it finds the decision or determination was wrong in law or the regulator’s powers were not exercised properly. An application for review must be made to the Court within 28 calendar days of receipt of the regulator’s decision or determination. Civil standards of proof apply.
See section 1.6 System Characteristics.
Additionally, Australia has recently acceded to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System. The federal Attorney-General’s Department is currently working with the OAIC to implement the APEC CBPR in Australia.
Each state and territory has equivalent legislation that applies to the handling of personal information by government entities.
Additionally, there are specific laws in most states and territories that:
The privacy and data protection area is not heavily populated with NGOs or self-regulatory organisations (SROs) in Australia. There are some key industry bodies, such as the International Association of Privacy Professionals (IAPP), the IoT Alliance Australia (IOTAA), the Australian Information Security Association (AISA) and the Communications Alliance, but they do not have regulatory powers.
Similarities to and Differences from the GDPR
The APPs follow the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) and so there are a number of similarities between the APPs and the EU General Data Protection Regulation (GDPR). For instance:
However, there are some key differences between the APPs and the GDPR and, if businesses are caught by both regimes, they will need to consider how to manage these differing obligations appropriately. For instance, it is not as clear under the APPs as it is under the GDPR whether and when metadata, cookies, browsing and viewing data, and IP addresses fall within the definition of personal information. The better view is that these types of information are likely to be personal information in most instances, and best practice in Australia is to align with international practice (which is informed by the online behavioural tracking rules in the GDPR).
Less Comprehensive than the GDPR
There are some key issues with Australia’s laws which mean that it is seen as less comprehensive than the GDPR. These issues include the "employee records exemption" (which means employee records are not covered by the Privacy Act in many circumstances), the absence of a private right of action/direct right of enforcement, and the small business exemption (which exempts most private sector entities with an annual turnover of AUD3 million or less).
On the other hand, the introduction of Australia’s Notifiable Data Breach Scheme reflects similar provisions in the GDPR and has a similar effect to the California Consumer Privacy Act of 2018, which introduced a number of GDPR-like rights for individual consumers in that state. In essence, these regimes all acknowledge that a personal data breach can result in a range of significant adverse effects on the rights and freedoms of natural persons. One of the key differences between the regimes is their scope. For example, GDPR data breach notification obligations are significantly broader than their Australian equivalents with regard to the range of personal data breaches that must be notified to supervisory authorities. Conversely, the California regulations are narrower in scope, as the definition of personal information is more limited than in Australia.
Consumer Data Right
The Australian government has announced the introduction of a data portability right (the Consumer Data Right). Broadly, this right will allow consumers to access their information and require that it be shared across service providers, enabling easier transfer between, for instance, bank accounts. This right will be rolled out on a sector-by-sector basis starting with the banking sector followed by the telecommunications and energy sectors. It has been announced that, as of 1 July 2020, consumers will be able to direct major banks to transfer their credit and debit card, deposit account and transaction account data and, as of 1 November 2020, mortgage and personal loan data will be able to be shared.
Response to Digital Platforms Inquiry
In 2017, the competition and consumer rights regulator in Australia (the Australian Competition and Consumer Commission or ACCC) was directed to consider the impact of online search engines, social media, and digital content aggregators (digital platforms) on competition in the media and advertising markets. In July 2019, the ACCC released its final report for this Digital Platforms Inquiry. Importantly, this report recommended that some GDPR-style consumer rights, like the right to erase personal information in certain circumstances or "the right to be forgotten" be introduced. In December 2019, the federal government released a response to this report. Relevantly, it has committed to review the Privacy Act, ensure that privacy settings empower consumers, protect their data and best serve the Australian economy.
These amendments are in addition to its existing commitments. Specifically, the federal government has announced the following proposed amendments to the Privacy Act (although they have not yet been presented as legislation and so timing is unclear):
Recently, the ACMA has been targeting consent-based marketing as one of its priority compliance areas for unsolicited communications. In November 2019, Oneflare Pty Ltd (an online marketplace where people can hire local experts) paid a AUD75,600 infringement notice for sending SMS messages without consent to phone numbers found on public directories and failing to include an unsubscribe option. The ACMA has also received a court enforceable undertaking from Oneflare for future compliance.
Please see the comments in 1.7 Key Developments on the announcement of the Consumer Data Right and the Australian government’s response to the Digital Platforms Inquiry.
The information set out in this section relates to the Privacy Act and APP entities. State and territory government agencies are, in most cases, not bound by the Privacy Act and are instead bound by the relevant state and territory legislation. As a general rule, state and territory legislation is broadly similar to the Commonwealth legislation, although there are some key differences which are not discussed in this chapter.
Data Protection Officers
While the Privacy Act does not require the appointment of a privacy or data protection officer, it is generally accepted as best practice for an APP entity to assign responsibility for data security and privacy-related matters to a particular person or department.
Authorised Data Collection
APP entities are entitled to collect and handle personal information for purposes that are reasonably necessary for their functions and activities, provided the means of collection is fair and lawful. There are additional restrictions on the collection and handling of "sensitive information" as discussed further in 2.2 Sectoral and Special Issues.
Personal information must be collected directly from the individual unless it is unreasonable or impracticable to do so. Once collected, an APP entity must only use the personal information for the purpose for which it was collected or any other purpose that would be reasonably expected or in relation to which the relevant individual has provided their consent.
Under APP 6, APP entities must only use or disclose personal information for the purposes for which it was collected unless the individual consents to the use or disclosure or an exception applies (such as the use or disclosure being required or authorised by law or a court order, or the use or disclosure lessening or preventing a serious threat to life, health, or safety).
Privacy by Design
Under APP 1, APP entities are required to manage personal information in an open and transparent way, including by taking reasonable steps to implement practices, procedures, and systems that will ensure compliance with the APPs. The OAIC refers to this as "privacy by design". APP entities should design these practices, procedures and systems to facilitate compliance with the Privacy Act and with regard to the APP entity’s circumstances (including the type and sensitivity of information collected).
Privacy Impact Analyses
There is no mandatory requirement for private organisations to conduct privacy impact assessments. However, the OAIC has identified privacy impact assessments as an important element of privacy by design. The OAIC may direct a Commonwealth government entity to conduct a privacy impact assessment if it considers that the proposed activities or functions of that entity would have a significant privacy impact.
Data Subject Access Rights
Under APPs 12 and 13, individuals have the right to request access to their personal information and to request that an APP entity’s record of their personal information be corrected. Subject to certain exceptions, APP entities must comply with these requests. Additionally, information held by the government is subject to public freedom of information laws, but these laws do not apply to private sector entities.
Anonymisation, De-identification and Pseudonymisation
Information that has undergone an appropriate and robust de-identification process is no longer caught as "personal information" for the purposes of the Privacy Act and is therefore not subject to the Privacy Act. The OAIC has published a high-level guide to de-identification (De-identification and the Privacy Act) but recommends that entities seek specialist expertise for complex de-identification matters as information that is not appropriately de-identified will still be caught by the Privacy Act.
Profiling, Automated Decision Making, Big Data Analysis, AI and Algorithms
There are currently no specific restrictions on the use of information for profiling, automated decision making, online monitoring or tracking, big data analysis, or artificial intelligence beyond the general requirements of the APPs that apply where personal information is involved; where the information used is not personal information, the Privacy Act does not apply at all. However, the OAIC has issued informal guidance in relation to best practices for big data analytics. The Australian government has also announced the introduction of a privacy code for social media and online platforms that trade in personal information which is likely to address at least some of these matters.
"Injury" or "Harm"
The concept of “serious harm” is relevant for the assessment of whether a data breach is caught under the Notifiable Data Breach Scheme (as discussed in 1.1 Laws).
Sensitive information is a subset of personal information that includes information or an opinion about an individual’s racial or ethnic origin, political opinions, political association memberships, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or practices, criminal record, health or genetic information, biometric information or biometric templates.
Sensitive information is afforded a higher level of protection than other personal information in that:
Financial data is not afforded special protection under the Privacy Act. However, if it identifies a person, or could reasonably identify a person, it will constitute personal information and must be handled in accordance with the Privacy Act.
Health data, biometric information and biometric templates about an individual are sensitive information and must be handled in accordance with the restrictions that apply to sensitive information (outlined above).
Health data held in the My Health Records database is also protected under the My Health Records Act 2012 (Cth).
As noted in 1.4 Multilateral and Subnational Issues, various states and territories also have their own regimes relating to the handling of health data received from state or territory government sources (eg, public hospitals).
Telecommunications carriers are required to store certain metadata (as discussed in 4.5 Sharing Technical Details). Under the telecommunications legislation, this is defined as personal information and is therefore afforded specific protections.
Voice telephony and text messaging
Text messages are "commercial electronic messages" for the purposes of the Spam Act. Under the Spam Act, text messages (as well as other commercial electronic messages such as email and instant messages) with an Australian link:
Content of electronic communications
The interception of communications is governed by the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). Under this Act, a person must not intercept any communication passing through a telecommunications network without the knowledge of the persons issuing or receiving the communication.
The key exception to this prohibition is that law enforcement agencies may lawfully intercept or access telecommunications in specific circumstances, pursuant to a stored communications warrant or interception warrant issued under the TIA Act.
Children’s or student data
Children’s privacy is not specifically protected in Australia as it is in other jurisdictions (eg, the Children’s Online Privacy Protection Act (COPPA) in the USA). The Privacy Act does not distinguish between the rights of adults and children so, under this legislation, children have the same privacy protections as adults. The only exception to this is around the issue of consent. Consent is relevant to the operation of a number of APPs as it can be the deciding factor in how personal information may be handled under the Privacy Act and the APPs. The Privacy Act and the APPs are silent as to whether children have the capacity to provide consent for the purposes of the Privacy Act and the APPs. However, the OAIC has released guidelines indicating that, as a general principle, an individual under the age of 18 has the capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. If it is not practicable or reasonable for an APP entity to make this assessment on a case-by-case basis, the entity may presume that an individual aged 15 or over has this capacity (unless there is something to suggest otherwise). The guidelines also provide that where a child does not have the capacity to consent, it may be appropriate for a parent or guardian to consent on their behalf.
Most child care centres, private tertiary institutions and private schools are subject to the Privacy Act, whereas public schools and public universities are not (but may be governed by state or territory privacy laws).
Employee data that falls within the employee records exemption (discussed in section 2.4 Workplace Privacy) is expressly excluded from the application of the Privacy Act. However, to the extent that employee records do not fall within this exemption, they must be handled in accordance with the Privacy Act.
Other categories of sensitive data
This information falls within the definition of sensitive information discussed above and so must be handled in accordance with the restrictions that apply to sensitive information.
Internet Streaming and Video Issues
See 1.6 System Characteristics.
See 1.6 System Characteristics.
Cookies and beacons
Geolocation raises privacy issues because of the ubiquity of smart phones and connected "wearables" which enable rich aggregations of personal travels to be created. There is no specific legislative response to these issues but it is an area of policy focus (particularly in view of the Australian government’s focus on digital platform providers which collect location data).
Do not track, and tracking technology
The use of monitoring and surveillance devices is governed by various pieces of legislation at a federal level as well as at the state and territory level. Generally, surveillance legislation prohibits the tracking and audio or video recording of any person or activity without the consent of that person or of the person involved in the activity.
See 2.3 Online Marketing.
Social media, search engines, large online platforms
At present, digital platforms are governed by the same principles as other business (primarily under the Privacy Act). However, the Australian government has announced that it intends to introduce a binding privacy code for social media and online platforms which trade in personal information (as discussed in section 1.7 Key Developments).
Addressing hate speech, disinformation, etc
As part of its response to the ACCC’s Digital Platforms Inquiry, the Australian Government has announced that it will ask major digital platforms to develop a voluntary code of conduct for disinformation and news quality, in order to address concerns regarding disinformation and the credibility of news content. This code will be informed by international examples such as the European Union’s Code of Practice on Disinformation.
Also, in response to the Christchurch shootings in March 2019, Australia introduced laws in April 2019 relating to the taking down of abhorrent content. The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Act) amends the Criminal Code Act 1995 (Cth) by introducing offences for failing to notify the authorities of abhorrent violent material, and for failing to take down such material.
The key concept is "abhorrent violent conduct", which is defined as conduct whereby a person:
Data subject rights
See 2.1 Omnibus Laws and General Requirements on data subject access rights.
Right to be forgotten
Unlike in the EU, Australians have no statutory right to be forgotten. However, APP entities are required to destroy or de-identify personal information they no longer need for any purpose permitted by the APPs. This is an issue that will be addressed further in light of the Digital Platforms Inquiry, as discussed in 1.7 Key Developments.
Data access and portability
See 1.7 Key Developments on the Consumer Data Right and 2.1 Omnibus Laws and General Requirements on data subject access rights.
Right of rectification or correction
As mentioned above, individuals have a right to request that an entity which holds their personal information correct that information if it is wrong. Additionally, APP 13.1 explicitly requires an APP entity to take reasonable steps to correct personal information it holds so as to ensure it is accurate, up to date, complete, relevant and not misleading. APP 13 also sets out a series of minimum procedural requirements in relation to correcting personal information.
Under the Privacy Act, an APP entity is not permitted to use personal information for the purposes of direct marketing unless an exception applies. The key exceptions are where the individual concerned:
Additionally, sensitive information cannot be used for direct marketing purposes unless the individual concerned provides their consent.
The Spam Act also contains restrictions on direct marketing (discussed further in 2.2 Sectoral and Special Issues).
The Do Not Call Register Act 2006 (Cth) prohibits unsolicited telemarketing calls being made and unsolicited marketing faxes being sent to any numbers registered on the Do Not Call Register. However, the Do Not Call Register Act does not apply to certain exempt entities, such as registered charities or political parties, or to market research calls. Telemarketers, researchers and fax marketers must also comply with enforceable industry standards, including the Telecommunications (Telemarketing and Research Calls) Industry Standard 2017 and the Fax Marketing Industry Standard 2011.
As mentioned above, it is unclear whether data collected for behavioural advertising (such as metadata, browsing and viewing data) falls within the definition of personal information. The better view is that these types of information are likely to be personal information in most instances, and best practice in Australia is to align with international practice (which is informed by the online behavioural tracking rules in the GDPR).
It is also best practice to comply with the Australian Guideline for Online Behavioural Advertising, which is a self-regulatory guideline for third-party online behavioural advertising. The guideline sets out seven self-regulatory principles, including keeping data secure and giving consumers a choice as to whether or not they consent to the collection of their data for the purposes of online behavioural advertising.
Employee records relating to current or former employment relationships are expressly excluded from the application of the Privacy Act and the APPs so long as a record or information is used or handled in the context of the current or former employment relationship. Examples of employee records may include hours of employment, salary, trade union or professional association memberships, personal and emergency contact details, and performance or conduct in the workplace.
Workplace surveillance is regulated at the state and territory level. The Australian Capital Territory and the states of New South Wales and Victoria have specific laws regarding surveillance in the workplace. At a high level:
In addition to the workplace surveillance laws mentioned above, states and territories have laws regulating the general use of surveillance equipment and systems, which may apply in relation to workplace surveillance.
Monitoring Workplace Communications
Generally speaking, employers are not prohibited from monitoring employees’ use of company computers, laptops or mobile devices (including times of access, emails sent and received, and websites visited).
However, we note that:
The Privacy Act does not apply to any acts or practices of an employer that are directly related to a current or former employment relationship with an employee, or to a record relating to the employment of that employee. Accordingly, labour organisations and works councils do not play a significant role in the Australian privacy landscape. This has been a key criticism of the scope of federal privacy law in Australia.
Whistle-blowing protections in Australia are not as strong as in other jurisdictions. Accordingly, while the Privacy Act does not prohibit anonymous reporting of privacy related complaints or issues to the OAIC, no specific whistle-blowing protections are currently in place for individuals who disclose the privacy-related infringements of businesses in Australia.
Issues of e-discovery
There are no specific e-discovery-related privacy regulations in Australia. However, entities that handle personal information in this context may be caught by the Privacy Act or other equivalent legislation (as discussed further in section 1.1 Laws). If an entity is caught by privacy legislation, it should seek to de-identify or anonymise the material it is required to disclose in order to avoid conflicts between its privacy and discovery obligations.
Entities should also ensure that, before they use or disclose personal information regulated by the Privacy Act in the context of e-discovery, they consider whether that use or disclosure is permitted under the Privacy Act.
The Privacy Act and equivalent state and territory legislation impose restrictions on the disclosure of personal information outside Australia which may be practically difficult to comply with in the context of e-discovery (see 4.1 Restrictions on International Data Issues). Therefore, in relation to litigation conducted outside Australia, entities should seek to comply with e-discovery obligations within that jurisdiction without seeking discovery of Australian material.
See 1 Basic National Regime for the legal standards regulators must establish to allege violations of privacy or data protection laws and the section on the penalty and enforcement environment, in 1.1 Laws, for potential enforcement penalties.
Leading Enforcement Cases
In June 2019, the OAIC determined that the Commonwealth Bank of Australia interfered with a complainant’s privacy by improperly disclosing inaccurate and out-of-date information (in breach of APP 10) about a prior credit card debt to a number of credit providers. As a result, the complainant’s applications for home loans with those credit providers were declined. Commonwealth Bank was ordered to pay the complainant AUD15,000 for non-economic loss caused by the interference with the complainant’s privacy. This decision is significant in that the amount Commonwealth Bank was ordered to pay is at the higher end of what we would normally see from the regulator.
Additionally, the Notifiable Data Breach Scheme has now been in place for 12 months and so the OAIC has released a 12-month review setting out statistics and its proposed enforcement approach in relation to that scheme. In particular, it has announced that it will take a proportionate and evidence-based regulatory approach in relation to the Notifiable Data Breach Scheme (including by exercising its enforcement powers where necessary). Given the OAIC’s range of powers, this could include conducting investigations or issuing infringement notices.
What legal standards apply?
The Privacy Act does not allow an individual to make a claim directly against an entity for a breach of the Privacy Act. Any complaint about how an entity collects and handles personal information must go through the OAIC, which may then take appropriate action, such as investigating the complaint or seeking a court order. Similarly, Australian law does not currently allow an individual to make a claim directly against another party for breach of the cybercrime provisions in the Criminal Code Act 1995 (Cth). Any complaint would need to be reported to the Australian Federal Police for further action.
However, a leading High Court case suggests that individuals may (in certain circumstances) be able to seek a remedy for invasion of privacy through an equitable cause of action for breach of confidence (see ABC v Lenah Game Meats (2001) 185 ALR 1). This cause of action has not since been pursued to our knowledge.
Are class actions allowed?
As individuals do not have standing to bring a claim against another party for breach of privacy or cybercrime legislation, class actions for breaches of the Privacy Act are not permitted.
The OAIC can conduct investigations on behalf of a class of people, but these are not class actions in the traditional sense.
Chapter 4, Division 4 of the TIA Act provides that disclosure of information or a document to an enforcement agency is not an offence, if the disclosure is reasonably necessary for the enforcement of:
In addition, an authorised officer of an enforcement agency may authorise the disclosure of specified information or specified documents that came into existence before the moment the person from whom the disclosure is sought received notification of the authorisation.
Authorised officers of the Australian Federal Police and state police forces have stronger powers in relation to missing persons, and may authorise the disclosure of specified information or specified documents that came into existence before the moment the person from whom the disclosure is sought received notification of the authorisation.
The TIA Act makes it an offence for a person to intercept or access private telecommunications without the knowledge of those involved in that communication, unless the exceptions above apply.
Under Sections 306 and 306A of the Telecommunications Act, if a carrier, carriage service provider or number-database operator discloses information or documents, certain records of that disclosure must be made and retained for three years. The number of disclosures made during each financial year must also be reported to the ACMA within two months after the end of that financial year.
There are offences and penalties for:
Under certain circumstances, Australian intelligence agencies, as well as federal and state police forces, can request access to an individual’s telephone and internet records. Independent judicial approval is not required. Please see 3.1 Laws and Standards for Access to Data for Serious Crimes and 4.5 Sharing Technical Details for an overview of the legislation that sets out relevant procedures.
The Surveillance Devices Act 2004 (Cth) governs the use of surveillance devices by Australian Government agencies. This Act also applies to the state and territory police forces when they are using surveillance devices under federal laws.
Disclosure of information or documents to a foreign law enforcement agency may only be authorised by a member of the Australian Federal Police if they are satisfied that the disclosure:
Australia does not yet participate in a Cloud Act Agreement with the USA and does not currently have legislation that is equivalent to the Cloud Act. On 7 October 2019, both countries announced that they had entered into formal negotiations for a bilateral agreement under the US Cloud Act. However, those negotiations are not expected to produce a finalised agreement until Australian legislation equivalent to the Cloud Act is enacted.
See 4.5 Sharing Technical Details on the TOLAAA. This law has been controversial and may change in the coming year.
Furthermore, access to the metadata held by telecommunications carriers is limited to certain parties, and which parties should have access to this data is a source of ongoing debate.
There are restrictions on the disclosure of personal information outside Australia.
Before an APP entity discloses personal information to an overseas recipient, that entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Furthermore, an APP entity that discloses personal information to an overseas recipient may be held liable for privacy breaches by that recipient. There are exceptions to this reasonable steps requirement. The key exceptions are where:
Certain types of data cannot be transferred internationally. For instance, the international transfer and disclosure of health records has been restricted by the Australian Government’s My Health Record framework, and Part IIIA of the Privacy Act places restrictions on sending credit reporting information overseas. Additionally, some state and territory privacy legislation contains obligations to retain certain records within state and territory borders (subject to certain conditions and exceptions).
At a minimum, Australian entities that engage overseas providers should ensure their contracts contain appropriate clauses relating to the protection and security of the personal information disclosed to those providers, and that the international third parties comply with the Privacy Act in their handling of that personal information.
No mechanisms (such as Privacy Shield) apply to international data transfers - please see 4.1 Restrictions on International Data Issues for an explanation of the process for disclosure of personal information outside Australia.
No government notifications or approvals are required to transfer personal information outside Australia – please see 4.1 Restrictions on International Data Issues.
Data is generally not required to be maintained within Australia under the Privacy Act. However, there are requirements under certain state and territory legislation for certain records to be retained within state and territory borders. See 4.1 Restrictions on International Data Issues.
The TIA Act (discussed in 2.2 Sectoral and Special Issues) requires telecommunications carriers to store, for two years, certain metadata relating to network users’ activity. The metadata must be encrypted and it can only be accessed on application by a restricted list of entities, including law enforcement agencies.
In addition, in late 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLAAA) was introduced; this has garnered international attention, as it can be used to require technology vendors to assist law enforcement by providing access to technical data and removing technical protections.
The laws are highly controversial and may change in the coming year. The Australian government has noted that this new framework does not compel communication providers to build vulnerabilities in their systems to allow decryption. However, there has been significant public concern that there are few limits or constraints on the assistance that telecommunications providers may be ordered to offer, and around transparency. Furthermore, there are limited accountability structures and processes in place.
The TOLAAA Act is currently still under review by the Parliamentary Joint Committee on Intelligence and Security. Submissions to this inquiry closed in July 2019 but it is unclear when it will complete its review (including holding further public hearings) and provide a final report.
Technical Assistance Notices and Technical Assistance Requests
The TOLAAA Act sets out a list of the "acts or things" that an agency can ask a designated communications provider to do under a Technical Assistance Request (on a voluntary basis) or Technical Assistance Notice (on a mandatory basis), which relevantly include:
In deciding which acts or things are included in a mandatory Technical Assistance Notice, the agency head must be satisfied that the requirements are reasonable, proportionate, practicable and technically feasible.
There is a broad exception that vendors cannot be forced to create systemic weaknesses (ie, permanent backdoors), but it is difficult to understand how this will operate in practice, especially given a number of the above actions could require providers to build weaknesses and vulnerabilities, in order for them to be exploitable by the specified agencies.
Technical Capability Notices
Additionally, the Attorney-General has the power to issue Technical Capability Notices, requiring a designated communications provider to do acts or things to ensure the provider is capable of assisting the Australian Security Intelligence Organisation (ASIO) and interception agencies. This may require designated communications providers to build equipment or software to facilitate or better handle real or potential Technical Assistance Requests or Technical Assistance Notices in the future.
Prior to a Technical Capability Notice being issued, the Attorney-General must be satisfied that the requirements are reasonable, proportionate, practicable and technically feasible. There is a mandatory 28-day consultation period with the relevant designated communications provider (unless an emergency situation arises). The same applies to a variation of an existing notice.
There are no specific provisions in Australia specifically limiting or prohibiting collection or transfer of information in accordance with foreign government requests. However, relevant entities would need to comply with the restrictions on cross-border disclosures of personal information (discussed in detail in 4.1 Restrictions on International Data Issues).
See 4.6 Limitations and Considerations.
While there is no "blocking" legislation in Australia that would impede cross-border disclosure by law enforcement authorities to their overseas counterparts, all disclosures of personal information outside Australia must comply with relevant restrictions on cross-border disclosures of personal information.
Additionally, Australian courts have historically found that they are not bound to refuse an order for discovery on the basis that the contravention of a foreign law (or blocking statute) may be involved in the disclosure process (see the decision of Besanko J in ACCC v Prysmian Cavi E Sistemi Energia SRL (No 7)  FCA 5).
Big Data Analytics
Big data analytics creates significant privacy issues because of the large volumes of data it involves, and the ever-present issue of re-identification of that data. Fundamentally, the collection and processing of data in big data platforms is governed in the same way as any other business process, but the risks are magnified. Ensuring the proper anonymisation of data sets is the key practical mitigation.
There are currently multiple legislative instruments in Australia that permit or contemplate decision making being delegated to automated means. It is unclear to what extent those decisions may be challenged under the usual administrative law principles, and the key issues, algorithmic bias and transparency, remain the key subjects of debate that have not yet been satisfactorily resolved (nor been the subject of instructive legal proceedings).
Profiling is not specifically addressed in legislation, although it naturally raises issues under the Privacy Act because it involves the collection and use of personal information, and many instances involve the use of sensitive information, which is subject to higher processing standards.
AI is not specifically legislated for, but given its connection with big data analytics, it raises similar issues in relation to the size, composition and anonymity of data sets.
Internet of Things (IoT)
The Internet of Things raises significant privacy issues in connection with wearables (as set out in the geolocation section below) and to the extent that smart devices are able to capture personal information (for instance, through cameras and microphones). It also creates significant cybersecurity issues as it greatly increases the number of attack vectors for hackers and malware. There is no specific legislation in connection with it, but there is a great deal of policy discussion around how to secure IoT devices generally.
Autonomous decision making is not currently legislated for, but key issues around vehicle safety and algorithmic bias are live policy discussions in Australia.
Facial recognition involves the collection and use of sensitive information under Australian law, and so is subject to the requirements in relation to that information, as discussed elsewhere in this chapter.
Biometric data is included in the definition of sensitive information under the Privacy Act, and so is subject to the requirements in relation to that class of information, as discussed in 2.2 Sectoral and Special Issues.
See comments on location data in 2.2 Sectoral and Special Issues.
Drones are not subject to specific privacy legislation but are subject to specific aviation safety legislation. Drones and their use have captured a lot of public attention due to the surveillance capability and generalised privacy issues that they raise. However, given that Australia does not have a privately enforceable right to privacy, the community concerns are largely unactionable.
As discussed elsewhere in this chapter, the potential future introduction of a private right of action for breach of privacy will likely lead to a raft of claims because drones are increasingly seen as a public nuisance.
More generally, to the extent that these types of information constitute personal information as defined in the Privacy Act and state and territory privacy legislation, they must be dealt with in accordance with that legislation.
Organisations can establish protocols for digital governance or fair data practice review boards or committees; however, there is no established practice of doing so in Australia.
Please see 2.5 Enforcement and Litigation for information on significant audits, investigations or penalties imposed for alleged privacy or data protection violations. Despite the availability of penalties of up to AUD2.1 million for serious or repeated interferences with privacy (and calls to increase this maximum penalty), the OAIC has not historically sought these penalties, given its compliance approach (see 1.2 Regulators).
The applicable legal standards for regulatory enforcement depend on the standards set out in the specific legislation that regulators enforce. For example, in the Privacy Act, there are some provisions which carry civil penalties (and would be subject to civil standards of proof) and other provisions which carry criminal penalties (which would be subject to criminal standards of proof).
Private litigation is not currently possible under the Privacy Act, and so we have not seen any major litigation. The introduction of a Consumer Data Right and potential direct right of action as a future feature of the landscape means this may change over the medium term.
In the context of due diligence in corporate transactions, companies will need to consider how to comply with their privacy obligations. For example, companies disclosing information will need to consider whether it contains personal information and, if so, whether and how they can disclose that information. Additionally, companies purchasing interests in other companies need to consider whether the target company has complied with its privacy obligations in the past (as non-compliance can attract hefty fines and loss of public confidence).
No non-privacy or data protection-specific laws currently mandate disclosure of an Australian organisation’s cybersecurity risk profile or experience. Australia also lacks detailed regulatory guidelines on cybersecurity for publicly listed companies. However, some data breach notification obligations do apply (as further discussed in 1.1 Laws).
Not applicable: all the major data privacy and protection issues in Australia have been discussed.
Level 11, 66 Eagle Street
Brisbane QLD 4000
GPO Box 1855
Brisbane QLD 4001
+61 7 3233 8888
+61 7 3229 9949
www.mccullough.com.au