AUSTRALIA - Data Protection and GDPR Review


The history of data protection in Australia has seen gradual but significant changes over the years, reflecting the nation's increasing engagement with digital technology and global data trends. Here is an overview of some of the key developments:

1970s-1980s: Early Awareness and State Laws

  • 1970s: The Australian government began recognizing the importance of data protection with the advent of computerized data systems. Various states initiated their own data protection laws focusing on public sector data.

1980s: Privacy Act and National Privacy Principles

  • 1988: The Australian federal government enacted the Privacy Act 1988 (Cth), which initially applied only to Australian Government agencies, the ACT administration, and, in part, to ACT and Norfolk Island agencies.

1990s: Expanding Scope and Health Records

  • 1990: Victoria enacted the Information Privacy Act 2000, focusing on state public sector data protection.

  • 1997: The Commonwealth amended the Privacy Act to include private health service providers and certain small businesses.

2000s: Towards Comprehensive Protection

  • 2000: The Privacy Amendment (Private Sector) Act 2000, which came into effect in 2001, extended the Privacy Act to cover private sector organizations.

  • 2008: The Australian Law Reform Commission (ALRC) reviewed the Privacy Act and made several recommendations.

2010s: Major Reforms and GDPR Impact

  • 2012: The Privacy Amendment (Enhancing Privacy Protection) Act 2012 brought significant changes to the Privacy Act, including a single set of new, harmonized privacy principles, the Australian Privacy Principles (APPs), which replaced the National Privacy Principles and the Information Privacy Principles.

  • 2014: The new amendments and APPs took effect.

  • 2017: The Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breach (NDB) scheme in Australia, which requires organizations to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm."

  • 2018: The General Data Protection Regulation (GDPR) in the EU had a global impact, affecting Australian companies dealing with EU citizens. The Australian government began examining the possibility of further updates to national laws to harmonize with international standards.

2020s: Ongoing Developments

  • 2020-2021: Consultations and discussions continue on updating Australia’s privacy laws, focusing on issues like consent, overseas data flow, and the effectiveness of enforcement measures.

Australia’s data protection laws are under continual review, influenced by global developments like the GDPR, technological advances, and the increasingly complex landscape of digital information.

This historical timeline is meant to provide a broad overview and may not cover all details and nuances of Australia's data protection laws and regulations.


While the General Data Protection Regulation (GDPR) is an EU regulation, it has extraterritorial reach and can affect businesses and organizations operating in Australia. This guide offers a comprehensive overview of how Australian entities can achieve GDPR compliance while also abiding by local data protection laws.

Table of Contents

  1. The Extraterritorial Scope of GDPR

  2. Australian Data Protection Laws

  3. Who is Affected?

  4. Rights of EU Data Subjects

  5. Responsibilities Under GDPR

  6. Data Protection Officer (DPO)

  7. Data Breach Notification

  8. International Data Transfers

  9. Fines and Penalties

  10. Steps for Compliance

  11. FAQs

  12. Conclusion

1. The Extraterritorial Scope of GDPR

GDPR applies to organizations both within and outside the EU that process personal data of EU citizens. Australian businesses offering goods or services to EU citizens or monitoring their behavior are subject to GDPR.

2. Australian Data Protection Laws

Australia's primary data protection law is the Privacy Act 1988, which is enforced by the Office of the Australian Information Commissioner (OAIC). It includes the Australian Privacy Principles (APPs) that guide how personal information should be handled.

3. Who is Affected?

Any Australian business or organization that:

  • Offers goods or services to EU citizens, or

  • Monitors the behavior of EU citizens,

is obligated to comply with GDPR.

4. Rights of EU Data Subjects

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to data portability

  • Right to object

  • Rights related to automated decision-making

5. Responsibilities Under GDPR

Australian businesses must:

  • Obtain explicit consent for data processing.

  • Conduct Data Protection Impact Assessments (DPIAs) for riskier data processing.

  • Implement data protection measures such as encryption and regular security audits.

6. Data Protection Officer (DPO)

Some organizations may need to appoint a Data Protection Officer knowledgeable in data protection laws and practices, including GDPR.

7. Data Breach Notification

You are obligated to report a data breach affecting EU citizens' data to the relevant EU data protection authority within 72 hours.

8. International Data Transfers

Australian businesses must ensure that data transfers to non-EU countries comply with GDPR requirements, often through Standard Contractual Clauses (SCCs) or other legal mechanisms.

9. Fines and Penalties

Non-compliance could result in fines up to €20 million or 4% of the company’s global annual turnover, whichever is higher.

10. Steps for Compliance

  • Audit existing data and practices.

  • Update Privacy Policy and Consent Forms.

  • Train employees.

  • Review contracts with third-party vendors.

  • Appoint a Data Protection Officer if required.

11. FAQs

  • How does Australian law intersect with GDPR?

    • Compliance with Australian data protection laws like the Privacy Act doesn't automatically mean compliance with GDPR. Both need to be adhered to separately.


  • Is a Data Protection Officer always necessary?

    • No, only in specific cases, such as large-scale data processing, is a DPO mandatory.


12. Conclusion

GDPR compliance is a serious obligation for Australian businesses that engage with EU citizens. By being proactive, you not only avoid severe penalties but also gain trust from customers by respecting their data privacy.

Disclaimer: This guide is intended for informational purposes and should not be considered as legal advice.

Understanding GDPR and its implications is a crucial step towards a transparent and secure data processing environment. It is advisable to consult with legal experts to tailor your data protection strategies to your specific needs.
