Clients regularly ask us whether they need to comply with Australian privacy laws.
This question most often arises in the context of the Privacy Act 1988 (Cth) (Privacy Act), which is the key source of Australian privacy law at the federal level. The Privacy Act governs the way certain businesses and federal government agencies must handle, use and manage personal information. This is largely through the Australian Privacy Principles set out in Schedule 1 of the Privacy Act.
If you are an Australian business with an annual turnover greater than $AU3 million you will need to comply with the Privacy Act. You may also be required to comply if you have a turnover of $AU3 million or less but fall into a special category of business as defined by the Privacy Act.
If your business is based outside Australia but still carries on business in Australia, you may also be subject to compliance obligations because the Privacy Act has extraterritorial reach. This applies whether or not you collect or hold personal information from a source in Australia. In its present form, the Privacy Act's extraterritorial application is broader than many privacy laws in other jurisdictions including the EU General Data Protection Regulation, one of the stricter regimes.
Further detail on who must comply with the Privacy Act is set out below.
If you are an Australian business and an "APP entity" you must comply with the Privacy Act.
APP entities are generally any business with an annual turnover of greater than $AU3 million. This includes businesses structured as individuals (including sole traders), bodies corporate, partnerships, unincorporated associations or trusts.
There are certain special categories of businesses with a turnover of $AU3 million or less that are also considered APP entities. These include businesses that:
- are related to another business with an annual turnover of $AU3 million or above;
- provide a health service and hold health information other than in an employee record (for example, a doctor's clinic);
- are in the business of buying and selling personal information; or
- are contracted service providers under a Commonwealth government contract.
This means that if you are a business with an annual turnover of $AU3 million or less you do not legally need to comply with the Privacy Act unless you fall under one of these special categories.
Businesses outside of Australia
The Privacy Act also applies to certain businesses outside of Australia. In short, if you are a business operating outside of Australia and have an Australian link then you must comply with the Privacy Act.
Your business will be taken to have an Australian link if it is established in Australia or carries on business in Australia.
The reach of the Privacy Act extends to any overseas entity that is conducting business-related activities in Australia, even if the bulk of the business is conducted outside of Australia or it has no office in Australia. It also applies whether or not personal information is held or collected from a source in Australia, a nexus that was previously required under the Privacy Act. The removal of this nexus is a recent change, introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. The change has come under some criticism because it extends the Privacy Act to the regulation of personal information with no direct connection to Australia. The Attorney-General's Department has been tasked with considering this issue further as part of its ongoing Privacy Act review, to determine whether the Privacy Act should provide for an additional Australian link requirement. The Australian government's Privacy Act Review Report arising from that review clarified that the intention is for the Privacy Act to apply only to personal information connected with Australia, and that further consultation will be needed to determine whether additional criteria are needed to demonstrate an Australian link focused on the personal information itself being connected to Australia.
The Office of the Australian Information Commissioner, the government regulator for the Privacy Act, has published in its Australian Privacy Principles Guidelines various factors that may be considered in assessing if an organisation carries on business in Australia. These factors include, among others, whether the entity has a place of business in Australia; has a website that targets and provides goods or services to Australian customers; has personnel carrying out business activities for it in Australia; has purchase orders acted upon in Australia; or is the registered proprietor of trade marks in Australia. It is possible that you will be considered to be carrying on business in Australia if you meet a combination of these factors.
Also, a May 2023 decision by the Administrative Appeals Tribunal in Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069 confirmed that the repeated collection of personal information from servers in Australia, where that collection is necessary to build and support a business conducted overseas, is sufficient to establish that an organisation is carrying on business in Australia.
Your business will generally not be regarded as carrying on business in Australia solely on the basis that a purchase order can be placed in Australia or that you have a website that can be accessed from Australia. This means that if your website can be accessed from Australia but does not appear to be targeting Australian customers, or is generally not frequented by Australian individuals, then it is possible you will not need to comply with the Privacy Act.
Reforms on the horizon
It is estimated that around 95% of businesses in Australia are not required to comply with the Privacy Act as they have a turnover of less than $3 million per annum. From a public policy perspective, this is seen as inadequate protection of personal privacy in today's digital age where the majority of businesses, including small businesses, are dealing with personal information in their business.
The Australian government's Privacy Act Review Report from the Privacy Act review proposes removing this turnover threshold so that organisations must comply with the Privacy Act regardless of their turnover. Further assessment is proposed before this occurs. The Australian government has suggested that an impact analysis be undertaken to determine how the change will affect small businesses. That analysis will be used to identify the support small businesses may need to adjust their privacy practices to comply with the Privacy Act, and appropriate support will then be developed to ensure they are in a position to meet their obligations. The most appropriate way for small businesses to meet those obligations will also be determined, and a code covering this may be developed.
Under the proposed reforms, small businesses will be required to comply with the Privacy Act in relation to the collection of biometric information for use in facial recognition technology and must obtain consent to trade in personal information, regardless of the further assessment to be conducted.
Certain exemptions that apply to political parties and journalists are also intended to be adjusted moving forward.
Consultation on the proposals remains ongoing and no legislative amendments have been tabled to date, so there is still some time before the proposals are actually implemented. Nevertheless, consider taking the time to assess how these potential changes might affect your business. Keep watching this space and we will keep you updated on the reforms. For further information on the reforms proposed by the Privacy Act Review Report more generally, see our earlier update.
Think about compliance
If you are a business that needs to comply with the Privacy Act, then you should consider how this law applies to your business and take necessary steps to ensure compliance before you undertake any activity involving personal information. The extraterritorial provisions may also impact how you should structure your operations and conduct business in Australia even if you are not an Australian company or Australian-based business.
If you are not legally required to comply with the Privacy Act, it is likely that your business partners or customers will nonetheless expect you to follow data security and handling practices that are aligned with its requirements. Structuring your business and your data collection, storage and handling practices in a way that complies with the Privacy Act can therefore be an important means of fostering confidence in your business and customer relationships.
If you would like advice on whether Australian privacy laws apply to your business, how to set up your business to meet compliance obligations or general advice on how the reforms proposed by the Privacy Act review might impact your business, then please feel free to get in touch with us.
Note that this article is not intended to provide legal advice or offer comprehensive guidance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.