DLA Piper Intelligence

Data Protection
Laws of the World

Law
Australia

Australia regulates data privacy and protection through a mix of federal, state and territory laws. The Federal Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies.

Under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement remedial efforts.

Most states and territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to state government agencies, and private businesses that interact with state government agencies. These acts include: 

  • Information Privacy Act 2014 (Australian Capital Territory)
  • Information Act 2002 (Northern Territory)
  • Privacy and Personal Information Protection Act 1998 (New South Wales)
  • Information Privacy Act 2009 (Queensland)
  • Personal Information Protection Act 2004 (Tasmania), and
  • Privacy and Data Protection Act 2014 (Victoria)

Additional parts of state and federal legislation relate to data protection. For example, the following all impact privacy and data protection for specific types of data or specific activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Further, specific regulators have expressed an expectation that the entities they regulate should have specified data protection measures in place. For example, the Australian Prudential Regulation Authority regulates financial services institutions, and the Australian Securities and Investments Commission regulates corporations generally.

Notably, both the Australian Commonwealth and state governments have expressed an intent to further consider data privacy and protection issues beyond existing legislation, including a focus on protecting minors online. However, the focus of this entry relates to the application of the Privacy Act to private sector entities, which are referred to as “organizations.”

Under the Privacy Act and the APPs, an organization can be any of the following:

  • An individual
  • A body corporate
  • A partnership
  • Any other unincorporated association
  • A trust

Other important privacy and data protection laws

Assistance and Access Act

In late 2018 the federal parliament also passed, with great urgency, a very wide-ranging omnibus amendment act (Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth)) which, ostensibly, provides law enforcement agencies with access to encrypted data for serious crime investigations. However, the legislation may inadvertently have a much broader remit with limited judicial oversight, and it has been the subject of much criticism from local and global technology firms, which have stated that the legislation has the potential to significantly impact security and encryption solutions in Australia. The enacted laws are ambiguous in many areas, and it is likely that the legislation will be further amended in early 2019, reflecting a further review of the operation of the Act by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), with changes including, among other things, the re-wording of several key definitions and the omission of others.

At its heart, the Act allows various agencies to do any of the following:

  • Issue a "technical assistance notice," which will require a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible
  • Issue a "technical capability notice," which will require a communications provider to build new capabilities to assist. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible
  • Make "technical assistance requests," to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating to issues of national interest, national security and law enforcement

Organizations will need to ensure customer terms and conditions deal carefully with the matter of legal compliance and any commitments made to customers generally.

Consumer Data Right

Following a number of policy reviews, including the Productivity Commission's "Data Availability and Use" report and the "Review into Open Banking in Australia," the Commonwealth Government also committed to implement a Consumer Data Right (CDR) in Australia. The regime to implement the CDR has not yet been legislated, although the current draft bill seeks to implement the regime through amendments to Australia's key piece of competition legislation, the Competition and Consumer Act 2010 (Cth).

At its core, the CDR allows a consumer to obtain certain data held about that consumer by a third party, and to require that data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is also intended to improve consumers' ability to compare and switch between products and services, as well as to encourage competition between service providers, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products.

It is currently intended that the big four banks - Westpac Banking Corporation, Australia and New Zealand Banking Group Limited, National Australia Bank and The Commonwealth Bank of Australia - will participate in a pilot of the CDR from July 1, 2019 to January 31, 2020. During the pilot the banks will share product data about credit and debit cards, deposit accounts and transaction accounts, with consumers and FinTechs also invited to take part in the pilot. A full public roll-out in the banking sector is slated for February 1, 2020, with the energy and telecommunications sectors to follow thereafter, and then other sectors across the economy to be added to the CDR over time.

The CDR system covers competition, consumer, privacy and confidentiality matters. As such, it will be regulated by both the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner.

Last modified 28 Jan 2019
Definitions

Definition of personal data 

Personal data (referred to as ‘personal information’ in Australia) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

Definition of sensitive personal data

Sensitive personal data (referred to as ‘sensitive information’ in Australia) means information or an opinion about:

  • Racial or ethnic origin
  • Political opinions
  • Membership of a political association
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Membership of a professional or trade association
  • Membership of a trade union
  • Sexual orientation or practices
  • Criminal record that is also personal information
  • Health information about an individual
  • Genetic information about an individual that is not otherwise health information
  • Biometric information that is to be used for the purpose of automated biometric identification or verification
  • Biometric templates

Last modified 28 Jan 2019
Authority

The Privacy Commissioner, under the Office of the Australian Information Commissioner (OAIC), is the national data protection regulator responsible for Privacy Act oversight.

Last modified 28 Jan 2019
Registration

There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organizations are not required to notify the Office of the Privacy Commissioner of any processing of personal information.

Last modified 28 Jan 2019
Data Protection Officers

Organizations are not required to appoint a data protection officer. However, the Privacy Commissioner has issued guidance recommending that organizations appoint a data protection officer as good practice.

Last modified 28 Jan 2019
Collection & Processing

Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.

Under the Privacy Act, organizations must take reasonable steps to ensure that personal information collected is accurate and up-to-date.

At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

  • The organization's identity and contact information
  • Why it is collecting (or how it will use) information about the individual
  • To whom it might give the personal information
  • Any law requiring the collection of the personal information
  • The main consequences (if any) for the individual if all or part of the information is not provided
  • The fact that the organization's privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organization will deal with such a complaint
  • Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located

Organizations usually comply with these notification requirements by including the above information in a privacy policy and requiring individuals to accept the terms of that privacy policy prior to collecting their personal information.

In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organizations must provide individuals with the required notice on receipt of personal information from a third party, even though they did not collect the personal information directly from the individual. Unlike in Europe, Australian privacy law does not distinguish between 'data processors' and 'data controllers.'

Organizations must not use or disclose personal information about an individual unless one or more of the following applies:

  • The personal information was collected for the primary purpose of such disclosure or a secondary purpose related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organization to use or disclose the information for that secondary purpose.
  • The individual consents.
  • The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the organization.
  • A 'permitted general situation' or 'permitted health situation' exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public.
  • It is required or authorized by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:

  • Each direct marketing communication provides a simple means by which the individual can opt out
  • The individual has not previously requested to opt out of receiving direct marketing communications

The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific commercial electronic messaging requirements are outlined below under the heading “Electronic Marketing.”

The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

  • The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity’s functions or activities.
  • Collection is required or authorized by law or a court/tribunal order.
  • A 'permitted general situation' or 'permitted health situation' exists (for example, where the information is required to establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the public).
  • The entity is an enforcement body and the collection is reasonably necessary for that entity's functions or activities.
  • The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the members of the organization (or to individuals who have regular contact with the organization relating to its activities).

Organizations must provide individuals with access to their personal information held by the organization upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.

Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified individuals.

Last modified 28 Jan 2019
Transfer

Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:

  • The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although it is a step towards ensuring compliance with the 'reasonable steps' requirement).
  • The individual consents to the transfer. However, under the Privacy Act the organization must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information the organization will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs.
  • A 'permitted general situation' applies.
  • The disclosure is required or authorized by law or a court/tribunal order.

Last modified 28 Jan 2019
Security

An organization must have appropriate security measures in place (ie, 'take reasonable steps') to protect any personal information it retains from misuse and loss and from unauthorized access, modification or disclosure. The Privacy Commissioner has issued a detailed 32-page guidance document on what it considers to be reasonable steps in the context of the security of personal information, which we recommend be reviewed and implemented. Depending on the organization, and on how and by which government agency it is regulated, specific requirements or expectations may also exist (as noted above), with which organizations should be familiar. An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.

Last modified 28 Jan 2019
Breach Notification

Entities with obligations to comply with the APPs under the Privacy Act must comply with mandatory reporting requirements under the mandatory data breach notification regime. This regime commenced on February 22, 2018.

The mandatory data breach notification includes data breaches that relate to:

  • Personal information
  • Credit reporting information
  • Credit eligibility information
  • Tax file numbers

In summary, the regime requires organizations to notify the OAIC and affected individuals of "eligible data breaches" (in accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an organization that has suffered an eligible data breach must make a public statement on its website containing the required contents of the notice. 

An "eligible data breach" occurs when the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:

  • Both of the following conditions are satisfied:
    • There is unauthorized access to, or unauthorized disclosure of, the information
    • A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates
  • The information is lost in circumstances where both of the following apply:
    • Unauthorized access to, or unauthorized disclosure of, the information is likely to occur
    • Assuming that unauthorized access or unauthorized disclosure were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates

While "serious" harm is not defined in the legislation, the OAIC has released guidance on how serious harm may be interpreted and assessed by organizations. There are a number of key criteria to examine when determining if "serious" harm is likely to result from a breach which should be assessed holistically and take into account: the kinds of information, sensitivity, security measures protecting the information, the nature of the harm (ie, physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information.

The regime also imposes obligations on organizations to assess whether an eligible data breach has occurred where the organization suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion does not amount to reasonable grounds to believe that an eligible data breach has occurred. Importantly, the OAIC has released guidance indicating that such assessments must be undertaken by organizations within 30 days of any suspected data breach.

There are various exceptions to the requirement to notify affected individuals and/or the OAIC of a data breach, including instances where law enforcement related activities are being carried out or where there is a written declaration by the Privacy Commissioner.

The introduction of the regime has resulted in many organizations requiring detailed contractual obligations from third party suppliers in relation to cybersecurity and the protection of the personal information of their customers / clients. Complementing this regime, the OAIC has also released several guidance notes relating to the regime, covering topics such as the security of personal information. While these are not legally binding, they are considered industry best practice.

Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances. By way of example, in late 2018 the Australian Prudential Regulation Authority (APRA) released a new cross-industry prudential standard, Prudential Standard CPS 234 Information Security (CPS 234), to strengthen APRA-regulated entities' resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234 will apply to all APRA-regulated entities, which are expected to meet the new requirements by July 1, 2019, subject to certain transition periods in the case of information assets managed by third parties. Among other things, CPS 234 will require entities to notify APRA within 72 hours 'after becoming aware' of an information security incident, and no later than 10 business days after 'it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner'. APRA also expects to release a revised CPG 234 Management of Security Risk in Information Technology in the first half of 2019 to provide guidance on the implementation of CPS 234.

Last modified 28 Jan 2019
Enforcement

The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made. Generally, the Privacy Commissioner prefers mediated outcomes between the complainant and the relevant organization. Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure through the OAIC website of the entire investigation report.

The Privacy Commissioner may also investigate any 'interferences with the privacy of an individual' (ie, any breaches of the APPs) on its own initiative (ie, where no complaint has been made) and the same remedies as below are available.

After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the complainant (which can include non-pecuniary loss such as awards for stress and/or humiliation). Furthermore, fines of up to AU$420,000 for an individual and AU$2.1 million for corporations may be requested by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals.

Last modified 28 Jan 2019
Electronic Marketing

The sending of electronic marketing (which is referred to as ‘commercial electronic messages’ in Australia) is regulated under SPAM Act 2003 (Cth) ('SPAM Act') and enforced by the Australian Communications and Media Authority.

Under the SPAM Act a commercial electronic message must not be sent without the prior opt-in consent of the recipient.

In addition, each electronic message (which the recipient has consented to receive) must contain a functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing.

A failure to comply with the SPAM Act (including failing to unsubscribe a recipient who uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AU$2.1 million per day.

Last modified 28 Jan 2019
Online Privacy

There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act and State and Territory privacy laws to online / e-privacy, the collection of location and traffic data, or the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user, the organization must comply with the Privacy Act in respect of the collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers' personal information complies with the Privacy Act, and the Privacy Commissioner has released detailed guidance on this.

Last modified 28 Jan 2019
Contacts
Nicholas Boyle
Partner
T +61 2 9286 8479
Last modified 28 Jan 2019