Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
The legislative framework in Australia is based on both federal laws and state and territory laws.
At the federal level, the collection, use, disclosure and holding of personal information (PI) by an agency or organisation to which the Australian Privacy Principles (APPs) apply, including Australian Commonwealth government agencies and most private organisations (excluding small businesses with an annual turnover of less than A$3 million unless they engage in certain activities – see below), is governed by the Privacy Act 1988 (Cth) (the Privacy Act). The Privacy Act incorporates 13 APPs and facilitates additional obligations being imposed on specific sectors by the registration of additional Privacy Codes such as the Credit Reporting Code.
Most Australian states and territories have adopted their own regimes for collecting and handling PI and for collecting and handling health information that applies to either public sector providers only or both public sector and other health service providers. The state and territory legislative framework is summarised in the table below.
| State/territory | Legislation | Applies to |
| --- | --- | --- |
| New South Wales | | Public sector agencies |
| New South Wales | | Public sector and other health service providers |
| Australian Capital Territory | | Public sector agencies and contracted service providers |
| Australian Capital Territory | | Public sector and other health service providers |
| Victoria | | Victorian public sector and contracted service providers |
| Victoria | | Public sector and other health service providers |
| Tasmania | | Public sector agencies |
| South Australia and Western Australia | No specific privacy legislation | |
| Northern Territory | | Public sector agencies |
| Queensland | | Public sector agencies |
| Queensland | | Any individual or entity |
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
The Privacy Act is administered by the Office of the Australian Information Commissioner.
The Privacy Act grants power to the Information Commissioner to investigate complaints about breaches of the Privacy Act.
As part of an investigation, the Information Commissioner has broad powers to:
- obtain information and documents;
- share information regarding a notified data breach with other domestic and international regulators;
- examine witnesses; and
- issue directions to persons to attend a compulsory conference.
The Information Commissioner also has investigative powers under other statutes, which give the Information Commissioner privacy-related functions, including the power to investigate breaches of the Privacy Safeguards in respect of the Australian Consumer Data Right regime under the Competition and Consumer Act 2010 (Cth).
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
The Privacy Commissioner is not required to cooperate with data protection authorities overseas. The Commissioner has entered into memorandums of understanding (MOUs) with the Singaporean Personal Data Protection Commissioner, the United Kingdom Information Commissioner and the Irish Data Protection Commissioner. They outline frameworks between authorities to assist each other with the enforcement of laws protecting PI. They specifically exclude the sharing of PI.
Domestically, the Privacy Commissioner has entered into MOUs with government agencies and regulators such as the Australian Competition and Consumer Commission and the Australian Digital Health Agency to perform specific services in relation to data privacy.
Since December 2022, with the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), the Privacy Commissioner has had expanded powers to share information regarding notified data breaches with other regulators, both domestic and international, with the aim of facilitating the investigation of, and the taking of appropriate action in respect of, privacy breaches, threats and risks.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Failure to comply with the Privacy Act may result in proceedings being brought for the imposition of a civil penalty by the Information Commissioner. Some offences under the Privacy Act may lead to criminal prosecution and penalties. The Information Commissioner may also apply for enforceable undertakings and injunctions.
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Notwithstanding state and territory-based legislation covering private and public health service providers, the Privacy Act 1988 (Cth) (the Privacy Act) covers all federal government agencies, and all private organisations with an annual turnover of more than A$3 million. The Privacy Act also covers some businesses with a turnover of A$3 million or less, including:
- private sector health providers;
- businesses that purchase personal information (PI);
- credit reporting bodies;
- contracted service providers for Australian government contracts;
- employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009;
- businesses that hold accreditation under the Consumer Data Right system;
- businesses that have opted in; and
- businesses that are related to a business covered by the Privacy Act.
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
The Privacy Act does not regulate interception of communications or monitoring and surveillance of individuals. It regulates direct marketing (including direct electronic marketing).
The Telecommunications (Interception and Access) Act 1979 (Cth) outlines the general prohibition on intercepting communications passing over telecommunications systems, with exceptions.
The Surveillance Devices Act 2004 (Cth) establishes procedures for law enforcement officers to obtain warrants, emergency authorisations and tracking device authorisations for the installation and use of surveillance devices.
The Spam Act 2003 (Cth) regulates commercial emails and SMS messages by prohibiting their transmission (except with the recipient’s consent) and ensuring that any permitted emails and messages contain certain information about the sender and a functional unsubscribe facility.
The Do Not Call Register Act 2006 (Cth) prohibits making unsolicited telemarketing calls or sending unsolicited marketing faxes to numbers on the Do Not Call Register, except with the recipient’s consent.
State-based Acts restrict usage of ‘surveillance devices’, including in the workplace.
Other laws
Are there any further laws or regulations that provide specific data protection rules for related areas?
There are several additional laws protecting specific types of data, detailed below.
The My Health Records Act 2012 (Cth) specifies which entities can collect, use and disclose information in the My Health Record system. It also sets out the penalties that can be imposed for improper collection, use and disclosure of such information.
The Australian Prudential Regulation Authority (APRA) regulates authorised deposit-taking institutions in Australia. APRA has established Prudential Standard CPS 234 that requires all APRA-regulated entities to take measures to be resilient against information security incidents. In particular, authorised deposit-taking institutions must take steps to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets.
Thirteen privacy safeguards in Part IVD of the Competition and Consumer Act 2010 (Cth) apply to the handling of PI collected through Australia’s Consumer Data Right regime, largely in substitution of the Australian Privacy Principles. These safeguards set out the privacy rights and obligations for consumers, data holders and accredited data recipients through the regime, including strict requirements in relation to consent.
PI formats
What categories and types of PI are covered by the law?
PI under the Privacy Act is information or an opinion about an identified individual or an individual who is reasonably identifiable, regardless of whether the information or opinion is (1) true or (2) recorded in material form.
The above definition is expansive and, as the Full Federal Court made clear in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4, captures all information or opinions about an individual and can include digital and paper records as well as, in some cases, metadata.
Extraterritoriality
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
The Privacy Act has extraterritorial effect provided that the relevant entity has an ‘Australian link’. An entity has an Australian link if it is:
- an Australian citizen;
- a person whose continued presence in Australia is not subject to a limitation as to time imposed by law;
- a partnership formed in Australia;
- a trust created in Australia;
- a body corporate incorporated in Australia; or
- an incorporated association with its central management and control in Australia or an external Territory.
However, an organisation also has an Australian link if the following apply:
- the organisation is not one of the above; and
- the organisation carries on business in Australia.
In Facebook Inc v Australian Information Commissioner [2022] FCAFC 9 (7 February 2022) the court held that it is possible for an entity to carry on business in Australia without a physical presence in Australia, and that Facebook was carrying on business in Australia by installing cookies on devices in Australia and providing Australian application developers with an interface known as the ‘Graph API’.
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
All collection, use and disclosure of PI is covered by the Privacy Act and generally no distinction is made between those who control or own PI and those who process PI on behalf of the owners. However, where PI is transferred by one person to another person in circumstances where the first person retains control of the PI (eg, where PI is stored on cloud computing infrastructure hosted by another person), the transfer will generally constitute a use of the PI by the first person, rather than a disclosure by the first person and a collection by the second person.