The Australia Privacy Act 1988 Explained


Businesses collect and process personal information from users for a wide range of purposes, but if you’re based in Australia or monitor the online behaviors of website visitors in the country, you may be subject to the Australia Privacy Act 1988.

Below, I explain everything you need to know about the Australia Privacy Act 1988, including its business requirements, the rights it grants to individuals, the penalties for non-compliance, and the steps you need to take to set your website up for compliance.

Table of Contents
  1. What Is the Australia Privacy Act 1988?
  2. Australia Privacy Act 1988 Key Terms and Definitions
  3. What Does the Australia Privacy Act 1988 Cover?
  4. Requirements of the Australia Privacy Act 1988
  5. Australia Privacy Act 1988 vs Global Data Privacy Laws: Similarities and Differences
  6. How Does the Australia Privacy Act 1988 Impact Consumers?
  7. How Does the Australia Privacy Act 1988 Impact Businesses?
  8. Who Must Comply With the Australia Privacy Act 1988?
  9. How Can Businesses Prepare for the Australia Privacy Act 1988?
  10. How Is the Australia Privacy Act 1988 Enforced?
  11. Fines and Penalties Under the Australia Privacy Act 1988
  12. How Does Termly Help With Australia Privacy Act 1988 Compliance?
  13. Are There Other Privacy Related Laws in Australia?
  14. Summary

What Is the Australia Privacy Act 1988?

Australia's Privacy Act 1988 (Cth) is the country's primary federal data protection law.

It has been amended many times since it commenced in 1989 and governs how the entities within its scope may collect, hold, use, and disclose personal information about individuals in Australia.

The law also outlines people’s rights over their data and the penalties imposed for violating portions of the act.

When Did the Australia Privacy Act 1988 Take Effect?

The Privacy Act was passed in 1988 and commenced on 1 January 1989. Since then it has been amended several times to keep pace with the modern digital landscape.

Most notably, the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which commenced on 12 March 2014, introduced:

  • The 13 Australian Privacy Principles (APPs), replacing the earlier separate sets of principles for government agencies and private sector organizations
  • Expanded enforcement powers for the Information Commissioner
  • A framework for binding APP codes that spell out how the APPs apply to particular sectors or activities
  • New credit reporting provisions

Two later amendments are directly relevant to the obligations covered below: the Privacy Amendment (Notifiable Data Breaches) Act 2017, which established the Notifiable Data Breaches (NDB) scheme from February 2018, and the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which sharply increased the maximum penalties for serious or repeated interferences with privacy.

Australia Privacy Act 1988 Key Terms and Definitions

To help you understand how to comply with the Australia Privacy Act 1988, here are some key terms, paraphrased from the definitions in section 6 of the Act:

  • Personal information: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form.
  • Sensitive information: a subset of personal information covering an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union or professional association membership, sexual orientation or practices, criminal record, health information, genetic information, and biometric information or templates. It attracts stricter collection and use rules.
  • APP entity: an agency or organization that must comply with the Australian Privacy Principles.
  • Organization: an individual, body corporate, partnership, unincorporated association, or trust, other than a small business operator, registered political party, agency, or State or Territory authority.
  • Consent: express consent or implied consent. Consent must be informed, voluntary, current, and specific to be relied on.

What Does the Australia Privacy Act 1988 Cover?

The Privacy Act 1988 covers the personal information of individuals in Australia, regardless of their citizenship or residency status.

It protects the data of individuals in their capacity as consumers, customers, and members of the public. Employee data receives less protection: private sector employers are exempt for acts directly related to a current or former employment relationship and an employee record they hold (the employee records exemption).

Requirements of the Australia Privacy Act 1988

The Australia Privacy Act 1988 outlines several requirements businesses must follow, which I cover in the following sections.

Lawful Basis for Processing Personal Information

Under the Privacy Act, an organization may collect personal information only where it is reasonably necessary for, or directly related to, one or more of its functions or activities (APP 3), and it must collect that information by lawful and fair means.

To collect sensitive information, you must also obtain the individual's consent, which the Act defines to include both express and implied consent, unless one of the narrow exceptions in APP 3 applies (for example, where the collection is required or authorized by law).

In either case, the collection must be reasonably necessary for the purposes you disclose to individuals in a compliant privacy notice (APP 5) and privacy policy (APP 1).

The 13 Australian Privacy Principles (APPs)

The core of the Act's obligations for APP entities is the 13 Australian Privacy Principles (APPs), set out in Schedule 1, which cover:

  • Collecting, using, and sharing personal data
  • What entities are accountable for when collecting and using personal information
  • The integrity and correctness of the personal information
  • The rights individuals have to access and correct their personal information

Here is the complete list of all 13 APPs:

  • APP 1: Open and transparent management of personal information
  • APP 2: Anonymity and pseudonymity
  • APP 3: Collection of solicited personal information
  • APP 4: Dealing with unsolicited personal information
  • APP 5: Notification of the collection of personal information
  • APP 6: Use or disclosure of personal information
  • APP 7: Direct marketing
  • APP 8: Cross-border disclosure of personal information
  • APP 9: Adoption, use or disclosure of government related identifiers
  • APP 10: Quality of personal information
  • APP 11: Security of personal information
  • APP 12: Access to personal information
  • APP 13: Correction of personal information

The APPs are principles-based rather than prescriptive, so organizations have flexibility in how they meet them across their particular data processing activities.

They are also designed to be technology neutral, meaning they apply to existing and future technologies alike.

Data Safety and Security Obligations

Under APP 11, organizations must take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorized:

  • Access
  • Modification
  • Disclosure

What counts as reasonable depends on the sensitivity of the information, the harm that could follow from a breach, and the size and resources of the organization; the OAIC expects measures such as access controls, encryption, logging, staff training, and tested incident response procedures in proportion to that risk.

Organizations must also take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless a law or court order requires them to retain it.

Data Breach Notification Requirements

Under the Notifiable Data Breaches (NDB) scheme, organizations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of an eligible data breach as soon as practicable after becoming aware of it. Where an organization only suspects that a breach may be eligible, it must carry out a reasonable and expeditious assessment and complete it within 30 days.

A breach is an eligible data breach when all of the following are true:

  • There is unauthorized access to, unauthorized disclosure of, or loss of personal information held by an APP entity.
  • A reasonable person would conclude that the access, disclosure, or loss is likely to result in serious harm to one or more of the individuals concerned.
  • The entity has not prevented the likely risk of serious harm through remedial action taken before the harm occurs.

Australia Privacy Act 1988 vs Global Data Privacy Laws: Similarities and Differences

Several different data privacy laws exist around the world, including the following:

  • The California Consumer Privacy Act (CCPA)
  • Europe’s General Data Protection Regulation (GDPR)
  • Argentina’s Personal Data Protection Act (Argentina PDPA)
  • Brazil’s General Data Protection Law (LGPD)
  • Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
  • South Africa’s Protection of Personal Information Act (POPIA)
  • Thailand’s Personal Data Protection Act (Thailand PDPA)
  • New Zealand’s Privacy Act 2020

The table below compares the Australia Privacy Act 1988 to these other global privacy laws.

Data Privacy Law | Requires opt-in consent* | Mandates publishing a privacy policy | Outlines contractual obligations with third parties | Holds businesses accountable for data security | Has specific requirements for international data transfers | Requires additional guidelines for categories of sensitive (special) information
Privacy Act 1988
Argentina PDPA
CCPA
GDPR
LGPD
PIPEDA
POPIA
Privacy Act 2020
Thailand PDPA

*With some exceptions for some laws.

How Does the Australia Privacy Act 1988 Impact Consumers?

The Australia Privacy Act 1988 impacts consumers by granting them rights and controls over their personal information, including:

  • The right to deal anonymously or under a pseudonym with organizations where that is lawful and practicable (APP 2).
  • The right to be told, at or before the time of collection, who is collecting their information, why, and who it will be disclosed to (APP 5).
  • Consent and choice over how their data is used and disclosed, particularly for secondary purposes, sharing with third parties, and direct marketing (APPs 6 and 7).
  • The right to opt out of direct marketing at any time and to ask an organization where it obtained their information (APP 7).
  • The right to access the personal information an organization holds about them and to have it corrected (APPs 12 and 13).
  • The right to know whether their data is likely to be disclosed to overseas recipients and, where practicable, in which countries (APPs 1 and 8).
  • The ability to complain to the organization, and then to the OAIC, if they believe an organization breached the APPs when handling their data.

Who Does the Australia Privacy Act 1988 Protect?

The Privacy Act protects the personal information of natural persons, which in practice means anyone in Australia, regardless of their citizenship status.

It does not regulate individuals acting in a purely personal, family, or household capacity, so information you handle for non-business purposes is outside its scope.

How Does the Australia Privacy Act 1988 Impact Businesses?

Beyond the lawful purposes for data processing and data security requirements previously mentioned, the Australia Privacy Act also impacts businesses’ privacy and cookie policies.

How Does the Australia Privacy Act 1988 Affect My Privacy Policy?

Australia’s data privacy law heavily affects privacy policies because the law outlines several different transparency and notification requirements, which include:

  • Disclosing what personal information you collect, including sensitive personal information.
  • Explaining how the information is collected (i.e., directly from the individual or indirectly from third-party sources).
  • Outlining your purpose for why you’re collecting the personal information.
  • Disclosing if you share the data with any third parties.
  • Explaining if you transfer the data internationally and the safety measures in place to ensure it’s handled securely.
  • Describing the general security measures in place to keep personal data safe and secure.
  • Stating what rights users have over their information and how they can act on those rights.

APP 1 requires organizations to maintain a clearly expressed and up-to-date privacy policy, so you must review and update yours regularly to keep meeting the notification and transparency guidelines.

How Does the Australia Privacy Act 1988 Affect My Cookie Policy?

The Privacy Act 1988 affects cookie policies because data collected through cookies and similar tracking technologies (device identifiers, IP addresses, behavioral profiles) is personal information whenever an individual is reasonably identifiable from it, and the Act's rules on use, disclosure (i.e., sharing), and direct marketing then apply to it. Australia has no separate cookie consent law; the Privacy Act is the relevant framework.

Your cookie policy must clearly explain what cookies you set, what data they collect, and the purposes for which you share that data with third parties such as advertising networks.

You must also explain if you use cookie data for direct marketing and give users a simple way to exercise their right to opt out, for example through a consent banner that lets them decline marketing cookies or an opt-out link that records their choice. A Data Subject Access Request (DSAR) form handles access and correction requests but is not a substitute for an opt-out mechanism.

Finally, keep your cookie policy updated and accurate to meet the notification requirements.
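The opt-out mechanism described above can be implemented as a small consent gate in the page's JavaScript. The block below is an added example and is not code from this article or from Termly's consent management platform; the cookie name `privacy_consent`, the three categories, the placeholder tag URLs, and the choice to load no marketing tag until the visitor has decided are assumptions of the example rather than requirements drawn from the Privacy Act.

```javascript
// Added example (not code from the article or from Termly): a minimal
// consent store that gates third-party marketing tags on the visitor's
// recorded choice and honours an opt-out of direct marketing.
// Assumptions of this example, not requirements taken from the Privacy Act:
// the cookie name, the three categories, the placeholder tag URLs, and the
// conservative default of loading no marketing tag until a choice is recorded.

const CONSENT_COOKIE = "privacy_consent";                   // assumed name
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed set

// Parse a document.cookie-style string ("a=1; privacy_consent=...") into a
// consent map. A missing, malformed, or unknown value yields no consent.
function parseConsent(cookieHeader) {
  const consent = {};
  if (typeof cookieHeader !== "string") return consent;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    let decoded;
    try {
      decoded = JSON.parse(decodeURIComponent(rest.join("=")));
    } catch {
      return {};                        // treat a corrupt cookie as "no choice yet"
    }
    for (const category of CATEGORIES) {
      if (typeof decoded[category] === "boolean") consent[category] = decoded[category];
    }
  }
  return consent;
}

// Serialise a consent map as a first-party cookie (one year, Lax, Secure).
function serializeConsent(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Strictly necessary tags always run; anything else needs an explicit `true`.
function mayLoad(category, consent) {
  if (category === "necessary") return true;
  return consent[category] === true;
}

// Apply the visitor's banner choice. Only known, non-necessary categories change.
function recordChoice(consent, updates) {
  const next = { ...consent, necessary: true };
  for (const category of CATEGORIES) {
    if (category !== "necessary" && typeof updates[category] === "boolean") {
      next[category] = updates[category];
    }
  }
  return next;
}

// Opt-out of direct marketing: withdraw the marketing category, leave the rest.
function optOutOfMarketing(consent) {
  return recordChoice(consent, { marketing: false });
}

// Browser glue: inject a third-party script only when its category is allowed.
// Returns the decision; the DOM step is skipped when run outside a browser.
function loadTag(category, src, consent) {
  if (!mayLoad(category, consent)) return false;
  if (typeof document !== "undefined") {
    const script = document.createElement("script");
    script.src = src;
    script.async = true;
    document.head.appendChild(script);
  }
  return true;
}

// Worked run on a constructed cookie header: first visit, opt-in, then opt-out.
function demo() {
  const firstVisit = parseConsent("session=abc123; theme=dark");   // no record yet
  const optedIn = recordChoice(firstVisit, { analytics: true, marketing: true });
  const stored = serializeConsent(optedIn);                         // what the banner would set
  const optedOut = optOutOfMarketing(parseConsent(stored));         // later opt-out click
  return {
    marketingBeforeChoice: loadTag("marketing", "https://ads.example/tag.js", firstVisit), // false
    marketingAfterOptIn: loadTag("marketing", "https://ads.example/tag.js", optedIn),      // true
    marketingAfterOptOut: loadTag("marketing", "https://ads.example/tag.js", optedOut),    // false
    analyticsAfterOptOut: loadTag("analytics", "https://stats.example/a.js", optedOut),    // true
    storedCookie: stored,
  };
}
```

The decision lives in pure functions and `loadTag` only touches the DOM when one exists, so the same logic can be unit tested outside a browser. Keep in mind that the consent cookie itself records a choice tied to a visitor and should be described in your cookie policy like any other first-party cookie.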

Who Must Comply With the Australia Privacy Act 1988?

The Privacy Act 1988 applies to APP entities: Australian Government agencies, private sector organizations with an annual turnover above AUD 3 million (plus smaller organizations in the categories listed below), and foreign organizations that have an 'Australian link', typically because they carry on business in Australia.

Whether a foreign organization carries on business in Australia is a question of fact; offering products or services to people in Australia, having Australian customers, or having staff or infrastructure in the country are all relevant indicators.

Since the 2022 amendments, a foreign organization carrying on business in Australia no longer needs to collect or hold personal information in Australia to be caught by the Act, so it may need to comply even where it gathers Australians' data entirely from overseas.

Who Is Exempt From the Australia Privacy Act 1988?

The following are exempt from the Australian Privacy Act 1988:

  • Small business operators with an annual turnover of AUD 3 million or less, unless an exception applies; the main exceptions are private sector health service providers, businesses that trade in personal information for a benefit, contracted service providers for Commonwealth contracts, and credit reporting bodies.
  • Registered political parties
  • State and Territory authorities, which are covered by their own state or territory privacy laws instead
  • Private sector employers, for acts directly related to employee records (the employee records exemption)

How Can Businesses Prepare for the Australia Privacy Act 1988?

To prepare for the Australia Privacy Act 1988, businesses should ensure their privacy policy is updated, accurate, and meets all notification requirements.

It’s also necessary to update your cookie policy and provide users with a consent banner or DSAR form so they can act on their privacy rights.

Make sure you’re only collecting a reasonable amount of data to perform the purposes as described to your users in your privacy policy.

Implement the necessary security measures to keep that data safe from breaches, and establish an incident response plan that covers assessing a suspected breach within the NDB scheme's 30-day window and notifying the OAIC and affected individuals as soon as practicable if it turns out to be eligible.

How Is the Australia Privacy Act 1988 Enforced?

The Australia Privacy Act 1988 is enforced by the Office of the Australian Information Commissioner (OAIC).

The OAIC can issue guidelines and register binding APP codes, investigate complaints and open its own investigations, make determinations that require an organization to take remedial steps or pay compensation, accept enforceable undertakings, and apply to the Federal Court for civil penalties against those who seriously or repeatedly breach the Act.

Fines and Penalties Under the Australia Privacy Act 1988

Penalties for serious or repeated interferences with privacy have been severe since the 2022 amendments.

For a body corporate, the maximum civil penalty is the greatest of AUD 50 million, three times the value of any benefit obtained from the conduct, or, where that benefit cannot be determined, 30% of the company's adjusted turnover during the period of the breach. For individuals, the maximum is AUD 2.5 million.

Repeat offenses and serious violations involving large volumes of data or sensitive information attract higher penalties within those caps.

The OAIC's first significant civil penalty proceeding sought a penalty of AUD 1.9 million ($1.22 million) against Facebook (owned by Meta) for alleged breaches of the Privacy Act.

The case is still ongoing but illustrates the extraterritorial reach of the law.

How Does Termly Help With Australia Privacy Act 1988 Compliance?

Termly helps businesses comply with the Australia Privacy Act 1988 by providing a Privacy Policy Generator that includes all necessary clauses to meet the notification and transparency guidelines outlined by the APPs.

Designed by our legal team and data privacy experts, it asks simple questions about your business and makes a ready-to-use policy based on your answers.

We also offer a consent management platform (CMP) that you can configure to meet all consent obligations described by the law.

Are There Other Privacy Related Laws in Australia?

Several other privacy-related laws exist in Australia, many of which work alongside the Privacy Act 1988, including:

  • The Spam Act 2003, which regulates commercial electronic messages (email, SMS, instant messaging) and requires consent, sender identification, and a working unsubscribe facility
  • The Do Not Call Register Act 2006, which restricts unsolicited telemarketing calls and marketing faxes to numbers on the register
  • Part 13 of the Telecommunications Act 1997, which protects the confidentiality of communications and customer information held by carriers and carriage service providers

In addition, some state and territory-specific laws address privacy concerns for people in different regions across Australia, particularly for state public sector agencies and health information.

Summary

If your business is subject to the Australia Privacy Act 1988, make sure you take the following steps to comply with all APPs and obligations:

  • Update privacy and cookie policies to meet notification and transparency guidelines.
  • Provide users with a compliant consent banner, especially if you perform targeted advertising or collect sensitive information.
  • Post a DSAR form on your site so users can exercise their rights to access and correct their data, and give them an easy way to opt out of direct marketing.
  • Implement security measures to keep personal data safe from unauthorized access.

To simplify your compliance journey, use our Privacy Policy Generator and Consent Management Platform, which are configurable to meet the requirements of the Australia Privacy Act 1988.


Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT

James is an Information Privacy Professional with over seven years of experience assisting large organizations to comply with their obligations under the GDPR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology.
