Busting Myths - Proposed Changes to the Australian Privacy Act 1988

Thursday 16 May, 2024

Australia’s privacy legislation is the Privacy Act 1988 (Cth) (the Act). The Australian Government’s response to a Privacy Review Report concluded that it is necessary to overhaul Australia’s privacy laws to ensure they remain fit for purpose and that the collection, use and disclosure of people’s personal information is reasonable and adequately protected from unauthorised access.

Let’s bust some myths about Australia’s privacy laws and look at some recent developments!

Myth One: The Act continues to be effective and adequately addresses the consequences for breaches of privacy.

Reality: The Act has been comprehensively reviewed by the Australian Attorney-General’s Department and the Australian Government has now released a report agreeing to a number of proposed privacy reforms as recommended by the Attorney-General. The Government has indicated it will be updating Australia’s privacy laws in 2024.

Myth Two: The Act applies to all Australian organisations.

Reality: The Act currently applies to government agencies and private sector organisations with an annual turnover of $AUS3 million or more. It also applies to some small businesses depending on their services, but excludes universities and public schools. In comparison, the New Zealand Privacy Act 2020 applies to any entity or individual that collects and holds personal information about other people. This includes all government departments, companies (regardless of annual turnover), universities, schools, social clubs, charities, societies and community groups.

Myth Three: If there has been a data breach involving personal information under Australian privacy law, an organisation only has to notify the individual concerned.

Reality: Under the Notifiable Data Breaches Scheme (NDBS), any entity covered by the Act must notify the Office of the Australian Information Commissioner (OAIC) as well as affected individual(s) when the data breach is likely to result in serious harm to the affected individual(s). The OAIC then publishes statistics of notifiable data breaches twice a year. Questions have been raised about whether the NDBS needs to do more to facilitate the response to a breach. The Australian Government has proposed that the Attorney-General should be able to permit the sharing of information with appropriate entities (such as banks) that may be able to reduce the risk of harm in the event of an eligible data breach.

Myth Four: The Australian penalty regime for breach of privacy is similar to New Zealand’s.

Reality: No. In Australia, the penalty for serious or repeated breaches of privacy is the greater of $AUS50 million or three times the value of any benefit obtained through the contravention, or where the benefit can't be determined, 30% of domestic turnover. The Australian Government has proposed introducing a new mid-tier civil penalty provision to cover interferences with privacy which do not meet the threshold of being ‘serious’, and a new low-level civil penalty provision for specific administrative breaches of the Act and privacy principles, with attached infringement notice powers for the OAIC with set penalties. In comparison, the maximum monetary penalty in New Zealand is $NZD10,000 if convicted of an offence under New Zealand’s Privacy Act, although members of a successful class action can be awarded damages of up to $NZD350,000.

Myth Five: Both New Zealand and Australia are regarded as having “adequate” privacy regimes by the EU.

Reality: No. Currently only New Zealand is considered as having an “adequate” privacy regime. This means that personal data can continue to flow freely between the EU and New Zealand without additional conditions or authorisations. Meanwhile, data transfers from the EU to Australia will require additional safeguards, such as standard contractual clauses, to ensure an adequate level of data protection.


If you have any questions about privacy law, or you would like to be kept up to date about this rapidly changing area, please contact our expert Tina Liu.