Support Centre

Australia

Summary

LawPrivacy Act 1988 (No. 119, 1988) (as amended) (the Privacy Act) 

Regulator: The Office of the Australian Information Commissioner (OAIC) 

Summary: The Privacy Act, which includes a set of Australian Privacy Principles, provides general personal data protection requirements and provisions, including the right to access and to be informed. The Privacy Act does not explicitly refer to 'data controllers' or 'data processors,' nor does it include provisions regarding data protection officer appointments or Data Protection Impact Assessments. On February 22, 2018, the 'notifiable data breaches' provisions of the Privacy Act came into effect, requiring mandatory notification of all 'eligible data breaches' to the OAIC and affected individuals. In 2019 the Australian Government passed the Treasury Laws Amendment (Consumer Data Right) Bill, which provides consumers with the right to data portability to switch between products and services.

Notably, the Australian Parliament approved the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the 2022 Bill), which came into effect on December 13, 2022. The 2022 Bill significantly increases penalties for repeated or serious privacy breaches by companies that fail to take adequate care of customer data and provides the OAIC with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect impacted customers.

On February 16, 2023, the Attorney General released a Privacy Act Review Report (the Report) outlining 116 proposed legislative reforms to the Privacy Act, informed by feedback received in response to its Issues Paper and a Discussion Paper. Subsequently, on September 12, 2024, the Privacy and Other Legislation Amendment Bill 2024 (the 2024 Bill) was introduced to Parliament. The 2024 Bill seeks to implement 23 of the legislative proposals from the Report including strengthening the enforcement powers of the OAIC, establishing provisions related to children's online privacy, automated decision-making, and data breaches. The 2024 Bill also creates a statutory tort for serious invasions of privacy and amends the Criminal Code Act 1995 to create new privacy-related criminal offenses.

Insights

On September 5, 2024, the Department of Industry, Science and Resources (DISR) published a paper on Safe and responsible AI in Australia: Proposals paper for introducing mandatory guardrails for AI in high-risk settings (the Proposed Guardrails). The DSIR also announced a public consultation on the paper to receive feedback which will be used to guide Australia's approach to artificial intelligence (AI) regulation.

OneTrust DataGuidance provides an overview of the proposed guardrails and how they compare to other emerging AI regulations, with expert comments provided by Alec Christie, from Clyde & Co LLP.

The Australian Government released the 2023-2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper (the Consultation Paper) in December 2023. The Consultation Paper follows the Australian Government's 2023-2030 Australian Cyber Security Strategy (the Strategy). The Strategy aims to build 'cyber shields' to strengthen Australia's cyber defenses and build resilience against cyber-attacks. Katherine Sainty, Kaelah Dowman, and Sarah Macken, from Sainty Law, explore the current ransomware environment in Australia and the Government's proposed ransomware reporting obligations.

In an increasingly digitized world, safeguarding against cyber attacks has become pivotal for modern businesses. The alarming rate at which cyber attacks are evolving creates significant challenges for Australian businesses in maintaining data security and integrity. Data management is an important tool for businesses to mitigate cyberattacks and maintain strong security measures. Data management strategies, such as data minimization, data de-identification, and data governance frameworks help fortify a business's defenses against cybercriminals and limit risks associated with the collection, use, and storage of data assets. Katherine Sainty and Sarah Macken, from Sainty Law, look specifically at data governance, data minimization, and data de-identification, and how businesses can best utilize these to safeguard data.

Technological developments are advancing rapidly, creating an abundance of opportunities, and connecting people and systems globally. Approximately 99% of Australians use the internet, highlighting how technology has become an essential component of daily life, linking workplaces, schools, and homes. These advancements and an increased reliance on technology means Australians are more susceptible to cyber threats and cybercriminals are becoming more adaptable and proficient than ever before. There is mounting pressure on the Australian government to address cyber threats through regulation. On November 22, 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy (the Strategy). Katherine Sainty, Kaelah Dowman, and Sarah Macken, from Sainty Law, discuss the development of the Strategy and how it will be released, as well as next steps.

The development and use of artificial intelligence (AI) is growing at unprecedented rates globally, with mounting pressure on Australian regulators to establish adequate frameworks to govern its use in Australia. While AI has the capacity to provide many benefits, the potential risks associated with its use and rapid growth must be considered by regulators.

In September 2023, the Digital Platform Regulators forum1 (DP-REG) published its joint submission (the Submission) in response to a Department of Industry, Science and Resources (DISR) consultation for their discussion paper, 'Supporting Responsible AI in Australia' (the Discussion Paper). Katherine Sainty, Lily O Brien, Kaelah Dowman, and Sarah Macken, from Sainty Law, discuss the contents of both the Submission and the Discussion Paper and some of the key benefits and risks of AI.

The spam email lurking in your junk folder could be more dangerous than you think. Every day, a substantial proportion of all emails and SMS messages sent across the globe are spam messages. With the risk of spam messages ranging from mere annoyance to large-scale cyber-attacks, regulators worldwide are cracking down on the bad actors who send these messages. As enforcement efforts ramp up in Australia and abroad, businesses that send marketing messages must pay careful attention to anti-spam regulation to make sure their messages are not classified as spam and to avoid significant financial and reputational damage. In this Insight article, Katherine Sainty and Lily O'Brien, from Sainty Law, explore the dangers of spam, Australia's anti-spam regime, and shifting enforcement attitudes.

On September 28, 2023, the Australian Government released its response to the Attorney General's Privacy Act Review Report (Response). The Response is the culmination of several years of work and several stages of reporting and engagement, following the initial recommendation in the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry Report that the Privacy Act 1988 (Cth) No. 119 1988 (as amended) (the Privacy Act) be reviewed to assess its suitability for the digital age. 

The Response confirms that a modest number of issues will be addressed immediately (that is, in the first half of 2024) through appropriate legislative changes or formal guidance from the Office of the Australian Information Commissioner (OAIC), with a much greater number of issues referred for further investigation or consultation. We do not expect to see any concrete changes on those until late 2024 or beyond, and the Response notes that any major changes would also need to be subject to implementation lead times to enable parties to prepare appropriately. Accordingly, this is the first of various further steps to come.   

In this Insight article, Alex Hutchens, from McCullough Robertson, outlines the main themes coming out of the Response, summarizes the key changes in the short term, and provides a perspective on those changes that will be most critical to pursue longer term if the Privacy Act is to be fit for purpose in the now-pervasive digital environment and consistent with the leading privacy regimes around the world. 

Success in the legal industry requires firms to streamline business processes, improve efficiency, and focus their attention on delivering exceptional client service. The race to success has seen many firms adopt tools powered by artificial intelligence (AI). AI-powered tools have the potential to assist lawyers with conducting legal research, contract drafting, and document review more efficiently, allowing them to focus the time saved on advising on more complex legal issues, client service, and business development.

However, there are concerns about how lawyers can use AI-powered tools while simultaneously fulfilling their legally mandated professional duties if the security, accuracy, and quality of information of AI-powered tools are continuously questioned. Katherine Sainty, and Julia Colubriale, from Sainty Law, explore the application of AI-powered tools in the Australian legal profession and their interaction with the professional responsibilities under the Legal Professional Uniform Law 2014 (LPUL)1 and the Australian Solicitor's Conduct Rules 2015 (ASCR)2 that lawyers must adhere to when incorporating these tools into their legal practice.

The use of artificial intelligence (AI) in Australia's tech landscape is growing rapidly, presenting unique and unprecedented challenges to businesses and consumers. Since late 2022, the use of a form of AI called large language models (LLM) has grown exponentially. The generative AI market is expected to continue to grow to a value of $20.6 billion by 2032.

Katherine Sainty and Ottilia Thomson, from Sainty Law, examine LLMs, the balance between their potential benefits for businesses, coinciding privacy concerns, and potential AI-specific legislative reform.

May 7, 2023 saw the conclusion of Australia's annual Privacy Awareness Week (PAW). PAW is run by the Office of the Australian Information Commissioner (OAIC) in conjunction with state and territory privacy regulators and the Asia Pacific Privacy Authorities forum. Katherine Sainty and Ottilia Thomson, from Sainty Law, discuss the theme of PAW 2023 and the privacy basics that businesses need to consider.

The Attorney-General's Final Report1 on the Review of the Privacy Act 1988 (Cth) ('the Privacy Report'), published on 16 February 2023, considers enacting a right to be forgotten, also known as the right to erasure. This right would empower individuals to have more control over how organisations retain their personal information, giving them the right to delete their information. Katherine Sainty and Julia Colubriale, from Sainty Law, provide an overview of the right to be forgotten, the proposed amendment, its limitations, the significance, the implications for organisations, and how organisations can best prepare for the possibility that this right may be enshrined in Australian legislation.

The Australian Attorney-General's Department released the Privacy Act Review Final Report1 ('the Report') on 16 February 2023. The Report is a comprehensive review of the Privacy Act 1988 (Cth) ('the Privacy Act') and contains 116 recommendations for reforms to protect Australians in the digital age. Katherine Sainty, Ottilia Thomson, and Julia Colubriale, from Sainty Law, discuss the Report and its key recommendations.