The federal Privacy Act 1988 provides the framework for the protection of personal information in the online context in Australia. The law is intended to be technology-neutral and, rather than providing prescriptive rules, it sets out a principle-based approach that can be tailored to apply to different situations. Oversight and complaints functions are performed by an independent Privacy Commissioner. The legislation also provides for a degree of self-regulation on the part of industry groups and for the Privacy Commissioner to produce education and guidance material for businesses, government agencies, and the public. There is no established cause of action for invasion of privacy in Australian constitutional, statutory, or common law.

Major privacy reforms are being considered by the Australian parliament following a complete review of the legislation by the Australian Law Reform Commission in 2008. In 2011, a Senate committee also expressed some concerns about the adequacy of the current framework to protect online privacy following an investigation and submission process on this issue. Further proposals not in the present bill that may be developed by the government include a statutory cause of action for invasion of privacy, data retention requirements, new obligations relating to children and young people, and a mandatory data breach notification system.

I. Legal Framework

The federal Privacy Act 1988 provides the primary legislative framework for the protection of privacy (including online data protection) by private organizations in Australia.[1] The Australian Constitution and state constitutions do not contain provisions relating to the protection of privacy, and there is no entrenched bill of rights at the federal level.[2]

The Privacy Act is primarily a principle-based framework that applies to the collection, use, storage, and destruction of “personal information.” Such information is defined as “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”[3] In addition, the Act contains protections relating to the collection and use of a subset of personal information referred to as “sensitive information,” covering information or opinions about such things as an individual’s racial or ethnic origin, political opinions, and religious beliefs.[4]

The relevant provisions of the Privacy Act for the purposes of this report apply to “organisations.” These are defined in section 6C as including individuals, body corporates, partnerships, any other unincorporated associations, and trusts. “Small business operators” are generally excluded from the definition and therefore from the application of the Privacy Act requirements.[5] Such entities are defined in section 6D as businesses with annual sales of less than AU$3 million (about US$3 million).[6] However, a small business that holds health information; “discloses personal information about another individual to anyone else for a benefit, service or advantage”; or “provides a benefit, service or advantage to collect personal information about another individual from anyone else” would be subject to the relevant provisions in the Act.[7] Other businesses are also able to opt into Privacy Act coverage.[8]

Organizations subject to the Privacy Act are required to operate in accordance with the National Privacy Principles (NPPs),[9] which are set out in Schedule 3 of the Act. The NPPs cover the collection, use, and disclosure of personal information, as well as data quality, data security, openness, access and correction, the use of identifiers, anonymity, transborder data flows, and the collection of sensitive information. The NPPs and the public sector equivalent, the Information Privacy Principles (IPPs), were largely based on the Organisation for Economic Co-operation and Development (OECD) privacy principles developed in 1980, with some additions.[10] They are essentially the “minimum standards” for how businesses and other private sector organizations should collect personal information, for use and disclosure of personal information, and in relation to “ensuring that the personal information they hold is accurate and secure.”[11]

The Act also makes provisions for privacy codes to be developed by industry organizations.[12] Such codes must provide at least as much protection as the NPPs. Once a code has been approved by an independent regulator—the Privacy Commissioner[13]—it becomes binding on entities that are registered with the relevant organization.[14] The Privacy Codes Register currently cites only two approved privacy codes: the Market and Social Research Privacy Code and the Queensland Club Industry Privacy Code.[15] A draft Internet Industry Privacy Code, developed by the Internet Industry Association and submitted for registration in 2003, is currently under consideration by the Privacy Commissioner.[16]

II.  Current Law

The provisions in the Privacy Act relating to private sector organizations, including the NPPs and the privacy code provisions, were enacted in 2000[17] as “part of the Commonwealth Government’s commitment to enacting balanced privacy legislation for the private sector to ensure that full advantage may be taken of the opportunities that electronic commerce presents for Australian business within Australia and overseas.”[18] In particular, one of the objectives of the reforms was to ensure that the system for handling personal information in the private sector is compatible with the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Directive 95/46/EC)[19] in order to remove “any potential barriers to international trade.”[20]

Since the introduction of the NPPs, the wording and application of the law in relation to developments in the capabilities and use of online technologies[21] have been the subjects of various reviews and discussions, including an investigation into the adequacy of online privacy protection for Australians by the Senate’s Environment and Communications References Committee, completed in April 2011,[22] and a report proposing large-scale privacy law reform completed by the Australian Law Reform Commission (ALRC) in 2008.[23]

As indicated in the overview of the legal framework above, the Privacy Act sets out standards for the management and use of personal information by way of broad principles, rather than a large number of prescriptive rules.[24] According to the explanatory memorandum to the Privacy Amendment (Private Sector) Bill 2000, the NPPs were intended to be technology-neutral.[25] There are therefore no provisions that apply specifically to different methods or technologies for obtaining and storing information.

Various self-regulatory instruments and guidance material relating to online privacy have been produced by industry groups as well as by the Privacy Commissioner and other government entities. The Privacy Commissioner is of the view that Australia should take a multifaceted approach to online privacy protection that includes a range of formal and informal mechanisms. The Senate committee expressed general agreement, stating that “given jurisdictional boundaries and the transnational nature of the Internet, it would be impossible for legislation alone to adequately protect the privacy of Australians online, and accordingly it is clear that educational programs and international engagement must form part of any successful approach to privacy,” and also that “[s]elf-regulation will have a key role in this regard in setting industry best-practice benchmarks.”[26]

The following sections provide information on how the various aspects of the NPPs can be seen to apply in relation to the protection of privacy in the context of developments in online technologies. Information is also provided on some of the areas where there has been a focus on education and self-regulation.

A.  Key Principles Relating to Online Data Protection

The NPPs are not expressed as positive individual privacy rights but rather as general standards for data collection and protection that should be applied by different organizations. Many of the principles include limitations or exceptions to the general concepts. The following are some of the core concepts reflected in the NPPs:

  • The collection of a data subject’s personal information must be necessary for one or more of an organization’s functions.
  • Personal information must be collected “only by lawful and fair means and not in an unreasonably intrusive way.”[27]
  • An organization must “take reasonable steps” to ensure that a data subject whose personal information is collected is aware of “the identity of the organization and how to contact it; the fact that he or she is able to gain access to the information; the purposes for which the information is collected”; the organizations (or types of organizations) to which information could be disclosed; any law that requires the information to be collected; and the consequences to the individual if all or part of the information is not collected.[28]
  • Unless certain criteria apply, an organization must not use or disclose a data subject’s personal information for a purpose other than the primary purpose of collection.
  • An organization “must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date”[29] and must protect it from misuse, loss, and unauthorized access, modification, or disclosure.
  • If personal information is no longer needed for the purpose for which it was collected, an organization must take reasonable steps to destroy or “permanently de-identify” that information.[30]

1.  Principles Relating to Behavioral Advertising

The opportunities to conduct targeted or behavioral online advertising have expanded greatly in recent years due to developments in online technologies and the way that people use them. Various principles may be relevant to this practice, including NPP 2.1(c), which allows for personal information (but not sensitive information) to be used for the secondary purpose of direct marketing, provided that it is impracticable to get the data subject’s consent before using the information; the data subject is given the opportunity to opt out from further communications; and the data subject has not already requested not to be sent direct marketing material.

Australian government entities have identified that this and other principles may not provide for comprehensive regulation of, for example, the tracking of users’ web browsing or key words in emails in order to conduct online behavioral advertising. The Attorney-General’s Department, cited in the Senate committee’s 2011 report, has stated that “there is nothing to prevent web-based email service providers filtering emails in such a manner under Australia’s telecommunications interception legislation, because of the fact that users agree to the filtering when they sign up to the email service.”[31] Furthermore, not all information collected would be considered “personal information” under the Privacy Act, although the Privacy Commissioner is of the view that, over time, the aggregation of the data may enable identification of individuals.[32] The Commissioner stated:

What we would like to see as much as possible in that context is choice—choice for the individual to know what is happening and choice to be able to at least opt out if not opt in to that sort of marketing, where it is effective and will work.[33]

The Senate committee’s report also noted that while search engines such as Google may currently provide a choice to opt out, the relevant policies and procedures are often complex and difficult for users to navigate,[34] and pointed out various industry groups’ efforts at self-regulation through the development of guidelines related to online behavioral advertising standards.[35] These guidelines include the need for explicit consent prior to engaging in third-party online behavioral advertising as well as the option to withdraw such consent.[36] Having also considered the US Federal Trade Commission’s (FTC’s) investigation of the issue, the committee recommended that the Privacy Commissioner work with interested parties to “develop and impose a code which includes a ‘Do Not Track’ model.”[37]

2. Principles Relating to the Protection of Minors

The Privacy Act does not contain specific provisions regarding the rights or protection of information relating to minors. The ALRC noted:

There is no federal legislation specifically addressing the privacy of children and young people. While the Privacy Act 1988 (Cth) applies to individuals under the age of 18, there is no provision dealing explicitly with the particular needs of children and young people. It is not always clear how the Act applies to these individuals, or who can and should make decisions about privacy on behalf of an individual under the age of 18.[38]

With regard to young people, the Privacy Commissioner’s guidelines on the application of the NPPs state:

The Privacy Act does not specify an age after which individuals can make their own privacy decisions. Determining the decision-making capabilities of a young person can be a complex matter, often raising other ethical and legal issues. Organisations will need to address each case individually.[39]

There is a range of educational programs and guidance material available in Australia to assist organizations, families, and young people themselves to take appropriate action with regard to the personal information of minors. Resources include targeted websites on Internet safety and privacy, guidance to advertisers on managing images of children in the online context, and guidance documents produced by the Privacy Commissioner on matters such as social networking. The Senate committee received submissions stating that online privacy is a strong focus in most schools, although it is not currently a mandatory requirement in the curriculum.[40]

The ALRC considered issues related to young people and privacy in its 2008 report, including developments in the use of online social networking sites by young people.[41] It noted that the various sites have age restrictions, but found that these are regularly ignored by young people. In the context of social networking sites, it recommended the expansion of programs targeting young people as well as self-regulation, rather than the development of a regulatory approach such as that contained in the Children’s Online Privacy Protection Act in the US.

The ALRC also examined issues relating to the capacity of young people to consent and make decisions regarding their personal information. It recommended that a system of individual assessment be formally incorporated into the Privacy Act, along with a minimum age of presumption of capacity,[42] and that the “Direct Marketing” principle referred to above include additional protections for children under the age of fifteen.[43]

3.  Smartphone Applications and Location Information

Some of the educational materials produced by the Privacy Commissioner and other agencies highlight the need for individuals to consider privacy issues when using smartphones. The Australian government also has a range of initiatives relating to cyber security,[44] cyber safety, and the digital economy[45] that include consideration of issues relating to developments in smartphone technology, such as the ability to track, record, and share location information. The privacy issues relating to smartphone use as well as social networking were a particular focus of Privacy Awareness Week 2012, when Australians were “urged to take stock of their web privacy settings and to pay more attention to the terms and conditions attached to smartphone applications before they sign up.”[46]

B.  Consent

There is no distinct privacy principle requiring that an organization obtain the consent of a data subject in relation to the collection, storage, and use of their personal information. However, consent is relevant to the operation of some of the NPPs. According to the ALRC,

Consent is either framed as an exception to a general prohibition against personal information being handled in a particular way or as a basis to authorise the handling of personal information in a particular way. Significantly, in each case, consent is not the only exception to a stated prohibition, nor the only basis for permitting the handling of personal information in a particular way.[47]

The Privacy Act 1988 contains a broad definition of consent, which includes either “express consent or implied consent.”[48] The Privacy Commissioner has stated:

Consent means voluntary agreement to some act, practice or purpose. It has two elements: knowledge of the matter agreed to, and voluntary agreement. Consent can be express or implied. Express consent is given explicitly, either orally or in writing. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. Consent is invalid if there is extreme pressure or coercion.

Only a competent individual can give consent although an organisation can ordinarily assume capacity unless there is something to alert it otherwise. Competence means that individuals are capable of understanding issues based on reasoned judgments and communicating their decisions. The general law about competence and incapacity will apply to the issue of consent.[49]

The Senate committee’s report on online privacy protection noted that “people are often required to consent to numerous pages of legalese, waiving their privacy rights, in order to use web-based services,”[50] and that

[w]hile the Privacy Act has long allowed consent to justify the waiver of privacy rights in the offline sphere, it seems to the committee that the over-use of complex consent forms has increased exponentially with the expansion of online services.[51]

The committee also considered, and agreed with, the views expressed by the FTC regarding the ineffectiveness of online privacy notices and consent forms, and recommended legislative changes as well as practical guidance to address the issue.[52]

C.  Transparency

NPP 5 requires organizations to set out, in a document that is available to anyone on request, “clearly expressed policies” on the management of personal information. It also requires that an organization, on request, take “reasonable steps” to let a data subject know what sort of personal information it holds, for what purposes, and how it is collected and used. In addition, NPP 1.3 requires that, at or before the time that an organization collects personal information, it must take reasonable steps to make the data subject aware of a list of matters, including the identity of the organization, the fact that the data subject can gain access to the information, the purposes for which the information is collected, and the organizations to which such information is usually disclosed.

The Explanatory Memorandum to the 2000 Amendment Bill explicitly noted these latter transparency requirements with respect to collecting information online:

Where information is collected via the internet, NPP 1.3 would require that a policy statement appear on the web page notifying the individual of contact details of the organisation collecting the information and outlining in what circumstances, and for what purposes personal information (such as an email address, name or other personal details including purchasing habits linked to an email address) is collected.[53]

The Privacy Commissioner’s guidance document on the NPPs includes the following advice to organizations that collect information online: “If an organisation collects personal information using a cookie, web bug or other means, it could give the NPP 1.3 information in a statement clearly available on the web site; for example, it could be linked directly from the homepage and other pages that make use of the devices.”[54]

D.  Anonymity

NPP 8 requires that, “[w]herever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.” According to the ALRC, this principle was “intended to affect the design of new technologies that collect more information than is necessary when an organisation transacts with individuals.”[55] However, an organization could argue that allowing for an individual to remain anonymous is impracticable for various reasons, including their own systems and needs in terms of being able to identify people conducting transactions. The Privacy Commissioner’s guidelines simply state that “[a]nonymity is an important element of privacy. In some circumstances, it will not be practicable to do business anonymously. In others there will be legal obligations that require identification of the individual. This principle is not intended to facilitate illegal activity.”[56]

E.  Security

NPP 4 requires that an organization take reasonable steps to protect personal information from “misuse and loss” and from “unauthorized access, modification or disclosure.” Organizations must also seek to destroy or “permanently de-identify” information that is no longer needed. The Privacy Commissioner’s guidelines refer to the protection of personal information through maintaining measures relating to physical security of premises, computer and network security, communications security, and personnel security.[57] “Reasonable steps” will depend on the circumstances of the organization and the type of information held, including the possible harm that would arise from a security breach.[58]

F.  Complaints Mechanisms

The Privacy Commissioner handles complaints relating to private organizations and government agencies. The Privacy Act provides that “an individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual.”[59]

The Privacy Commissioner can only investigate complaints if the complainant has already complained to the respondent organization, unless the Commissioner determines that it was not appropriate for the individual to make such a complaint.[60] The Commissioner may decide not to investigate a complaint in certain circumstances,[61] for example if the Commissioner considers that the respondent has adequately dealt with the complaint or has not yet had adequate opportunity to do so.[62] Representative complaints may be made where an act or practice may interfere with the privacy of two or more people.[63]

Various requirements and powers are relevant to the conduct of investigations by the Commissioner, including natural justice principles and the ability to examine people under oath. In addition to the Privacy Commissioner, the Australian Communications and Media Authority and the Telecommunications Industry Ombudsman may receive privacy complaints such as those relating to spam and some other Internet-related complaints.[64] The Human Rights Commission can also receive complaints or have these referred to them by the Privacy Commissioner if the issue relates to the functions of that entity under various statutes.[65]

G.  Sanctions and Remedies

Following the investigation of a complaint, the Commissioner can either make a determination dismissing the complaint or can find the complaint substantiated and make a declaration that may specify various remedies. For instance, the Commissioner may rule that the respondent organization interfered with the privacy of an individual and should not repeat or continue the relevant conduct; that the respondent should take a particular course of action to redress any loss suffered by the complainant; or that the complainant is entitled to a specific amount of compensation. However, the Privacy Commissioner has apparently only once considered a claim for compensation in making a determination relating to a breach of the NPPs.[66]

Enforcement proceedings relating to a determination can be brought in the Federal Court or Federal Magistrates Court by the complainant or the Privacy Commissioner.[67] There is no right of appeal in relation to determinations made by the Commissioner, although it is possible to seek judicial review of the administrative actions of the Commissioner in reaching a determination (for example, on the grounds of a breach of natural justice, abuse of power, or unreasonableness).[68]

Some criminal sanctions are available under the Privacy Act, primarily in relation to breaches of credit reporting rules.[69] The Privacy Act also allows any party to take an action directly to the Federal Court to obtain an injunction against breach of one of the NPPs without first complaining to the Privacy Commissioner. However, this avenue has only been utilized twice.[70]

The ALRC report includes a discussion of developments in Australian courts in relation to a tort of invasion of privacy. There is currently no statutory recognition of such a cause of action, but the High Court has left open the possibility of the development of the tort at common law, and two lower courts have held that it is a part of the common law of Australia.[71] The ALRC has proposed the formulation of a statutory cause of action for breach of privacy.

H.   Cross-border Application

Section 5B of the Privacy Act specifies that the provisions of the Act, including the NPPs and the functions and powers of the Privacy Commissioner, may be applied extraterritorially, provided that there is an organizational or an operational link with Australia.

  • Organizational link: the Act applies to organizations that are Australian citizens or residents, or a partnership, trust, or company that is formed in Australia, or an unincorporated association that is managed or controlled in Australia
  • Operational link: where an organization carries on business in Australia or the personal information was collected and held in Australia[72]

The intent of this provision was to prevent companies from avoiding the requirements of the legislation by moving personal information overseas.

The Act only applies to personal information about an Australian citizen or resident and therefore does not cover information transferred into Australia that relates to overseas individuals. As stated in the Explanatory Memorandum to the 2000 Amendment Bill,

Where a foreign organisation collects personal information about Australians outside Australia, the Act will only apply if the information is transferred into Australia. Once the information is held in Australia, the Act will apply to acts and practices outside Australia in relation to that information.

Where a foreign organisation collects personal information about Australians overseas and holds that information overseas, the Act will not apply except to the extent that National Privacy Principle 9 applies to the transfer of personal information to that organisation from an organisation in Australia.[73]

In relation to the latter point made in the above excerpt, NPP 9 on data transfers specifies that the act of exporting or transferring personal data by an organization within Australia to a foreign country is a breach of privacy unless certain criteria are met. The principle is based on the restrictions on international data transfers set out in European Union Directive 95/46.[74]

In order to enhance cross-border enforcement efforts, the Privacy Commissioner is involved in a range of international forums aimed at improving relationships with privacy regulators in other jurisdictions. In terms of legal questions, however, the Privacy Commissioner’s report to the Senate committee stated that “there is uncertainty as to how this provision [section 5B] operates with respect to personal information submitted over the internet by an individual in Australia to an organisation based overseas.”[75] In particular, the Privacy Commissioner suggested that the requirement that information be collected in Australia was ambiguous in the context of online transactions where the point of uploading the information is Australia but the point of receipt is overseas.[76]

I. Data Retention Requirements

In the past two years, there has been some discussion and speculation about the possible introduction of a data retention framework similar to the European Directive on Data Retention.[77] Such a framework would require entities to retain certain information and enable access to law enforcement agencies on request. The April 2011 Senate committee report considered the issue and potential proposal in detail and included an explanation of existing practices in Australia, particularly under the Telecommunications (Interception and Access) Act 1979.[78] The report explained that there is currently no requirement for an Internet service provider (ISP) to retain metadata relating to the online communications of its customers, although law enforcement agencies do have the power to authorize the disclosure of such data by the ISP if it has been retained. To obtain the content of online communications, the relevant agency must present a warrant.[79]

A representative of the Attorney-General’s Department was quoted by the Senate committee as stating that the government had not made a firm decision about a data retention proposal.[80] The Committee considered a number of submissions on the possible proposal and stated that it had a number of concerns about the proposal itself as well as the way it had been handled by the government.[81]

The Cybercrime Legislation Amendment Bill[82] introduced in June 2011 seeks to amend the Telecommunications (Interception and Access) Act 1979 and other relevant legislation “to ensure that Australian legislation is compliant with the Council of Europe Convention on Cybercrime requirements in order to facilitate Australia’s accession to the Convention.”[83] The amendment bill contains provisions relating to the preservation of stored communications upon receipt of a request from the Australian Federal Police on behalf of certain foreign countries.[84] However, it does not seek to introduce a complete system for mandatory data retention or to allow warrantless access by law enforcement officials.[85]

Some documents relating to the government’s development of a data retention proposal were released later in 2011.[86] Most recently, in May 2012, it was reported that public consultation on the issue of data retention and access by law enforcement officials would be conducted by a parliamentary joint committee that has been tasked with reviewing national security legislation.[87] So far, full details of the possible proposal have not been released, and the government has said that it will decide whether to pursue reforms once it has examined the Senate committee’s findings.[88]

III. Role of Data Protection Agencies

As stated by the ALRC in its review of the privacy law framework in Australia, in a principles-based system “the regulator plays a particularly significant role.”[89] The Privacy Commissioner is an individual, independent regulator supported by an office.[90] The Privacy Act 1988’s broad approach involves setting out the functions of the Privacy Commissioner (primarily in Parts IV and V) and then providing the “powers” to do all things necessary for the performance of those functions.[91] In addition to receiving and investigating complaints about acts or practices of both public and private sector entities, the Commissioner’s functions include

  • approving privacy codes and reviewing their operation;
  • examining proposed enactments that might authorize interference with the privacy of individuals or otherwise have an adverse effect on privacy;
  • monitoring developments in data processing and computer technology to ensure that any adverse effects on privacy are minimized;
  • promoting an understanding and acceptance of the privacy principles and publishing guidelines on various matters relating to privacy;
  • undertaking educational programs for the purpose of promoting the protection of individual privacy; and
  • making recommendations to the government regarding the need for legislative or administrative action in the interests of privacy of individuals.[92]

The Privacy Act provides some scope for the Privacy Commissioner to initiate investigations on his or her own motion.[93] However, such investigations cannot result in enforceable determinations.[94] The Privacy Commissioner also has the power to issue Public Interest Determinations following a request from a public or private entity. These determinations state that “an act or practice of an Australian or ACT Government agency, or a private sector organisation, which may constitute a breach of an Information Privacy Principle, a National Privacy Principle or an approved privacy code, shall be regarded as not breaching that principle or approved code for the purposes of the Act.”[95]

When carrying out his or her duties and exercising power under the Act, the Privacy Commissioner must have regard to the “protection of human rights and social interests that compete with privacy, including the general desirability of a free flow of information” and take into account Australia’s international obligations and international guidelines that are being developed in relation to the protection of individual privacy.[96]

IV. Court Decisions

As there is no constitutional or statutory cause of action relating to breaches of privacy, and no confirmed privacy tort at common law, matters relating specifically to online privacy have generally not come before the Australian courts.[97]

V. Public and Scholarly Opinion

Developments in online technology, their impact on personal privacy, and the regulatory response are subjects of considerable discussion in Australia by the executive and parliamentary bodies at the federal and state levels, as well as the Privacy Commissioner and other independent agencies, the business and technology sectors, academics, the media, and the public. There have been various public surveys in recent years regarding attitudes to privacy,[98] including in relation to the online environment. The following are some of the areas of comment and concern in surveys, the media, and scholarly articles.

A. Data Breaches

There have been several significant data breaches by various entities in recent years that have affected Australians.[99] Such breaches have been widely covered by the media. The importance and extent of this issue led to the Privacy Commissioner recently releasing new guidelines regarding the handling of personal information security breaches by agencies and organizations.[100]

One survey indicates that Australians are most concerned about data security in the context of the privacy of their financial information and identity theft.[101] The survey also indicated that the public strongly favors the introduction of compulsory data breach notification rules, which were also recommended by the ALRC in its 2008 report.[102] Other criticisms of the current framework include that the Privacy Commissioner lacks sufficient powers, or has not made sufficient use of existing powers, to penalize organizations financially for serious data security and other NPP breaches.[103]

B.  Online Behavioral Advertising

Another area of increasing discomfort on the part of the public is online behavioral advertising.[104] Discussions of this issue include references to the complexity of privacy policies, the ability for companies to easily obtain consent to collect information, and the weaknesses of the NPPs in terms of regulating the collection of information using cookies.[105] In one survey, 95% of people preferred that “do not track” rules be developed.[106]

C. Notification, Consent, Access, and Deletion

In surveys, members of the public have expressed a desire to be notified and have control over what information is collected about them online as well as to be able to access what is held about them and request deletion.[107] There is also quite a high level of awareness about the privacy implications of sharing information online, including through social networking sites, with people seeking to opt out of having their information collected. For example, 69% of respondents in a survey said that they have “refused to use an application or Web site because it collects too much personal information, with 79% simply refusing to provide personal information.”[108]

Academics have also discussed the issue of consent in relation to the “borderless” nature of the Internet.[109] One commentator noted the ease with which consent can be used as a “miracle cure” for breaches of the NPPs in this and other contexts.[110] In the Privacy Commissioner’s 2007 survey of attitudes to privacy, 90% of respondents were concerned about their personal information being sent overseas without their knowledge or consent.[111]

VI. Pending Reforms

The government produced its “first stage response” to 197 of the ALRC’s 295 recommendations in October 2009 and agreed to develop legislation to implement many of the proposals.[112] Following a release of an exposure draft of new privacy principles, the Senate Finance and Public Administration Committee completed an inquiry and public submission process in June 2011.[113] On May 23, 2012, the government introduced the Privacy Amendment (Enhancing Privacy Protection) Bill 2012,[114] which implements more than half of the ALRC’s recommendations. In her speech on the bill to the parliament, the Attorney-General stated that

[i]n an online world, we are increasingly sharing our personal information on social networking sites and paying our bills and buying [sports] tickets over the internet. While these technological changes bring immense benefits to working families, there are risks. That’s why Labor is tightening up the rules around how companies and organisations can collect, use and disclose personal information.[115]

The model of using principle-based law with a small number of prescriptive rules, together with guidance and oversight by a regulatory body, is maintained in the bill. Key amendments that are relevant to the protection of privacy online[116] include the following:

  • A single set of principles that will apply to both the public and private sectors, to be known as the Australian Privacy Principles (APPs). These will also be restructured to better reflect the “life cycle” of personal information.[117]
  • An amendment to the definition of “personal information” to include the notion of a “reasonably identifiable individual.” This is aimed at bringing the definition into line with international standards and precedents while ensuring that it remains technology-neutral and flexible.[118]
  • A new division (“APP codes”) will provide for the development of codes of practice regarding how one or more of the APPs will be applied or complied with by a particular sector. The Privacy Commissioner may request that such a code be developed and breaches will be investigated along with breaches of the APPs.[119]
  • A new privacy principle on direct marketing will require companies to provide a clear and simple way for opting out of receiving direct marketing materials.[120]
  • Changes to the protections for individuals when companies disclose personal information overseas, including requiring that Australian entities take reasonable steps to ensure that an overseas recipient does not breach the APPs. The accountability approach is based on the APEC Privacy Framework[121] and OECD Guidelines, rather than the EU Data Protection Directive of 1996, which the current NPP 9 is based on.[122]
  • A new requirement for organizations to develop detailed privacy policies that are clear and accessible. The policies will be required to be kept up-to-date and state whether information is likely to be disclosed to overseas recipients, and if so, in which countries.[123]
  • A higher standard of protection will apply in relation to sensitive information.[124]
  • Enhanced functions and powers for the Privacy Commissioner, including allowing him or her to make determinations to direct organizations to take specific steps to stop certain conduct or take reasonable action to redress any loss or damages suffered.[125]
  • The ability for the Privacy Commissioner to obtain “enforceable undertakings” from organizations, following which a court can issue appropriate orders, including for compensation to be paid.[126]
  • The Privacy Commissioner will be able to apply to the court for a civil penalty order against organizations for serious or repeated breaches of privacy.[127]
  • The Privacy Commissioner will be able to conduct privacy performance assessments of organizations.[128]

The bill has been referred to the House Standing Committee on Social Policy and Legal Affairs for consideration and public consultation.[129] Once the bill is passed, the government will turn to its second stage response to the ALRC’s report, which will include the recommendations relating to children and young people, a system of compulsory notification of serious data breaches, and a statutory cause of action for serious invasions of privacy. This latter issue has already been the subject of a government discussion paper released in September 2011.[130] The government is now considering submissions received in response to the paper.[131]

Prepared by Kelly Buchanan
Chief, Foreign, Comparative, and International Law Division I
June 2012

[1] Privacy Act 1988 (Cth). Other federal laws that are relevant to the protection of individuals’ privacy online include the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Spam Act 2003, and the Cyber Crime Act 2000. For general information on federal laws containing provisions relating to the protection of privacy, see AUSTRALIAN LAW REFORM COMMISSION (ALRC), FOR YOUR INFORMATION: AUSTRALIAN PRIVACY LAW AND PRACTICE [ALRC REPORT 108], paras. 2.2–2.9 (Aug. 12, 2008, last modified Sept. 1, 2010); see also Office of the Privacy Commissioner, Private Sector Information Sheet 26, Interaction Between the Privacy Act and the Spam Act (Aug. 2008). Australian states and territories also have privacy laws that apply primarily to public sector entities, although some also have laws relating to information collected by private health-care providers. For general information on state privacy laws, see ALRC REPORT 108, paras. 2.10–2.88.

[2] See Graham Greenleaf, Australia, at 2 & 7, in European Commission Directorate-General Justice, Freedom and Security, Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments (Douwe Korff ed., May 2010).

[3] Privacy Act 1988 (Cth) s 6. For a discussion of this definition, see ALRC REPORT 108, supra note 1, paras. 6.2–6.6.

[4] Privacy Act 1988 (Cth) s 6. For a discussion of this term, see ALRC REPORT 108, supra note 1, paras. 6.88–6.122.

[5] Privacy Act 1988 (Cth) s 6C(1). Registered political parties and public sector agencies or authorities are also excluded from the definition of organizations, with different provisions applying to such entities. There is also an exemption for private individuals acting in a nonbusiness capacity (s 7B(1)), and obligations in the legislation relating to the protection of personal information do not apply to processes carried out by a person solely for the purposes of, or in connection with, his or her “personal, family or household affairs” (s 16E).

[6] Id. s 6D(1).

[7] Id. s 6D(4)(c)–(d).

[8] Id. s 6E. See also Register of Businesses That Have Opted into Privacy Act Coverage, OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER (OAIC), (last visited June 5, 2012).

[9] Privacy Act 1988 (Cth) s 16A; see also s 13A(1)(b), which states that “an act or practice of an organisation is an interference of privacy if . . . the act or practice breaches a National Privacy Principle in relation to the personal information that relates to the individual.” To the extent that an approved privacy code is in effect in relation to the particular organization, the code will apply in place of the NPPs.


[12] Privacy Act 1988 (Cth) pt IIIAA.

[13] The Privacy Commissioner is the federal regulator for privacy in Australia. There are also state-level commissioners responsible for enforcing the privacy laws of those states.

[14] See Privacy Act 1988 (Cth) s 16A; see also s 13A(1)(a), which states that “an act or practice of an organisation is an interference of privacy if . . . the act or practice breaches an approved privacy code that binds the organisation in relation to personal information that relates to the individual.”

[15] Privacy Codes Register, OAIC, (last visited Apr. 30, 2012).

[16] Id. The draft Internet Industry Privacy Code of Practice is available on the website of the Internet Industry Association (IIA). Information relating to the draft code can also be found in IIA Privacy Virtual Taskforce, IIA (last visited June 11, 2012).

[17] Privacy Amendment (Private Sector) Act 2000 (Cth).

[18] Privacy Amendment (Private Sector) Bill 2000: Explanatory Memorandum, supra note 11, at 1.

[19] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.

[20] Privacy Amendment (Private Sector) Bill 2000: Explanatory Memorandum, supra note 11, at 14.

[21] Examples of technologies that may be used to collect, store, and transmit information about individuals in the online environment include developments relating to Internet search engines, cookies, social networking sites, cloud computing, smartphones and application software (apps), location detection technology, and Voice over Internet Protocol. See Protecting Your Privacy on the Internet, OAIC (last visited June 4, 2012).

[22] Information relating to this inquiry, including copies of submissions and the committee’s final report, is available on the committee’s website: Senate Standing Committees on Environment and Communications: The Adequacy of Protections for the Privacy of Australians Online, PARLIAMENT OF AUSTRALIA (last visited June 4, 2012).

[23] ALRC REPORT 108, supra note 1.

[24] See Privacy Act Snapshot, OAIC, (last visited June 4, 2012).

[25] Privacy Amendment (Private Sector) Bill 2000: Explanatory Memorandum, supra note 11, at 9.

[26] The Senate, Environment and Communications References Committee, The Adequacy of Protections for the Privacy of Australians Online [Senate Committee Report] 21–22 (April 2011).

[27] Privacy Act 1988 (Cth), sch 3 cl 1.2.

[28] Id. sch 3 cl 1.3.

[29] Id. sch 3 cl 3.

[30] Id. sch 3 cl 4.2.

[31] Senate Committee Report, supra note 26, at 37.

[32] See Privacy Fact Sheet 4 – Online Behavioural Advertising: Know Your Options, OAIC.

[33] Senate Committee Report, supra note 26, at 41.

[34] Id.

[35] See, e.g., Australian Association of National Advertisers (AANA), AANA Code of Ethics (Jan. 1, 2012).

[36] Senate Committee Report, supra note 26, at 44.

[37] Id. at 45.


[40] Senate Committee Report, supra note 26, at 18.

[44] See Cybersecurity, DEPARTMENT OF BROADBAND, COMMUNICATIONS AND THE DIGITAL ECONOMY, (last modified Apr. 11, 2012); and Cyber Security, ATTORNEY-GENERAL’S DEPARTMENT, (last visited June 4, 2012).

[45] See Connecting with Confidence: Optimising Australia’s Digital Future, AUSTRALIAN GOVERNMENT (last visited June 4, 2012); and The Cyber White Paper: Connecting with Confidence, DEPARTMENT OF THE PRIME MINISTER AND CABINET (last updated June 3, 2011).

[46] Press Release, Australian Human Rights Commission, Privacy Rights Exists [sic] in a Virtual World (Apr. 23, 2012).

[47] ALRC REPORT 108, supra note 1, para. 19.3.

[48] Privacy Act 1988 (Cth) s 6.


[50] Senate Committee Report, supra note 26, at 30.

[51] Id. at 31.

[52] Id. at 31–32.

[53] Privacy Amendment (Private Sector) Bill 2000: Explanatory Memorandum, supra note 11, at 129.



[57] Id. at 44.

[58] Id. at 44–45.

[59] Privacy Act 1988 (Cth) s 36(1).

[60] Id. s 40(1A).

[61] Id. s 41(1).

[62] Id. s 41(2).

[63] Id. s 36(2)–(2A).

[64] See Senate Committee Report, supra note 26, at 8.

[65] See Functions of the Australian Human Rights Commission, AUSTRALIAN HUMAN RIGHTS COMMISSION, (last visited June 4, 2012).

[66] Graham Greenleaf & Katrine Evans, Privacy Enforcement Strengthens in Australia & New Zealand, UNSWLRS 4 (2012) (referring to Rummery and Federal Privacy Commissioner and Anor AATA 1221 (Nov. 22, 2004)).

[70] Graham Greenleaf, Major Changes in Asia Pacific Data Privacy Laws: 2011 Survey, UNSWLRS 3 (2012).

[72] Greenleaf, supra note 2, at 13.

[73] Privacy Amendment (Private Sector) Bill 2000: Explanatory Memorandum, supra note 11, at 56.


[75] Senate Committee Report, supra note 26, at 45.

[76] Id. at 46.

[77] See, e.g., Ben Grubb, Inside Australia’s Data Retention Proposal, ZDNET (June 16, 2010); and Ben Grubb, Govt Wants ISPs to Record Browsing History, ZDNET (June 11, 2010).

[78] Telecommunications (Interception and Access) Act 1979 (Cth).

[79] Senate Committee Report, supra note 26, at 58. See also OAIC, Information Sheet (Private Sector) 7, Unlawful Activity and Law Enforcement (2001).

[80] Senate Committee Report, supra note 26, at 54.

[81] Id. at 68–69. See also John Hilvert, Senate Committee Warning on ISP Data Retention, SC MAGAZINE (Apr. 8, 2011).

[82] Cybercrime Legislation Amendment Bill 2011 (Cth); and Cybercrime Legislation Amendment Bill 2011, PARLIAMENT OF AUSTRALIA (last visited June 4, 2012).

[83] Parliament of Australia, Bills Digest No. 31 2011-12.

[85] Josh Taylor, Roxon Goes Public on Data Retention, ZDNET (May 4, 2012).

[86] Attorney-General’s Department, Briefing to the Attorney-General on Online Privacy Inquiry – Response Recommendation 9 (Sept. 22, 2011); and Documents Concerning the Current Status of Data Retention Scheme Considerations, ATTORNEY-GENERAL’S DEPARTMENT (May 21, 2012).

[87] Darren Pauli, Govt Wants Public Vote on Data Retention, ITNEWS (May 4, 2012); Luke Hopewell, Data-Retention Inquiry Hits Speed Bump, ZDNET (May 17, 2012); and Stephanie McDonald, Ozlog: Government Pushes Ahead with Data Retention Plans, COMPUTERWORLD (May 28, 2012).

[88] Renai LeMay, Data Retention Proposal Still Hazy, Even Within Govt, DELIMITER (May 31, 2012).

[90] See id., para. 46.10. The functions of the Office of the Privacy Commissioner were integrated into the Office of the Australian Information Commissioner in 2010. See Privacy Complaints, OAIC (last visited June 4, 2012).

[92] Privacy Act 1988 (Cth) s 27.

[93] Id. s 40(2).

[94] ALRC REPORT 108, supra note 1, para. 45.23. For completed own motion investigations, see Investigation Reports—Privacy, OAIC (last visited June 4, 2012).

[95] Public Interest Determinations, OAIC (last visited June 30, 2012).

[96] Privacy Act 1988 (Cth), ss 29(a)–(b). See also ALRC REPORT 108, supra note 1, paras. 46.36–46.46.

[97] For discussion about developments relating to the tort of invasion of privacy in Australia, see Des Butler, A Tort of Invasion of Privacy in Australia?, 29(2) MELB. U.L. REV. 339 (2005); Peter D. Applegarth, The Tort of Privacy Invasion in Australia After Jane Doe, QLD. J. SCHOL. 9 (2009); and Penelope Watson, Remedies for Novel Torts: Invasion of Privacy, 1 J. AUST. LTA 391 (2008).

[98] The Privacy Commissioner has commissioned surveys on community attitudes to privacy every few years, with the most recent being completed in 2007. The next survey is expected to be conducted this year. See Community Attitudes, OAIC (last visited June 5, 2012).

[99] See, e.g., Press Release, Timothy Pilgrim, Australian Privacy Commissioner, OAIC, Investigation into Sony Data Breach (May 4, 2011); Press Release, Office of the Privacy Commissioner (NSW), Privacy Commissioner Concerned about Continued Database Security Breaches (Oct. 18, 2011).

[100] Data Breach Notification: A Guide to Handling Personal Information Security Breaches, OAIC (Apr. 2012). See also Australians Demand Online Data Breach Notification: UC Survey Reveals, UNIVERSITY OF CANBERRA MEDIA (last updated May 1, 2012); and Supratim Adhikari, Internet Users Seek Mandatory Data Breach Guidelines: Survey, TECHNOLOGY SPECTATOR (May 1, 2012).

[102] Id.; and ALRC REPORT 108, supra note 1, paras. 51.73–51.109.

[103] See Bruce Arnold, Care Don’t Share: What Medvet Breach Says About Australian Privacy Laws, THE CONVERSATION (Aug. 8, 2011); and Greenleaf, supra note 2, at 32–33.

[104] Press Release, OAIC, Privacy—It’s All About You (Apr. 27, 2012).

[105] Sharon Nye, Internet Privacy—Regulating Cookies and Web Bugs, PRIVACY L. & POL. R. 26 (2002).

[106] The Personal Information Project, UNIVERSITY OF QUEENSLAND, CENTRE FOR CRITICAL AND CULTURAL STUDIES (last visited June 8, 2012).

[107] Id.

[108] Press Release, University of Queensland, Centre for Critical and Cultural Studies, Australians Concerned for Online Privacy (Mar. 16, 2012).

[109] Dan Svantesson, Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow, 19(1) BOND L. REV. 168 (2007).

[110] Id. at 181–83.


[112] Australian Government, Enhancing National Privacy Protection: First Stage Response to the Australian Law Reform Commission Report 108 (Oct. 2009). The government has not yet responded to the Senate committee’s report regarding the adequacy of the current privacy framework for protecting the information of Australians online.

[113] Information relating to this inquiry, including submissions received and the final two-part report, is available on the Parliament of Australia’s website, Exposure Drafts of Australian Privacy Amendment Legislation (last visited June 8, 2012).

[114] Privacy Amendment (Enhancing Privacy Protection) Bill 2012, PARLIAMENT OF AUSTRALIA (last visited June 4, 2012); AGD Privacy Act Amendments, ATTORNEY-GENERAL’S DEPARTMENT (last modified May 25, 2012); Privacy Reforms, ATTORNEY-GENERAL’S DEPARTMENT (last modified Mar. 16, 2012); and Press Release, Nicola Roxon, Minister for Emergency Management, Attorney-General for Australia, Privacy Reform Laws Introduced into Parliament (May 23, 2012).

[115] Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Second Reading: Nicola Roxon (May 23, 2012).

[116] House of Representatives, Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Explanatory Memorandum.

[117] Id. at 1–2, 52–53.

[118] Id. at 60–61.

[119] Id. at 4.

[120] Id. at 81.

[122] Id. at 70, 83.

[123] Id. at 73–74.

[124] Id. at 54, 74–76.

[125] Id. at 5.

[126] Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Second Reading, supra note 115. An enforceable undertaking is a type of enforcement action that may be used instead of a court action or as part of a settlement. The ALRC explains that an enforceable undertaking is “essentially a promise enforceable in court. A breach of the undertaking is not contempt of court but, once the court has ordered the person to comply, a breach of that order is contempt.” ALRC REPORT 108, supra note 1, para. 50.53.

[127] Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Explanatory Memorandum, supra note 116, at 5, 49.

[128] Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Second Reading, supra note 115.

[129] Inquiry into the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, PARLIAMENT OF AUSTRALIA, HOUSE STANDING COMMITTEE ON SOCIAL POLICY AND LEGAL AFFAIRS (last visited June 4, 2012).

[130] Department of the Prime Minister and Cabinet, Issues Paper: A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy (Sept. 2011); and A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy, Department of the Prime Minister and Cabinet (last updated Nov. 1, 2011).

[131] The submissions are being progressively published online at A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy, ATTORNEY-GENERAL’S DEPARTMENT (last modified June 12, 2011).

Last Updated: 10/30/2017