The concepts of “privacy” and “data protection” are largely treated as synonymous in Australia. Both are governed mainly by the Privacy Act 1988 (Cth) (Privacy Act) and, more specifically, by the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act.
The Privacy Act applies to Australian federal government agencies and to private sector “organisations” with an annual turnover above a prescribed threshold. It does not apply to individuals acting in a personal capacity who are not engaged in a business activity.
In addition, each Australian state and territory has enacted its own legislation regulating privacy and data protection for state and territory public sector bodies, which are not covered by the Privacy Act.
Certain industries are also subject to their own privacy and data protection laws and standards. For example:
- Victoria and New South Wales have specific laws governing the collection and use of health information,2 including complaint processes and mechanisms for individuals to access their information; and
- the Australian Prudential Regulation Authority (APRA) requires regulated financial services organisations to comply with prudential standards3 that oblige them to develop and maintain appropriate information security capabilities.
Australian courts have yet to recognise a distinct cause of action for breach of privacy, even though the High Court of Australia left open the possibility of such a development more than 20 years ago.4
However, a statutory cause of action for serious invasion of privacy is currently being considered as part of the Australian Government’s review of the Privacy Act.5 While it remains unclear whether it will be enacted, the Office of the Australian Information Commissioner (OAIC) and the Law Council of Australia have publicly supported its introduction.
Australia is also a party to the International Covenant on Civil and Political Rights (ICCPR), which prohibits unlawful or arbitrary interference with a person’s privacy.6 However, a treaty has no direct effect in Australian domestic law unless Parliament incorporates it through legislation. Although the Privacy Act and equivalent state legislation provide some protection for the privacy of individuals, Australia has not incorporated the ICCPR’s privacy right into domestic law and therefore does not recognise a general, enforceable right to privacy.
Summary of the year
In October 2021, the Australian Government released an exposure draft of a bill to amend the Privacy Act7 (Online Privacy Bill). The Online Privacy Bill proposes significant amendments to the Privacy Act, including:
- introducing an “online privacy code” targeting social media and other online platforms;
- clarifying the extraterritorial application of the Privacy Act; and
- strengthening the existing enforcement powers and penalties under the Privacy Act.8
The Online Privacy Bill implements reforms the Australian Government committed to in 2019 following the Cambridge Analytica data harvesting scandal of March 2018.9 However, the Bill has yet to be introduced into Parliament, so it remains to be seen whether the proposed changes will be enacted.
Recent changes to Australia’s cyber security laws include:
- passage of the Online Safety Act 2021 (Cth),10 which gives the eSafety Commissioner additional powers to regulate online content and introduces stricter standards for online service providers;11
- amendments to the Surveillance Devices Act 2004 (Cth),12 which give law enforcement agencies additional powers to detect and disrupt online criminal activity; and
- amendments to the Autonomous Sanctions Act 2011 (Cth),13 which allow the relevant minister to impose targeted sanctions for, among other things, facilitating or causing a “significant cyber incident”.14
In a recent decision, the Full Court of the Federal Court of Australia upheld the primary judge’s finding that, by installing and operating cookies on the devices of Australian users, there was clear evidence that Facebook Inc was “carrying on business” in Australia for the purposes of the Privacy Act.15 The decision confirms that a foreign company may be subject to the Privacy Act even without a physical presence in Australia. Importantly, it allows the Australian Information Commissioner to continue its proceedings against the Facebook entities for alleged breaches of the Privacy Act.