The principal legislation protecting privacy in Australia is the federal Privacy Act 1988 (the Privacy Act). The Privacy Act establishes 13 Australian privacy principles (APPs), which regulate the handling of personal information by many private sector organisations and by federal government agencies.
The body responsible for enforcing the Privacy Act is the Office of the Australian Information Commissioner (OAIC). In practice, the Information Commissioner (the Commissioner) is responsible for the majority of the privacy-related functions of the OAIC, including the investigation of complaints made by individuals.
Substantive amendments to the Privacy Act came into effect on 12 March 2014. In particular, from that date, substantial monetary penalties (currently, up to A$420,000 for individuals or A$2.1 million for corporations) can be imposed for 'serious' or 'repeated' interferences with the privacy of individuals. In 2019, the government proposed increasing penalties for corporations to the greater of A$10 million, three times the value of any benefit gained through the misuse of personal information, or 10 per cent of the entity's annual domestic turnover (bringing it further in line with European privacy penalties). However, the government has yet to propose legislation to this effect.
Although this chapter is principally concerned with the Privacy Act, each Australian state and territory has also passed legislation that protects information held about individuals by state and territory government organisations.
Privacy also receives some protection through developments to the common law, particularly developments in the law relating to confidential information.2 To date the Australian courts have not recognised a specific cause of action to protect privacy, although there has been judicial suggestion that such a development may be open.3 In July 2019, the Australian Competition and Consumer Commission recommended the introduction of a statutory tort for serious invasions of privacy as part of its Digital Platforms Inquiry. Although the federal government's response to this recommendation was neutral (i.e., it neither supports nor does not support the recommendation), the federal government has indicated that it will consider the recommendation through a general review of the Privacy Act (see Section X for more information about this general review of the Privacy Act).
There is no general charter of human rights in Australia, and as such there is no general recognition under Australian law of privacy being a fundamental right. However, some jurisdictions within Australia, being the Australian Capital Territory, Victoria and Queensland, have enacted a form of human rights act. These Acts recognise the protection of privacy as a human right.4
II THE YEAR IN REVIEW
According to the OAIC's Annual Report 2018–195 (the most recent report as at 31 July 2020), the OAIC received 3,306 privacy complaints and responded to 17,445 privacy enquiries in the year ending 30 June 2019. The Commissioner also initiated 15 investigations, worked on a number of new assessments commenced in 2018–19 and ongoing assessments from 2017–18, initiated three digital health assessments and received 950 mandatory notifications under the Notifiable Data Breaches scheme from organisations.
Although there have been several significant enforcement actions (see Section VII), and the Commissioner currently has litigation on foot (see Section VII.iii), no monetary penalties have yet been imposed on organisations under the new sanction provisions.
This year has also seen developments in relation to cybersecurity. On 6 August 2020, the Australian Federal Government released its highly anticipated Cyber Security Strategy 2020.6 In its report, the Government committed A$1.79 billion to uplift Australia's cybersecurity, outlining a number of measures that are intended to strengthen Australia's cybersecurity regulatory regime. While such measures are yet to come into effect, they will include the introduction of an Industry Advisory Committee, voluntary codes, a potential new director's duty and the expansion of the current critical infrastructure Act.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The Privacy Act protects personal information – that is, information or an opinion about an identified individual or an individual who is reasonably identifiable. Special protection is afforded to 'sensitive information' (see further discussion below).
The Privacy Act contains exemptions for certain organisations from the requirement to comply with the APPs. Operators of small businesses (businesses with an annual turnover for the previous financial year of A$3 million or less) are not generally subject to the Privacy Act.7 There are also exemptions for domestic use,8 media organisations9 and political representatives.10 There is no general exemption for not-for-profit organisations.
There is a broad exemption11 from the application of the Privacy Act for acts or practices that are directly related to a current or former employment relationship and that involve an employee record held by the employer. In practice, this means that many activities of organisations with respect to their own employees are exempted from the Privacy Act.
There is a limited exemption from the application of the Privacy Act for the sharing of personal information (other than sensitive information) between companies in the same corporate group.12 However, the rules regarding the disclosure of personal information outside Australia continue to apply even where the information is shared between group companies.
Protection of sensitive information
Sensitive information is defined in Australia as being:
- information or an opinion about an individual's:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices; and
- criminal record that is also personal information;
- health information about an individual;
- genetic information about an individual that is not otherwise health information;
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; and
- biometric templates.
Generally, an organisation must not collect sensitive information about an individual unless the individual has consented to the collection and the personal information is reasonably necessary for one or more of the organisation's functions or activities. An organisation may collect sensitive information about an individual without consent in certain limited circumstances; for example, where collection is required by Australian law.
APP Guidelines (Guidelines)
The OAIC has published Guidelines to assist organisations in complying with the APPs. Although the Guidelines are not legally binding, they provide guidance as to how the APPs will be interpreted and applied by the Commissioner when exercising their functions and powers under the Privacy Act.
ii General obligations for data handlers
There is no distinction in the Privacy Act between entities that control and those that process personal information. Any handling of personal information, whether holding, processing or otherwise, is potentially subject to the APPs. The 13 APPs are summarised below.
APP 1 – open and transparent management of personal information
Organisations must take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. See the discussion on the required content of privacy policies in Section V.
APP 2 – anonymity and pseudonymity
Individuals must have the option of not identifying themselves, unless this is impracticable.
APP 3 – collection of solicited personal information
Information may be collected only if it is reasonably necessary for the organisation's functions or activities and must be collected only by lawful and fair means. An organisation may only collect information directly from the individual, unless this is unreasonable or impracticable.
APP 4 – unsolicited personal information
Where an organisation receives unsolicited personal information, it must, within a reasonable period, determine whether it could have collected the information itself under the APPs. If not, the organisation must destroy or 'de-identify' that information.
APP 5 – notification of collecting personal information
At or before the time of collection (or as soon as practicable afterwards), an organisation collecting personal information must take such steps (if any) as are reasonable in the circumstances to make the individual aware of a number of prescribed matters; for example:
- the identity of the organisation;
- the purposes of the collection;
- the types of organisations to which the personal information may be disclosed;
- whether the organisation is likely to disclose the information to overseas recipients (and, if so, to which countries); and
Where personal information is not collected directly from the individual, an organisation must take reasonable steps to make sure the individual is informed of the same matters in respect of its indirect collection.
APP 6 – uses or disclosures of personal information
Personal information must only be used or disclosed for the purpose for which it was collected (the primary purpose). Personal information may be used or disclosed for a secondary purpose where:
- the secondary purpose is related to the primary purpose and the individual would reasonably expect it to be disclosed or used this way;
- the individual has consented to that disclosure or use; or
- another exception applies (e.g., that the use or disclosure is required by Australian law).
In the case of sensitive information, the secondary use or disclosure under item (a) above must be directly related to the primary purpose.
APP 7 – direct marketing
Sensitive information can only ever be used for direct marketing with the individual's consent. Other personal information cannot be used or disclosed for direct marketing unless an exception applies. Where direct marketing is permitted, organisations must always provide a means for the individual to 'opt out' of direct marketing communications.
APP 7 does not apply to the extent that the Do Not Call Register Act 2006 (Cth) or the Spam Act 2003 (Cth) apply.
APP 8 – cross-border disclosure of personal information
APP 8 regulates the disclosure of information to a person who is outside Australia. See the discussion in Section IV for further details of the requirements of APP 8.
Under Section 16C of the Privacy Act, in certain circumstances, an organisation may be deemed to be liable for a breach of the APPs by an overseas recipient of personal information disclosed by that organisation.
APP 9 – adoption, use or disclosure of government-related identifiers
An organisation must not adopt an identifier that has been assigned to an individual by a government agency as its own identifier of the individual; or disclose or use an identifier assigned to an individual by a government agency, unless an exception applies (e.g., the adoption, disclosure or use is required or authorised by an Australian law).
An identifier includes things such as a driving licence and passport number.
APP 10 – quality of personal information
An organisation must take reasonable steps to ensure that the personal information it collects, uses and discloses is accurate, complete and up to date and also, in the case of use or disclosure, relevant.
APP 11 – security of personal information
Organisations must take reasonable steps to protect information they hold from misuse, interference, loss, unauthorised access, modification or disclosure; and destroy or de-identify information once it is no longer needed for any purpose for which the information may be used or disclosed under the APPs.
APP 11 does not mandate any specific security obligations or standards. The OAIC, however, has published a Guide to Securing Personal Information,13 which provides nonbinding guidance on the reasonable steps organisations are required to take to protect the personal information they hold.
There are no specific rules governing the handling of personal information by third parties. The obligation placed on organisations under APP 11 to take reasonable steps to protect personal information they hold has the effect of requiring organisations to take reasonable steps to ensure that any third party (including an overseas data processor) handling personal information on their behalf also takes reasonable steps to protect personal information. The above-mentioned Guide to information security also provides non-binding guidance in relation to the processing of information by third parties.
APP 12 – access to personal information
As a general rule, an organisation must, upon request, give an individual access to any personal information held about him or her. There are exceptions to this general rule, including where the provision of access to personal information could have an unreasonable impact on the privacy of other individuals, or where denying access is required or authorised by Australian law.
APP 13 – correction of personal information
An organisation must take reasonable steps to correct any personal information if the entity is satisfied the information is inaccurate or where the individual requests the entity to do so. According to the Guidelines, the reasonable steps to be taken may include 'making appropriate . . . deletions'. However, individuals do not have an express legal right to have inaccurate data deleted. In fact, there is currently no right to have data deleted under Australian law.
If an organisation refuses to correct personal information, it must give reasons to the person who has requested the correction and tell them about the mechanisms available to complain about the refusal.
iii Technological innovation and privacy law
The Privacy Act is drafted in a technologically neutral manner and its provisions can be applied to developments in new technologies. As an example, the direct marketing principle, APP 7, has been taken by the Commissioner14 to apply to online behavioural advertising (OBA). In consequence, the requirements of APP 7, to allow people to opt out of marketing communications, could apply to advertisements appearing through use of OBA.
Since sensitive information under the Privacy Act includes biometric information that is used for the purpose of automated biometric identification, it is likely that the use of automated facial and speech recognition technologies will require compliance with the obligations of the APPs relating to sensitive information. Those obligations include the requirement to obtain consent before the relevant biometric information is collected.
iv Data subject rights
Individuals can request access to their personal information under APP 12 and entities must comply with such requests, subject to certain exceptions (for example, where giving access would pose a serious threat to the life, health or safety of any individual, or would have an unreasonable impact on the privacy of other individuals). Further, APP 13 provides that entities must take reasonable steps to correct personal information where the individual requests the entity to do so.
While individuals do not currently have an express legal right to require the removal or erasure of their personal information, entities have a general obligation to take reasonable steps to de-identify or destroy personal information where it is no longer needed for any purpose for which it may be lawfully used or disclosed by the entity under the APPs (see APP 11.2).
Individuals do not have a direct cause of action against entities to seek redress for breaches of the APPs. However, an individual may complain to the Commissioner who can make a determination that compensation be paid to the individual. This is explained in more detail in Section VII.
On 1 August 2019, legislation was passed to effect a 'consumer data right'. This will facilitate data portability for individuals across the banking industry initially, with the energy sector to follow (the Australian Competition and Consumer Commission is currently progressing this). It is expected that the 'consumer data right' will then be rolled out across other industries, for example the telecommunications sector.
v Specific regulatory areas
There are a number of state and federal acts that protect privacy in particular circumstances, such as when communicating over a telecommunications network, accessing a computer system, or when engaging in activities in a private setting or that protect specific types of information, such as credit information, tax file numbers, healthcare identifiers, eHealth records or health records.
IV INTERNATIONAL DATA TRANSFER
APP 8 provides that, prior to disclosing personal information to a recipient who is located outside Australia, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information. This requirement does not apply if:
- the organisation reasonably believes that the overseas recipient is bound by a law similar to the APPs that the individual can enforce;
- the individual consents to the disclosure of the personal information in the particular manner prescribed by APP 8; or
- another exception applies (e.g., that the disclosure of the personal information is required by Australian law).
The consent required by APP 8 has to be an informed consent and in many cases its requirements are likely to be difficult to satisfy in practice. Further, in many cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the individual. Accordingly, in most cases, the organisation must take 'reasonable steps' to ensure that the overseas recipient does not breach the APPs prior to disclosing that information to the overseas recipient. The Guidelines indicate that taking reasonable steps usually involves the organisation obtaining a contractual commitment from the overseas recipient that it will handle the personal information in accordance with the APPs.
V COMPANY POLICIES AND PRACTICES
- the kinds of personal information that the organisation collects and holds;
- how the organisation collects and holds personal information;
- the purposes for which the organisation collects, holds, uses and discloses personal information;
- how an individual may access personal information about the individual that is held by the organisation and seek correction of the information;
- how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds the organisation and how the organisation will deal with such a complaint;
- whether the organisation is likely to disclose personal information to overseas recipients;
- if the organisation is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
This is an overarching obligation applying to organisations in Australia and is generally understood as requiring organisations in Australia to implement the principles of 'privacy by design'. Guidance as to what the Commissioner expects organisations to do to comply with this general obligation was published by the Commissioner in May 2015.15
VI DISCOVERY AND DISCLOSURE
Under APP 6, personal information can generally only be used and disclosed for the purpose for which the information was collected or for a related secondary purpose that would be reasonably expected by the individual. The disclosure of information in response to national or foreign government requests, or in response to domestic or foreign discovery court orders or internal investigations, would not normally satisfy this requirement. However, there are a number of exceptions that may, depending on the circumstances, be available to allow disclosure in response to such requests or orders. These are summarised below.
In the case of Australian legal proceedings, APP 6.2(b) allows disclosure if the disclosure is 'required or authorised by or under an Australian law or a court/tribunal order'. This will allow disclosures that are required or authorised under Australian rules of court.
In addition, Section 16A(i)(4) of the Privacy Act allows disclosure where it is 'reasonably necessary for the establishment, exercise or defence of a legal or equitable claim'. Disclosures of information in the course of legal proceedings where the disclosures are necessary to either assert or defend a claim will accordingly be permitted. Section 16A(i)(5) allows disclosure where it is reasonably necessary for the purposes of a 'confidential alternative dispute resolution process'. This will permit disclosures in the course of confidential mediations and the like. However, these exceptions do not apply to the disclosure of information to someone outside Australia and so would not be available for claims being pursued in foreign courts.
To disclose information in response to the order of a foreign government or court the disclosure will have to comply with both APP 6 and APP 8 (the cross-border disclosure principle). There has been no binding Australian legal decision on the consequences of a person receiving in Australia an order from a foreign court requiring the disclosure of personal information outside Australia. To satisfy both APP 6 and APP 8, the party seeking disclosure of the information outside Australia is likely to have to apply under a relevant international treaty (such as the Hague Convention), to which Australia is a party and which has been implemented in Australian local law. If these conditions can be satisfied, then the disclosure of the information outside Australia will be 'required or authorised by or under an Australian law' and so will be permitted under both APP 6.2(b) and APP 8.2(c).
Another option that might be available in some circumstances would be to redact all personal information from the relevant document before the document is disclosed outside Australia. Whether a document that has been redacted in this way will still comply with the orders of the foreign court will depend on the circumstances.
With respect to disclosures outside Australia, Section 13D(1) provides that acts done outside Australia do not interfere with privacy if the act is required by an applicable law of a foreign country. This exception may be of use where relevant personal information is already located outside Australia and, pursuant to the legal process in the place where it is located, it has to be disclosed to someone in that place. The exception will not be available with respect to information that is located in Australia.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
If an individual makes a privacy complaint, the Commissioner has the power to attempt, by conciliation, to effect a settlement of the matter or to make a determination that includes declarations that:
- the individual is entitled to a specified amount as compensation for loss or damage suffered (including for injury to feelings or for humiliation);
- the organisation has engaged in conduct constituting an interference with the privacy of an individual and that it must not repeat or continue the conduct; and
- the organisation perform any reasonable act or course of conduct to redress any loss or damage suffered by the individual.
A determination of the Commissioner regarding an organisation is not binding or conclusive. However, the individual or the Commissioner has the right to commence proceedings in court for an order to enforce the determination.
The Commissioner also has the power to audit organisations (these audits are referred to in the Privacy Act as 'assessments'), accept enforceable undertakings, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.
Finally, the Commissioner may apply to the Federal Court or Federal Circuit Court for a penalty (currently, up to A$420,000 for individuals or A$2.1 million for corporations) to be imposed for 'serious' or 'repeated' interferences with privacy. These penalties constitute regulatory fines and cannot be used to compensate individuals for breaches of the Privacy Act. As noted above, the Commissioner has not yet sought to levy the penalty on any organisation. However, in March 2020, the Commissioner commenced court proceedings against Facebook that could potentially result in the first penalty against a corporation being awarded under the Privacy Act. These proceedings are discussed further in Section VII.iii.
ii Recent enforcement cases
One of the enforcement powers available to the Commissioner is to accept an enforceable undertaking from an organisation it is investigating for breaches of privacy. Such an undertaking is likely to be offered by the organisation in the course of resolving an investigation by the Commissioner into its activities. The undertakings are enforceable by the Commissioner in the Federal Court.
The Commissioner has recently taken action in a number of significant cases that are of potentially broad interest. These are summarised below.
Provision of an enforceable undertaking by Optus16
On 27 March 2015, the Commissioner accepted an enforceable undertaking from Optus (a major Australian telecommunications company) arising out of its investigation into three privacy incidents involving Optus.
In the first of these incidents, Optus became aware in April 2014 that, because of a coding error, the names, addresses and phone numbers of 122,000 Optus customers were listed in the White Pages directory without those customers' consent. In the second incident, Optus had issued modems to its customers in such a way that the management ports for the modems were issued with user default names and passwords in place. The consequence was that Optus customers who did not change the default user names and passwords were then vulnerable to a person making and charging calls as though they were the Optus customer. However, there was no evidence that the vulnerability had in fact been exploited. The final incident involved a security flaw that left some Optus customers vulnerable for eight months to 'spoofing attacks', under which an unauthorised party could access a customer's voicemail account.
Following an eight-month investigation, the Commissioner concluded that an enforceable undertaking was the most appropriate regulatory enforcement action in the circumstances. This conclusion was due, in most part, to Optus' cooperation with the Commissioner and steps it had taken to respond to the Commissioner's concerns. Under the terms of the undertaking, Optus was required to appoint an independent third party to conduct reviews of the additional security measures Optus adopted in response to the privacy incident and its vulnerability detection processes concerning the security of personal information.
Metadata collected by telecommunications companies constituted personal information to which the relevant individual could obtain access
In May 2015, the Commissioner found that metadata could be personal information under the Privacy Act where the organisation holding that data has the capacity and resources to link that information to an individual. The background to that finding was a request made by a journalist to access all metadata that Telstra (Australia's largest telecommunications company) stored about him in relation to his mobile service. Over the course of some months, Telstra ultimately released much of the requested metadata to the journalist, but continued to refuse access to IP address information, URL information and cell tower location information beyond that which Telstra retained for billing purposes.
The Commissioner found that the above three categories of information did constitute personal information under the Privacy Act and that Telstra had breached the Privacy Act by failing to release that information.
The decision was overturned by the Administrative Appeals Tribunal (AAT) in December 2015. The AAT reasoned that mobile network data would need to be information 'about an individual' for it to fall within the definition of personal information. It found that the relevant mobile network data was not information about an individual as such, but rather information about the way in which Telstra delivers its services. It could not, therefore, be characterised as personal information under the Privacy Act and did not need to be disclosed to customers upon request.
In coming to the conclusion that the mobile network data was not personal information, the AAT appears to have been influenced by evidence from Telstra that its mobile network data were kept separate and distinct from customer databases, rarely linked to these databases and not ordered or indexed by reference to particular customers.
On 14 January 2016, having considered the AAT's decision, the Commissioner filed a notice of appeal from a tribunal to the Federal Court of Australia. The Federal Court dismissed the Commissioner's appeal on 19 January 2017. In dismissing the appeal, the Court confirmed that if information is not 'about an individual', the information will not be personal information and, accordingly, the Privacy Act will not apply.
Enforceable undertaking from the Australian Red Cross following inadvertent disclosure by a third-party contractor17
On 5 September 2016, a file containing personal information of approximately 550,000 individuals was inadvertently posted to a publicly accessible section of the Australian Red Cross (the Red Cross) website by a third-party contractor. This included 'personal details' and identifying information such as names, gender, addresses and sexual history.
The Red Cross was only made aware of this breach after an unknown individual notified the Red Cross through multiple intermediaries on 25 October 2016. Upon notification, the Red Cross took a number of immediate steps to contain the breach. This included notifying affected individuals, undertaking a risk assessment of the information compromised and conducting a forensic analysis on the exposed server.
The Commissioner found that the Red Cross did not breach the obligation relating to unauthorised disclosure of personal information, as it did not disclose personal information, this was done by a third-party employee. In addition, it was found that although the Red Cross did not physically hold the personal information, it retained ownership of the information because of the terms of its contract with the third-party contractor. Because of its ownership of the personal information, the Red Cross had an obligation to protect this personal information against unauthorised access or disclosure. The Commissioner concluded that the Red Cross had breached this obligation by failing to properly assess the adequacy of its third-party contractor's security practices and by failing to include control measures to mitigate the risks of contracting with a third party in its contractual arrangements.
The Red Cross accepted an enforceable undertaking on 28 July 2017 to engage an independent review of its third-party management policy and standard operating procedure. The third-party contractor also entered into an enforceable undertaking with the Commissioner's office to establish a data breach response plan and update its data protection policy.
Enforceable undertaking from the Department of Health following identified deficiencies in data encryption processes18
On 1 August 2016, the Department of Health published a sample of 10 per cent of the Medicare and Pharmaceutical Benefit Scheme-related data of patients who had made a claim since 2003. The Department attempted to de-identify the datasets by encrypting the data and removing patients from the dataset with certain rare identifiers. However, in September 2016, academics at the University of Melbourne notified the Department that the 10 per cent sample datasets had significant encryption deficiencies which enabled some of the data to be converted back to its original form. As a result, the Department removed the data from the site and then voluntarily notified the Commissioner.
The Commissioner commenced an investigation under Section 40 of the Privacy Act. The Commissioner found that the Department had:
- failed to implement practices and procedures that ensured that it complied with the APPS, therefore breaching APP 1;
- disclosed personal information about providers that was reasonably identifiable, therefore breaching APP 6; and
- failed to take reasonable steps to protect the personal information it held, therefore breaching APP 11.
The Commissioner accepted an enforceable undertaking from the Department. The Department undertook to engage an independent person to review and report on the Department's policies and procedures regarding the release of personal data under APP 1 and APP 11. The Department also undertook, 12 months later, to engage an external body to audit the recommendations implemented from the first review. The Department provided the Commissioner with copies of both reports.
iii Potential Court Examination of Privacy Act Application
As mentioned in Section VII.i, in March 2020, the Commissioner commenced proceedings against Facebook, Inc and Facebook Ireland Ltd (Facebook) for breaches of the Privacy Act, which the Commissioner identified following the Cambridge Analytica scandal. The Commissioner has alleged that Facebook's actions breached Section 13G of the Privacy Act, as well as APP 6.1 and APP 11.1(b). The Commissioner has alleged that these breaches occurred between March 2014 and May 2015 and occurred in relation to 311,127 Australian Facebook users.
In April 2020, the Commissioner was successfully granted leave by the Federal Court for overseas and substituted service of the originating claim on Facebook's international body corporates.
This case will be the first court examination of the Privacy Act and will likely set a precedent as to the scope of the application of the Privacy Act to overseas entities, and the likely penalties that would be awarded by a court for breaches of the Privacy Act.
iv Private litigation
In general, privacy legislation is only enforceable in Australia by the relevant authority. However, some limited private rights of action do exist, particularly a general right under the Privacy Act for anyone to seek an injunction to restrain conduct that would be a contravention of the Act.19
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The Privacy Act has a broad extraterritorial application and applies to the overseas activities of Australian organisations and foreign organisations that have an 'Australian link'.20
An organisation is considered to have an 'Australian link' if there is an organisational link21 – for example, the organisation is a company incorporated in Australia; or if the organisation carries on business in Australia and collects or holds personal information in Australia.22 This has been interpreted very broadly as including an organisation that has a website that offers goods or services to countries including Australia.23
If an organisation's overseas activity is required by the law of a foreign country, then that activity is not taken to amount to an interference with the privacy of an individual.24
IX CYBERSECURITY AND DATA BREACHES
As stated above, APP 11 requires an organisation to take such steps as are reasonable in the circumstances to protect information from misuse, interference and loss; and from unauthorised access, modification or disclosure.
The obligation in APP 11 would extend to taking reasonable steps to protect information that an organisation holds against cyberattacks. See the discussion on APP 11 in Section III for more details of its requirements.
In addition to the general obligation under APP 11, particular industry sectors are subject by their regulators to take additional measures to protect information (including personal information) that they hold. Government agencies are also generally subject to government-specific security requirements, most notably the Protective Security Policy Framework.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018 and amended the Privacy Act to impose an express obligation on entities to notify the OAIC, affected individuals and at-risk individuals in the event of an 'eligible data breach'.
An eligible data breach refers to any unauthorised access, disclosure or loss of information that a 'reasonable person' is 'likely' to conclude would result in serious harm to an individual. In the event an entity becomes aware that an eligible data breach may have occurred, it must provide a copy of a statement to the OAIC setting out the details of the breach as soon as is practicable. It must also subsequently notify any individuals affected by or at risk of being affected by the eligible data breach.
On 28 August 2020, the OAIC released its Corporate Plan 2020–2021.25 The Corporate Plan indicates that the OAIC's strategic priorities for the coming year are as follows:
- advancing online privacy protection for Australians;
- influencing and upholding privacy and information access rights frameworks;
- encouraging and supporting the proactive release of government-held information; and
- taking a contemporary approach to regulation.
More broadly, it seems likely that privacy regulation in Australia will be strengthened in the coming years. Although draft legislation has not yet been introduced, the federal government has proposed amendments to the Privacy Act, including:
- the increase of penalties for serious or repeated interferences with privacy to the greater of A$10 million, three times the value of any benefit gained by the entity through misusing personal information, or 10 per cent of the entity's annual domestic turnover; and
- the granting of new powers to the Commissioner to allow the latter to issue infringement notices of up to A$63,0000 where entities fail to cooperate with efforts to resolve minor breaches (this would not require a court application).
Further, in July 2019, the Australian Competition and Consumer Competition highlighted consumer concerns around current data practices and released a number of sweeping recommendations relating to privacy in Australia as part of its Digital Platforms Inquiry. Such recommendations include requiring consent for secondary uses of information, the introduction of strengthened notification requirements, and the introduction of protections for de-identified data. Such recommendations passing into law will be a significant tightening of privacy law in Australia. In December 2019, the government committed to conducting a review of the Privacy Act to consider whether reform is necessary to protect consumers and best serve the Australian economy.
In addition, and as noted above, we now have open banking in Australia, with the introduction of the 'consumer data right'. Although still at an early stage, the consumer data right will allow individuals to require their banks to disclose their data to certain third parties. The energy sector is next to be regulated, and it is expected that the telecommunications sector will follow.
Finally, the introduction of the EU's General Data Protection Regulation (GDPR) means that an additional layer of privacy regulation applies to many Australian entities. This is because the GDPR has extraterritorial effect; Australian entities that offer goods or services to individuals in the EU, or monitor individuals in the EU, may be bound by the GDPR.
1 Michael Morris is a partner and Emily Cravigan is a senior associate at Allens.
2 See in particular Giller v. Procopets  VSCA 236.
3 See Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd (2001) 208 CLR 199.
4 Human Rights Act 2004 (ACT) Section 12; Charter of Human Rights and Responsibilities Act 2006 (Vic) Section 13; Human Rights Act 2019 (Qld) Section 25.
7 Section 6D.
8 Section 16 of the Privacy Act.
9 Section 7B(4) of the Privacy Act.
10 Section 7C(1) of the Privacy Act.
11 Section 7B(3) of the Privacy Act.
12 Section 13B of the Privacy Act.
13 'Guide to securing personal information: 'Reasonable steps' to protect personal information: January 2015', available at www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information.
14 Section 7.11, Privacy Guidelines, 'Chapter 7: Australian Privacy Principle 7 – Direct marketing: Version 1.1, 22 July 2019' available at www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-guidelines/chapter-7-app-guidelines-v1.pdf.
15 'Privacy management framework: enabling compliance and encouraging good practice', available at www.oaic.gov.au/privacy/guidance-and-advice/privacy-management-framework-enabling-compliance-
16 'Singtel Optus: enforceable undertaking', available at: www.oaic.gov.au/privacy/privacy-decisions/enforceable-undertakings/singtel-optus-enforceable-undertaking/.
17 'Australian Red Cross Blood Service: enforceable undertaking', available at: www.oaic.gov.au/privacy/privacy-decisions/enforceable-undertakings/australian-red-cross-blood-service-enforceable-undertaking/.
18 'Department of Health: enforceable undertaking', available at: www.oaic.gov.au/privacy/privacy-decisions/enforceable-undertakings/department-of-health-enforceable-undertaking/.
19 Section 98 of the Privacy Act.
20 Section 5B(1A) of the Privacy Act.
21 Section 5B(2) of the Privacy Act.
22 Section 5B(3) of the Privacy Act.
23 Section B.14, Privacy Guidelines, available at www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-guidelines/APP-guidelines-combined-set-v1.pdf.
24 Section 13D(1) of the Privacy Act.