Privacy in Australia: overview

A Q&A guide to privacy in Australia.

The Q&A guide gives a high-level overview of privacy rules and principles, including which national laws regulate the right to respect for private and family life and freedom of expression, to whom the rules apply, and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement.

To compare answers across multiple jurisdictions, visit the Privacy Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Legislation

1. What national laws (if any) regulate the right to respect for private and family life and freedom of expression?

Privacy

Legislation. The federal Privacy Act 1988 (Cth) (Privacy Act) regulates the handling of personal data (referred to in the Act as "personal information"). Personal information is any information that can identify an individual (for example, an individual's name and address, resume or photograph), whether or not the information is true or the individual is named. Essentially, where information is sufficiently specific so as to enable identification of the data subject, it will constitute personal information.

The Privacy Act sets out 13 legally binding principles (referred to in the Privacy Act as the Australian Privacy Principles) that stipulate the minimum standards for collecting, storing, securing, maintaining, using and disclosing personal data.

Common law. Unlike some other jurisdictions (such as the US), there is no common law tort of invasion of privacy in Australia, although there has been some suggestion that the courts may be open to such a development (Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199).

Freedom of expression

Australians do not enjoy an explicit constitutional or legislative right to freedom of expression. Instead, a freedom of political communication is implied from the text and structure of the Constitution (Lange v Australian Broadcasting Corporation (1997) 189 CLR 520). However, this implied freedom of political communication acts as a restriction on government power rather than as a personal right (McCloy v New South Wales (2015) 89 ALJR 857).

 
2. Who can commence proceedings to protect privacy?

The Privacy Act does not create a cause of action that allows data subjects to sue for an invasion of privacy. However, the Privacy Act does confer certain enforcement powers on the Information Commissioner, to whom aggrieved data subjects can make complaints.

Where a data subject makes a complaint to the Commissioner, the Commissioner can:

  • Attempt, by conciliation, to settle the complaint between the parties.

  • Make a determination in response to the complaint.

If a determination is made in response to a data subject's complaint, either the Commissioner or the data subject can commence proceedings to enforce the determination.

The Commissioner can also make determinations based on investigations conducted on its own motion and commence proceedings to enforce such determinations.

In addition, the Commissioner, the data subject or any other person has the right to commence proceedings to seek injunctive relief where an entity has engaged, or is proposing to engage, in any conduct that would constitute a breach of the Privacy Act.

Although the Australian Law Reform Commission (ALRC) has recommended that a new statutory cause of action be introduced for serious invasions of privacy, it seems unlikely that the current government will implement the ALRC's recommendations.

 
3. What privacy rights are granted and imposed?

The Australian Privacy Principles (APPs) mainly consist of obligations placed on private sector organisations and federal government agencies. However, the following rights are granted to individuals:

  • Right of access. Subject to certain exceptions, entities must provide data subjects with access to their personal data.

  • Right of correction. An entity must take reasonable steps to correct a data subject's personal data at their request.

  • Right of complaint. Data subjects can complain to the Commissioner about the handling of their personal data by entities bound by the Privacy Act.

Broadly, the key privacy obligations for entities bound by the Privacy Act are as follows:

  • Entities must take reasonable steps to implement procedures that ensure compliance with the APPs and make available a privacy policy that addresses a list of prescribed matters (APP 1).

  • Entities must comply with certain restrictions when collecting personal data (such as obtaining consent to the collection of sensitive information) (APP 3).

  • Entities must notify data subjects of certain matters when personal data is collected (APP 5).

  • Subject to certain exceptions, if an entity holds personal data that was collected for a particular purpose, it must not use or disclose that information for another purpose without the data subject's consent (APP 6).

  • Subject to certain exceptions, before an entity discloses personal data to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs (APP 8). In certain circumstances, the entity can be deemed liable for any breach of the APPs committed by the overseas recipient.

  • Entities must take reasonable steps to protect the personal data they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11).

 
4. What is the jurisdictional scope of the privacy law rules?

The Privacy Act applies to acts or practices engaged in within Australia.

The Privacy Act also extends to acts or practices engaged in outside Australia by any entity with an Australian link. An entity has an "Australian link" if it was formed or incorporated in Australia. An entity that was formed or incorporated outside of Australia can also have an Australian link if both:

  • It carries on business in Australia.

  • The personal data was collected by the entity in Australia.

According to the Australian Privacy Principle Guidelines (a non-binding set of guidelines issued by the Information Commissioner (Commissioner)), a foreign company that collects the personal data of Australians will have an Australian link if it has some activity in Australia that forms part of its business (for example, the company has a website that offers goods or services to countries including Australia).

In addition, in certain circumstances an entity may be held liable where it discloses personal data overseas and the overseas recipient breaches the Australian Privacy Principles in relation to that data.

 
5. What remedies are available to redress the infringement of those privacy rights?

Non-compliance with the Privacy Act can result in the following sanctions:

  • Determinations. The Commissioner can (either in response to a complaint or an own-motion investigation) make determinations that:

    • an act or practice constitutes an interference with privacy;

    • the entity must take specified steps to ensure that the act or practice is not repeated or continued;

    • the affected data subject is entitled to compensation or other redress (the Commissioner can award compensation for "loss or damage", which includes injury to the data subject's feelings or humiliation suffered by the data subject).

For example, in the determination entitled 'EQ' and Great Barrier Reef Marine Park Authority [2015] AICmr 11 (2 February 2015), the Commissioner ordered that the complainant be compensated A$5,000 for non-economic loss and that the respondent conduct a review of its training for its staff and its agents who handle personal data.

If the determination was made in response to an investigation conducted by the Commissioner on its own motion, the Commissioner can commence proceedings to enforce the determination. If the determination was made in response to a data subject's complaint, either the Commissioner or the data subject can commence proceedings to enforce the determination. If proceedings to enforce a determination are commenced, the court will consider whether the offending entity has breached the Privacy Act by way of a fresh hearing of the case.

In addition, the Commissioner, the data subject or any other person has the right to commence proceedings to seek injunctive relief where an entity has engaged, or is proposing to engage, in any conduct that would constitute a breach of the Privacy Act.

  • Penalties. The Commissioner can apply to the court for a civil penalty order. For serious or repeated breaches of the Privacy Act, these can be:

    • A$360,000 for individuals; or

    • A$1.8 million for corporations.

These penalties are regulatory fines and cannot be used to compensate data subjects.

The Commissioner also has powers to:

  • Audit an entity's compliance.

  • Accept written undertakings (and commence proceedings to enforce them).

 
6. Are there any other ways in which privacy rights can be enforced?

In the absence of a statutory tort of privacy invasion, in certain circumstances data subjects may be able to turn to other causes of action for redress. These can include claims for:

  • Breach of confidence. Privacy breaches can be pursued through an action for breach of confidence. In Australia, damages for distress are available in successful claims for breach of confidence. However, plaintiffs relying on a breach of confidence have generally shown that their confidential information was deliberately disclosed by the entity.

  • Breach of contract. Data subjects can commence action for breach of contract by relying on an express or implied contractual promise by an entity to keep personal data secure. However, damages will not be recoverable unless the data subject can prove actual economic harm.

  • Negligence. Negligent invasions of privacy can be actionable under the common law tort of negligence. The data subject would need to establish that physical injury, psychiatric illness, property damage or financial loss has been suffered because of the defendant's negligent breach.

 

Contributor profiles

Michael Morris, Partner

Allens

T +61 7 3334 3279
E michael.morris@allens.com.au
W www.allens.com.au
Professional qualifications. LLB (Hons) BBus; Solicitor, Queensland, Australia
Areas of practice. Communications; technology; intellectual property; data protection.

Emily Cravigan, Senior Associate

Allens

T +61 7 3334 3409
E emily.cravigan@allens.com.au
W www.allens.com.au

Professional qualifications. LLB (Hons) BA; Solicitor, Queensland, Australia

Areas of practice. Communications; technology; intellectual property; data protection.

