Critical Privacy Law in Australia

Navigating Data Protection in a Digital World

Privacy law protection has become essential as we navigate a data-driven era where smartphones, cloud platforms, and artificial intelligence are integral to daily life and commerce. The scale and speed at which personal information is collected, stored, and shared, by both government and the private sector, has made robust privacy law regulation critical.

While Australian common law does not recognise a standalone right to privacy, statutory protections have evolved significantly. This article outlines current privacy law protections, including major reforms introduced in 2024.

Defining ‘Personal Information’ Under Privacy Law

The Privacy Act 1998 (Cth) defines Personal Information as:

“Information or an opinion about an identified individual, or an individual reasonably identifiable, irrespective of accuracy or whether recorded in material form.”

This includes, but is not limited to:

  • Names, addresses, and contact details
  • Date of birth, gender, and racial or ethnic origin
  • Sexuality and relationship status

Enhanced protections for Special Categories:

  • Sensitive Information: Political associations or opinions, religious beliefs, trade union membership, sexual orientation, and criminal records.
  • Health Information: Physical or mental health status, disabilities, health services accessed, genetic data, or biometric information.
  • Other protected categories: Tax File Numbers, electoral roll details, spent convictions, and telecommunications metadata.

Federal Framework: Privacy Act 1998 (Cth)

The Privacy Act applies to:

  • All Australian Federal government agencies
  • Private organisations that:
    • Have an annual turnover of $3 million or more;
    • Provide a health service (e.g., GP clinics, pharmacies);
    • Trade in personal information;
    • Are a credit reporting body;
    • Are a service provider under a Commonwealth contract;
    • Have voluntarily opted into the Privacy Act.

2024 Privacy Law Reforms: Key Changes

  • Stronger Penalties (replacing the previous $2.1 million cap):
    • Up to $50 million in fines;
    • 3 times the value of any benefit obtained; or
    • 30% of domestic turnover, whichever is highest.
  • New Individual Rights:
    • Right to Erasure: Individuals may request deletion of outdated or unnecessary personal data.
    • Enhanced Consent Requirements: Clear, plain-language explanations are mandatory before collection of personal information.
  • New and Stricter Business Obligations:
    • Mandatory Breach Notifications within 72 hours to the OAIC and affected parties.
    • Privacy Impact Assessments (PIAs) required for high-risk data projects.
    • Child Data Restrictions: Stronger controls on collecting personal data from minors.

Exceptions

Employee records (directly related to current/former employment relationships) remain exempt from most APPs, though they are still subject to the Fair Work Act 2009 and state obligations. This is a specific nuance within privacy law.

Australian Privacy Principles (APPs)

The 13 APPs form the foundation of privacy law compliance. While their structure remains unchanged, the 2024 reforms introduced key refinements:

| APP | Core Obligation | 2024 Reform Emphasis |
| --- | --- | --- |
| APP 1 | Open and transparent management | Policies must use clear and concise language and be easily accessible |
| APP 3 | Collection of solicited personal information | Prohibits indiscriminate or automated data scraping |
| APP 5 | Collection notification | Notices must avoid legal jargon |
| APP 8 | Cross-border disclosures | Tighter oversight of international data transfers |
| APP 11 | Security of personal information | Mandates proactive security audits and breach response planning |
| APP 12/13 | Access to/correction of personal information | Faster response timelines (reduced from 30 to 15 business days) |

International Application

The Privacy Act applies to foreign entities if they:

  • Are incorporated in Australia;
  • Have central management or control in Australia; or
  • Collect or hold Australian individuals’ data.

NSW Privacy Framework: PPIPA and HRIPA

The Privacy and Personal Information Protection Act 1998 (PPIPA) regulates state public sector agencies through 12 Information Protection Principles (IPPs), including:

  • Lawful: Collection must serve a lawful purpose.
  • Direct: Information collected directly from individuals (exceptions: minors/parental consent).
  • Open: Explain why data is collected, how it’s used, and rights to access/correct.
  • Relevant: Data must be accurate, up-to-date, and non-excessive.
  • Secure: Implement safeguards against unauthorised access/loss.
  • Transparent: Disclose stored information and usage purposes.
  • Accessible: Provide access without unreasonable delay/cost.
  • Correct: Allow amendments to inaccurate data.
  • Accurate: Verify relevance/accuracy before use.
  • Limited: Use data only for its original purpose (exceptions: consent/public safety).
  • Restricted: Disclose only with consent or for directly related purposes.
  • Safeguarded: Never disclose sensitive data without consent (exceptions: imminent safety threats).

Health Information remains covered by the Health Records and Information Privacy Act 2002 (HRIPA) and its 15 Health Privacy Principles.

In NSW, covert surveillance in workplaces is regulated under the Workplace Surveillance Act 2005 (NSW), which limits the use of video, audio, and computer monitoring.

Key Exemption: Employee Records

Employee records in the context of current or former employment are largely exempt from the Privacy Act, though still subject to:

Penalties for Non-Compliance

  • Federal breaches:
    • Up to $50 million fines
    • Disqualification or civil penalties for company directors
  • NSW breaches (PPIPA or HRIPA):
    • Binding orders from the NSW Privacy Commissioner
    • Compensation payments to affected individuals
    • Orders enforceable through NCAT or the Supreme Court

How We Help Navigate These Changes

Citilawyers assists with:

  • Compliance audits against 2024 APP reforms
  • Data breach response strategies for the new 72-hour reporting rules
  • Redrafting privacy policies in line with the plain-language standards and consent reforms
  • Representation in OAIC/NSW Privacy Commissioner investigations

The reforms signal Australia’s commitment to modernising privacy law safeguards in our data-driven era. For organisations, compliance is now both a legal imperative and a competitive advantage, demonstrating respect for those whose information you hold. Understanding privacy law is more critical than ever.

If you require guidance tailored to your circumstances, contact us for a confidential discussion.
