Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The Privacy Act 1988 (Cth) (Privacy Act), which was enacted to give effect to Australia’s agreement to implement the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), governs how personal information is handled in Australia by the Commonwealth Government and private sector entities with an annual turnover of at least A$3 million (APP entities). Some small businesses (with a global aggregate group turnover of A$3 million or less) are also covered by the Privacy Act, including private health services providers that hold health information, businesses that sell or purchase personal information, credit-reporting bodies and contracted service providers for a Commonwealth contract.

‘Personal information’ is the conceptual equivalent of PII in other jurisdictions, and is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not. It is still unclear whether metadata, cookies and IP addresses fall within the definition of personal information. However, while it will ultimately depend on the circumstances, the better view is that they are likely to be personal information and best practice in Australia is to align with international practice (which is of course informed by the online behavioural tracking rules in the GDPR). The Privacy Act contains 13 Australian Privacy Principles (APPs), which set out the minimum standards for dealing with personal information and are the foundation of Australian privacy law. They cover the life cycle of the collection, use, storage, disclosure and destruction of personal information. The Privacy Act also includes credit-reporting obligations that govern the way in which personal credit information about individuals must be handled by credit-reporting bodies, credit providers and other third parties.

Further, each Australian state and territory has legislation broadly equivalent to the Privacy Act that regulates the handling of personal information by public sector agencies at the state and territory level.

Australia also has specific legislation that regulates data protection in the health sector, telecommunications sector and consumer credit reporting (as outlined in question 7), and other legislation at the Commonwealth and state level that is relevant to privacy and the use of personal information, including the Spam Act 2003 (Cth) (Spam Act), which regulates electronic marketing, the Do Not Call Register Act 2006 (Cth) (Do Not Call Register Act), which regulates unsolicited commercial calls to listed phone numbers, criminal laws prohibiting unauthorised access to computer systems and various surveillance and listening-devices legislation.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Office of the Australian Information Commissioner (Information Commissioner) is responsible for overseeing compliance with the Privacy Act.

The Information Commissioner has a legislative mandate to conduct education programmes, and can also:

  • conduct investigations in relation to a suspected or actual breach of the Privacy Act (whether in response to a complaint, or as an ‘own motion’ investigation made of its own volition), including by requiring a person to give information or documents or to attend a compulsory conference, and by entering premises to inspect documents;
  • accept enforceable undertakings from an APP entity, the breach of which can lead to a civil penalty;
  • make determinations;
  • seek an injunction regarding any conduct that would contravene the Privacy Act; and
  • seek a civil penalty order from the Federal Court for the imposition of a statutory penalty of up to A$2.1 million for serious or repeated interference with the privacy of an individual.

Additionally, the Australian Communications and Media Authority (ACMA) regulates telecommunications, spam and telemarketing, including industry-specific privacy-related rules discussed below. The ACMA is in charge of enforcing the Spam Act and the Do Not Call Register Act and may:

  • issue a formal warning;
  • require an entity to give a court-enforceable undertaking, the breach of which can lead to a civil penalty;
  • issue infringement notices (which are similar to on-the-spot fines) if it considers there has been a breach of the Spam Act (infringement notices can be up to A$180,000, depending on the basis for issuing the notice);
  • seek an injunction regarding conduct that would contravene the Spam Act; and
  • seek a civil penalty order from the Federal Court for the imposition of a statutory penalty of up to A$2.1 million for repeated breaches of the Spam Act.

The Australian Attorney-General’s Department is responsible for administering lawful assistance to law enforcement agencies under the Telecommunications (Interception and Access) Act 1979, which involves regulating and enforcing privacy-related legislative schemes.

Regulators under the various state-based laws for the public sector have similar powers, but these are generally not relevant for private sector entities in Australia.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

The Information Commissioner is not subject to any strict legal obligations to cooperate with data protection authorities in other countries. However, the Information Commissioner participates in several forums and arrangements to promote best privacy practice internationally, address emerging privacy issues and cooperate on cross-border privacy regulation. For example, the Information Commissioner actively participates in the Asia Pacific Privacy Authorities Forum to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints in the Asia Pacific region.

The Information Commissioner is also co-administrator of the Cross-border Privacy Enforcement Arrangement, which creates a framework for data protection authorities to collaborate and share information in relation to privacy investigation and enforcement across member economies and data protection authorities outside the Asia-Pacific Economic Cooperation area. Similarly, the Global Cross Border Enforcement Cooperation Arrangement encourages enforcement authorities to share information about potential or ongoing privacy investigations and coordinate enforcement activities.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of the Privacy Act can lead to administrative determinations of breach (which may or may not be accompanied by a compensation order), the acceptance of court-enforceable undertakings and, for serious or repeated interferences with privacy, a statutory penalty of up to A$2.1 million for corporations.

Criminal sanctions may also be imposed where an individual or corporation fails to comply with a request or direction given by the Information Commissioner in relation to any investigation run by the Information Commissioner, or any determination regarding a breach of data protection law.

Australia’s Federal Parliament introduced mandatory data breach notification obligations which took effect in February 2018 for all government agencies and businesses that are subject to the Privacy Act. Under this new regime, if a relevant agency or business suspects there has been a data breach that is likely to result in serious harm to any of the affected individuals (an ‘eligible data breach’), subject to some limited exceptions, it must:

  • carry out a ‘reasonable and expeditious’ assessment within 30 days of becoming aware as to whether there has been an eligible data breach; and
  • if an eligible data breach has occurred, notify the Information Commissioner and affected individuals as soon as practicable.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Privacy Act and the APPs apply to all APP entities, which broadly speaking include all Commonwealth Government entities and private sector entities with an annual turnover of A$3 million or more. However, some specific types of businesses or areas of activities are specifically excluded from the application of the Privacy Act, such as public hospitals and healthcare facilities, most public universities and public schools, some media organisations acting in the course of journalism, registered political parties and most small businesses (with an annual turnover of less than A$3 million).

Additionally, employee records relating to current and former employment relationships are expressly excluded from the application of the Privacy Act and the APPs.

It is worth noting that in specific circumstances some small businesses may still be captured by the Privacy Act, including where they are a private sector health provider, a service provider for the Commonwealth Government, a related entity to a business that is covered by the Privacy Act, or if they handle credit-reporting information or sell or purchase personal information.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The Privacy Act governs how personal information is collected, stored and used, regardless of the medium or material that contains or communicates that information. Generally speaking, the Privacy Act and the APPs will apply to any interception, marketing or surveillance activities that involve dealing with personal information.

Additionally:

  • the interception of communications is governed by the Telecommunications (Interception and Access) Act 1979 (Cth). Under this Act, a person must not intercept any communication passing through the telecommunications network without the knowledge of the persons issuing or receiving the communication;
  • the use of monitoring and surveillance devices is governed by various legislation at a federal level as well as at the state and territory level. Generally speaking, the surveillance legislation prohibits the tracking and audio or video recording of any person or activity without the consent of that person or of the person involved in the activity;
  • specific workplace surveillance laws exist in New South Wales, the Australian Capital Territory and, to some extent, in Victoria;
  • commercial electronic messages that are sent to an email address or a phone number accessed in Australia are regulated by the Spam Act; and
  • the practices of telemarketers and fax marketers must comply with the Do Not Call Register Act 2006 (Cth).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

In Australia, further laws and regulations also apply in relation to specific data protection rules and related areas as follows.

Consumer credit reporting is regulated by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014, in addition to Part IIIA of the Privacy Act.

There are also specific data protection rules for the health sector in Australia, including:

  • the My Health Records Act 2012 (Cth), My Health Records Rule 2016 (Cth) and My Health Records Regulation 2012 (Cth), which create the legislative framework for the Australian government’s My Health Record System;
  • the Healthcare Identifiers Act 2010 (Cth), which regulates the use and disclosure of healthcare identifiers; and
  • state and territory health privacy legislation in the Australian Capital Territory, New South Wales, and Victoria, that covers health service providers (including private sector providers) in those jurisdictions:
    • the Health Records (Privacy and Access) Act 1997 (ACT);
    • the Health Records and Information Privacy Act 2002 (NSW); and
    • the Health Records Act 2001 (Vic).

The telecommunications sector is subject to specific data protection rules, including the Telecommunications Act 1997 (Cth), which imposes restrictions on the use and disclosure of telecommunications and communications-related data, and the Telecommunications (Interception and Access) Act 1979 (Cth), which, among other things, regulates the interception of, and enforcement agency access to, the content of communications transiting over telecommunications networks and stored communications (eg, SMS and emails) held on carrier networks.

The following laws apply in NSW and the Australian Capital Territory in relation to workplace monitoring and surveillance: the Workplace Privacy Act 2011 (ACT), Listening Devices Act 1992 (ACT), Workplace Surveillance Act 2005 (NSW) and Surveillance Devices Act 2007 (NSW). In both jurisdictions, this legislation imposes strict requirements on employers to obtain employee permission before performing covert surveillance in the workplace.

Further, general laws on monitoring and surveillance would apply to workplace surveillance and monitoring where relevant. For instance, in addition to the Telecommunications (Interception and Access) Act 1979 (Cth), the Surveillance Devices Act 2004 (Cth) applies to the use of surveillance devices by Australian government agencies, and the following laws at the state and territory level apply variously to the monitoring and surveillance of certain devices such as computers, cameras and electronic tracking devices:

  • the Surveillance Devices Act 2016 (SA);
  • the Listening Devices Act 1991 (Tas);
  • the Surveillance Devices Act 1999 (Vic);
  • the Surveillance Devices Act 1998 (WA); and
  • the Surveillance Devices Act 2007 (NT).

While the Privacy Act does not directly cover workplace surveillance, we note that private sector employers that are subject to the Privacy Act are exempted from complying with the Privacy Act in relation to employee records directly related to the employment relationship between employer and employee. Therefore, to the extent that workplace monitoring and surveillance involves the collection of personal information that is not an employee record - for example, a CCTV video recording or a digital copy of emails that do not relate to the employment of an employee - then the APPs may apply to that personal information.

PII formats

What forms of PII are covered by the law?

The Privacy Act covers all personal information, whether it is true or not, and whether it is recorded in a material form or not.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The reach of the law is not limited to companies based, or operating, in Australia.

The Privacy Act and the APPs will apply to any APP entity that is established in Australia, carries on business in Australia or collects personal information in Australia. This is quite broad and will capture, for example, any APP entity based outside of Australia that collects personal information about an individual located in Australia through a website hosted outside of Australia.

The Spam Act may also potentially apply in relation to any commercial electronic communication sent to an email address or a phone number accessed in Australia.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Although the Privacy Act does not refer to ‘processing’ personal information, it governs the collection, holding, use, disclosure, access to and correction of personal information (which in effect are all treated as a form of processing).

Unlike in other jurisdictions, where there is a clear distinction between data controllers and data processors, the Australian regime does not distinguish between those who control or own personal information and those who process personal information. Instead, the Privacy Act applies to any APP entity that collects, uses or holds personal information (ie, any APP entity that has possession or control of any record or other material that contains personal information).

In practice, this means that parties who would usually consider themselves to be data processors have additional obligations under the Privacy Act beyond those they would normally expect to have.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

There is no such requirement under Australian law. However, the APPs provide that an APP entity may only hold, use or disclose personal information for the primary purpose for which it was collected, or any other purpose that is related to the purpose for which the information was collected. Typically, parties in Australia have a privacy policy that explains the various uses that may be made of personal information so that it can be used for multiple purposes.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

The Privacy Act distinguishes between personal information generally and sensitive information specifically. Sensitive information includes:

  • any information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record;
  • health or genetic information about an individual; and
  • biometric information and templates.

The APPs contain higher standards for the collection and use of sensitive information. Sensitive information:

  • may only be collected with the express consent of the relevant individual, except in specified circumstances;
  • must not be used or disclosed for any purpose other than the purpose for which it was collected, and any other purpose that is directly related to that purpose (provided the secondary purpose would be within the reasonable expectations of the relevant individual); and
  • cannot be shared between members of the same corporate group in the same way that they may share other personal information.

Health information is also subject to additional requirements and restrictions under state, territory and Commonwealth legislation, as outlined above.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes. APP 5 requires APP entities to take such steps as are reasonable in the circumstances to notify the individual of various matters at or before the time their personal information is collected (or, if that is not practicable, as soon as practicable after collection). These matters include:

  • the identity and contact details of the APP entity;
  • where relevant, the fact that the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order;
  • the purposes for which the information is collected;
  • any other person to whom the APP entity may disclose the personal information;
  • that the entity’s APP privacy policy contains information about how the individual may access and correct their personal information, or complain about a breach of the APPs (and how the entity will deal with such a complaint); and
  • whether the entity is likely to disclose the personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located.

APP entities usually comply with this requirement by having a privacy policy on their website and providing individuals with a privacy collection statement that notifies the individual of the purpose of collection and other mandatory disclosures, and refers the individual to the APP entity’s privacy policy for more complete details.

Exemption from notification

When is notice not required?

The notification requirement in APP 5 is not an absolute requirement. It requires APP entities to take such steps as are reasonable in the circumstances to notify the individual (see question 13). This means that an APP entity does not have to notify the individual if it would be unreasonable or impracticable to do so. The Information Commissioner has indicated that the circumstances in which it would be reasonable for an APP entity not to notify an individual include where notification is impracticable (including where the time and cost outweighs the privacy benefits), notification would jeopardise the purpose of collection, notification may pose a serious threat to the health and safety of a person or public health and safety, or where the APP entity collects information from the individual on a recurring basis.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Not specifically. As discussed in question 11, personal information must only be used for the purpose for which it was collected or reasonably related purposes; however, this does not extend to giving individuals choice or control over its use. However, individuals must be given access to their information on request, and must be able to direct that information be updated where it is no longer accurate (subject to some exceptions).

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes. An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects, holds, uses or discloses is accurate, up to date, complete and, having regard to the purpose of the use or disclosure, relevant. The reasonable steps that an APP entity should take will depend on the sensitivity of the information, the nature of the APP entity (ie, its size, resources and business model), the possible adverse consequences for the relevant individual if the quality of the information is not ensured and the practicability and cost of taking such steps.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

There is no specific limit on the amount of information that may be collected, or the period for which it may be held, but there are general principles that impose limits on similar grounds.

Personal information must only be collected to the extent it is reasonably necessary for the purposes of the APP entity’s activities. Also, APP entities must take reasonable steps to destroy or permanently de-identify personal information if that information is no longer needed for any purpose for which it was collected or for a related purpose (unless it is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information).

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes. An APP entity can only use or disclose personal information for the purpose for which it was collected or for a related purpose (or directly related purpose in the case of sensitive information). These purposes are usually determined by reference to the purposes disclosed in the APP entity’s privacy policy.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

As discussed above, generally speaking personal information may only be used for the purposes disclosed in the APP entity’s privacy policy or any related purposes. There are also general exceptions that allow for further uses, including where an individual has given their consent, where the use or disclosure is required or authorised by Australian law or by a court (including tribunals and enforcement bodies), where the information is used to prevent a serious threat to the life or health of a person or for research or statistical analysis that is relevant to public health or public safety, or where personal information (other than sensitive information) is disclosed to a related entity within the same corporate group.

These exceptions do not apply to the use or disclosure by an APP entity of personal information for the purpose of direct marketing or of government-related identifiers (such as tax file numbers or social security numbers).

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

An APP entity must take such steps as are reasonable in the circumstances to protect the personal information it holds or controls from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. This is not an absolute standard and varies with the circumstances, which include the nature of the APP entity, the amount and sensitivity of the personal information, the possible adverse consequences for an individual in the case of a breach, the practicability and cost of implementing security measures and whether a security measure is in itself privacy-invasive.

There are additional information security requirements for credit-reporting bodies, credit providers and some tax and healthcare services providers.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

As discussed above, Australia’s Federal Parliament introduced new mandatory data breach notification obligations which took effect in February 2018 for all government agencies and businesses that are subject to the Privacy Act. Under this new regime, if a relevant agency or business suspects there has been a data breach that is likely to result in serious harm to any of the affected individuals (‘eligible data breach’), subject to some limited exceptions, it must:

  • carry out a reasonable and expeditious assessment within 30 days of becoming aware as to whether there has been an eligible data breach; and
  • if an eligible data breach has occurred, notify the Information Commissioner and affected individuals as soon as practicable.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

The Privacy Act does not require an APP entity to appoint a data protection officer, although it is generally accepted best practice to have at least a person or department responsible for data security and privacy-related matters. This person or department would be the first point of contact for any queries or complaints from the public or the Information Commissioner.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

While the Privacy Act does not outline specific internal process or documentation requirements, there are some obligations under the Privacy Act that are demonstrably easier to prove with appropriate records.

Notably, APP 1 requires APP entities to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. The Information Commissioner has released a Privacy Management Framework that outlines four steps it expects APP entities to take to meet their ongoing compliance obligations under APP 1. Specifically, an APP entity should ensure it:

  • has a culture of privacy and values personal information;
  • develops and implements effective privacy practices, procedures and systems;
  • examines and reviews the effectiveness and appropriateness of its privacy practices, procedures and systems; and
  • tries to anticipate future privacy issues.

In particular, in relation to the second and third points, documentation that demonstrates an analysis of the APPs and the measures taken to comply with them will be a valuable artefact if the Information Commissioner ever conducts an investigation.

Finally, APP 1 requires that all APP entities implement and maintain a privacy policy that must cover various mandatory matters and also describe the company’s information-handling practices generally.

New processing regulations

Are there any obligations in relation to new processing operations?

The Privacy Act does not expressly require a privacy-by-design approach to new data processing operations. However, as set out above, APP 1 requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with their privacy obligations. This requirement is qualified by a ‘reasonable steps’ test, which is intended to give entities the flexibility to implement practices, procedures and systems suited to their circumstances, including the type of personal information collected and the potential adverse consequences if that information were not handled in compliance with the Privacy Act. It is nonetheless recognised that best practice compliance with this principle will involve consideration of privacy-by-design norms.

Additionally, while not expressly required under the Privacy Act, the Information Commissioner strongly encourages entities to carry out privacy impact assessments as part of their risk management process and to ensure compliance with the Privacy Act, and has published a guide to undertaking such privacy impact assessments.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

No registration is required. However, small businesses or not-for-profit organisations not usually covered by the Privacy Act may choose to be treated as an organisation for the purposes of the Privacy Act and therefore be subject to the APPs, in which case they will need to apply to the Information Commissioner to be placed on the public Opt-in Register.

Formalities

What are the formalities for registration?

No registration fee is payable.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Not applicable.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

Not applicable.

Public access

Is the register publicly available? How can it be accessed?

The Opt-in Register is publicly available on the Information Commissioner’s website.

Effect of registration

Does an entry on the register have any specific legal effect?

Entry on the Opt-in Register is a public declaration that an entity agrees to become an APP entity and to be treated as an organisation under the Privacy Act.

Other transparency duties

Are there any other public transparency duties?

As set out above, APP 1 provides that APP entities must manage personal information in an open and transparent way. Relevantly, APP 1 requires APP entities to have a clearly expressed and up-to-date privacy policy, available free of charge and in an appropriate form, about how they manage personal information, including:

  • the kinds of personal information collected and held by the entity;
  • how personal information is collected and held;
  • the purposes for which personal information is collected, held, used and disclosed;
  • how an individual may access their personal information and seek its correction;
  • how an individual may complain if the entity breaches the APPs or any registered binding APP code, and how the complaint will be handled; and
  • whether the entity is likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

The Information Commissioner’s APP Guidelines provide further guidance on the types of information that should be included in a privacy policy.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

Because the Privacy Act does not distinguish between a data ‘controller’ and a data ‘processor’, all transfers and disclosures of personal information to a third party (other than to companies within the same corporate group) are treated the same way, regardless of the purpose of the transfer or disclosure, and an APP entity must comply with the APPs in relation to all such transfers or disclosures.

However, where an APP entity discloses personal information to entities that provide outsourced processing services, it remains liable for any act or practice of the service provider that would breach the APPs.

See the restrictions in relation to cross-border transfer in question 34.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

There are no restrictions on the disclosure of personal information (other than disclosure requirements and purpose limitations, as discussed above).

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

There is no prohibition against ‘disclosing’ personal information outside Australia (disclosure is broader than ‘transfer’ and may include allowing an overseas-based person to access information that is physically stored in Australia), but, under APP 8, an APP entity is required to take reasonable steps to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and the APP entity will be deemed liable for the acts of the overseas entity if those acts would amount to a breach of the APPs in Australia if done by the disclosing entity in Australia.

There is an exception to the ‘deemed liability’ provisions if the relevant individual consents to the disclosure of their personal information outside of Australia and is told that by consenting their information will not be treated in accordance with the APPs. This exception is relatively new and is not widely relied on.

Some categories of personal information are subject to additional rules. In particular, if sensitive information is disclosed overseas, more rigorous steps may be required to ensure the recipient does not breach the APPs, and there are some restrictions on sending information held in the Australian credit-reporting system overseas. Further, the legislation governing Australia’s My Health Record system prohibits My Health Record operators and service providers from holding, taking, processing or handling relevant health records outside of Australia (or enabling others to do so). The transfer of health information between states is also limited by some state and territory health privacy acts.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

An entity does not need to notify or obtain authorisation from any supervisory authority for the cross-border transfer of personal information. However, it must include in its privacy policy a list of all countries to which it is likely to disclose personal information.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Not applicable.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Individuals have the right under APP 12 to request access to their personal information held by APP entities. A reasonable fee may be charged for access, and the APP entity must comply with the request. However, there are circumstances in which such a request can be refused, including where it would pose a serious threat to the life, health or safety of any individual or to public health or safety, where it would have an unreasonable impact on the privacy of other individuals, where granting access would disclose commercially sensitive information, where the request is frivolous or vexatious, or in circumstances relating to legal proceedings and enforcement activities.

Information held by Commonwealth government agencies is subject to public freedom of information laws, but these do not apply to private sector entities.

Other rights

Do individuals have other substantive rights?

An individual may request an APP entity to correct the personal information about that individual, in which case the entity must take reasonable steps to correct the information to ensure that, having regard to the purpose for which the information is held, it is accurate, up to date, complete, relevant and not misleading.

If the individual’s request is not granted, the individual can insist that the entity place a note on its files to the effect that the request has been made and has not been granted.

Further, individuals have the right to deal anonymously with an APP entity or by pseudonym, unless this is impractical for the entity, or the entity is required or authorised by law or a court or tribunal order to deal with identified individuals.

Where an APP entity is authorised to use or disclose personal information for the purpose of direct marketing, it is a condition of the authority that the relevant individual has the right and means to easily request not to receive direct marketing communications from the entity.

As discussed in question 46, from 1 July 2019, consumers in the banking sector (including individuals and business enterprises) will have a data portability right - a ‘Consumer Data Right’. This right is then expected to extend to the telecommunications and energy sectors.

If an individual believes that an APP entity is not handling their personal information in accordance with the Privacy Act, they have a right to lodge a complaint with the Information Commissioner.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Where the Information Commissioner is satisfied that there has been a breach of the Privacy Act, the Commissioner may order a range of remedies, including a declaration that compensation must be paid for any loss or damage suffered because of the act or practice that caused the complaint.

In the case of serious or repeated interference with the privacy of an individual, the Information Commissioner may also seek civil penalty orders before the Federal Court of up to A$2.1 million. An act or practice is an ‘interference with the privacy’ of an individual if it breaches the APPs in relation to personal information about the individual.

Other orders include injunctions and orders to give a public apology. Compensation orders are not subject to any particular monetary limit, but are generally in the low thousands of Australian dollars.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Australian law currently does not allow an individual to make a claim directly against an APP entity for a breach of the Privacy Act. Any complaint about how an APP entity collects and handles personal information must go through the Information Commissioner, who may then take appropriate actions such as investigating the complaint or seeking a court order.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Not applicable.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

Yes, most decisions and orders made by the Information Commissioner can be appealed to and reviewed by the Administrative Appeals Tribunal or the Federal Court, depending on the decision or order.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

It is not clear whether cookies actually satisfy the definition of personal information in Australia. However, it is best practice (and the better view) to treat them as if they were indeed covered by the Privacy Act. Cookie-based marketing activities that involve the collection of personal information are permissible, provided the notice and consent requirements under the APPs are complied with by, for example, describing the activities in the privacy policy.

It is also best practice to comply with the Australian Guideline for Online Behavioural Advertising, which is a self-regulatory guideline for third-party online behavioural advertising. The guideline has been developed by a group of leading business and industry associations in the online advertising sector called the Australian Digital Advertising Alliance, and signatories include leading domestic and international digital businesses.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

As a general requirement, any use of personal information for direct marketing activity must comply with APP 7, which imposes strict rules on what information can be used, and gives individuals the right to opt out of marketing activity.

Additionally, the Spam Act 2003 prohibits the sending of unsolicited commercial electronic messages (spam) without consent. Consent can be express or inferred from business or other relationships (although the courts in Australia have held that these need to be pre-existing relationships). All commercial electronic messages must include a functional unsubscribe facility.

Further, the Do Not Call Register Act 2006 (Cth) prohibits unsolicited telemarketing calls being made and unsolicited marketing faxes being sent to any numbers registered on the Do Not Call Register. Telemarketers, researchers and fax marketers must also comply with enforceable industry standards including the Telemarketing and Research Calls Industry Standard 2007 and the Fax Marketing Industry Standard 2011.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

Cloud services are treated no differently from other services under the Privacy Act. However, by their nature, they are more likely to trigger the ‘overseas disclosure’ requirements described in APP 8, which means that the location of overseas disclosures has to be included in the APP entity’s privacy policy, and a deemed liability regime applies so that the acts of the cloud provider are deemed to be the acts of the information owner.

These issues are typically managed through pre-contractual due diligence to ensure the provider has robust data-handling practices, and through contractual measures that flow down the requirements of the Privacy Act to the cloud service provider, together with general obligations to take reasonable steps to secure the information, restrictions on the purposes for which the information can be used, and a requirement to notify the APP entity of any breaches.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

In August 2018, draft legislation was introduced to create a data portability right - the ‘Consumer Data Right’. With this right, consumers (including individuals and business enterprises) will be able to access their information and require that it be shared across service providers. The legislation came into effect on 1 July 2019; however, at this stage it applies only to the banking sector. The federal government has committed that the telecommunications and energy sectors will soon become subject to the Consumer Data Right (as well as, in due course, the rest of the economy).