Legal and regulatory framework

Government approach

How can the government’s attitude and approach to internet issues best be described?

The Australian government has generally adopted a progressive attitude towards internet issues; however, as with most jurisdictions, legislative change tends to lag behind the evolving technologies and the legal issues which such technologies create.

Legislation

What legislation governs business on the internet?

While there are no specific laws, considerable litigation arises out of non-compliance with the Consumer Law, which is Schedule 2 of the Competition and Consumer Act 2010 (Cth).

Regulatory bodies

Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?

The most relevant bodies are the Australian Competition and Consumer Commission (e-commerce), the Office of the Australian Information Commissioner (data protection) and the Department of Home Affairs (tariffs).

Jurisdiction

What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?

If goods offered by an overseas supplier over the Internet are downloaded in Australia, Australian consumer protection legislation will be deemed to apply (Valve Corporation v Australian Competition and Consumer Commission (2017) FCAFC 224).

Establishing a business

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

Regulatory and procedural requirements for the establishment of a digital business in Australia do not differ markedly from those applying to the establishment of other businesses.

Contracting on the internet

Contract formation

Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?

The enforceability of clickwrap contracts is determined by traditional common law principles – that is, the customer must have had prior notice of the terms and a person who signs (or clicks) terms is deemed to have read them. There has been little case law in this area, but the courts have not questioned the enforceability of clickwrap terms (see, eg, eBay International AG v Creative Festival Entertainment Pty Ltd (2006) 170 FCR 450).

Applicable laws

Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?

No, no specific laws govern contracting on the Internet.

Electronic signatures

How does the law recognise or define digital or e-signatures?

There is no statutory definition of ‘digital signature’ or ‘e-signature’. However, Section 10 of the Electronic Transactions Act 1999 (Cth) provides that a requirement for a signature can be satisfied electronically if:

  • a method is used which indicates a person’s intention in respect of the information communicated; and
  • the identification method is ‘as reliable as appropriate for the purpose’.

Data retention

Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?

There are no specific data retention or software legacy requirements in relation to the formation of electronic contracts.

Breach

Are any special remedies available for the breach of electronic contracts?

No special remedies apply in relation to the breach of electronic contracts in Australia.

Security

Security measures

What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?

Encryption is not mandated by statute and, unlike in many countries, there are no controls on importing encryption software or hardware or using it domestically. However, there are controls on the export of this material. Encryption hardware and software are identified as ‘controlled goods’ in Part 2, Category 5/2 of the Defence and Strategic Goods List (set out under Section 112 of the Customs Act 1901 (Cth)).

Notably, in November 2018 the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234 (Information Security) to ensure that APRA-regulated entities have appropriate information security capabilities in place.

Government intervention and certification authorities

As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?

Certification keys are permitted but not expressly regulated.

Electronic payments

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Australia has a voluntary code of practice (known as the e-Payments Code), which regulates electronic payments. Financial institutions and other providers of electronic payment facilities can opt to comply with the code. However, the Australian Securities and Investments Commission ‘expects’ Australian financial services licence holders to comply.

Are there any rules or restrictions on the use of digital currencies?

In April 2018 new laws for digital currency exchange providers operating in Australia were implemented by the Australian Transaction Reports and Analysis Centre (AUSTRAC), Australia’s financial intelligence agency and anti-money laundering and counter-terrorism financing (AML/CTF) regulator. As a consequence, business operations located in Australia must now register with AUSTRAC and meet the government’s AML/CTF compliance and reporting obligations.

Domain names

Registration procedures

What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?

The registration of domain names in Australia is governed by the .au Domain Administration (auDA). From October 2019 new auDA licensing rules will apply. Non-residents can register a domain name in Australia if they own a trademark application or registration for a word mark that exactly matches the domain name.

Rights

Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?

A domain name can be used as a trademark. Use of a domain name can infringe a trademark and may constitute passing off (or misleading and deceptive conduct in breach of Section 18 of the Consumer Law).

Trademark ownership

Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?

Yes, ownership of a trademark regularly forms the prime basis for challenging a ‘pirate’ registration of a similar domain name.

Dispute resolution

How are domain name disputes resolved in your jurisdiction?

Domain name disputes in Australia are resolved under the .au Dispute Resolution Policy, administered by the auDA. The policy is based on the ICANN Uniform Domain Name Dispute Resolution Policy.

Advertising

Regulation

What rules govern advertising on the internet?

Self-regulation applies. Specifically in relation to internet advertising, the Australian Association of National Advertisers (AANA), the Interactive Advertising Bureau (IAB) and the Media Federation of Australia (MFA) promote the Australian Digital Advertising Practices in conjunction with advertisers, media agencies and digital publishers. The boards of the AANA, the IAB and the MFA collectively endorse the Australian Digital Advertising Practices and encourage their use.

Definition

How is online advertising defined? Could online editorial content be caught by the rules governing advertising?

This is a question of fact in each case. There is no reason why editorial content could not be classified as advertising in appropriate circumstances.

Misleading advertising

Are there rules against misleading online advertising?

Apart from the voluntary codes of practice applicable to advertisers, the Consumer Law prohibits false and misleading conduct, including misleading advertisements. The Australian Competition and Consumer Commission regularly takes action against internet advertisers in relation to misleading online ads. For example, in May 2018 the Federal Court of Australia imposed substantial penalties on an online advertising company and its sole director for unconscionable conduct regarding its sales strategy (Australian Competition and Consumer Commission v ABG Pages Pty Ltd ([2018] FCA 764)). In this case, the advertiser conceded that it had engaged in unconscionable conduct by misleading potential customers about the number and nature of the businesses which had been advertised on its directory.

Restrictions

Are there any products or services that may not be advertised on the internet?

There are no advertising prohibitions specific to the Internet in Australia.

Hosting liability

What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?

There has been ongoing debate as to the extent to which search engines are responsible for misleading conduct in sponsored links. In 2013 the High Court of Australia determined that Google was no different from other intermediaries (eg, newspaper publishers or broadcasters) that display or transmit advertisements placed by others; thus, the court found that Google was not responsible for sponsored links chosen by advertisers (Google Inc v Australian Competition and Consumer Commission ([2013] HCA 1)).

In 2018, the Federal Court of Australia granted an injunction under the Copyright Act 1968 to compel ISPs to block online access to certain domain names which were streaming unauthorised copyright protected content (Television Broadcasts Limited v Telstra Corporation Limited ([2018] FCA 1434)).

Financial services

Regulation

Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?

The advertising or selling of financial services via the Internet does not attract specific regulation over and above the general restrictions which apply to advertising through other media. These general restrictions essentially focus on the need to avoid engaging in misleading or deceptive conduct in breach of the Consumer Law. The Australian Securities and Investments Commission has helpfully issued Regulatory Guide 234 – Advertising financial products and services (including credit): Good practice guide.

Defamation

ISP liability

Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?

An ISP can be liable for defamation as a secondary publisher if it can be demonstrated that it had knowledge of the defamatory material and failed to discontinue the publication despite having the power to do so. An ISP will not be liable if its role can be shown to be the passive provision of access to a telephone network. Search engines are more vulnerable as their role is regarded as less passive, at least following notification of the existence of defamatory material (see, eg, Duffy v Google Inc ([2015] SASC 170) and Google Inc v Trkulja ([2016] VSCA 333)).  A media organisation can be liable for defamatory comments on its Facebook page which were posted by a third party (Voller v Nationwide News Pty Ltd ([2019] NSWSC 766)).

Shutdown and takedown

Can an ISP shut down a web page containing defamatory material without court authorisation?

An ISP can shut down a web page containing defamatory material if its terms of service permit it to do so.

Intellectual property

Third-party links, content and licences

Can a website owner link to third-party websites without permission?

Unless it is contrary to the linked website’s terms and conditions of access, a website owner may link to a third-party website without permission. However, by allowing users to access a website and download infringing material, the website owner may be liable for authorising an infringement of copyright (Universal Music Pty Ltd v Cooper ([2005] FCA 984)).

Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?

A website owner may be liable for copyright infringement arising from reproduction of linked material (see, eg, Universal Music Pty Ltd v Cooper ([2005] FCA 984)).

Can a website owner exploit the software used for a website by licensing the software to third parties?

In general, a website owner cannot exploit third-party software by licensing it to another third party unless the licence terms expressly permit it to do so.

Are any liabilities incurred by links to third-party websites?

The most common exposure by linking to a third-party website is the prospect of liability for damages under the Copyright Act 1968 (Cth) in the event that the hyperlink facilitates the infringement of copyright. An example would be linking to a website which distributes infringing products. In extreme cases, additional (or penalty) damages may be awarded pursuant to Section 115(4) of the act (see Universal Music Pty Ltd v Cooper ([2005] FCA 984)).

Video content

Is video content online regulated in the same way as TV content or is there a separate regime?

Online video and TV content are both regulated by the Broadcasting Services Act. Other laws apply only to online content – for example, the Broadcasting Services (Online Content Service Provider Rules) 2018 which relate to gambling ads during livestreamed sports events.

IP rights enforcement and remedies

Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?

The Australian Competition and Consumer Commission has the power to conduct dawn raids for suspected infringements of the Competition and Consumer Act, including for misleading and deceptive conduct, which may involve IP infringement. In IP disputes, rights holders can obtain freezing injunctions (known as Mareva orders) by court order.

What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?

Civil remedies for IP owners generally include:

  • damages or an account of profits (at the election of the rights holder);
  • injunctions;
  • orders for delivery up or destruction; and
  • declarations.

Search orders (known as Anton Piller orders) and freezing injunctions are available but not easily obtainable.

Data protection and privacy

Definition of ‘personal data’

How does the law in your jurisdiction define ‘personal data’?

The Privacy Act 1988 (Cth) defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable, (a) whether the information is true or not and (b) whether the information is recorded in a material form or not’.

The definition of ‘personal information’ has been given a restricted interpretation by the Full Court of the Federal Court, which considers the words ‘about an individual’ to exclude information (eg, an IP address) which is created for a distinct technical purpose (eg, the creation of a communications protocol) and not for the purpose of identifying an individual (Privacy Commissioner v Telstra ([2017] FCAFC 4)).

Additional constraints apply to the use of ‘sensitive information’, which is a sub-category of personal information. Sensitive information includes information about a person’s racial or ethnic origin, political affiliations, religious beliefs, sexual orientation, criminal record or health. Further, sensitive information:

  • can be collected only with the individual’s consent;
  • can be used only for purposes directly relating to the primary purpose of collection; and
  • cannot be used for direct marketing without the individual’s consent.

Anonymised or pseudonymised information will not be considered personal information.

Registration requirements

Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?

There is no requirement for parties involved in the processing of personal data (eg, website owners) to register with any regulator to process personal data. Further, there is no requirement to appoint a data protection officer.

Cross-border issues

Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?

Section 5B of the Privacy Act 1988 has extra-territorial operation. It applies to acts conducted outside Australia by organisations with an ‘Australian link’, meaning in effect that the activities of Australian entities operating outside Australia are regulated, as are foreign entities which carry on business in Australia or which collect personal information in Australia.

Restrictions apply to the overseas transfer of personal information. Overseas transfers, in the absence of the individual’s informed consent, are permissible only if the destination jurisdiction has substantially similar data protection laws or if the transferor has taken reasonable steps to ensure the overseas transferee complies with the Australian Privacy Principles (eg, through a contractual commitment).

Customer consent

Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?

Consent may be express or implied, but it must be informed, voluntary and current. Bundled consent is regarded with caution by the privacy commissioner. An individual must have the capacity to consent, meaning that age, physical and mental disabilities and limited understanding of the English language will be taken into account. There is no minimum age, but the privacy commissioner considers that children under 15 generally lack the capacity to consent.

Opt-out mechanisms to infer an individual’s consent will be appropriate only in limited circumstances. According to the privacy commissioner, opt-out may nevertheless be effective if:

  • the option is clearly and prominently presented;
  • the individual understands the implications of not opting out; and
  • the option was not bundled with other purposes.

Sale of data to third parties

May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?

The sale of personal data to a third party without the express or implied consent of the individual is permissible only if the individual should reasonably have expected their data to be disclosed in such a manner. Where permissible, there are no prescribed formalities as to whether the transfer should be by sale or licence – this would be a matter for negotiation between the parties.

In a business sale, disclosure of personal information is permissible for the purposes of due diligence; further, the transfer of personal information about employees and customers to the new business owner will be permissible if it is contemplated that the new business will operate in essentially the same way as before.

Customer profiling

If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?

The collection of personal information by website owners for the purpose of advertising to users is regulated by the Privacy Act. The collection of personal information must be relevant to the website owner’s business activities and, in the case of sensitive information, may be collected only with the individual’s consent. The use of such information, once collected, is subject to the constraints on electronic marketing imposed by the Spam Act 2003 and, in the case of hard-copy marketing, by Privacy Principle 7.

Cookies are not the subject of express regulation. They are permissible unless they involve the handling of personal information without the knowledge or consent of an affected individual.

Data breach and cybersecurity

Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?

It is mandatory under Part IIIC of the Privacy Act to report certain data breaches. The privacy commissioner must be notified in the event of an eligible data breach, which is deemed to exist if ‘a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates’. Data subjects must be provided with a copy of the notification given to the privacy commissioner. If this is not practicable, the contents of the notification must be published on the entity’s website. Notification must take place as soon as practicable, allowing for a ‘reasonable and expeditious assessment’ which may take up to 30 days.

Separately, a mandatory data breach notification scheme exists under the My Health Records Act 2012 (Cth) in respect of the unauthorised collection, disclosure or compromise of data contained in an individual’s electronic health record. The My Health Record system is designed to facilitate access, by the healthcare recipient and treating healthcare providers, to a summary of health information about a healthcare recipient.

What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?

The Office of the Australian Information Commissioner has published a helpful guide, Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), in order to advise private sector organisations and government agencies on how to most effectively prepare for and respond to data breaches and cybersecurity threats.

Insurance

Is cybersecurity insurance available and commonly purchased?

Cybersecurity insurance is available in Australia and commonly purchased.

Right to be forgotten

Does your jurisdiction recognise or regulate the ‘right to be forgotten’?

The Privacy Act contains no express ‘right to be forgotten’. A proposal by the Australian Law Reform Commission in 2014 to introduce a new privacy principle to this effect failed to win support. It is a requirement, nevertheless, that personal information should be destroyed or de-identified by an entity if no longer required in connection with its original purpose of collection: Australian Privacy Principle 11.2.

Email marketing

What regulations and guidance are there for email and other distance marketing?

Direct marketing is permitted in hard copy without the individual’s consent if it is impracticable to obtain said consent and no sensitive information is involved. However, an opt-out notice must clearly be displayed (Australian Privacy Principle 7).

Direct marketing in electronic form (ie, email or SMS) is permissible only with the individual’s consent. However, consent may be inferred from a business or other relationship, and in other circumstances listed in Schedule 2 to the Spam Act 2003. All electronic direct marketing communications must be accompanied by a functional unsubscribe facility.

Consumer rights

What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?

The Privacy Act does not adopt the EU concept of express individual rights and freedoms, although a number of similar rights exist. Specifically, the act contains a right of access (Privacy Principle 12) and a right of correction (Privacy Principle 13). There is no right of erasure, although organisations cannot retain personal information if the information is no longer required in connection with the original purpose of collection (Privacy Principle 11.2). Australia has no equivalent of the right to object to automated decision making and (with the exception of the banking industry) no right to data portability.

Taxation

Online sales

Is the sale of online products subject to taxation?

Yes. Locally sold online products are subject to taxation in the same way as other business models. Since 1 July 2017 GST has applied to offshore supplies of digital products, services, rights and other intangibles to Australian customers.

Server placement

What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?

Australian income tax will be payable if the entity has a taxable presence in Australia. The Treasury Laws Amendment (Combating Multinational Tax Avoidance) Act 2015 (Cth), otherwise known as the Multinational Anti-Avoidance Law, took effect from 1 January 2016 and prevents multinationals from escaping Australian tax by using artificial or contrived arrangements to avoid having a taxable presence in Australia.

Company registration

When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?

In Australia, GST – the country's equivalent to VAT – is imposed under the A New Tax System (Goods and Services Tax) Act 1999 (Cth). In broad terms, a company must register for GST if it is an Australian enterprise with a GST turnover (gross income minus GST) of A$75,000. This is subject to various exceptions and nuances. An Australian business number is required to register.

Returns

If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?

On 23 November 2018 the Australian Taxation Office (ATO) published Draft Practical Compliance Guideline 2018/D8, Transfer pricing issues related to inbound distribution arrangements, for public comment. The guideline applies to subsidiaries of multinationals with inbound supply chain arrangements that purchase goods and digital products from related parties and on-sell to customers. This followed a report published by the ATO in December 2017 entitled Tax Corporate Australia which identified key compliance risks associated with the transfer pricing of inbound supply chain arrangements.

Gambling

Legality

Is it permissible to operate an online betting or gaming business from the jurisdiction?

Certain forms of online gambling are illegal. Specifically, the Interactive Gambling Act 2001 (Cth) prohibits the offering of:

  • prohibited interactive gambling products to anyone in Australia;
  • unlicensed iGaming products to Australian customers; and
  • Australian-based iGaming products to other countries.

Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?

The Interactive Gambling Act 2001 (Cth) prohibits most forms of online gambling, ranging from poker machines to roulette, blackjack and online poker. On the other hand, it does not ban motor racing or sports betting.

Notably, the act does not criminalise placing bets on online gambling sites. There are no penalties for Australians using online casinos or online poker sites. The legal minimum age to gamble online is 18 years old.

Outsourcing

Key legal and tax issues

What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?

Tax outcomes from a company’s overseas expansion may depend on its choice of structure and financing arrangements (including the mix of equity, debt and hybrid instruments). There is a risk that payments to overseas providers for services may be considered royalty payments within Australian tax law. Further, the Australian Tax Office has warned that ‘use of interposed holding entities in tax secrecy jurisdictions without a commercial reason or use of artificial financing arrangements to reduce tax may attract our attention’.

Notably, for entities regulated by the Australian Prudential Regulation Authority, risk management practices are prescribed in relation to cloud computing services. These requirements include the adoption of:

  • a change management strategy;
  • an appropriate governance framework;
  • a systematic solution selection process;
  • a measured approach for transitioning;
  • initial and periodic security risk assessments;
  • a considered allocation of responsibility between the provider and the client;
  • ongoing oversight practices;
  • business recovery contingency planning; and
  • a suitable audit and assurance model.

Employee rights

What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?

Employees have rights under the Fair Work Act 2009 (Cth), including redundancy payments calculated based on their length of continuous service with their former employer. Employers can apply to the Fair Work Commission for a reduction if they cannot afford the full redundancy amount. Employees can appeal against an unfair dismissal within 21 days by applying to the Fair Work Commission.

Online publishing

Content liability

When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?

There are no internet-specific rules in this regard. However, if the effect of a mistake discovered by a website provider on its website is to potentially mislead a member of the public, the website provider might be liable under Section 18 of the Consumer Law for engaging in false and misleading conduct. In such cases, steps should be taken to rectify the error and publicise the fact that this has occurred. Statements referring consumers to another website or webpage, or an extraneous document, will be insufficient to correct misleading or deceptive content (see Australian Competition and Consumer Commission v TPG Internet Pty Ltd ([2011] FCA 1254)).

Databases

If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?

Databases are protected under the Copyright Act 1968 (Cth) as ‘compilations’. Extraction of data will not necessarily be an infringement of copyright – it is the compilation, rather than individual items of data, which are protected. Raw data is not protected unless, in context, it represents a substantial part of the protected database (see, eg, Dynamic Supplies Pty Ltd v Tonnex International Pty Ltd ([2011] FCA 362)).

Dispute resolution

Venues

Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?

Some Australian courts have a technology (or the like) division in which the presiding judge primarily focuses on technology cases.

ADR

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

Traditional ADR methods are commonly included in online contracts, but suffer the logistical disadvantages confronting all multinational disputes. Online ADR is still an evolving concept, driven by a perceived need for more affordable access to justice and a need to facilitate the resolution of low-value disputes.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business? (EU JURISDICTIONS ONLY: How do you anticipate the General Data Protection Regulation and the e-Privacy Regulation will impact e-commerce?)

Key topics relevant to e-commerce law in Australia at present include:

  • Mandatory data breach reporting – on 22 February 2018 amendments to the Privacy Act 1988 (Cth) came into effect which introduced mandatory data breach reporting for serious data breaches. The effectiveness of the new scheme is being monitored. The privacy commissioner has released quarterly reports, indicating that on average approximately 250 reports are being received per quarter. These results indicate that the scheme is having a significant impact on business.
  • Access to encrypted data – in December 2018 the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) was passed, amending the Telecommunications Act 1997 to establish frameworks for voluntary and mandatory assistance to law enforcement and intelligence agencies in relation to encryption technologies. The new power has caused concerns both to business and privacy advocates.
  • Electronic health records – from 31 January 2019 Australia’s voluntary online health record sharing scheme (known as the My Health Record scheme and established under the My Health Records Act 2012) adopted a default opt-in approach. This attracted some resistance from members of the public who had concerns about the security of the system, which in turn prompted a significant number of opt-outs. The security of the system will be closely monitored over the next 12 months.
  • Modern slavery – on 1 January 2019 the Modern Slavery Act 2018 (Cth) came into effect, introducing a reporting obligation on Australian businesses with a minimum annual consolidated revenue of A$100 million. The legislation has been criticised for its lack of breadth and depth.
  • Data portability – Australia’s Privacy Act 1988 contains no data portability right equivalent to the General Data Protection Regulation. However, pursuant to the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth), a form of data portability will apply to the banking sector from 1 July 2019.

Law stated date

Correct on

Give the date on which the information above is accurate.

24 June 2019.