
Australia Privacy Act vs GDPR: How Do They Differ?


If your business handles personal information across many countries, both the Australia Privacy Act and the GDPR are likely to apply to you.

As a result, you have to navigate several data privacy regulations at once. The deeper you go into the regulatory landscape, the more nuanced the similarities and differences between these laws become.

Let's learn all about the differences and similarities between the Australia Privacy Act vs GDPR in this guide.

Let's dive right in.

Key Takeaways

  • The Privacy Act 1988 of Australia applies to Australian Government agencies and to organizations with an annual turnover of more than AUD$3 million (plus some smaller organizations the Act specifically covers).
  • The GDPR applies to any business established in the EU, or that offers goods or services to, or monitors the behaviour of, individuals in the EU.
  • The key differences between the Australia Privacy Act and the GDPR lie in territorial scope, who the laws apply to, the size of fines, and some definitions (for instance, data controllers and processors vs APP entities).

What is the Australia Privacy Act?

The Australia Privacy Act (the Privacy Act 1988) governs how Australian Government agencies and organizations with an annual turnover of more than AUD$3 million collect, store, use, and disclose the personal information of individuals.

Brandon Weibe, General Counsel and Head of Privacy at Transcend, expands with his insights on the Australia Privacy Act:

"Passed in 1988, the Australia Privacy Act (APA) implemented new requirements around how businesses and government agencies handle personal data. With 13 Australian Privacy Principles, the law gives organizations some flexibility in the way they structure their data processing practices."

It has been amended several times since, with the most recent amendment on 18th October 2023 and a large amendment expected for 2024.

The legislation was an answer to the growing need to protect Australian citizens against privacy infringements and give them a stronger voice in how organizations can process their personal information.

At the same time, the Australia Privacy Act also aims to bring a much-needed culture of transparency and accountability in the business world.

The Privacy Act is built around 13 Australian Privacy Principles (APPs). These are:

1. Open and Transparent Management of Personal Information

This principle requires APP entities (the agencies and organizations the Act covers) to manage personal information openly and transparently, including maintaining clear and accessible policies on how personal information is collected, used, and disclosed.

Meeting this principle means having a clearly expressed, up-to-date privacy policy that explains the entity's handling practices and is made available to anyone who asks for it, and reviewing it regularly.

2. Anonymity and Pseudonymity

The principle of anonymity and pseudonymity aims to give individuals more control over their personal information by allowing them to remain anonymous or act under a pseudonym when communicating with a business, if possible.

On their end, companies can demonstrate that they respect their users’ privacy by providing more opportunities to interact with them without the users having to reveal their true identities.

3. Collection of Solicited Personal Information

The third principle states that an entity may only collect personal information that is "reasonably necessary" for one or more of its functions or activities (and, for sensitive information, generally only with the individual's consent).

To meet this principle, businesses need to make sure their data collection is targeted and that each item of information they collect is reasonably necessary for a specific function or activity, rather than collected "just in case".

4. Dealing with Unsolicited Personal Information

Where a business receives personal information it did not solicit, this principle requires it to determine, within a reasonable period, whether it could have collected that information lawfully under APP 3. If not, the information must be destroyed or de-identified as soon as practicable, provided it is lawful and reasonable to do so.

The best way to meet this principle is to have clear procedures for collecting and using unsolicited personal information.

5. Notification of the Collection of Personal Information

Principle 5 of the Privacy Act is there to empower individuals to make informed decisions about their data by requiring companies to inform their users of the collection of their data, including the purpose and who they will share it with.

The most important step in meeting this requirement is to have clear communication with users, whether directly or via privacy statements on the website, through which businesses can inform them about their data collection practices.

6. Use or Disclosure of Personal Information

Businesses should use or disclose personal information only for the primary purpose for which it was collected, unless an exception applies (for example, the individual consents to the secondary use, or would reasonably expect it and it is related to the primary purpose).

As such, companies must have clear policies on when personal information may be used or disclosed for a secondary purpose, and must document the exception they rely on.

7. Direct Marketing

According to this principle, companies must offer an opt-out for data subjects who do not want to get direct marketing communication and want to protect their privacy.

Having a clear and easy-to-use opt-out mechanism for users to set up their marketing communication is the key to meeting this principle.

8. Cross-Border Disclosure of Personal Information

Before disclosing personal information to an overseas recipient, an entity must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information.

To meet this principle, it is crucial to perform due diligence on the overseas recipient, ensure it is bound (for example, contractually) to handle the information to a comparable standard, and ensure the data is protected in transit. Note that, unless an exception applies, the disclosing entity generally remains accountable under the Act for what the overseas recipient does with the information.

9. Adoption, Use, or Disclosure of Government-Related Identifiers

This principle restricts the adoption, use, and disclosure of government-related identifiers. These are identifiers (numbers, letters, symbols, or a combination of them) assigned by a government agency that can be used to identify a person or verify their identity, such as a tax file number or Medicare number.

To meet the 9th principle, companies must not adopt a government-related identifier as their own identifier for an individual, and must limit use and disclosure of such identifiers to what the law requires or authorizes.

10. Quality of Personal Information

The principle of quality of personal information requires that the data organizations collect is relevant, accurate, and up-to-date and that it serves its intended purpose.

Businesses must enable their customers to update their data and also have regular data quality checks in place.

11. Security of Personal Information

When handling personal information, businesses must ensure its security and protect it from disclosure, loss, and unauthorized access. This requires the implementation of robust security measures.

Meeting this principle requires establishing a culture of security awareness within a company by educating and training employees on the data security best practices and regularly performing risk assessments, among other things.

12. Access to Personal Information

This principle empowers data subjects with the right to access personal information that companies hold about them.

Companies must have clear processes for handling these requests from their users and provide adequate information on the data they hold.

13. Correction of Personal Information

Finally, the last principle of the Australia Privacy Act requires entities to take reasonable steps to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading, whether on their own initiative or at the individual's request.

The principle of correction of personal information necessitates that companies enable their users to easily update their information and to have clear data correction request procedures.

The Privacy Act 1988 also grants individuals rights, such as:

  1. The right to know why their personal information is collected, how it will be used, and who it will be disclosed to
  2. The right not to identify themselves, or to use a pseudonym, in specific circumstances
  3. The right to ask for access to the personal information an entity holds about them
  4. The right to stop receiving unwanted direct marketing
  5. The right to have inaccurate personal information corrected
  6. The right to complain about the mishandling of their personal information by a government agency or organization the Act covers

What is the GDPR?

Brandon says:

"The General Data Protection Regulation (GDPR) is a comprehensive privacy law that applies to any company based in the EU or that markets goods or services to EU citizens.

The GDPR went into effect in May 2018—implementing privacy and data protection requirements for businesses under its scope, while granting data subjects (EU citizens protected by the law) new rights and more control over how their personal data is collected and used."

The EU implemented the GDPR in May 2018, replacing the Data Protection Directive of 1995, with the intent of harmonizing data protection law across EU member states and giving individuals more control over their personal data.

The 7 key principles of the GDPR (Article 5) are:

1. Lawfulness, Fairness, and Transparency

The GDPR principle of lawfulness, fairness, and transparency is very similar to the 1st principle of the Australia Privacy Act in that it instructs businesses to process personal information legally and be transparent about it.

Companies must identify and document a lawful basis for each processing activity, state it in a comprehensive privacy notice, and communicate openly with data subjects.

2. Purpose Limitation

Personal data can only be collected for a specified and legitimate purpose, according to the GDPR.

To comply with this principle, organizations must ensure their processing activities have a clear and lawful purpose and perform regular assessments of such activities.

3. Data Minimization

This principle calls for companies to only collect data if it is necessary for the specific processing purpose and eliminate or minimize any unnecessary data processing.

Businesses must review the data they collect and limit collection to what is strictly necessary for the intended and specified purpose.

4. Accuracy

Next, the GDPR principle of accuracy insists on companies having accurate and up-to-date personal information about individuals, as well as taking prompt and reasonable steps to correct inaccurate information.

Organizations ought to regularly review and update the data they hold for accuracy, along with having clear processes for data validation and correction.

5. Storage Limitation

The next principle limits how long companies can store information they have collected lawfully. Per the principle of storage limitation, data should be stored only as long as it is strictly necessary for the specific purpose it is collected.

That’s why, to meet this principle, companies need to have established data retention policies and additionally to regularly delete the data they no longer need.

6. Integrity and Confidentiality

Businesses must put necessary and stringent security measures in place to protect individuals’ data from disclosure, modification, unauthorized access, or destruction.

The key to meeting this GDPR principle lies in nurturing a culture of data security in the company and enforcing best data security practices, including using appropriate security measures.

7. Accountability

Finally, the principle of accountability requires organizations not only to comply with the GDPR but to be able to demonstrate compliance. In practice this means keeping records of processing activities, documenting lawful bases and data protection measures, and, where the Regulation requires it, appointing a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments (DPIAs).

Meeting this principle calls for clear and thorough documentation of data processing practices, including privacy policies, that is regularly reviewed and updated.

Likewise, the GDPR also grants individuals (data subjects) several rights, including:

  1. The right to access their personal data that is being processed
  2. The right to rectify or correct inaccurate and incomplete personal data
  3. The right to erase their personal data
  4. The right to restrict the processing of their personal data
  5. The right to object to the processing of their personal data
  6. The right to data portability, i.e. to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another organization

Differences Between the Australia Privacy Act vs GDPR

Brandon says:

"Though the GDPR and the Australia Privacy Act do have areas of overlap, there are several notable differences. In general, the GDPR has a wider scope and is considered more stringent, with more severe consequences, than the APA."

Let's look at the main differences between the Australia Privacy Act and the GDPR:

Scope

The Privacy Act 1988 applies to Australian Government agencies and organizations (together, "APP entities"), including those in the external Territories. The Act also applies to foreign businesses that have an "Australian link".

An entity, such as a company, has an Australian link if:

  • It was incorporated or formed in Australia (this includes partnerships and trusts formed in Australia), or
  • Its operator is an Australian citizen, or a person whose continued presence in Australia is not subject to a time limit imposed by law, or
  • It carries on business in Australia or an external Territory.

(Until the 2022 amendments, a foreign entity carrying on business in Australia also had to collect or hold personal information in Australia to have an Australian link; that additional requirement has been removed.)

The GDPR, on the other hand, applies to organizations established in the European Union, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals who are in the EU, regardless of those individuals' citizenship.

Also, while the Privacy Act applies to businesses with an annual turnover of more than AUD$3 million and generally excludes small businesses below that threshold (with exceptions, such as private health service providers and businesses that trade in personal information), the GDPR applies to all businesses regardless of their size or annual revenue.

APP Entities vs Data Controllers & Processors

The Privacy Act does not distinguish between data controllers and processors the way the GDPR does. Instead, it places the same obligations on every entity it covers, whether an agency or a private organization, and calls each of them an "APP entity".

The Office of the Australian Information Commissioner (OAIC) defines “APP entities” as:

“Organizations and Australian Government agencies that are subject to the Australian Privacy Principles.”

These can be:

  • Australian Government agencies
  • Private sector organizations with an annual turnover of more than AUD$3 million (banks, airlines, etc.)
  • Certain small businesses the Act specifically covers, such as private health service providers and businesses that trade in personal information

The GDPR distinguishes between “data controllers” and “data processors”.

Data controllers are defined as:

“Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

While a “data processor” is defined as:

“Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

Individual Rights

Both laws grant individuals a set of rights (listed in the two sections above).

While these rights look similar, they differ in notable ways. The Privacy Act includes the right to deal with an entity anonymously or under a pseudonym, and the right to stop receiving direct marketing. The GDPR grants rights that have no direct counterpart in the Privacy Act: the right to erasure, the right to restrict processing, the right to object to processing, and the right to data portability (receiving personal data in a transferable, machine-readable format).

Automated and Non-Automated Data Processing

The Australian Privacy Act makes no distinction between processing personal information by automated and by non-automated means; both are covered.

The GDPR applies to processing of personal data wholly or partly by automated means, and to non-automated processing only where the data forms part of, or is intended to form part of, a filing system.

Conducting DPIAs

The Privacy Act does not require a Data Protection Impact Assessment (DPIA), or a Privacy Impact Assessment (PIA) as it is known in Australia. The OAIC recommends PIAs as good practice for organizations, and Australian Government agencies are required to conduct them for high privacy risk projects under the Privacy (Australian Government Agencies - Governance) APP Code 2017.

The GDPR requires a DPIA before any processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale processing of special-category data or systematic monitoring of public areas.

Children and Age of Consent

The Privacy Act uses the Family Law Act 1975 definition of a “child” as:

“A person who is under 18 (including a person who is an adopted child).”

The Act does not specify an age at which an individual can give consent on their own behalf. OAIC guidance is to assess capacity case by case and, where that is not practical, to presume that an individual aged 15 or over has capacity to consent unless there is something to suggest otherwise.

The GDPR does not itself define a "child". Instead, it sets an age threshold for one specific situation and leaves the rest to the Member States.

For consent to information society services offered directly to a child (Article 8), the age of consent is 16, although Member States may lower this to as young as 13.

Fines & Penalties

For a serious or repeated interference with privacy, the Commissioner can apply to the Federal Court or the Federal Circuit and Family Court of Australia for a civil penalty of up to:

  • AUD$2,500,000 for an individual, or,
  • For a body corporate, the greatest of:
    • AUD$50,000,000,
    • 3 times the value of the benefit it obtained (directly or indirectly) that is reasonably attributable to the violation, or
    • 30% of its adjusted turnover during the breach turnover period, if the court cannot determine the value of the benefit.

The GDPR has two tiers of administrative fines:

  • Lower-tier violations (for example, breaches of controller and processor obligations such as security or record-keeping) can be fined up to €10,000,000, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher
  • Upper-tier violations (for example, breaches of the basic processing principles, data subject rights, or international transfer rules) can be fined up to €20,000,000, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher

Similarities between the Australia Privacy Act vs GDPR

However, despite the differences, there are also several similarities between the Australia Privacy Act and the GDPR.

Personal Information Definition

The APA defines "personal information" as:

"Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not."

The GDPR defines "personal data" as:

"Any information relating to an identified or identifiable natural person ('data subject')."

In both cases the test is whether the individual can be identified, directly or indirectly, rather than whether the information contains a name.

Data Security Measures

Both laws require organizations to protect personal information with security measures that are appropriate to the risk. The Privacy Act (APP 11) requires "reasonable steps" against misuse, interference, loss, and unauthorized access, modification, or disclosure; the GDPR (Article 32) requires "appropriate technical and organisational measures" and names encryption and pseudonymisation as examples. Neither law prescribes a fixed list of controls, so the choice of measures must be justified by the sensitivity of the data and the likely threats.

Companies must also establish and nurture a culture of data security by educating and training employees in using data security tools and best practices.

Consent

Under the Privacy Act, consent must be informed, voluntary, current, and specific, and the individual must have the capacity to give it. The Act also recognizes both "express" consent, given explicitly in writing or orally, and "implied" consent, reasonably inferred from the individual's conduct and the circumstances.

Under the GDPR, consent must be freely given, specific, informed, and unambiguous, and it must be expressed by a statement or a clear affirmative action. Silence, pre-ticked boxes, or inactivity do not count as consent, and "explicit" consent is required for special categories of data and certain other processing. Consent must also be as easy to withdraw as it was to give.

Lawful Basis and Legitimate Interest

APP entities may only collect personal information that is reasonably necessary for their functions or activities. For sensitive information (such as health, biometric, or racial or ethnic origin data), they must also have the individual's consent unless an exception applies, for example:

  • The collection is required or authorized by an Australian law or a court or tribunal order.
  • A permitted general situation applies (for example, lessening or preventing a serious threat to life, health, or safety).
  • A permitted health situation applies (for example, providing a health service, or research relevant to public health or public safety).

Under the GDPR, every processing activity needs one of the six lawful bases in Article 6: consent, performance of a contract, a legal obligation, protecting vital interests, a task in the public interest, or the controller's legitimate interests (provided they are not overridden by the individual's interests and rights). Special-category data additionally requires one of the Article 9 exceptions, such as:

  • The individual's explicit consent.
  • Processing necessary for reasons of substantial public interest or public health.
  • Processing necessary for establishing, exercising, or defending legal claims.

The Privacy Act has no separate "legitimate interest" basis; the "reasonably necessary for the entity's functions or activities" test plays a broadly similar role.

Accountability and Transparency

Lastly, both regulations emphasize the need for accountability and transparency by companies and the ability to demonstrate it.

How Can Captain Compliance Help?

By partnering with us, you can stay a step ahead in data privacy, with our experts guiding you through the regulatory landscape of Australia and the EU.

We are your one-stop solution for your company’s data privacy & compliance needs.

Get in touch with us for a complimentary consultation for your company today.

FAQs

Is there a GDPR equivalent in Australia?

The closest Australian equivalent of the EU's General Data Protection Regulation (GDPR) is the Privacy Act 1988. This law applies to Australian Government agencies and to organizations with an annual turnover of more than AUD$3 million, plus some smaller organizations it specifically covers.

Is privacy law in Australia protected by the Constitution?

The Australian Constitution does not explicitly mention a "right to privacy". Instead, privacy is protected by Commonwealth legislation such as the Privacy Act 1988, together with various state and territory laws.

Who does the Privacy Act apply to in Australia?

The Privacy Act 1988 applies to Australian Government agencies, to organizations with an annual turnover of more than AUD$3 million, and to some smaller organizations (such as private health service providers and businesses that trade in personal information).

What are the three types of privacy recognized by law in Australia?

The law in Australia has three types of privacy:

  1. Physical privacy
  2. Information privacy
  3. Surveillance


What are the consequences of breaching the Privacy Act in Australia?

A serious or repeated breach of the Privacy Act in Australia can lead to a civil penalty of up to AUD$2,500,000 for an individual. For a body corporate, the maximum is the greatest of AUD$50,000,000, three times the value of the benefit it obtained directly or indirectly from the violation, or 30% of its adjusted turnover during the breach turnover period.