Doing Business in Australia: Chapter 22 - Privacy

Privacy Act reforms

Some reforms to the Privacy Act were made in late 2022, particularly in relation to penalties, enforcement and extra-territorial application of the Act.

A broader review of the Act is expected to make further recommendations in 2023. We expect that these recommendations will lead to wide-ranging changes to the Act, including in relation to notice and consent, fairness requirements, high privacy risk activities, individual rights, privacy governance and exemptions. Please check the HSF website for updates on this review.

The Australian Privacy Principles

The Australian Privacy Principles (APPs) apply to private sector organisations with an annual turnover of more than A$3 million and their related companies, as well as some others including health service providers and organisations that trade in personal information. The APPs also apply to Federal government agencies.

The Act extends to the activities of foreign companies in Australia, and to the activities of foreign companies outside Australia, where those companies carry on business in Australia.

The 13 APPs regulate the manner in which any regulated organisation can collect, store, use and disclose personal information. Special provision is made with respect to health and other sensitive information, which includes personal information about racial or ethnic origin, religious beliefs or affiliations, political or philosophical beliefs, membership of a political, professional or trade union or association, sexual preferences or practices, genetic and biometric information and criminal record.

It is important to note that the approach of the Privacy Act differs from the European model in that the Privacy Act does not currently contemplate the roles of, and distinctions between, ‘data controllers’ and ‘data processors’. It is possible that the recommendations expected in 2023 as part of the Privacy Act review may suggest adopting this distinction and otherwise increasing alignment with the European Union’s General Data Protection Regulation (GDPR).

Some exemptions apply, including in certain circumstances relating to employee records, media, government contractors and political parties. These exemptions (and the small business exemption based on annual turnover as described above) are being reassessed as part of the Privacy Act review and recommendations may be made in 2023 to remove or modify them. Most of Australia’s state/territory jurisdictions have their own privacy laws which apply to government agencies in those jurisdictions, generally instead of the Privacy Act, with the exception of TFNs. These requirements may also be passed onto contracted service providers engaged by those agencies.

Credit reporting

Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code apply to Australia’s consumer credit reporting system, under which credit providers contribute to and access the consumer credit histories of individuals held by credit reporting bodies such as Equifax, Illion and Experian. The requirements primarily relate to consumer credit information, but this is sometimes used in connection with commercial credit arrangements, e.g. where sole traders or guarantors are involved.

Tax file numbers

The Privacy Act also deals with the protection of tax file numbers, primarily through the binding Privacy (Tax File Number) Rule issued by the Privacy Commissioner. This Rule also complements some related provisions in tax legislation.

Data breach notification

Entities regulated by the APPs, credit reporting or tax file number requirements are also subject to the ‘notifiable data breaches’ scheme. Entities must promptly notify the OAIC and affected individuals where there is loss of or unauthorised access to or disclosure of personal information, and the incident is likely to result in serious harm.

The Spam Act 2003 (Cth) (Spam Act) regulates the sending of ‘commercial electronic messages’ by anyone (including individuals) in, into or from Australia. In most cases, commercial electronic messages must not be sent without consent, and must include valid contact information and an unsubscribe facility. The collection and use of some automatically harvested lists of email addresses is also banned.

The Do Not Call Register was established in 2006. The types of numbers which may be included on the Register include home phone, personal mobile and fax numbers. Businesses must ‘wash’ their marketing lists against the Register to avoid calling or faxing those numbers, unless consent or another exception applies.

An associated mandatory industry standard regulates telemarketing and market research calls generally, including prohibited calling times, information to be provided during calls, call-termination requirements and the use of calling line identification.

Notwithstanding the fact that the Privacy Act regulates the manner in which all personal information (including health information) is handled, there are additional health records laws in three state/territory jurisdictions: New South Wales, Victoria, and the Australian Capital Territory.

These health privacy regimes have many similarities to the APPs, but go further in some areas including deceased individuals, information access procedures, retention periods and additional requirements for health service providers.

Australia’s e-health records system and government-issued ‘healthcare identifiers’ are also subject to specific privacy requirements.

A number of health-related privacy guidelines have also been published by regulators, including in relation to medical research and genetic information.

Surveillance devices laws

All states and territories have some form of surveillance devices legislation. These laws generally prohibit certain uses of surveillance devices and information obtained using surveillance devices, with some exceptions for law enforcement. Depending on the jurisdiction, these laws may regulate optical surveillance devices (e.g. cameras), listening devices (e.g. microphones), location-tracking devices (e.g. GPS) and data surveillance devices.

Workplace surveillance

Specific workplace privacy legislation exists in New South Wales and the Australian Capital Territory. Those laws regulate overt and covert camera, computer and tracking surveillance, including:

• requirements to provide employees with 14 days’ notice (unless otherwise agreed) of an intention to commence surveillance;
• provision for covert surveillance by order of a Magistrate where unlawful employee conduct is reasonably suspected; and
• prohibition of surveillance in change rooms, bathrooms and toilets (Victoria also has similar requirements to this).

Telecommunications interception and listening devices

With respect to telephone communications, the federal Telecommunications (Interception and Access) Act 1979 (Cth) prohibits listening to or recording communications passing over a telecommunications system without the consent or knowledge of the parties to the communication.

Listening and surveillance devices legislation in each state generally prohibits the use of a listening device to listen to or record private conversations to which the user is not a party without the consent of all parties.

All Australian jurisdictions have ‘spent convictions’ laws which limit the use and disclosure of information about old minor criminal convictions.

The Australian Consumer Law (ACL) prohibits certain misrepresentations and misleading and deceptive conduct in trade or commerce in Australia. This can be relevant to the content of privacy policies and statements, which sometimes over-commit companies by promising to meet privacy standards which exceed legal requirements and are difficult to maintain.

The Australian Competition and Consumer Commission (ACCC), which regulates the ACL, has been getting increasingly involved in privacy and data issues, often in collaboration with the OAIC. These ACCC activities have included inquiries into digital platforms and loyalty programs, jointly regulating the Consumer Data Right (CDR) scheme and taking legal action against online businesses for misleading consumers about how their personal information would be handled.

The Consumer Data Right (CDR) has first commenced in the banking and energy sectors, but is ultimately intended to extend to telecommunications and other business sectors. The CDR allows consumers to access their consumer data, and have it transferred to other accredited data recipients (such as competitor businesses).

The CDR is co-regulated by the OAIC and the ACCC, and includes a set of Privacy Safeguards as well as technical data standards.

Consistent with a general trend in common law countries, including the UK and New Zealand, there appears to be some movement in Australian courts towards recognising new rights to recover damages to for invasions of privacy generally, separate from statutory remedies for inappropriate dealing with personal information.

The federal government is considering legislating in this area, having released a law reform report in 2014 proposing either a new right to sue for serious invasions of privacy, or a new tort of harassment coupled with an extension of breach of confidence to cover emotional distress. These issues may be the subject of recommendations expected in 2023 as part of the Privacy Act review, which is also looking at the introduction of direct rights for individuals to sue for privacy breaches.

The OAIC investigates complaints from individuals about interferences with privacy that are contrary to the Privacy Act. The OAIC also has the power to initiate own motion investigations about potential breaches of privacy that do not relate to a particular complainant.

Following its investigation, the OAIC has the power to make a determination ordering compensation and reparatory action, among other things, which is enforceable in the Federal Court or Federal Magistrates Court.

Maximum penalties for certain Privacy Act and ACL breaches were increased to A$50 million in 2022. CDR breaches are subject to penalties of up to A$10 million. Even higher penalties for breaches of these laws can also apply in some cases based on the benefit obtained from the breach, or turnover during the breach period.

Certain breaches of the Spam Act or Do Not Call Register Act 2006 (Cth) can result in fines of up to A$2.22 million per day. Regulators can also agree enforceable undertakings with entities that breach these Acts, or the Privacy Act.

In some jurisdictions, contravening privacy legislation can result in the imposition of fines or imprisonment. For example, a breach of the Surveillance Devices Act 1999 (Vic) can result in imprisonment of up to two years or the imposition of substantial fines.