🇦🇺 Australia
Information
Extracts :
Extract :
"The Privacy Act does not explicitly refer to nationality or place of residence. However, personal information processed by an APP entity will be subject to the Privacy Act."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The Privacy Act protects the personal information of 'individuals', defined as 'natural persons'. While not specifically noted, as an 'individual' implies a living person, the Privacy Act does not apply to the information of or about deceased persons."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Article 13 (5): Personal information handlers may only handle personal information where they conform to one of the following circumstances, handling personal information within a reasonable scope to implement news reporting, public opinion, supervision, and other such activities for the public interest."
2021
Reference :
China Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
Under the reform, the distinction between the two entities is now explicitly set out.
Reference :
Government Response | Privacy Act Review Report
Information on AUS potential updates
Extracts :
Extract :
A PIA is now mandated as part of the reforms.
Reference :
Government Response | Privacy Act Review Report
Information on AUS potential updates
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Australia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"While this is not a 'legal basis' for collection, subject to meeting the requirement of APP 3, where there is a contract between the entity and the individual this will usually provide any required consent for the collection."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"'Legal obligations' (e.g. the requirement or authorisation by or under Australian law or a court/tribunal order) are exceptions from the requirement to obtain consent to collect relevant sensitive information. However, such does not avoid the obligation under APP 5 to notify individuals of the prescribed matters (APP 5.2) at or before the time of or, as soon as practicable, after the collection of that information."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Again similar to 'legal obligations' noted above, an entity can dispense with obtaining consent from an individual for the collection of sensitive information where such information is reasonably necessary to assist the location of a person that has been reported missing or which is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual or to public health or safety."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Consent for the collection of sensitive information may also be dispensed with by the entity collecting it where such is reasonably necessary to lessen or prevent a serious threat to public health or safety, find a missing person, where the unlawful activity or misconduct of a serious nature is suspected, or it is reasonably necessary for an entity's diplomatic or consular functions or activities."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The entity is able to collect sensitive information without consent where it does so as regards to suspected unlawful activity or misconduct of a serious nature, for the establishment, exercise, or defence of a legal claim or for the purposes of a confidential alternative dispute resolution process."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Under the Privacy Act, the Information Commissioner has the power to investigate organizations based on complaints or of the Commissioner's own accord, accept enforceable undertakings, make determinations, apply to the court for injunctions or civil penalties.
The maximum penalty for a corporation for serious and repeated interferences of privacy has recently been increased to the greater of:
AUD 50,000,000,
If a court can determine the value of the benefit obtained from the contravention - three times the value of the benefit, or
If a court cannot determine the value of the benefit obtained from the contravention - 30% of the body corporate's adjusted turnover during the breach turnover period.
Additionally, the Information Commissioner may issue infringement notices imposing monetary penalties for failure or refusal to provide information, answer questions or to produce documents or records required by the Commissioner. The Information Commissioner's determinations can include requirements for the respondent to a complaint to take specified steps to rectify conduct which led to a breach, which may include a direction to engage an independent and suitably qualified adviser to assist with this process at the respondent's own cost.
Under the Healthcare Identifiers Act, knowing or reckless unauthorized use or disclosure of healthcare identifiers gives rise to a maximum civil penalty of AUD 825,000 for corporations and AUD 165,000 for individuals.
Misuse of a My Health Record or breach of the requirements of the MHR Act is subject to a maximum civil penalty of AUD 2,062,500 for corporations and AUD 412,500 for individuals.
State and Territory public sector privacy, health records laws, surveillance laws, telecommunications laws and critical infrastructure laws also have their own civil penalty regimes which may be triggered by data-related breaches."
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Under the Privacy Act, the maximum penalty for noncompliance is currently a fine of AUD 2.22 million (approx. €1.4 million). At the time of publication, this is being revised upward in the near future to be the greater of AUD 10 million (approx. €6.4 million) and 4% of annual domestic revenue."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
"Unauthorized use or disclosure of healthcare identifiers is an offence under the Healthcare Identifiers Act subject to a maximum penalty of imprisonment for two years or AUD 33,000.
For criminal breaches of the My Health Record Act, the maximum penalty is up to five years' imprisonment and/or a fine of AUD 82,500.
State and Territory public sector privacy, health records laws, surveillance laws, telecommunications laws and critical infrastructure laws also have their own criminal penalty regimes, which may be triggered by data-related breaches.
Under the Crimes Act 1914 (Cth), criminal pecuniary penalties can typically be increased five-fold, and penalties for imprisonment can be converted into monetary penalties, for corporations."
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"There is currently no private tort of interference with privacy in Australia. However:
Breach of the Australian Privacy Principles and certain other provisions in the Privacy Act is an interference with the privacy of an individual. An individual can complain to the OAIC about interferences with their privacy, and the OAIC may assist with conciliation or commence an investigation, and potentially subsequently make a determination in the individual's favor (which may result in compensation being paid to the individual and/or an apology being made)
An individual could potentially bring an action for damages on the basis of breach of statutory duty, on another tortious basis (e.g., negligence), or for breach of contract, depending on the circumstances
The report on the review of the Privacy Act proposed that the legislature should introduce a direct right of action for individuals against organizations that breach their privacy and a tort for serious invasions of privacy."
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Under the GDPR a DPIA must be conducted in specified circumstances. Whilst the Privacy Act does not explicitly require APP entities to conduct a DPIA, the APP Guidelines state that APP entities should consider conducting a DPIA to assist them with compliance."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
"The Privacy Act does not define pseudonymisation"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
"An APP entity is required to notify the OAIC and all affected individuals to whom the information relates"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
There is no comment by DataGuidance.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
No specific processor notification requirements are outlined in the reforms. Previously, Australia did not differentiate between controllers and processors.
Extracts :
Extract :
"The right to request not to receive direct marketing and to not have the individual's personal information disclosed or used for direct marketing is covered under APP 7.6. Also, any personal information collected under a consent will be subject to the individual withdrawing their consent to processing"
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"An organisation must, following a valid request from a data subject, give access to the information in the manner requested by the data subject if it is reasonable and practical to do so. A data subject could use this right to ask for their personal data in a portable format. If the organisation does not provide access in the manner so requested by the individual, it will need to set out its reasons for not doing so in written notice to the individual.
In August 2019 the Australian Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which creates a framework for a national Consumer Data Right (the "CDR") that will provide consumers with further rights to data portability (outside of the Privacy Act). The CDR gives consumers the right to access specified categories of data held about them by designated organisations and efficiently transfer that data to accredited third parties.
Under the CDR regime, designated sectors of the economy will be required to respond to requests from CDR consumers to transfer "CDR data", which will include any datasets that the Treasurer specifies under a designation instrument. The CDR is being rolled out in stages, beginning with the banking sector from 1 July 2020, followed by the energy and telecommunication sectors.
CDR consumers include individuals and businesses who are identifiable or reasonably identifiable from CDR data (which is broader than the remit of personal data about a reasonably identifiable individual under the Privacy Act). Designated organisations will be required to disclose CDR data in machine-readable form to accredited third parties, and in human-readable form to CDR consumers on request."
2022
Reference :
Data Protection in different countries | Linklaters
Database for comparing other databases for the same information on data protection
Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
There is currently no right provided under Australian privacy law to request not to be subject to automatic decision-making, unless such results in discrimination, in which case there are possible actions under legislation other than privacy legislation."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
As noted above, there is an obligation to notify all individuals whose personal information an entity collects of certain prescribed matters detailed in APP 5.2 at, or prior to, the collection of that information. If this is impracticable then notification must occur as soon as possible after the collection of that information. This is, in effect, Australian privacy law's 'right to be informed'. APP 5.2 provides the prescribed matters that must be notified and these include who is collecting, the purpose(s) for the collection, what use will be made of the information, and to whom it may be disclosed (and whether any of those disclosures are to recipients outside of Australia)."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The Privacy Act does not deal specifically with minors or specify an age after which individuals can make their own privacy decisions. However, the APP Guidelines indicate that:
Where an APP entity is seeking consent from an individual under the age of 18, it will need to determine on a case-by-case basis if the individual has capacity to consent
If it is not practicable or reasonable for an APP entity to assess the capacity of individuals under the age of 18 on a case-by-case basis, the entity may presume that an individual aged 15 or over has capacity to consent, unless there is something to suggest otherwise
An individual aged under 15 is presumed not to have capacity to consent
In practice, it is usual to seek a parent's or guardian's consent for collection of personal information from children, especially where sensitive information is concerned and where a younger child is involved.
The review of the Privacy Act considered whether additional privacy protections in relation to children should apply to all APP entities. The review report endorses existing OAIC guidance on children, young people and capacity, but also suggests codifying the principle that consent must be given by someone with capacity in order to be valid. Other proposals include that notices and privacy policies should be clear and understandable, in particular for information addressed to children and that there should be a Children’s Online Privacy Code which will provide more guidance and regulated online services that are likely to be accessed by children."
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"8.2. Right to access
The right to access the personal information held by the APP entity about that individual is covered by APP 12.1."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
The right to seek correction of the personal information held by the APP entity about that individual is covered by APP 13.1 and the right to have any correction notified to third parties to whom the personal information was provided by the APP entity is covered by APP 13.2."
2021
Reference :
Australia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Under the reform, this right is now explicitly set out.
Reference :
Government Response | Privacy Act Review Report
Information on AUS potential updates
Extracts :
Extract :
SCCs are now an explicit part of the reforms.
Reference :
Government Response | Privacy Act Review Report
Information on AUS potential updates
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
The Australian Privacy Act does not have any requirement for the appointment of a DPO. However, the APP Guidelines recommend appointing a privacy officer.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
Technically, roles are specified, but these apply to the privacy officer appointed rather than to a DPO position.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
"The Privacy Act does not include a requirement to appoint a DPO."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
"The Privacy Act provides an exception to mandatory breach notification to the individual when the risk of any serious harm can be mitigated before any serious harm is suffered by the individuals to whom the information relates."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
Extracts :
Extract :
"The GDPR requires controllers and processors to maintain a record of their processing activities. However, the Privacy Act does not contain a specific record-keeping requirement with respect to processing activities."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - AUS
| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Office of the Australian Information Commissioner (OAIC) | OAIC | Regulator | Independent agency | 2010 |
| Australian Privacy Commissioner (APC) | APC | Regulator | Independent agency | 1989 |
| Australian Competition and Consumer Commission (ACCC) | ACCC | Regulator | Independent agency | 1995 |
| Australian Communications and Media Authority (ACMA) | ACMA | Regulator | Independent agency | 2005 |
| Australian Taxation Office (ATO) | ATO | Regulator | Under the government authority | 1910 |
| Australian Securities and Investments Commission (ASIC) | ASIC | Regulator | Under the government authority | 1991 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Privacy Legislation Amendment (Enforcement and Other Measures) Act | Privacy Act | General privacy/data protection law | 1988 | Active | 1988 | 2022 | Penalties, extra territoriality | |