Oceania

Global Privacy Regulations

Australia

BDO Local Resources

Faith Page | Email | Phone

Law: Privacy Act No. 119 1988 (as amended)

Regulator: The Office of the Australian Information Commissioner (‘OAIC’)

Adequacy Agreement with GDPR: No

Measures Announced

Overview

The OAIC operates at the federal level and is responsible for enforcing privacy compliance across the Australian states and territories. Australia has a federal privacy law, and eight territories have region-specific legislation.

In December 2020, the OAIC called for several changes to the Privacy Act to ensure it remains ‘consistent with Australian values’ and suitable for an increasingly digital world. The regulator stopped short of supporting GDPR-style data regulation and consent management, as the government considers the most significant reforms to Australian privacy law in decades.

The Australian Information Commissioner and Privacy Commissioner released the regulator’s submission to the ongoing review of Australia’s Privacy Act, which includes 70 recommendations[1]. Primarily, the OAIC review considers:

  • the scope and application of the Privacy Act, including the definition of ‘personal information,’ exemptions, and general permitted situations to collect, use and disclose personal information.
  • whether the Privacy Act protects personal information and provides practical frameworks for promoting good privacy practices (e.g., notification, consent, overseas data flows, erasure).
  • whether an individual should have the right to enforce privacy obligations.
  • whether serious invasions of privacy allow for the introduction of torts.
  • the impact and effectiveness of the Notifiable Data Breaches Scheme.
  • the effectiveness of enforcement powers and mechanisms under the Privacy Act and their interaction with other regulatory frameworks.
  • whether it is desirable or feasible to introduce an independent certification scheme to demonstrate compliance with Australian privacy laws.

From 1 July 2020, the consumer data right ('CDR'), introduced by amendments to the Competition and Consumer Act 2010 (Cth) and the Privacy Act, went live for limited data sharing concerning the four major banks (as the first part of the so-called 'open banking regime'). The rest of the banking data subject to CDR must be shared by those big four banks from 1 November 2020. The CDR will then be rolled out progressively in the retail energy and telecoms sectors before, we expect, being rolled out across other sectors where there is significant consumer interaction and thus resulting consumer data.

Since 22 February 2018, the 'notifiable data breaches' provisions of the Privacy Act have required mandatory notification of all 'eligible data breaches' to the OAIC and affected individuals. Ransomware and impersonation fraud are the leading concerns for Australia. From January to June 2021, there were 446 data breaches, of which 43% resulted from cybersecurity incidents[2].

Data Protection Authority Focus

The Privacy Commissioner enforces the Privacy Act and the Australian Privacy Principles (‘APPs’), including receiving and resolving complaints, undertaking own-motion investigations, seeking an enforceable undertaking on the basis of any relevant determination, publishing determinations and decisions, and issuing guidance on the interpretation and enforcement of the Privacy Act and the APPs. The Privacy Commissioner can also seek the imposition of a fine for a serious invasion of privacy or for repeated invasions of privacy (i.e., repeated breaches of the APPs).

[1] Australian Government, Office of the Australian Information Commissioner, Privacy Act Review – Issues Paper.

[2] Australian Government, Office of the Australian Information Commissioner, Data breach report highlights ransomware and impersonation fraud as concerns.