Australia Privacy Act: Everything You Need to Know in 2024

A series of data breaches cost Australian and other APAC companies millions in 2022, igniting a response from governments on a national and international level.

Here are some alarming statistics revealed by Thales in their 2022 "Data Threat Report" about companies in the region:,

• 50% of respondents reported experiencing security breaches, with 32% saying they'd experienced one in the last 12 months.

• Only 16% of respondents said they had complete knowledge of where their data was stored, and only 23% were able to classify data fully.

One of the countries that experienced the largest number of breaches was Australia. While several privacy laws and regulations are already in place, their legislation still needs to fully adapt to new technologies and lacks explicit requirements for data protection during collection, transfer, usage, and storage.

The Australian government has planned a major overhaul to address these issues in 2023 and 2024 onward, updating its data privacy laws to better protect the rights of individuals and prevent future breaches. Read on and learn:

• What Australian data privacy laws are in place now?
• What Australian data privacy laws are confirmed to come into effect?
• What Australian data privacy laws are expected to come?
• Data privacy laws in the rest of APAC
• What you can do to remain compliant with new privacy regulations

What Australian data privacy laws are in place now?

Australia's current privacy laws fall under the jurisdiction of the Privacy Act of 1988. The law spells out the following requirements for organizations (both public and private) that collect personal information:

• Lawful purpose: Personal information can only be collected for a lawful purpose that necessitates the collection of that information. Then that information can only be used or disclosed for the purpose it was originally intended/collected.

• Data quality: Organizations must maintain high data quality for the personal information they collect; it must be up-to-date, complete, and protected from misuse (i.e., loss, unauthorized access, modification, or disclosure).

• Consent: Individuals must provide consent for the collection, use, or disclosure of their personal information.

• Right to access and correct: Individuals have the right to request access and correct their personal information after it has been collected.

• Identifiers: If the government assigns a number or code (identifier) to an individual for identification purposes, companies are prohibited from disclosing that identifier unless authorized by law.

• Anonymity: Individuals must maintain the right to remain anonymous when dealing with an organization where it is lawful and practical.

• International data transfers: Personal information transferred outside of Australia must still be protected under a level of privacy protection comparable to domestic standards.

• Privacy policy: Organizations must have a clear and concise privacy policy outlining how they handle personal information.

• Complaints: Individuals can report breaches of the privacy act to the Australian Information Commissioner (OAIC).

What Australian data privacy laws are confirmed to come into effect?

After the series of data breaches we discussed in the introduction, the Australian government received a lot of pressure from the public to review and update its privacy policies. The Australian Competition and Consumer Commission's Digital Platforms Inquiry was tasked with assessing the Privacy Act of 1988 to see if it is sufficient for the modern data landscape, ensuring that it empowers consumers, protects their data, and serves the Australian economy.

This review led to the introduction of the Privacy Bill to parliament in October 2022. The bill contained the following suggested improvements:

• Increase the penalties for serious or repeat data breaches:

• • Maximum penalty raised from 2.2 million AUD to 50 million AUD, 30% of the company's turnover, or three times the benefit the company obtained from misusing personal information.

• Expanding the scope of the organizations covered by the privacy act to include extra-territorially qualifying foreign organizations.

• Granting more power to the Office of the Australian Information Commissioner (OAIC).

• • Seek information from organizations and assess data breach compliance.
  • Share information with other regulators.
  • Issue infringement notices if an organization doesn't comply with an OAIC request.

New South Wales New Privacy and Personal Information Protection Amendment Act 2022 (The PPIP Amendment act)

While it doesn't apply to all of Australia, the New South Wales region voted into power the New Privacy and Personal Information Protection Amendment Act 2022, which will come into force in December 2023. Applying to the major cities of Sydney, Newcastle, and Central Coast, this act could shed some light on future policies throughout Australia and, eventually, the APAC region. Here are some details about the PPIP Amendment act:

• Only affects public sector agencies. The PPIP does not apply to private businesses, only public sector agencies (i.e., statutory authorities, universities, and local councils) and state-owned corporations (Sydney Water, Water NSW, Essential Energy, Port Authority NSW).

• Introduces mandatory data breach notification scheme. When a data breach occurs, the organization must notify the OAIC and affected individuals if "serious harm" can occur. It outlined the following points:

• • Definition of a data breach. "Where there is unauthorized access or disclosure to personal information or personal information is compromised, and that breach or compromise is likely to cause serious harm to an individual."
  • Time limit. After a data breach occurs, organizations have 30 days to assess it and report it to the authorities.
  • Factors that make data breaches serious: sensitivity of personal information, whether cybersecurity or encryption can protect the information, likelihood of malicious intent, and nature of the harm that could occur. The commissioner can also establish individual guidelines for assessing data breaches.
  • When notifying the commissioner. Do so immediately. Detail what PII was affected, how the breach occurred, and the costs involved in detecting, assessing, and mitigating the breach. Then notify the affected individuals and issue a "sufficiently promoted" public notification.
  • You can avoid notifying if: You sufficiently and successfully mitigate the breach before serious harm can occur (and prevent it in the future) or if notifying can somehow put the individual or the organization in danger.

• New transparency requirements. The law also puts new transparency laws into effect, requiring organizations to be more public and transparent about their internal and external policies regarding the handling of PII data. It mandates:

• Publishing data breach policies. In a public place where anyone can find them.

• The Internal Register. Create an internal record of eligible data breaches that contains the following information:

• • Records of all data breaches
  • Details of the notification process
  • Type of breach
  • Mitigation measures
  • Overall estimated cost of the breach

• The Public Register. Create a public notification record of all data breaches that contains the following information:

• • Record of all data breaches
  • When the data breach occurred
  • What type of personal information was affected
  • Must be available on the organization's website for at least 12 months
  • Once published, you must inform OAIC how the public can access it.

What Australian data privacy laws are expected to come?

The Attorney General of Australia completed his review of the Privacy Act of 1988 in January 2022. The resulting legislation (the Privacy Bill and the PPIP Amendment) is just the tip of the iceberg for data privacy reform in Australia.

The Attorney General's reviews also resulted in the Privacy Act Discussion Paper, a formal review of the Privacy Act, and suggestions (from private and public organizations and experts) on how it can be improved. In September 2023, the Australian Attorney General outlined their intended response to the proposals in this report. Of the 116 recommendations, 38 were agreed, while 68 were agreed in principle. This discussion paper contains several proposals that have a high chance of being signed into Australian law in the coming years. Some of the more intriguing recommendations are:

• Expanding the definition of personal information to include new types of data (i.e., biometric data, online identifiers, and location data). This could impact some professional sports organizations as they collect biometric data on players. 

• Strengthening requirements for obtaining consent. Companies that collect a lot of data could come under more scrutiny when obtaining consent and what they can do once it's obtained. TikTok already faced some specific inquiries after the first wave of laws came into effect in 2023. Some of the suggestions related to this include the following:

• • Companies and agencies must provide individuals with clear and specific information about what PII they're collecting, how they will use it, and who will have access to it.
  • Explain the consequences of giving consent (i.e., if giving consent might impact the individual's access to certain services).
  • Mandating explicit consent for sensitive information (i.e., health records and ethnicity).
  • Right to withdraw consent.

• The right to erasure. Giving individuals the right to request the erasure of their PII from public and private records.

• Improving transparency. Requiring businesses and government agencies to provide clearer and more accessible information about how they handle PII.

• Clarifying the application of the privacy act to new technologies. New technologies such as artificial intelligence (AI) and the Internet of Things (IoT) may require their own legislation to ensure protection and data privacy. Data products are set to become a staple in Australia in 2024 and, given their out-of-the-box nature, new regulation is sure to follow suit. Some of that legislation might include:

• • Clarifying the PII definition to include data generated from data products, AI, and IoT devices.
  • Businesses should perform "privacy impact assessments" of new technologies before deploying them.
  • Organizations must provide information about how these technologies will affect individuals' PII.
  • Individuals should have the right to access and correct PII collected by these technologies.

• Simplifying Privacy Act Language. Simplifying the regulations and requirements' language to make compliance easier for individuals, businesses, and government agencies.

• Financial compensation. Making it possible for individuals to seek monetary compensation when their PII has been mishandled.

Data privacy laws in the rest of APAC

Although this article focused primarily on AU, it doesn’t mean nothing is happening in the rest of APAC. Some other countries, such as Singapore, New Zealand, India, and South Korea, have begun revamping their policies.

You can visit this link for a comprehensive list of privacy policies in each APAC nation. Here are some key takeaways on the APAC region's privacy laws and future implications.

New laws in place, and more to come.

Some other countries in the APAC region have also begun revamping their privacy policies. Here are some of the top examples:

• Singapore retooled its privacy laws in 2020. Among the several changes, they enhanced consent requirements, increased financial penalties, implemented their own mandatory breach notification system, strengthened enforcement powers, and much more.

• New Zealand is upgrading its long-standing privacy act. New Zealand also recently introduced the Privacy Act 2020, an update on the previous act from 1993. They also intend to increase penalties and implement a mandatory notification system. You can read more about it here.

• India and South Korea are also in talks about the adequacy of consent models. Along with other APAC nations, both countries are having high-level policy discussions about the adequacy of consent models moving forward, seeking a solution that better addresses consumers' rights and has a better defense against data breaches.

Consent-based models.

All these nations have some version of consent – a policy requiring individuals to confirm their personal data's use before it can be collected.

However, definitions of consent vary dramatically from country to country. Each has a different set of consent conditions, and no single requirement is present in every country. This situation has led some nations to consider adopting an accountability model, holding organizations responsible for the PII data they collect instead of consenting individuals.

A desire to harmonize legislation.

A new report has come forward that surveyed APAC countries about these differences in their privacy landscapes. All 14 nations have stated a "shared desire to harmonize" their PII frameworks to smooth international data transfer throughout the region and limit data breaches.

Adopting the "balancing test."

The same report about data privacy in the APAC region cited several nations' interest in embracing the EU's GDPR model of a "balancing test" to replace their current consent-based system.

The balancing test falls on the data controller to determine whether the collection of personal data is necessary for the interests or intents of the organization. The controller must weigh the interest of collecting the data against the potential impact on the data's subject by considering factors like:

• The nature and purpose of the processing.
• The types of data being processed.
• The potential benefits and risks of the processing
• The data subject's expectations.

If data collection doesn't negatively impact the subject's rights and freedoms, then no consent is required to collect the data; if it does, consent must be obtained to collect the data. This gives companies a lot more flexibility on when they should ask for consent and lowers the strain on regulatory agencies, limiting their causes to situations that directly affect the rights and freedoms of individuals.

What you can do to remain compliant with new privacy regulations

While it’s still rather unclear what will be required of companies in the APAC region, you don’t have to wait for specific rules for PII handling! You can take a future-proof approach by investing in a data classification solution. Begin by taking the necessary steps for classifying your sensitive data.

By building a data classification solution on top of an automated data catalog, you will balance data democratization and compliance. On the one hand, you will build a catalog of high-value data that will shorten time to data for AI and analytics teams. On the other hand, you will have an inventory of PII across your whole data landscape.

Next, you can implement an MDM solution to consolidate personal information and manage consents in one place while maintain the full data lineage to source data. Regardless of who needs access to the data, whether it's regulatory entities or individuals exercising their rights, having these capabilities will make it possible to find and provide it as soon as possible.

Get started with data protection today

Ataccama has helped companies across the globe achieve data privacy and protection compliance. Curious how you can become compliant? Check out this useful article on the necessary data management steps for remaining compliant in 2024. For example, we helped T-mobile automate PII protection on thousands of databases. Looking forward to hearing from you!