Data Protected - Australia
Last updated June 2022
General | Data Protection Laws
National Supervisory Authority
Scope of Application
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
General | Data Protection Laws
General data protection laws
The Commonwealth of Australia has enacted the Privacy Act 1988 (Cth) (the “Privacy Act”). It has also enacted other legislation specifying obligations and granting rights in relation to privacy and the handling of personal data, including the Taxation Administration Act 1953 (Cth), the Telecommunications Act 1997 (Cth) and Telecommunications (Interception and Access) Act 1979 (Cth).
Substantive amendments to the Privacy Act came into effect on 12 March 2014 in respect of a number of areas including direct marketing, privacy collection statements and privacy policies, collection of unsolicited personal data, disclosure of personal data outside Australia and credit reporting. Substantial penalties can now be imposed for "serious" or "repeated" interferences with the privacy of data subjects.
The Australian Federal Government is currently in the process of reviewing the Privacy Act. In October 2020, it published its first issues paper for consultation, which culminated in the release of a discussion paper in October 2021, with the paper contemplating a legislative overhaul of the Privacy Act. In parallel, the Federal Government also released an exposure draft of proposed legislation amending the Privacy Act (Online Privacy Bill) to introduce an Online Privacy Code and update the OAIC’s enforcement powers (including penalties for breach). A number of Australian States and Territories have also enacted privacy legislation. In particular, New South Wales, the Australian Capital Territory, the Northern Territory, Queensland, Tasmania and Victoria all have specific privacy laws governing the handling of personal data by government agencies in those States and Territories. In addition, the Australian States and Territories have enacted a range of other legislation which prescribe obligations and rights relating to data handling and privacy. This other legislation addresses issues such as surveillance, use of criminal record information and use of health information.
The remainder of this summary only considers the Privacy Act (except to the extent otherwise specified).
Entry into force
The Privacy Act came into effect on 1 January 1989. The Privacy Amendment (Private Sector) Act 2000 (Cth) came into effect on 21 December 2001, amending the Privacy Act to establish a national scheme to regulate private sector organisations' handling of personal data. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect on 12 March 2014, introducing the significant changes to the Privacy Act described above. The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018, introducing a mandatory data breach notification regime into the Privacy Act.
National Supervisory Authority
Details of the competent national supervisory authority
Office of the Australian Information Commissioner ("Commissioner")
GPO Box 5218
The Commissioner heads the Office of the Australian Information Commissioner (the “OAIC”). In practice, the Commissioner is responsible for the majority of the privacy related functions of the OAIC, including the investigation of complaints made by data subjects.
The previous regulatory authority, the Office of the Privacy Commissioner, was integrated into the OAIC on 1 November 2010. The Commissioner now holds the dual role of Privacy Commissioner and Information Commissioner.
Notification or registration scheme and timing
There is no notification or registration scheme for organisations or agencies that handle personal data.
Exemptions to notification
Scope of Application
What is the territorial scope of application?
The Privacy Act applies to the handling of personal data by federal government agencies and private sector organisations within Australia.
The Privacy Act also applies to the overseas activities of Australian organisations, and the activities of foreign organisations, that have an "Australian link". An organisation is considered to have a link with Australia if: (i) there is an organisational link: for example, the organisation is a company incorporated in Australia, or a trust created in Australia; or (ii) the organisation carries on business in Australia or an external territory, and collects or holds personal data in Australia or an external territory.
If an organisation's overseas activity is required by the law of a foreign country, then that activity is not taken to amount to an interference with the privacy of a data subject under the Privacy Act.
Is there a concept of a controller and a processor?
The Privacy Act makes no distinction between entities which control, as opposed to process, personal data. Any handling by APP entities of personal data, whether collecting, using, disclosing, holding or otherwise processing it either independently or on the instructions of another organisation, is potentially subject to regulation under the Privacy Act.
Entities regulated by the Privacy Act are known as "APP entities".
Are both manual and electronic records subject to data protection legislation?
Yes. The Privacy Act applies to any personal data that is collected, acquired or obtained from any source and by any means. The definition of personal data in the Privacy Act expressly includes reference to personal data whether recorded in a material form or not.
Are there any national derogations?
Generally, private sector organisations and federal government agencies are subject to the Privacy Act, and State and Territory government agencies are subject to separate State and Territory legislation.
The Privacy Act contains exemptions for certain organisations. For example, operators of small businesses (broadly, businesses with an annual turnover for the previous financial year of $3,000,000 or less) are not generally subject to the Privacy Act, except in specific circumstances, e.g. where the small business provides a health service and holds health information, discloses personal data for a benefit, service or advantage, or is a contracted service provider for a Commonwealth contract. The potential removal of this exception for operators of small businesses is one of the issues being considered as part of the Federal Government's review of the Privacy Act.
There are also exemptions for the handling of personal data in relation to personal, family or household affairs, and for media organisations and political parties. However, there is no general exemption for not-for-profit organisations.
There is a limited exemption from the application of the Privacy Act for the sharing of personal data (other than sensitive data) between companies in the same group, whereby the collection and sharing of personal data between those companies will not be considered an interference with the privacy of an individual. However, principles regarding the disclosure of personal data outside Australia apply even where the relevant transfer is between group companies. In some circumstances there is an exemption from the Privacy Act for employers with respect to employee records. This is considered in more detail below.
What is personal data?
The Privacy Act defines personal data (referred to in the Privacy Act as “personal information”) to be “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”. The distinction between this definition and the definition of personal data in the GDPR is unlikely to be substantive.
Is information about legal entities personal data?
No, unless the legal entity is a data subject (for example a sole trader), or the information identifies (or is capable of reasonably identifying) any individuals (for example, the employees, directors or customers of the legal entity).
However, certain information about legal entities will receive protection under the Privacy Safeguards where the information is "CDR data" under the Consumer Data Right regime (see "Rights to data portability" below).
What are the rules for processing personal data?
The Privacy Act does not specifically refer to “processing” personal data and there is no distinction between entities which control, as opposed to process, personal data. This means that any handling of personal data by APP entities, whether using, holding, processing or otherwise, is potentially subject to the Privacy Act. The Privacy Act contains the Australian Privacy Principles (the “APPs”) that prescribe the rules for the collection, use, disclosure and protection of personal data, which generally apply to both private sector organisations and federal government agencies.
While the APPs contain obligations which are broadly similar in operation and effect to the conditions for processing personal data, these provisions are dispersed throughout the APPs. The obligations in the Privacy Act are grouped according to the type of processing taking place, such as collection, use, disclosure or storage, or by the relevant right given to the data subject.
The APPs provide, as a general rule, that an organisation should only use or disclose personal data for the purpose for which it was collected. However, an organisation may use or disclose personal data about a data subject for another purpose (a secondary purpose) if the data subject has consented or the secondary purpose is related to the primary purpose and such use or disclosure might reasonably be expected by the data subject. If the personal data is sensitive personal data, the secondary purpose must be directly related to the primary purpose. There are also a number of exceptions to this general rule.
Are there any formalities to obtain consent to process personal data?
There are no specific formalities to obtain consent set out in the Privacy Act (except where an organisation wishes to obtain consent to cross-border disclosure, discussed further below). Consent can be express or implied, written or oral, but in any event requires both knowledge of the matter agreed to and voluntary agreement of the relevant data subject. The level of consent required in any particular case will depend upon, among other things, the seriousness of the consequences for the data subject if the personal data were to be used or disclosed.
The Australian Privacy Principles Guidelines issued by the Commissioner (the "APP Guidelines"), which are not legally binding but are intended to promote understanding and acceptance of the APPs, outline four key elements of valid consent, being: (1) the individual is adequately informed before giving consent; (2) the consent is given voluntarily; (3) the consent is current and specific; and (4) the individual has the capacity to understand and communicate their consent.
Are there any special rules when processing personal data about children?
There are no special rules in the Privacy Act relating to the processing (or otherwise) of personal data about children. However, the Commissioner's APP Guidelines on consent state that entities subject to the Privacy Act must assess, on a case-by-case basis, whether a data subject under the age of 18 has sufficient understanding and maturity to understand the particular processing of their personal data that is being proposed. If they do not possess this level of understanding, then parent or guardian consent may be required.
According to the Commissioner's guidance, where it is not practicable to assess the capacity of data subjects under the age of 18 on a case-by-case basis, the entity may presume that a data subject over the age of 15 has capacity to consent, unless there is something to suggest otherwise.
Among other things, the discussion paper released by the Federal Government in October 2021, contemplates amendments to further safeguard children specifically, by requiring organisations to tailor their information-gathering arrangements in circumstances where they are likely to interact with children. In addition to this, the exposure draft of the Online Privacy Bill includes further changes to consent requirements that heighten the privacy protections for children.
Are there any special rules when processing personal data about employees?
Employers will be exempt from compliance with the Privacy Act to the extent that they are collecting and using any employee records that are directly related to a past or former employment relationship. This exemption distinguishes Australian privacy regulation from other jurisdictions, which generally do not contain an equivalent exemption for employee records. However, the Federal Government is considering whether this exemption should remain, as part of its review of the Privacy Act.
Given the way the employee records exemption is framed, the exemption does not extend to an employer's collection of personal information from independent contractors and new applicants for employment. The scope of the employee records exemption has also been construed narrowly by Australian courts. In 2019, the Full Bench of the Fair Work Commission found that the exemption only applies in the case of employee records already held by the employer (Jeremy Lee v Superior Wood Pty Ltd FWCFB 2946). That is, it does not exempt employers from their obligations under the Privacy Act in relation to the collection of employees' personal information.
In addition to the employee records exemption, there are some special rules for processing surveillance data about employees under state-based employee surveillance legislation, including a general requirement to provide prior notice to employees in relation to any camera, computer and tracking surveillance conducted in the workplace (for instance, under the Surveillance Devices Act 1999 (Vic), the Workplace Surveillance Act 2005 (NSW) and the Workplace Privacy Act 2011 (ACT)).
Sensitive Personal Data
What is sensitive personal data?
The Privacy Act defines sensitive personal data (referred to in the Privacy Act as “sensitive information”) in broadly the same way as the standard types of sensitive personal data.
Are there additional rules for processing sensitive personal data?
Generally, an organisation is not allowed to collect sensitive information from a data subject unless the data subject has consented and the personal data is reasonably necessary for one or more of the organisation's functions or activities. An organisation can collect sensitive information from a data subject without consent in certain limited circumstances, for example where collection is required by Australian law. Non-profit organisations may collect sensitive information from a data subject without consent if the information relates to the activities of the organisation and the information relates solely to members or individuals who have regular contact with the organisation in connection with its activities.
An organisation may only use or disclose sensitive data for a purpose other than the primary purpose of collection (a secondary purpose) if either: (i) the secondary purpose is directly related to the primary purpose of collection and such use or disclosure might reasonably be expected by the data subject; (ii) the data subject has consented to the secondary use or disclosure; (iii) the use or disclosure is authorised or required under law; or (iv) another relevant exception applies.
Are there additional rules for processing information about criminal offences?
The Privacy Act expressly classifies a criminal record as a type of sensitive information. Therefore, the rules are the same as for sensitive information (described above).
Are there any formalities to obtain consent to process sensitive personal data?
See “Are there any formalities to obtain consent to process personal data?” above. There are no additional specific formalities to obtain consent to process sensitive personal data.
Data Protection Officers
When must a data protection officer be appointed?
There is no legal requirement under the Privacy Act to appoint a data protection officer. However, the APP Guidelines recommend that organisations consider appointing a designated privacy officer as part of good governance mechanisms to ensure compliance with the Privacy Act.
What are the duties of a data protection officer?
Not applicable (see above).
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
APP 1 imposes a positive requirement on organisations to actively take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. What constitutes “reasonable steps” depends on a number of factors, such as the size and resources of the organisation, the nature of the personal data held and the practicality of implementing particular practices. The APP Guidelines, however, are clear that APP entities are not excused from implementing appropriate procedures on the grounds of inconvenience or cost. The APP Guidelines offer a number of examples of the practices that organisations should consider implementing (for example, regular staff training on the APPs and a proactive review and audit program for the organisation's implemented privacy practices, procedures and systems).
Are privacy impact assessments mandatory?
There is no express requirement to carry out privacy impact assessments. However, as discussed above, APP 1 requires organisations to take "reasonable steps" to implement privacy practices, procedures and systems that will ensure compliance with the APPs. The APP Guidelines suggest that to comply with APP 1, organisations should consider conducting privacy impact assessments for new projects in which personal information will be handled, or when a change is proposed to existing data handling practices.
Rights of Data Subjects
Where personal data is not collected directly from the data subject, an organisation must take reasonable steps to make sure the data subject is informed of the same matters in respect of its indirect collection.
Rights to access information
As a general rule, an organisation must, upon request, give the data subject access to any personal data held about them. There are exceptions to this general rule, including where the provision of access to personal data could have an unreasonable impact on the privacy of other data subjects or where denying access is required or authorised by law.
Rights to data portability
An organisation must, following a valid request from a data subject, give access to the information in the manner requested by the data subject if it is reasonable and practical to do so. A data subject could use this right to ask for their personal data in a portable format. If the organisation does not provide access in the manner so requested by the individual, it will need to set out its reasons for not doing so in written notice to the individual.
In August 2019 the Australian Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which creates a framework for a national Consumer Data Right (the "CDR") that will provide consumers with further rights to data portability (outside of the Privacy Act). The CDR gives consumers the right to access specified categories of data held about them by designated organisations and efficiently transfer that data to accredited third parties.
Under the CDR regime, designated sectors of the economy will be required to respond to requests from CDR consumers to transfer "CDR data", which will include any datasets that the Treasurer specifies under a designation instrument. The CDR is being rolled out in stages, beginning with the banking sector from 1 July 2020, followed by the energy and telecommunication sectors.
CDR consumers include individuals and businesses who are identifiable or reasonably identifiable from CDR data (which is broader than the remit of personal data about a reasonably identifiable individual under the Privacy Act). Designated organisations will be required to disclose CDR data in machine-readable form to accredited third parties, and in human-readable form to CDR consumers on request.
Right to be forgotten
Data subjects in Australia do not have a right to have their personal data erased, although the Federal Government is considering the potential introduction of a right to erasure as part of its review of the Privacy Act.
The closest thing to a right of this nature in Australia is the data subject's right under APP 13, which grants data subjects a right to request to have their personal data corrected. An organisation must take reasonable steps to confirm and correct any personal data if it is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If an organisation refuses to correct personal data, it must give reasons to the data subject who has requested such correction and information about the mechanisms available to complain about the refusal.
Further, under APP 11.2, if an organisation holds personal data about a data subject and the organisation no longer needs it for any purpose for which it may be used or disclosed under the APPs, it must in most cases take reasonable steps to destroy or de-identify the information (see further under 'Security' below).
Objection to direct marketing
The APPs provide that organisations must not use or disclose personal data for direct marketing unless an exception applies.
The first exception applies where: (i) the organisation collected the data from the data subject (and the information was not sensitive information); (ii) the data subject would reasonably expect the organisation to use or disclose the information for direct marketing; (iii) the organisation provides a simple means by which the data subject can "opt out" of the direct marketing communications; and (iv) the data subject has not made a request to opt out.
The second exception applies where: (i) the personal data has been obtained from third parties or the data subject would not reasonably expect the data to be used for direct marketing; (ii) the data subject has given its consent to the use of the personal data for direct marketing (or it is impracticable to obtain that consent); (iii) the organisation provides a simple means by which the data subject can "opt out" of the direct marketing communications; (iv) each direct marketing communication contains a prominent "opt-out" notice; and (v) the data subject has not made a request to opt out.
The third exception applies where the personal data is sensitive information and the data subject has given their consent to the use or disclosure of the personal data for direct marketing.
A fourth exception applies for organisations contracted or sub-contracted under a government contract to provide services to the Commonwealth or a State or Territory. This includes, for example, contractors who provide services to Ministers or Departments.
APP 7 does not apply to the extent that the Do Not Call Register Act 2006 (Cth) or the Spam Act 2003 (Cth) apply. These Acts are described in more detail below (see “ePrivacy – Marketing and cookies”).
Wherever it is lawful and practicable, data subjects must have the option of not identifying themselves when dealing with the organisation.
As noted above, a data subject may submit a complaint to the Commissioner about an act or practice that may be an interference with the privacy of the data subject. The complaint may then be investigated by the Commissioner.
The Federal Government is undertaking consultation on the potential introduction of a direct right of action to enforce privacy obligations and a statutory tort of privacy as part of its ongoing review of the Privacy Act.
Security requirements in order to protect personal data
APP 11 requires an organisation to take active measures to ensure the security of personal data it holds, and to actively consider whether it is permitted to retain personal data. APP 11 requires organisations to take reasonable steps to protect the personal data they hold from misuse, interference and loss and from unauthorised access, modification or disclosure. APP 11 does not mandate any specific security obligations or standards.
The OAIC, however, has published a "Guide to securing personal information" (the "Guide to Securing Personal Information") which provides non-binding guidance on the reasonable steps organisations are required to take to protect the personal data they hold. According to the guide, reasonable steps require consideration of: (i) the nature of the organisation; (ii) the amount and sensitivity of the personal data held; (iii) the possible adverse consequences for an individual in the case of a breach; (iv) the practical implications of implementing the security measure, including the time and cost involved; and (v) whether a security measure is itself an invasion of privacy. This guide should be read in conjunction with the APP Guidelines and the Commissioner's "Data breach preparation and response" guide, which respectively outline the mandatory requirements of the APPs and the requirements for reporting eligible data breaches under the Privacy Act (see below).
Organisations also need to be aware of other laws (in addition to the APPs) that impose obligations in relation to personal data security. For example, credit reporting bodies and credit providers must comply with Part IIIA of the Privacy Act and the registered Credit Reporting Code, which require certain steps to be taken to maintain the security of credit reporting information. Likewise, a tax file number recipient must comply with the Privacy (Tax File Number) Rule 2015, and health care providers must comply with various health records acts.
Specific rules governing processing by third party agents (processors)
There are no specific rules governing the handling of personal data by third parties. The obligation placed on organisations under APP 11 to take reasonable steps to protect personal data from misuse, interference and loss and from unauthorised access, modification or disclosure, has the effect of requiring those organisations to take reasonable steps to ensure that any third party handling personal data on their behalf also takes the same or equivalent steps to protect that personal data. Ordinarily, this is satisfied by the first organisation imposing contractual requirements on the third party service provider / processor to handle any personal data received from the first organisation in accordance with the APPs and any additional data security requirements specified by the first organisation (including notification requirements in relation to actual or suspected data breaches).
The Guide to Securing Personal Information referred to above also provides non-binding guidance in relation to the processing of personal data by third parties, as well as specific guidance in relation to third party providers of cloud computing. In particular, the OAIC states that to comply with APP 11, organisations must assess the security controls of the third party cloud computing provider, which may include consideration of their governance arrangements, controls relating to software security, access security and network security.
Notice of breach laws
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amended the Privacy Act to incorporate a mandatory notifiable data breaches regime (the "NDB Scheme") that requires organisations to notify the Commissioner and affected data subjects if they believe that there has been an "eligible data breach".
An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, personal data held by an entity, and the relevant entity has reasonable grounds to believe that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. In this event, an entity must provide a statement to the Commissioner as soon as practicable, and must notify affected data subjects and/or data subjects at risk of serious harm as soon as practicable after notifying the Commissioner. The Commissioner may also direct an entity to make a notification in respect of an eligible data breach.
An exception to the notification requirement applies where an entity has taken remedial action early enough for serious harm not to have occurred or not to be likely to still occur.
Organisations that have reasonable grounds to suspect that an eligible data breach may have occurred also have obligations under the NDB Scheme to promptly assess the situation and determine whether or not there has been an eligible data breach. An organisation must take all reasonable steps to complete this assessment within 30 calendar days from the time it first became aware of the relevant grounds for the suspicion.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
As APP 8 regulates the “disclosure” of personal data overseas (as opposed to the “transfer” of information), APP 8 applies whenever an organisation makes personal data available to entities located outside Australia, even where the information continues to be stored in Australia.
APP 8 provides that, prior to disclosing personal data to a recipient who is located outside Australia, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal data. This requirement does not apply if either: (i) the overseas recipient is bound by a law or binding scheme that is substantially similar to the APPs that the data subject can enforce; (ii) the data subject consents to the disclosure of the personal data in the particular manner prescribed by APP 8; or (iii) another exception applies (for example, that the disclosure of the personal data is required by Australian law).
Obtaining the consent described above can be difficult because it requires the organisation to expressly inform the data subject that once disclosed, the organisation will not be accountable, and the individual will not be able to seek redress, under the Privacy Act, and in many cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the data subject. Accordingly, in most cases the organisation must take "reasonable steps" to ensure that the overseas recipient does not breach the APPs prior to disclosing that information to the overseas recipient. The APP Guidelines indicate that taking "reasonable steps" usually involves the organisation obtaining a contractual commitment from the overseas recipient that it will handle the personal data in accordance with the APPs.
Further, unless an exception applies, the Privacy Act provides that if the overseas recipient does breach the APPs (despite the organisation having taken the "reasonable steps" referred to above), the organisation may be held accountable. This amounts to deemed liability falling upon the organisation for a breach committed by the overseas recipient.
Organisations also need to consider APP 11 when disclosing personal data to overseas recipients. The obligation to take reasonable steps to protect personal data from misuse, interference and loss and unauthorised access, modification or disclosure will apply to the disclosure of personal data to an overseas recipient. Organisations disclosing personal data to overseas recipients will need to ensure that the personal data will continue to be secure once disclosed (unless they have relied on the consent exception described above).
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no additional right for (or obligation on) organisations to disclose personal data overseas on the basis of a prior notification and approval of the Commissioner.
Use of binding corporate rules
There is currently no regulatory mechanism in Australia for organisations to use binding corporate rules in respect of the cross-border disclosure of personal data. However, the existence of any binding corporate rules is relevant to the assessment of compliance with APP 8. As noted above, an organisation may disclose personal information to an overseas recipient without complying with the "reasonable steps" requirement in APP 8 where the overseas recipient is subject to a law or binding scheme that is substantially similar to the APPs. This includes where the overseas recipient is subject to binding corporate rules.
The Commissioner may apply to the Federal Court or Federal Circuit Court for an order that the organisation pay a penalty of up to $444,000 for individuals or $2,220,000 for corporations for "serious" or "repeated" interferences with privacy. These penalties constitute regulatory fines and cannot be used to compensate data subjects for breaches of the Privacy Act.
The Federal Government has proposed, in its exposure draft of the Online Privacy Bill, an increase to the maximum penalties for corporations under the Privacy Act from $2,220,000 to the greater of the following: (1) $10 million; (2) three times the value of the benefit gained by the company through misusing the personal data; or (3) 10 per cent of the company's annual domestic turnover.
Additionally, as part of its ongoing review of the Privacy Act, the Federal Government is seeking to bolster the Commissioner's regulatory and enforcement toolkit by granting it a suite of enhanced powers, including a proposal to provide the Commissioner with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches. Unlike the existing fines regime, the infringement notice powers would not require the Commissioner to take a case to the Federal Court in order to impose a pecuniary penalty.
A breach of the Privacy Act does not result in criminal penalties. The Commissioner does not have the power to apply to a court for a criminal penalty (including imprisonment) for a contravention of the Privacy Act, or for a "serious" or "repeated" interference with privacy.
In response to complaints made by data subjects, the Commissioner has the power, among other things, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation or to make a determination which includes declarations that: (i) the data subject is entitled to a specified amount to reimburse the data subject for expenses reasonably incurred in connection with the making and investigation of the complaint; (ii) the data subject is entitled to a specified amount as compensation; (iii) the organisation has engaged in conduct constituting an interference with the privacy of a data subject and that it must not repeat or continue such conduct; (iv) the organisation take specified steps within a specified period to ensure that such conduct is not repeated or continued; and (v) the organisation perform any reasonable act or course of conduct to redress any loss or damage suffered by the data subject.
A determination of the Commissioner regarding an organisation is not binding or conclusive. However, the data subject or the Commissioner has the right to commence proceedings in the court for an order to enforce the determination.
The Commissioner also has the power to audit organisations (referred to in the Privacy Act as "assessments"), accept enforceable undertakings, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.
The OAIC has historically taken a conciliatory approach to enforcing the Privacy Act. That position has now altered and the Commissioner has adopted an increasingly robust enforcement posture, characterised by more active enforcement action.
The OAIC's 2020/2021 Annual Report indicates that during that reporting period, the Commissioner issued a record 17 privacy determinations, and where it found interferences with privacy, the remedies included apologies, providing access to personal data, correcting personal data held, requiring the respondent to assess and report on compliance with the Privacy Act through an independent reviewer experienced in privacy matters or an auditor, as well as compensation (ranging from A$1,000 to A$19,980).
During the same period, the Commissioner commenced four privacy-related investigations, conducted 25 privacy assessments and received 975 notifications of data breaches from organisations (including 178 voluntary notifications).
Consistent with the 2019-2020 year, no enforceable undertakings were entered into by organisations in the 2020-2021 year. This contrasts with previous years: two enforceable undertakings were entered into in the 2018-19 year, three in 2017-18, one in 2016-2017 and two in 2015-16. This relatively low overall level of enforceable undertakings reflects the Commissioner's preference to issue determinations (see the increase in the number of determinations above) but contrasts with the higher level of undertakings accepted by the Australian Competition and Consumer Commission ("ACCC") in relation to competition and consumer law issues. Among other things, enforceable undertakings typically require organisations to implement recommendations and rectify deficiencies identified in relation to whether their practices, procedures and systems are reasonable to protect the personal data they hold.
For the first time in its history, the Commissioner commenced civil proceedings in the Federal Court in March 2020 alleging serious and/or repeated interferences with privacy and applying for a civil penalty. These proceedings against the US-based Facebook Inc. and Facebook Ireland are still ongoing.
The ACCC is also taking an active interest in privacy practices. In July 2019, the ACCC released the Final Report from its Digital Platforms Inquiry, which contained a number of recommendations for reform to the Privacy Act to increase penalties for breach and to introduce direct rights of action for individuals. These proposals are under consideration by the Federal Government as part of its review of the Privacy Act.
Ahead of such reform, the ACCC has relied on existing legislation to address issues of transparency and adequate disclosure when digital platforms collect and use consumer data. It has primarily done this through the prohibition on misleading and deceptive conduct in the Australian Consumer Law ("ACL") in Schedule 2 of the Competition and Consumer Act 2010 (Cth). For example, in April 2021, the ACCC succeeded in its enforcement action against Google LLC and Google Australia Pty Ltd in the Federal Court, where it was found that consumers had been misled about how users' personal location data was collected through mobile devices.
These activities, along with its role as the primary regulator of the CDR regime (see “Rights to data portability” above), suggest that the ACCC is likely to have an increasing role in data regulation in Australia.
ePrivacy | Marketing and cookies
The Spam Act 2003 (Cth) (the “Spam Act”) governs the sending of commercial electronic messages. Its key operative provisions came into force on 10 April 2004.
The Do Not Call Register Act 2006 (Cth) (the “DNCR Act”) and Do Not Call Register Regulations 2006 govern telemarketing and fax marketing. The operative sections of the DNCR Act took effect on 31 May 2007. The Telemarketing and Research Industry Standard 2007 and the Fax Marketing Industry Standard 2011 have also been implemented (from 31 May 2007 and 4 May 2011 respectively) and regulate telemarketing and fax marketing in addition to the DNCR Act.
Although APP 7 deals with direct marketing, the APPs do not apply to the extent that the DNCR Act or the Spam Act apply.
Both the Spam Act and the DNCR Act are regulated by the Australian Communications and Media Authority ("ACMA").
Conditions for direct marketing by e-mail to individual subscribers
The Spam Act requires that all “commercial electronic messages” identify the sender and, unless exempt, be sent with the consent of the recipient and include a functional unsubscribe mechanism.
The Spam Act regulates the sending of commercial electronic messages which have an “Australian link”, which is where: (i) the sending of the message was authorised by a data subject physically present in Australia when the message was sent; (ii) the organisation who sent the message is an organisation whose central management and control is in Australia when the message is sent; or (iii) the relevant electronic account-holder is a person who is physically present in Australia at the time the message is accessed or is an organisation that carries on business or activities in Australia at the time the message is accessed.
Conditions for direct marketing by e-mail to corporate subscribers
The Spam Act does not distinguish between individual and corporate recipients of commercial electronic messages.
Exemptions and other issues
Exemptions from the Spam Act requirements include certain messages authorised by government bodies, registered political parties, religious organisations and charities or charitable institutions, subject to certain conditions. By regulation, facsimile messages are also exempted from the Spam Act requirements. However, fax marketing activities may be covered by the DNCR Act (see below).
Commercial electronic messages may be sent where consent is obtained. Consent may be express or inferred from the conduct of the person and the business or other relationship between the sender and the person. In limited circumstances, consent may be inferred from publication of an e-mail address.
Civil penalties are among the remedies that may apply where an organisation has breached the Spam Act.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The DNCR Act establishes a compulsory Do Not Call Register (the “Register”) of telephone numbers belonging to individuals who have opted out of receiving telemarketing calls. Individuals are able to submit their Australian fixed line or domestic mobile telephone numbers to be recorded on the Register. With some exceptions, it is an offence to make an unsolicited telemarketing call to any registered number. For the purposes of the DNCR Act, “telemarketing call” is defined as a voice call (including recorded or synthetic voices) to a telephone number, where that telephone call is for a commercial purpose.
The DNCR Act allows organisations seeking to make or authorise telemarketing calls to submit a list of Australian telephone numbers to the ACMA for checking against the Register so as to identify and eliminate from that list the telephone numbers of those people who have listed their telephone number on the Register – a practice known as “washing”. For a certain period, a “washed” list may be relied upon by the person who submitted it as a list of telephone numbers to which telemarketing calls may be made without breaching the DNCR Act.
Telemarketing activities applying to numbers not entered on the Register or conducted by organisations not subject to the DNCR Act are governed by the Telemarketing and Research Industry Standard 2017 (the “TRCI Standard”). The TRCI Standard establishes minimum standards in relation to the hours and days that telemarketing and research calls are able to be made, the nature, purpose and source of telemarketing or research calls, the termination of telemarketing calls upon the request of the recipient and the provision of calling line information.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
An Australian number is eligible to be entered on the Register if it is: (i) used or maintained primarily for private or domestic purposes; (ii) used or maintained exclusively for transmitting and/or receiving faxes; (iii) used or maintained exclusively for use by a government body; or (iv) an emergency service number.
Telemarketing calls to corporate subscribers, unless they fall into one of the categories above, are therefore unlikely to be caught by the DNCR Act. Telemarketing activities applying to numbers not entered on the Register or conducted by organisations not subject to the DNCR Act are governed by the TRCI Standard.
Exemptions and other issues
Exemptions from the DNCR Act requirements include calls authorised by government bodies, religious organisations and charities or charitable institutions, subject to certain conditions. However, such entities may be covered by the TRCI Standard when making specific types of telemarketing calls.
Telemarketing calls may be made to a telephone number which is registered on the Register if the relevant person has consented to receiving such calls. Consent may be express or inferred from the conduct of the person and the business or other relationship between the marketer and the person.
Remedies for breach of the DNCR Act include civil penalties and injunctions.