Australia
Summary
Law: Privacy Act 1988 (No. 119, 1988) (as amended) (the Privacy Act)
Regulator: The Office of the Australian Information Commissioner (OAIC)
Summary: The Privacy Act, which includes a set of Australian Privacy Principles, provides general personal data protection requirements and provisions, including the right to access and to be informed. The Privacy Act does not explicitly refer to 'data controllers' or 'data processors,' nor does it include provisions regarding data protection officer appointments or Data Protection Impact Assessments. On February 22, 2018, the 'notifiable data breaches' provisions of the Privacy Act came into effect, requiring mandatory notification of all 'eligible data breaches' to the OAIC and affected individuals. In 2019 the Australian Government passed the Treasury Laws Amendment (Consumer Data Right) Bill, which provides consumers with the right to data portability to switch between products and services.
Notably, the Australian Parliament approved the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the 2022 Bill), which came into effect on December 13, 2022. The 2022 Bill significantly increases penalties for repeated or serious privacy breaches by companies that fail to take adequate care of customer data and provides the OAIC with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect impacted customers.
On February 16, 2023, the Attorney General released a Privacy Act Review Report (the Report) outlining 116 proposed legislative reforms to the Privacy Act, informed by feedback received in response to its Issues Paper and a Discussion Paper. Subsequently, on September 12, 2024, the Privacy and Other Legislation Amendment Bill 2024 (the 2024 Bill) was introduced to Parliament. The 2024 Bill seeks to implement 23 of the legislative proposals from the Report including strengthening the enforcement powers of the OAIC, establishing provisions related to children's online privacy, automated decision-making, and data breaches. The 2024 Bill also creates a statutory tort for serious invasions of privacy and amends the Criminal Code Act 1995 to create new privacy-related criminal offenses.