DLA Piper Intelligence

Data Protection
Laws of the World

Collection & Processing

Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.

Under the Privacy Act, organizations must take reasonable steps to ensure that personal information collected is accurate and up-to-date.

At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

  • The Organization’s identity and contact information
  • Why it is collecting (or how it will use the) information about the individual

  • The entities or types of entities to which it might give the personal information

  • Any law requiring the collection of personal information
  • The main consequences (if any) for the individual if all or part of the information is not provided

  • The fact that the organization’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organization will deal with such complaint
  • Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located

Organizations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for each significant collection of personal information, and providing this to individuals  prior to collecting their personal information.

This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be included in a privacy policy.

In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organizations must provide individuals with required notice on receipt of personal information from a third party, even though they did not collect personal information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between 'data processors' and 'data controllers.'

Organizations must not use or disclose personal information about an individual unless one or more of the following applies:

  • The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organization to use or disclose the information for that secondary purpose.
  • The individual consents.
  • The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the organization.
  • A 'permitted general situation' or 'permitted health situation' exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public.
  • It is required or authorized by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:

  • Each direct marketing communication provides a simple means by which the individual can opt out
  • The individual has not previously requested to opt out of receiving direct marketing communications

The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing.

The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

  • The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity's functions or activities.
  • Collection is required or authorized by law or a court/tribunal order.
  • A 'permitted general situation' or 'permitted health situation' exists (for example, where the information is required to establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the public).
  • The entity is an enforcement body and the collection is reasonably necessary for that entity's functions or activities.
  • The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the members of the organization (or to individuals who have regular contact with the organization relating to its activities).

Organizations must provide individuals with access to their personal information held by the organization upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.

Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified individuals.

Last modified 23 Dec 2021

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

  • processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
  • adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
  • accurate and where necessary kept up-to-date (the "accuracy principle");
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

  • with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
  • where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
  • where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
  • where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
  • where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
  • where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

  • with the explicit consent of the data subject;
  • where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
  • where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
  • in limited circumstances by certain not-for-profit bodies;
  • where processing relates to the personal data which are manifestly made public by the data subject;
  • where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
  • where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
  • where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
  • where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
  • where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  • any link between the original purpose and the new purpose
  • the context in which the data have been collected
  • the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
  • the possible consequences of the new processing for the data subjects
  • the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

  • the identity and contact details of the controller;
  • the data protection officer's contact details (if there is one);
  • both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
  • the recipients or categories of recipients of the personal data;
  • details of international transfers;
  • the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
  • the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
  • where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
  • the consequences of failing to provide data necessary to enter into a contract;
  • the existence of any automated decision making and profiling and the consequences for the data subject; and
  • in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

  1. necessary for entering into or performing a contract;
  2. authorized by EU or Member State law; or 
  3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The BDSG has additional rules regarding processing of special categories of personal data. Contrary to Art. 9 (1) GDPR, processing of such data is permitted by public and private bodies in some cases, see Sec. 22 (1), 26 (3) BDSG. Also, Sec. 24 BDSG determines cases in which controllers are permitted to process data for a purpose other than the one for which the data were collected.

Sec. 4 BDSG provides a special rule for video surveillance of publicly accessible areas. According to the German data protection supervisory authorities as well as the German Federal Administrative Court (Bundesverwaltungsgericht – ‘BVerwG’) and the near unanimous opinion in German legal literature, the provision is not compliant with the GDPR insofar as it regulates surveillance by private bodies (Sec. 4 (1) Nos. 2, 3 BDSG). This is based on the argument that the GDPR does not contain any opening clause on which these deviations from Art. 6 (1) GDPR could be based.

Furthermore, the BDSG provides special rules regarding processing for employment-related purposes in Sec. 26 BDSG. The German legislator has made very broad use of the opening clause in Art. 88 (1) GDPR and has basically established a specific employee data protection regime. These new rules reflect the current German employee privacy rules which also has the consequence that a set of case law of the German Federal Labour Court (Bundesarbeitsgericht – ‘BAG’) will apply. In case the processing is conducted for employment-related purposes it is subject to Sec. 26 BDSG only and a recourse to the general legal grounds set out in Article 6 GDPR is blocked. Personal data of employees can only be processed in the employment context (setting aside some very special cases under the BDSG when it comes to the assessment of the working capacity of the employee and other handling of special categories data as well as exchange of data with the works council) in the following cases:

  • The processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract (Sec. 26 (1) sentence 1 BDSG) (please note that the BAG interprets the predecessor provision broader than Art. 6 (1) (b) GDPR)

  • Employees’ personal data may be processed to detect criminal offenses only if there is a documented reason to believe the data subject has committed such an offense while employed, the processing of such data is necessary to investigate the offense and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason (Sec. 26 (1) sentence 2 BDSG)

  • The processing is based on a works council agreement which complies with the requirements set out Art. 88 (2) GDPR (Sec. 26 (4) BDSG)

  • The processing is based on the employee’s consent in written or electronic form. A derogation from this form can apply if a different form is appropriate because of special circumstances (but this derogation will rarely apply in practice). Moreover, the utilization of consent as basis for the processing is particularly problematic in Germany as Sec. 26 (2) BDSG stipulates requirements in addition to Art. 7 GDPR. If personal data of employees are processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. The German data protection supervisory authorities interpret this provision in a way that employee consent cannot be used for processing of personal data which directly relates to the employment relationship, but only to supplementary services offered by the employer (e.g., private use of company cars or IT equipment, occupational health management or birthday lists).

Notwithstanding, processing of employee personal data for purposes that are not specifically related to employment as such can still be based on Art. 6 (1) GDPR. In particular, controllers that are part of a group of companies may be able to base transfers of data within the group for internal administrative purposes on their legitimate interests in accordance with to Art. 6 (1) f) (as stated by Recital 48 of the GDPR).

The processing of personal data in the context of the provision of telecommunication services is subject to Sec. 9 et seqq. TTDSG. Furthermore, both the content of telecommunications and its detailed circumstances, in particular the fact whether someone is or was involved in a telecommunications process, is subject to the secrecy of telecommunications, Sec. 3 TTDSG. Violations of the secrecy of telecommunications constitutes a criminal offence under the German Criminal Code (Strafgesetzbuch – StGB). 

The processing of personal data in the context of the provision of telemedia (like for example a website or a social network) is subject to specific limitations contained in Sec. 19 et seqq. TTDSG. There are, inter alia, specific requirements regarding the provision of inventory data, passwords or usage data to public authorities in Sec. 22 et seqq. TTDSG.

Last modified 31 Jan 2022
Law
Australia

Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles ("APPs") contained in the Privacy Act apply to private sector entities (including body corporates, partnerships, trusts and unincorporated associations) with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies.

The Privacy Act regulates the handling of personal information by relevant entities and under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement remedial efforts.

Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. These Acts include:

  • Information Privacy Act 2014 (Australian Capital Territory)
  • Information Act 2002 (Northern Territory)

  • Privacy and Personal Information Protection Act 1998 (New South Wales)

  • Information Privacy Act 2009 (Queensland)

  • Personal Information Protection Act 2004 (Tasmania), and

  • Privacy and Data Protection Act 2014 (Victoria)

Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place. For example, the Australian Prudential and Regulatory Authority (“APRA”), which regulates financial services institutions requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 234 Information Security (CPS 234), and the Australian Securities and Investment Commission regulates corporations more generally.

Other important privacy and data protection laws

Assistance and Access Act

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (“AA Act”) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on "Designated Communications Providers". However, the AA Act may inadvertently have a much broader remit with limited judicial oversight, and has been the subject of much criticism from local and global technology firms which have stated the legislation has the potential to significantly impact security / encryption solutions in Australia.

The AA Act allows various agencies to do any of the following:

  • Issue a "technical assistance notice", which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible
  • Issue a "technical capability notice", which requires a communications provider to build new capabilities to assist the agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible
  • Make "technical assistance requests", to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating to issues of national interest, national security and law enforcement

Organizations will need to ensure customer terms and conditions deal carefully with the matter of legal compliance and any commitments made to customers generally.

Consumer Data Right

The Commonwealth Government is in the implementation phases of the Consumer Data Right (“CDR”) following a number of policy reviews including the Productivity Commission's "Data Availability and Use" report and the "Review into Open Banking in Australia".

The CDR allows a consumer to obtain certain data held about that consumer by a third party and require data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers' ability to compare and switch between products and services will be improved, as well as encouraging competition between service providers, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products.

The CDR rules have been implemented in respect of the banking sector in Australia. The energy sector is the next to be added to the CDR, with the telecommunications sector currently scheduled to follow. Other sectors across the economy will be added to the CDR over time.

The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian Competition and Consumer Commission as well as the Office of the Australian Information Commissioner.

Last modified 23 Dec 2021
Definitions

Definition of personal data 

Personal data (referred to as 'personal information' in Australia) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

The Privacy Act currently contains an exemption for “employee records”, such that any records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act.  However there are some further carve outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act (see Enforcement).

Definition of sensitive personal data

Sensitive personal data (referred to as 'sensitive information' in Australia) means information or an opinion about:

  • Racial or ethnic origin
  • Political opinions

  • Membership of a political association

  • Religious beliefs or affiliations

  • Philosophical beliefs

  • Membership of a professional or trade association

  • Membership of a trade union

  • Sexual orientation or practices

  • Criminal record that is also personal information

  • Health information about an individual

  • Genetic information about an individual that is not otherwise health information

  • Biometric information that is to be used for the purpose of automated biometric identification or verification

  • Biometric templates

Last modified 23 Dec 2021
Authority

The Privacy Commissioner, under the Office of the Australian Information Commissioner ("OAIC") is the national data protection regulator responsible for Privacy Act oversight.

175 Pitt Street Sydney NSW 2000

T 1300 363 992

F +61 2 9284 9666

Last modified 23 Dec 2021
Registration

There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organizations are not required to notify the Privacy Commissioner of any processing of personal information.

Last modified 23 Dec 2021
Data Protection Officers

Organizations are not required to appoint a data protection officer. However, the Privacy Commissioner has issued guidance recommending that organizations appoint a data protection officer as good practice.

Last modified 23 Dec 2021
Collection & Processing

Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.

Under the Privacy Act, organizations must take reasonable steps to ensure that personal information collected is accurate and up-to-date.

At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

  • The Organization’s identity and contact information
  • Why it is collecting (or how it will use the) information about the individual

  • The entities or types of entities to which it might give the personal information

  • Any law requiring the collection of personal information
  • The main consequences (if any) for the individual if all or part of the information is not provided

  • The fact that the organization’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organization will deal with such complaint
  • Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located

Organizations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for each significant collection of personal information, and providing this to individuals  prior to collecting their personal information.

This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be included in a privacy policy.

In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organizations must provide individuals with required notice on receipt of personal information from a third party, even though they did not collect personal information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between 'data processors' and 'data controllers.'

Organizations must not use or disclose personal information about an individual unless one or more of the following applies:

  • The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organization to use or disclose the information for that secondary purpose.
  • The individual consents.
  • The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the organization.
  • A 'permitted general situation' or 'permitted health situation' exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public.
  • It is required or authorized by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:

  • Each direct marketing communication provides a simple means by which the individual can opt out
  • The individual has not previously requested to opt out of receiving direct marketing communications

The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing.

The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

  • The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity's functions or activities.
  • Collection is required or authorized by law or a court/tribunal order.
  • A 'permitted general situation' or 'permitted health situation' exists (for example, where the information is required to establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the public).
  • The entity is an enforcement body and the collection is reasonably necessary for that entity's functions or activities.
  • The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the members of the organization (or to individuals who have regular contact with the organization relating to its activities).

Organizations must provide individuals with access to their personal information held by the organization upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.

Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified individuals.

Last modified 23 Dec 2021
Transfer

Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:

  • The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although the use of appropriate contractual provisions is a step towards ensuring compliance with the 'reasonable steps' requirement).
  • The individual consents to the transfer. However, under the Privacy Act the organization must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information the organization will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs.
  • A 'permitted general situation' applies.
  • The disclosure is required or authorized by law or a court/tribunal order.
Last modified 23 Dec 2021
Security

An organization must have appropriate security measures in place (ie, 'take reasonable steps) to protect any personal information it retains from misuse and loss and from unauthorized access, modification or disclosure. The Privacy Commissioner has issued detailed guidance on what it considers to be reasonable steps in the context of security of personal information, which we recommend be reviewed and implemented. Depending on the organization, and how and by which government agency it is regulated, as noted above specific requirements or expectations may also exist and with which organizations should be familiar. An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.

Last modified 23 Dec 2021
Breach Notification

Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under the Privacy Act.

The mandatory data breach notification includes data breaches that relate to:

  • Personal information
  • Credit reporting information
  • Credit eligibility information
  • Tax file numbers

In summary, the regime requires organizations to notify the OAIC and affected individuals of "eligible data breaches" (in accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an organization that has suffered an eligible data breach must make a public statement on its website containing certain information as required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.

An "eligible data breach" occurs when the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:

  • All of the following conditions are satisfied:
    • There is unauthorized access to, or unauthorized disclosure of, or loss of the information

    • A reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates

    • Prevention of the risk of serious harm through remedial action has not been successful

While "serious" harm is not defined in the legislation, the OAIC has released guidance on how serious harm may be interpreted and assessed by organizations. There are a number of key criteria to examine when determining if "serious" harm is likely to result from a breach which should be assessed holistically and take into account: the kinds of information, sensitivity, security measures protecting the information, the nature of the harm (ie, physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information.

The regime also imposes obligations on organizations to assess within 30 calendar days whether an eligible data breach has occurred where the organization suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion does not amount to reasonable grounds to believe that an eligible data breach has occurred.

There are various exceptions to the requirement to notify affected individuals and/or the OAIC of a data breach notification including in instances where law enforcement related activities are being carried out or where there is a written declaration by the Privacy Commissioner.

The introduction of the regime has resulted in many organizations requiring detailed contractual obligations with third party suppliers in relation to cybersecurity and the protection of personal information of their customers / clients. Complimenting this regime, the OAIC has also released several guidance notes relating to the regime which include topics such as the security of personal information and whilst these are not legally binding, they are considered industry best practice.

Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances including under the Prudential Standard CPS 234 Information Security ("CPS 234") which aims to strengthen APRA-regulated entities' resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234  applies to all APRA-regulated entities who  among other things, are required to notify APRA within 72 hours "after becoming aware" of an information security incident and no later than 10 business days after "it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner". 

Last modified 23 Dec 2021
Enforcement

The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made. Generally, the Privacy Commissioner prefers mediated outcomes between the complainant and the relevant organization. Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure through the OAIC website of the entire investigation report.

The Privacy Commissioner may also investigate any "interferences with the privacy of an individual" (ie, any breaches of the APPs) on its own initiative (ie, where no complaint has been made) and the same remedies as below are available.

After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the complainant (which can include non-pecuniary loss such as awards for stress and/or humiliation). Furthermore, fines of up to AU$440,000 for an individual and AU$2.2 million for corporations may be requested by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals.

Following the release of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry report in December 2019, the Australian Government accepted the need for proposed reforms to the Privacy Act. A draft bill has been published which would increase penalties under the Privacy Act to the greater of: AU$ 10 million, three times the value of the benefit obtained through the misconduct, or 10% of annual turnover (as well as introducing the framework for a binding online privacy code for social media and certain other online platforms including data brokerage services and platforms with more than 2,500,000 end users in Australia (excluding customer loyalty schemes). If these changes proceed, they would bring penalties for corporations in line with those already in force under the Competition and Consumer Act 2010 (Cth) for breaches of the Australian Consumer Law. As well as the current prosed changes, a broader review of the Privacy Act is currently being undertaken by the Australian Government, in accordance with the published terms of reference.

Last modified 23 Dec 2021
Electronic Marketing

The sending of electronic marketing (referred to as 'commercial electronic messages' in Australia) is regulated under the Spam Act 2003 (Cth) (“Spam Act”) and enforced by the Australian Communications and Media Authority.

Under the Spam Act, a commercial electronic message (which includes emails and SMS’s sent for marketing purposes) must not be sent without the prior opt-in consent of the recipient.

In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing. Requests to unsubscribe must be processed within 5 business days.

A failure to comply with the Spam Act (including unsubscribing a recipient that uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AU$2.1 million per day.

Last modified 23 Dec 2021
Online Privacy

There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data etc. Specifically, the are no specific legal requirements regarding the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user the organization must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers' personal information complies with the Privacy Act and the Privacy Commissioner has released detailed guidance on this.

Last modified 23 Dec 2021
Contacts
Nicholas Boyle
Nicholas Boyle
Partner
T +61 2 9286 8479
Last modified 23 Dec 2021