In the previous post we examined the applicable data governance frameworks in the APAC region, with a specific focus on the Osaka Declaration. The success of the Osaka Declaration depends on different APAC countries adopting a common framework of data governance rules.
In this post, we examine the data governance framework in Australia, from the perspective of grounds of data processing and obligations on organisations (II);rights guaranteed to individuals (III); rules governing cross-border data flows (IV); the penal and enforcement framework (V); and the exemptions given to law enforcement agencies (VI). Part VII concludes.
Australia regulates data protection through both federal and state laws. In this post, we focus on the Privacy Act, 1988 (Cth), which is the federal privacy law in Australia. The Privacy Act is centred around 13 enumerated principles for data collection and use (“Australian Privacy Principles” or “APP”). Compliance with the Privacy Act and complaints under the Privacy Act are mainly overseen by the Office of the Australian Information Commissioner (“OAIC”).
II. Data processing and other obligations of APP entities
Scope of the Act
The Privacy Act regulates “APP entities”, which are individuals, private sector entities with an annual turnover of more than AUD 3 million, and all Commonwealth Government and Australian Capital Territory government agencies.
Notice and consent
The Privacy Act, through the APPs, imposes limitations on the collection, storage, use, and disclosure of personal information by APP entities. For instance, personal information, other than sensitive information, must only be collected if it is “reasonably necessary”. Thus, consent is not required for the collection of personal information. However, collection of sensitive information additionally requires the consent of the individual, or an authorization/requirement under law or by a court/tribunal order.
At the time of collection, or as soon as practicable after, APP entities must give notice to individuals regarding this collection. Consent is required under various circumstances such as to disclose sensitive information about an individual for direct marketing or use data collected for a secondary purpose.
Consent can be both express and implied. Consent must be: informed; voluntary; current, specific; and given by an individual who has to the capacity to understand, and the ability to communicate their consent. Opt-out consent can be valid, but the opt-out option should be clearly and prominently presented, not bundled with other options, the implications of not opting out explained to the individual, and the consequences of failing to opt out are not serious. Thus, an individual can withdraw their consent “at any time” in an easy and accessible manner, after being made aware of the potential consequences of their withdrawal. It is generally believed that once consent has been given by an individual, they do not have any substantial right to restrict processing of their data.
APP entities must take reasonable steps to protect personal information from misuse, interference, loss; as well as unauthorized access, modification, and disclosure.
Data breach notification
APP entities must notify the OAIC when they have reasonable grounds to believe that an “eligible data breach” has occurred. An eligible data breach is an unauthorized access to, or disclosure of, personal information, which would likely result in “serious harm” to the individual concerned. As long as it is practicable, the APP entity must notify the individual concerned as well, while also recommending steps they should take in response to the breach. These changes in the Privacy Act were introduced through an amendment in 2017 and in one year, saw an increase of 712% in data breach notifications (compared to the voluntary notification regime prior to that).
Privacy by design
APP entities must take reasonable steps to implement practices, procedures, and systems that will ensure compliance with the APP and deal with complaints. The OAIC refers to this as a “privacy management plan”. As part of its template, it requires entities to adopt a privacy by design approach. This includes conducting privacy impact assessments.
III. Individual rights
The Privacy Act recognizes key individual rights through the APPs. These include:
- Right to anonymity: Individuals have to be provided the option to not identify themselves or to use pseudonyms when dealing with an APP entity. The APP entity is not required to provide these options where collection is authorized by law, a court/tribunal order to deal with identified individuals, or if it would be impractical for the APP entity to deal with such individuals who have not identified themselves.
- Right to data quality: Personal information collected and disclosed has to be accurate, up to date, complete,  and relevant.
- Right to access data, except where it would pose a serious threat to the health of others, unreasonably impact the privacy of others, or a government agency holding the data has a lawful reason for non-disclosure.
- Right to correct data, as is reasonable under the circumstances, to ensure that information held is accurate, relevant, up to date, complete and not misleading. On an individual’s request, these corrections must be notified to other APP entities, as long as it is not impractical or unlawful to do so.
- Right to deletion: This is slightly different from the right to be forgotten recognised under the GDPR. Under the Privacy Act, reasonable steps must be taken by an APP entity to de-identify or delete personal information about an individual once its purpose has been served (unless the information is in a Commonwealth Record and is required by law to be retained).
- Right to object to marketing: Any APP entity engaged in direct marketing must provide individuals with a simple means of opting out from receiving marketing communication.
Interestingly, unlike the GDPR and the proposed Personal Data Protection Bill, 2019 in India, the Privacy Act in Australia does not recognize a right to data portability. Individuals only have a right to request access to a copy of their personal data, but not to port it. In 2017, the Australian Government announced that it would introduce a “Consumer Data Right” (“CDR”), which would “give consumers greater access to and control over their data…. and compare and switch between products and services”, similar to the right to data portability. The CDR is expected to be introduced first in the banking sector, then in the energy sector, followed by the telecommunication sector starting early 2020. The Australian Competition and Consumer Commission has been given the role of lead regulator of the CDR. The OAIC is tasked with handling complaints under the CDR scheme.
IV. Cross-border data flows
An APP entity can disclose personal information to an overseas recipient, only after taking reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles. The law ensures the accountability of the APP entity by holding it liable for the actions of the overseas entity, if the latter were to breach the APP Principles.
If the APP entity has a reasonable belief that the transferred data will be subject to “substantially similar” data protection and enforcement framework overseas; or if the data subject consents to such disclosure of information, then the APP entity can simply disclose the personal information overseas. The Act has other exemptions, such as permitting the cross-border disclosure of personal information between law enforcement agencies.
In general, Australia does not have any broad-based data localization requirements. However, certain sector-specific restrictions exist. For instance, electronic health records containing personal identifying information of an individual (held for the purpose of the “My Health Record system”) cannot be held or taken outside the country, nor can information relating to these records be processed outside Australia. This is in line with the Australian government’s policy of shaping international rules that facilitate the cross border flow of data and information and focus on digital assets, while protecting individual privacy.
V. Enforcement framework
The OAIC investigates the complaints it receives from individuals or initiates investigations on its own about acts and practices that may interfere with individuals’ privacy.
As part of its investigatory powers, the OAIC can attempt conciliation of complaints; make preliminary inquiries; require a person to give information or documents, examine witnesses, or to attend a compulsory conference; and transfer the matter to an alternate complaint body in certain circumstances. After the conclusion of an investigation, the OAIC makes a determination. An APP entity can either accept an enforceable undertaking or judicial proceedings are initiated to enforce a determination. For instance, in November 2018, the Department of Health executed an enforceable undertaking following improper de-identification procedures used to release the data of claimants of certain medical benefits, which was then accepted and published by OAIC.
Civil penalties can be imposed on entities requiring them to pay a pecuniary penalty for a violation of the Privacy Act. Civil penalties, undertakings relating to compliance with the Privacy Act, and injunctions are all enforceable in court.
External dispute resolution
The OAIC can recognize external dispute resolution schemes (“EDR scheme”)that offer independent, quick, and fair dispute resolution over specific privacy-related complaints. An EDR Scheme handles both privacy and broader non-privacy issues, and any complaints on mis-handling of personal information in that sector can be made directly to the EDR scheme, instead of the OIAC. For instance, At a federal level, the OAIC recognizes the Australian Financial Complaints Authority as an EDR scheme for the banking, financial planning, insurance sectors.
VI. Exemption given to law enforcement agencies
The Privacy Act makes certain exception for “enforcement related activities”, which include prevention, detection, investigation, prosecution or punishment of criminal offences and breaches of law; the conduct of surveillance, intelligence gathering, and monitoring activity; and the protection of public revenue. For instance, the general right to access information can be denied on the ground that it would likely prejudice an enforcement related activity. Similarly, law enforcement agencies (called “enforcement bodies” under the law) are exempt from notifying individuals about data breaches or giving a copy of a statement to the OAIC, if there are reasonable grounds to believe that such notification would likely prejudice an enforcement related activity. Enforcement bodies can also collect sensitive information about an individual, without their consent, if they reasonably believe that it is reasonably necessary for, or directly related to, the entity’s functions or activities.
In 2018, Australia also brought a controversial amendment to its law governing telecommunications, computer access warrants, and search warrants. Under this law, law enforcement agencies have easier access to encrypted data to safeguard national security or enforce serious offences. This is achieved by requiring designated communication providers to remove a form of encryption or authorisation (electronic protection), provide technical information, install certain software or equipment, facilitate access to services/data processing device/software, and most importantly, conceal from its users that the company has done these acts.
The only safeguard that has been incorporated, after significant criticism is that designated communications providers cannot be required to implement or build a ‘systematic weakness’ or a ‘systematic vulnerability’ into their electronic protection method such as encryption or authorisation. A review of the working of the law is expected to be concluded this year. 
In this series, we examine the data governance frameworks of several APAC countries. This will help us determine whether there is a common minimum framework in place to take forward the goal of the Osaka Declaration. Australia has a strong privacy law in place, with clearly laid out privacy principles and no broad-based data localization requirement, although a wide berth is given to law enforcement agencies. Interestingly, unlike other countries, consent is not the primary basis of processing personal data. This will prove to be an interesting comparison with the next country that we examine as part of our series – Singapore.
This piece was authored by Ikigai Law team
 For instance, New South Wales has enacted the Privacy and Personal Information Protection Act 1998; the State of Victoria has enacted the Privacy and Data Protection Act, 2014; the Australian Capital Territory has enacted the Information Privacy Act, 2014. Western Australia and South Australia do not have their own privacy laws.
 An APP Entity is an “agency or organization” under Section 6 of the Privacy Act, 1988 to whom the Act applies. Although the Australian Privacy Act refers to “APP entities”, many data protection legislations such as the European GDPR use the term “data controllers” and “data processors” to refer to the organisations covered under the law.
 Section 6(1) read with Sections 6C and 6D read with Section 13, Privacy Act, 1988. See also DLA Piper, Data Protection Laws of the World: Australia, available at https://www.dlapiperdataprotection.com/index.html?t=law&c=AU.
 The OAIC has released detailed guidance on the interpretation and application of the Australian Privacy Principles. See Office of the Australian Information Commissioner (OAIC), Australian
Privacy Principles Guidelines: Privacy Act, 1988 (2019), available at https://www.oaic.gov.au/assets/privacy/app-
 APP 3.1 and APP 3.2, Privacy Act, 1988.
 APP 3.3(a), Privacy Act, 1988.
 APP 5.1, Privacy Act, 1988.
 APP 6.1(a) and APP 7.4, Privacy Act, 1988.
 Section 6(1), Privacy Act, 1998.
 OAIC, APP Guidelines, supra note 6, at 11.
 Ibid., at 12.
 ICLG, Australia: Data Protection, 2019, available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/australia
 APP 11.1, Privacy Act, 1988.
 Section 26WK, Privacy Act, 1998
 Section 26WA read with Section 26WE(2), Privacy Act, 1998.
 Section 26WL(2), Privacy Act, 1998, which lists out the circumstances under which the notification requirement is activated. See also Section 26WK(3)(d) read with Section 26WR(4)(d), Privacy Act, 1998.
 Privacy Amendment (Notifiable Data Breaches) Act 2017. See also OAIC, Notifiable Data Breaches Scheme: 12 Month Insight Report (2019), available at https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/
 APP 1.2, Privacy Act, 1998.
 OAIC, Privacy Management Plan Template (For Organisations), available at https://www.oaic.gov.au/privacy/guidance-and-advice/privacy-management-plan-template-for-organisations/.
 APP 2, Privacy Act, 1988. See also OAIC, APP Guidelines, supra note 6.
 APP 10.1. and APP 10.2, Privacy Act, 1988.
 APP 10.2, Privacy Act, 1988 in respect of disclosure of personal information.
 APP 12.1 to 12.3, Privacy Act, 1988.
 APP 13.1, Privacy Act, 1988.
 APP 13.2, Privacy Act, 1988.
 APP 11.2, Privacy Act, 1988.
 APP 7.2(c)-(d) and APP 7.3(c)-(e), Privacy Act, 1988.
 Section 19, Personal Data Protection Bill, 2019, available at http://126.96.36.199/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
 Australian Competition & Consumer Commission, Consumer Data Right, available at https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0.
 Section 16C read with APP 8, Privacy Act, 1988.
 APP 8.2(a)(i), APP 8.2(b), Privacy Act, 1988.
 APP 8.2(c)-(f), Privacy Act, 1988.
 APP 8.2(f), Privacy Act, 1988.
 Section 77, My Health Records Act, 2012, available at https://www.legislation.gov.au/Details/C2017C00313.
 Government of Australia, Australia’s Tech Future: Delivering a Strong, Safe, and Inclusive Digital Economy (2018), available at https://www.industry.gov.au/sites/default/files/2018-12/australias-tech-future.pdf, at 38.
 Sections 36, 40, and 41, Privacy Act, 1988.
 Section 40A, Privacy Act, 1988.
 Section 42, Privacy Act, 1988.
 Sections 44-46, Privacy Act, 1988.
 Section 50, Privacy Act, 1988.
 Section 52 read with Section 55A and 80V, Privacy Act, 1988.
 OAIC, Department of Health: Enforceable Undertaking, available at https://www.oaic.gov.au/privacy/privacy-decisions/enforceable-undertakings/department-of-health-enforceable-undertaking/#undertaking.
 Sections 16A, 17, and 26V, Privacy Act, 1988.
 Sections 95, 95A, and 95AA, Privacy Act, 1988 empowering the OAIC to approval of guidelines issued by the National Health and Medical Research Council.
 OAIC, Rules and Guidelines, available at https://www.oaic.gov.au/privacy/the-privacy-act/rules-and-guidelines/
 Sections 80U, 80V, and 80W, Privacy Act, 1988 read with Section 82, Regulatory Powers (Standard Provisions) Act, 2014.
 Section 35A, Privacy Act, 1988.
 OAIC, External Dispute Resolution Schemes, available at https://www.oaic.gov.au/privacy/privacy-complaints/external-dispute-resolution-schemes/.
 Section 6(1), Privacy Act, 1988.
 APP 12.3(i), Privacy Act, 1988.
 Section 26WN, Privacy Act, 1998.
 Section 26WS, Privacy Act, 1998.
 APP 3.4(d), Privacy Act, 1988.
 Section 317C of Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 defines designated telecommunication providers as including carriage or carriage service providers, carriage service intermediaries, providers of electronic services, developers of software used for listed carriage services and electronic services, manufacturers of customer equipment and data processing devices.
 Section 317E, Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
 Systematic weakness has been defined to mean a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
 Systematic vulnerability has been defined to mean a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
 Section 317ZG(1), Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
 Parliament of Australia, Review of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, available at https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/AmendmentsTOLAAct2018.