*This report updates a report from 2012
There have been a number of significant developments in Australia’s legal framework related to privacy, including online privacy, in the past five years. Major reforms to the Privacy Act 1988 (Cth) were enacted at the end of the 2012 and came into effect in 2014, including changes to the principles related to the cross-border disclosure of information and direct marketing. In addition, a new data retention system was established, becoming fully effective in early 2017, with internet service providers required to retain certain data about online communications that can then be accessed by government agencies for law enforcement and national security purposes. A further legislative change in 2017 established a requirement for entities covered by the Privacy Act to notify affected individuals and the Information Commissioner of data breaches.
In addition to the legislative changes, the Office of the Australian Information Commission has produced new guidance documents, participated in international studies related to online privacy, and conducted surveys regarding attitudes to privacy among members of the public. There has also been ongoing discussion regarding civil redress for breaches of privacy, including a court case involving “revenge porn” that saw the respondent held liable for breach of confidence. The Australian government has indicated, however, that it does not support the introduction of a new statutory cause of action for invasion of privacy.
During the period from 2012 to 2017, several significant legislative changes were made in Australia in relation to privacy law, with implications for online privacy.
As noted in the Law Library of Congress report on online privacy, published in 2012, the Australian government had at that time introduced the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth). The bill included provisions that would implement more than half of the Australian Law Reform Commission’s (ALRC’s) recommendations contained in its 2008 report on reforming privacy law. The bill was subsequently enacted at the end of 2012 and the amendments to the Privacy Act 1988 (Cth) came into effect in March 2014.
Following those reforms, there was considerable debate about a proposal to establish a requirement for telecommunications service providers, including internet service providers, to retain certain communications data that could then be accessed for law enforcement or national security purposes. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (Cth) was enacted in in April 2015 and the implementation period ended in April 2017, at which time all service providers were required to be fully compliant with the legislation.
A further development in 2017 was the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth). This legislation implements recommendations that the Parliamentary Joint Committee on Intelligence and Security made in the context of its consideration of the data retention bill, as well as recommendations of the ALRC in its 2008 report.
Also during this period, in 2014, the ALRC completed an inquiry into the protection of privacy in the digital era, which addressed “both prevention and remedies for serious invasions of privacy.” However, the current government has indicated that it does not support a tort of invasion of privacy, which the ALRC recommended establishing through a new statutory cause of action. Such a recommendation was also included in the ALRC’s 2008 report, and similar recommendations were made in 2009 by the New South Wales Law Reform Commission and in 2010 by the Victorian Law Commission. In 2016, the first bill in Australia related to remedies for serious invasions of privacy was introduced by a member of parliament in New South Wales, following an inquiry conducted by a parliamentary committee. The bill lapsed at the end of that year.
In the absence of a specific cause of action for breach of privacy, plaintiffs may be able to utilize other actions in certain situations. For example, in a 2015 “revenge porn” case, the court found that the respondent was liable for breach of confidence.
Other discussions relevant to online privacy have taken place within the federal government. For example, in 2013, the Australian Communications and Media Authority released a paper that discusses developments in the digital data environment and their impact on privacy. It also published other papers related to mobile applications, cloud services, and near field communications.
II. Legislative Changes
A. Privacy Amendment (Enhancing Privacy Protection) Act 2012
1. Key Changes
The “significant reforms” to the Privacy Act 1988 (Cth) contained in the 2012 Amendment Act
- create a single set of Australian Privacy Principles (APPs) applying to both Australian Government agencies and the private sector. These principles replaced the Information Privacy Principles and National Privacy Principles and set out the standards, rights and obligations for collecting, handling, holding, accessing, using, disclosing and correcting personal information
- introduce more comprehensive credit reporting for consumer credit, improved privacy protections and more logical, consistent and simple language
- strengthen the functions and powers of the Australian Information Commissioner to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance
- create new provisions on privacy codes and the credit reporting code, including codes that are binding on specified agencies and organisations.
The thirteen Australian Privacy Principles (APPs) are contained in schedule 1 of the Privacy Act 1988 (Cth) and are divided into five parts:
Part 1 sets out principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way.
Part 2 sets out principles that deal with the collection of personal information including unsolicited personal information.
Part 3 sets out principles about how APP entities deal with personal information and government related identifiers. The Part includes principles about the use and disclosure of personal information and those identifiers.
Part 4 sets out principles about the integrity of personal information. The Part includes principles about the quality and security of personal information.
Part 5 sets out principles that deal with requests for access to, and the correction of, personal information.
Some of the new APPs differ from the previous Information Privacy Principles (which applied to Australian government agencies) and National Privacy Principles (which applied to private sector entities with annual turnover of more than AU$3 million, as well as those that handle certain information or opt in). This includes “APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.”
Following the passage of the 2012 Amendment Act, new regulations were developed, the Privacy Regulation 2013 (Cth), which came into effect at the same time as the amendments.
2. Cross-Border Disclosure of Personal Information
APP 8, on cross-border disclosure of information, along with section 16C of the Privacy Act 1988 (Cth), establishes a framework that follows the “accountability approach” to this issue that was adopted by the APEC Privacy Framework in 20014, shifting away from the “adequacy approach” adopted by the European Union, which had previously been reflected in the Act. The new approach “generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.” The Office of the Australian Information Commissioner (OAIC) guidance on this APP includes examples relevant to online privacy, stating that an APP entity will be considered to have “disclosed” personal information about an individual if it “publishes the personal information on the internet, whether intentionally or not, and it is accessible to an overseas recipient.” It also covers the situation where “an APP entity engages a contractor located overseas to perform services on its behalf” and provides it with personal information. For example, a disclosure would include the scenario where “an Australian based retailer outsources the processing of online purchases through its website to an overseas contractor and, in order to facilitate this, provides the overseas contractor with personal information about its customers.”
There are exceptions to the requirement in APP 8.1 to take “reasonable steps” to ensure an overseas recipient does not breach the APPs. If the overseas recipient of the information is subject to a law that protects information in a “substantially similar” way to the APPs, and mechanisms can be accessed by the individual to enforce that protection, then the APP entity in Australia does not need to comply with APP 8.1. An APP entity may also not need to comply with APP 8.1 if it “expressly informs the individual that if they consent to the disclosure, this principle will not apply,” and the individual consents to the disclosure. Other exceptions relate to, for example, law enforcement activities, protection of health and life, and compliance with other laws and regulations.
3. Direct Marketing
The new APP 7 establishes a separate, general prohibition on direct marketing. Previously, the use or disclosure of information for direct marketing purposes was an exception in one of the NPPs. Under the reforms, entities “may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.”
4. Functions and Powers of the Information Commissioner
As noted above, the amendments to the Privacy Act in 2012 were intended to “improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.” The amendments “also restructure relevant provisions dealing with the powers and functions of the Commissioner to improve clarity and consistency in the provisions.”
The functions of the Commissioner are now divided into guidance-related functions, monitoring-related functions, advice-related functions, and any functions conferred by the Act or other legislation, including investigating complaints about actions or practices that may interfere with the privacy of individuals.
B. Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
Under the data retention system established by amendments to the Telecommunications (Interception and Access) Act 1979 (Cth), telecommunications service providers, including internet service providers, are “required to retain a particular set of telecommunications data for at least two years.” The type of data that must be retained includes “information about a communication rather than the content or substance of a communication.” This means, for example, that for emails, the retention requirements apply to “information such as the relevant email addresses and when it was sent—not the subject line of the email or its content.” Furthermore, the legislation “does not require companies to retain data that may amount to a person’s web-browsing history.” Companies are also not required to keep data about a person’s use of social media.
The legislation enables agencies to access the data as part of serious criminal or national security investigations, subject to various safeguards.
C. Privacy Amendment (Notifiable Data Breaches) Act 2017
The new system for notifiable data breaches, which will come into effect in February 2018, requires “government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm.” The notice must include recommendations that such individuals should take in response to the breach. The OAIC must also be informed of data breaches and can determine what further action is required. The Commissioner has the authority to direct an entity to notify individuals if it has not done so.
III. Court Decision Relating to “Revenge Porn”
In early 2015, the Supreme Court of Western Australia issued a decision in which it found in favor of a plaintiff in a “revenge porn” case involving the posting of private images on Facebook. The plaintiff relied on a breach of confidence cause of action, which involves the unauthorized use of confidential information, as there is no statutory or common law tort of invasion of privacy in Australia. The court exercised its equitable jurisdiction in issuing an injunction against further disclosure of the photographs at issue, and also ordered that the defendant pay compensation.
IV. Guidance and Studies Related to Online Privacy
In the past five years, the OAIC has produced various guidance documents related to the amended Privacy Act and developments in online technology, and has participated in international studies regarding the protection of privacy online. These include the following:
- The 2015 Guide to Securing Personal Information, which is intended to be read alongside the Australian Privacy Principles Guidelines. The Guide is intended for use by entities covered by the Privacy Act and will be referred to by the OAIC in undertaking its functions. The APP Guidelines outline mandatory requirements contained in the APPs, how the APPs will be interpreted by the OAIC, and matters that the OAIC may take into account when exercising its functions.
- A “better practice guide” for mobile app developers, published in 2014, which is intended to help developers embed better privacy practices in their products and services and help those operating in the Australian market to comply with Australian privacy law.
- An August 2013 press release on the results of a “privacy sweep” of the websites most used by Australians, which was part of the “first international internet privacy sweep, an initiative of the Global Privacy Enforcement Network (GPEN).” As part of the sweep, “[a]lmost 50 website privacy policies were assessed for accessibility, readability and content,” as well as being assessed against new transparency criteria in the Privacy Act.
- A September 2016 press release regarding a global sweep of the “Internet of Things,” which was also a GPEN initiative. The Australian Privacy Commissioner “found that the Australian businesses assessed as part of the sweep generally lacked clear information for customers about how their personal information was being managed — with more than half failing to adequately explain how personal information was collected, used and disclosed.”
V. “Attitudes to Privacy” Surveys
The OAIC again ran the “Community Attitudes to Privacy” survey project in 2013 and 2017, having conducted similar surveys periodically since 1990. In the most recent survey, among the biggest privacy risks that respondents identified were online services, including social media sites. The report notes that “[t]he majority of Australians claim to be more concerned about the privacy of their personal information when using the internet than five years ago (69%), a consistent finding compared to the last two surveys. A new question this year revealed that more than eight in ten (83%) believe the privacy risks are greater when dealing with an organisation online compared with other means.”
However, despite their concerns about online privacy, respondents indicated that they did not use some of the privacy protections available: “Over three in five (61%) Australians do not regularly read online privacy policies and about half do not regularly shred documents (50%), clear their browsing history (50%), or adjust their privacy settings on social media sites (43%).”
Prepared by Kelly Buchanan
Chief, Foreign, Comparative, and International Law Division I
 Kelly Buchanan, Online Privacy Law: Australia (Law Library of Congress, June 2012), https://www.loc. gov/law/help/online-privacy-law/2012/australia.php.
 Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Parliament of Australia, https://www.aph.gov. au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r4813 (last visited Nov. 14, 2017), archived at https://perma.cc/5RWC-934K; Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), https://www.legislation.gov.au/Details/C2015C00053, archived at http://perma.cc/5S67-3FBK.
 See Kelly Buchanan, Australia: New Privacy Law Comes into Effect, Global Legal Monitor (Mar. 21, 2014), https://www.loc.gov/law/foreign-news/article/australia-new-privacy-law-comes-into-effect/.
 Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, Parliament of Australia, https://www.aph.gov.au/Parliamentary_Business/Bills_LEGislation/Bills_Search_Results/ Result?bId=r5375 (last visited Nov. 14, 2017), archived at https://perma.cc/XL6L-29K2; Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth),https://www.legislation.gov. au/Details/C2015A00039, archived at https://perma.cc/9ZUZ-PGMC. See also Kelly Buchanan, Australia: Committee Report on Data Retention Bill Released, Global Legal Monitor (Mar. 4, 2015), //www.loc.gov/law/foreign-news/article/australia-committee-report-on-data-retention-bill-released/.
 Attorney General’s Department, Data Retention Implementation Period Ends on 13 April 2017: What Service Providers Should Know (Mar. 22, 2017), https://www.ag.gov.au/NationalSecurity/DataRetention/Documents/Fact-sheet-data-retention-implementation-period.pdf, archived at https://perma.cc/8LMM-95TM.
 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), https://www.legislation.gov.au/Details/ C2017A00012, archived at https://perma.cc/R4MT-RHVG. See also Kelly Buchanan, Australia: Bill Passed Requiring Notification of Data Breaches, Global Legal Monitor (Feb. 15, 2017), //www.loc.gov/law/ foreign-news/article/australia-bill-passed-requiring-notification-of-data-breaches/.
 Privacy Amendment (Notifiable Data Breaches) Bill 2016, Parliament of Australia, https://www.aph.gov. au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r5747 (last visited Nov. 14, 2017), archived at https://perma.cc/7CKD-WQGS.
 Serious Invasions of Privacy, Australian Law Reform Commission (ALRC),https://www.alrc.gov.au/ inquiries/invasions-privacy (last visited Nov. 14, 2017), archived at https://perma.cc/BH4Y-2473; ALRC, Serious Invasions of Privacy in the Digital Era: Final Report (ALRC Report 123, June 2014), https://www.alrc.gov. au/sites/default/files/pdfs/publications/final_report_123_whole_report.pdf, archived at https://perma.cc/X8XU-BUEP.
 See ALRC Report on Serious Invasions of Privacy in the Digital Era, King & Wood Mallesons (Sept. 3, 2014), http://www.kwm.com/en/au/knowledge/insights/alrc-report-on-serious-invasions-of-privacy-in-the-digital-era-20140903, archived at https://perma.cc/W6YX-QY2Y; Normann Witzleb, It’s Time for Privacy Invasion to Be a Legal Wrong, The Conversation (Sept. 4, 2014),https://theconversation.com/its-time-for-privacy-invasion-to-be-a-legal-wrong-31288, archived at https://perma.cc/UW56-RJGG.
 See Privacy, NSW Law Reform Commission,http://www.lawreform.justice.nsw.gov.au/Pages/lrc/lrc_ completed_projects/lrc_privacy.aspx (last updated Feb. 23, 2017), archived at https://perma.cc/JWR5-G2ZN; NSW Law Reform Commission, Invasion of Privacy (Report 120, Apr. 2009), http://www.lawreform.justice. nsw.gov.au/Documents/Publications/Reports/Report-120.pdf, archived at https://perma.cc/MB3B-RWXJ.
 Surveillance in Public Places, Victorian Law Reform Commission,http://www.lawreform.vic.gov.au/all-projects/surveillance-public-places (last updated Nov. 14, 2017), archived at https://perma.cc/X5V4-QEMK; Keeping Privacy Lives Private, Victorian Law Reform Commission (Oct. 1, 2011),http://www.lawreform.vic. gov.au/publications-and-media/journal-articles/keeping-private-lives-private, archived at https://perma.cc/N56J-VHHC.
 Civil Remedies for Serious Invasions of Privacy Bill 2016, Parliament of New South Wales, https://www.parliament.nsw.gov.au/bills/Pages/bill-details.aspx?pk=3307(last visited Nov. 15, 2017), archived at https://perma.cc/SPY8-TFVK.
 Remedies for Serious Invasion of Privacy in New South Wales, Parliament of New South Wales,https://www.parliament.nsw.gov.au/committees/inquiries/Pages/inquiry-details.aspx?pk=1877 (last visited Nov. 15, 2017), archived at https://perma.cc/NHU7-XP2N.
 See Kelly Buchanan, Australia: Damages Awarded in Revenge Porn Case, Global Legal Monitor (Feb. 12, 2015), //www.loc.gov/law/foreign-news/article/australia-damages-awarded-in-revenge-porn-case/.
 Privacy and Digital Data – Emerging Issues, Australian Communications and Media Authority,https://www.acma.gov.au/theACMA/About/The-ACMA-story/Connected-regulation/privacy-and-digital-data-emerging-issues (last updated Oct. 21, 2013), archived at https://perma.cc/9QPN-PFAD.
 Privacy Act Amendments,Attorney-General’s Department, https://www.ag.gov.au/RightsAndProtections/ Privacy/Pages/PrivacyActamendments.aspx (last visited Nov. 15, 2017), archived at https://perma.cc/UG2Q-KRXG.
 Privacy Act 1988 (Cth), sch 1, Overview of the Australian Privacy Principles, https://www.legislation.gov. au/Details/C2017C00283, archived at https://perma.cc/KC3Y-NPDU. For a list of the principles, see Privacy Fact Sheet 17: Australian Privacy Principles, Office of the Australian Information Commissioner (OAIC), https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles (last updated Jan. 2014), archived at https://perma.cc/AVT4-LF9G.
 For comparisons between the APP and NPP, and the APP and IPP, see Australian Privacy Principles and National Privacy Principles – Comparison Guide, OAIC (Apr. 2013),https://www.oaic.gov.au/agencies-and-organisations/guides/australian-privacy-principles-and-national-privacy-principles-comparison-guide, archived at https://perma.cc/QGH6-6J5L, and Australian Privacy Principles and Information Privacy Principles – Comparison Guide, OAIC (Apr. 2013), https://www.oaic.gov.au/agencies-and-organisations/guides/australian-privacy-principles-and-information-privacy-principles-comparison-guide, archived at https://perma.cc/B49S-SNW7.
 Privacy Reforms, Attorney-General’s Department,https://www.ag.gov.au/RightsAndProtections/ Privacy/Pages/Privacyreforms.aspx (last visited Nov. 15, 2017), archived at https://perma.cc/958K-MVF3.
 Privacy Regulation 2013 (Cth), https://www.legislation.gov.au/Details/F2017C00191, archived at https://perma.cc/3ABR-2DHX.
 Parliament of Australia, Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Explanatory Memorandum 70, http://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r4813_ems_00948d06-092b-447e-9191-5706fdfa0728/upload_pdf/368711.pdf;fileType=application%2Fpdf, archived at https://perma.cc/5Z7D-FLSH.
 APP Guidelines, Chapter 8: APP 8 – Cross-Border Disclosure of Personal Information, OAIC (version 1.1, Mar. 2015),https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information, archived at https://perma.cc/48Z5-U8NH.
 Australian Privacy Principles and National Privacy Principles – Comparison Guide, supra note 19; Explanatory Memorandum, supra note 22, at 81–2 & 216–7.
 Explanatory Memorandum, supra note 22, at 4–5.
 Privacy Act 1988 (Cth) pts IV & V.
 Telecommunications (Interception and Access) Act 1979 (Cth), https://www.legislation.gov.au/Details/ C2017C00308, archived at https://perma.cc/DFE3-FPFN.
 Frequently Asked Questions about the Data Retention Obligations, Attorney-General’s Department,https://www.ag.gov.au/NationalSecurity/DataRetention/Pages/Frequentlyaskedquestions.aspx (last visited Nov. 15, 2017), archived at https://perma.cc/TY54-6L6C.
 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 2.
 Press Release, OAIC, Mandatory Data Breach Notification (Feb. 13, 2017), https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification#mandatory-data-breach-notification, archived at https://perma.cc/7NLN-MVDX.
 Notifiable Data Breaches: Resources for Businesses and Agencies, OAIC,https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/ (last visited Nov. 15, 2017), archived at https://perma.cc/6EJA-8EGD.
 Wilson v Ferguson  WASC 15 (6 January 2015), http://www8.austlii.edu.au/cgi-bin/sign.cgi/au/cases/ wa/WASC/2015/15, archived at https://perma.cc/M5PB-DXSS.
 Id. ¶ 2.
 Guide to Securing Personal Information, OAIC (Jan. 2015),https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information, archived at https://perma.cc/87BN-AVNC.
 APP Guidelines, OAIC (last updated Apr. 1, 2015), https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/, archived at https://perma.cc/NCN6-BK9P.
 Guide for Mobile App Developers, OAIC (Sept. 2014),https://www.oaic.gov.au/agencies-and-organisations/guides/guide-for-mobile-app-developers, archived at https://perma.cc/L4KT-624R.
 Press Release, OAIC, Privacy Commissioner: Website Privacy Policies are too Long and Complex (Aug. 14, 2013), https://www.oaic.gov.au/media-and-speeches/media-releases/privacy-commissioner-website-privacy-policies-are-too-long-and-complex, archived at https://perma.cc/VYZ8-K2ER.
 Press Release, OAIC, Privacy Commissioners Reveal the Hidden Risks of the Internet of Things (Sept. 23, 2016), https://www.oaic.gov.au/media-and-speeches/media-releases/privacy-commissioners-reveal-the-hidden-risks-of-the-internet-of-things, archived at https://perma.cc/D4BX-9K2A.
 Community Attitudes, OAIC,https://www.oaic.gov.au/engage-with-us/community-attitudes/ (last visited Nov. 15, 2017), archived at https://perma.cc/3DTD-48DE.
 Australian Community Attitudes to Privacy Survey 2017, OAIC (https://www.oaic.gov.au/engage-with-us/community-attitudes/australian-community-attitudes-to-privacy-survey-2017 (last visited Nov. 15, 2017), archived at https://perma.cc/ZS9Z-JGRB.
Last Updated: 04/05/2018