The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Australia
International Regulations
Australian Privacy Act of 1988 & the Australian Privacy Principles
Privacy Act of 1988, as amended, including the Australian Privacy Principles (“APPs”) which replaced the National Privacy Principles and Information Privacy Principles on March 12, 2014.
Highlights
Territorial Scope:
The Privacy Act and the corresponding Australian Privacy Principles (“APPs”) apply to government agencies, organizations, and business operators (“APP Entity”) operating inside and outside of Australia but with an Australian link and exceeding the revenue threshold of $3,000,000. An organization or business has an Australian link if it carries on business in Australia or an external Territory and collects or holds Personal Information in Australia or an external Territory.
The APPs do not apply to the collection, holding, use or disclosure of Personal Information by an individual, or to Personal Information held by an individual only for purposes of, or in connection with, their personal, family or household affairs. Credit reporting bodies are also excluded from the scope of the APPs; they are regulated under a separate subdivision of the Act.
Further, the obligations imposed by the APPs do not apply in “permitted general situations” and “permitted health situations” as defined further below.
Lawfulness of Processing:
Processing is lawful only if and to the extent that the information is collected directly from the individual, unless at least one of the following applies:
- If the entity is an Agency, the individual or a competent person has given consent to the processing of his or her Personal Information for one or more specific purposes;
- If the entity is an Agency and is authorized under applicable law or a court order to collect information other than from the individual;
- It is unreasonable or impractical to collect the information directly from the individual.
APP Entity Obligations:
- Implement practices, procedures, and systems to ensure the entity’s activities are compliant with the Australian Privacy Principles and to permit the entity to comply with any requests or complaints from individuals regarding compliance with the APPs.
- Publish a clear and up-to-date Privacy Policy informing individuals about the Personal Information the entity collects or holds, the purpose of collection, use or disclosure, international transfers, the rights individuals are entitled to, and how their complaints may be handled. Notify the individual, at the time of collection or as soon as reasonably practical, that the entity is collecting their Personal Information, including where the information is collected from someone other than the individual.
- Provide individuals the opportunity to interact with the entity in an anonymous manner or using a pseudonym, unless the entity is authorized by law to interact with an identifiable individual, or it is impracticable to deal with the individual without identifying them.
- Refrain from collecting Personal Information unless the information is necessary for one or more of the entity’s functions or activities.
- An entity may only process Sensitive Information if the individual whom the information pertains to consents to the collection of the information and the information is reasonably necessary for one or more of the entity’s functions or activities.
- If the APP Entity receives unsolicited Personal Information, it is required to determine whether it would have been permitted to collect the information under the APPs. If it is determined that the entity could not have collected the Personal Information, it must undertake measures to safely destroy or de-identify the information.
- Not use the Personal Information other than for the purpose for which it was collected unless the Individual has consented, or the Individual would reasonably expect the entity to use or disclose the information for the secondary purpose, or such use or disclosure is required under applicable law, a general permitted purpose or health situation exists, or the entity deems it reasonably necessary.
- An entity may not use Personal Information for direct marketing unless the specific conditions prescribed by the APPs are met.
- An APP Entity (other than an Agency) must not adopt a government related identifier as its own and must not use or disclose government related identifiers unless doing so is reasonably necessary to verify the identity of the individual or to fulfill its obligations to an agency, it is authorized by law, or the entity believes disclosure is necessary for an enforcement activity.
- Take reasonable steps to confirm the Personal Information is accurate, up-to-date and complete.
- Implement appropriate technical and organizational measures to prevent unauthorized destruction of, or unlawful access to, Personal Information and, when the information is no longer needed, take reasonable steps to destroy it.
Data Subject Rights:
The APP Entity shall respond to the Individual within a reasonable time of the receipt of the request. Under the APPs, subject to certain exceptions, an Individual is entitled to the following rights:
- Right to access;
- Right to correct;
- Right to not have their Personal Information processed for purposes of direct marketing through unsolicited electronic communications.
Cross-border Data Transfers to Third Parties:
A disclosure of Personal Information to a third party in a foreign country may be undertaken if:
- The third-party recipient is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection substantially similar to the principles for lawful processing of the APPs, and the individual has mechanisms at their disposal to enforce the above rules or schemes.
- The entity informs the individual and the individual consents to the transfer.
- The disclosure is required or authorized by Australian law.
- A Permitted General Situation exists.
- The entity is an Agency, and the disclosure is required for enforcement activities and the recipient performs functions similar to that of an enforcement body.
Alternatively, before disclosing Personal Information to a third party in a foreign country, the APP Entity must take reasonable steps to verify that the overseas recipient does not breach the Australian Privacy Principles.
Eligible Data Breach Notification:
- Timeline for Notification to the Commissioner: If an entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach, the entity must notify the Commissioner as soon as reasonably practicable after becoming aware. The notification to the Commissioner must contain a statement that:
- Provides the identity and contact details of the entity;
- Describes the data breach that the entity has reasonable grounds to believe has occurred;
- Describes the kind of information affected;
- Recommends measures to be taken by the Individuals to mitigate the possible adverse effects of the security compromise.
- Requirements for Notification to Individuals: If practicable, the entity must notify the contents of the statement outlined above to each individual to whom the information relates, or to each of the individuals who are at risk from the eligible data breach. If that is impracticable, the entity must display such information prominently on its website or via news media. Such notification may be mandated by the Commissioner.
More Details
Definitions:
- APP Entity: An Agency, organization, or small business operator. For purposes of this Act, an Agency means a Minister, Department, federal government, court, police, or any other state entity; an Organization means an individual, corporation, partnership, trust or any other unincorporated association that is not a small business operator, agency, State or Territory. A small business exemption may apply to a business with an annual turnover for the previous financial year of $3,000,000 or less.
- Eligible Data Breach: Unauthorized access to, unauthorized disclosure of, or loss of Personal Information held by an entity that is likely to result in serious harm to the Individual to whom the information relates.
- Consent: Express or implied consent.
- Individual: The person to whom the personal information relates.
- Personal Information: Any information or opinion about an identified individual or an individual who is reasonably identifiable, regardless of whether the information or opinion is true or not, or whether the information or opinion is recorded in a material form or not.
- Government Related Identifier: An identifier of an individual that has been assigned by an agency, State or Territory authority, agent of an agency or state, a contracted service provider of the government.
- Permitted General Situation: Personal Information is collected for preventing a serious threat to life; for purposes of taking action in relation to an unlawful activity, locating a missing person, conducting an alternative dispute resolution process, performing diplomatic or consular functions, or conducting specified defense force activities.
- Permitted Health Situation: Includes collection of Personal Information for purpose of providing health services, and information used and disclosed for certain research and other purposes.
- Sensitive Information: Personal Information revealing an individual’s race or ethnic origin, political opinions or membership in a political association, religious or philosophical beliefs, professional association or trade union membership, biometric information, genetic information, information concerning health or a natural person’s sexual orientation, and information on criminal behavior.
Penalties:
The Privacy Act empowers the Commissioner to seek an order before the Federal Court or the Federal Circuit Court declaring that an entity has failed to comply with the Act and is subject to a maximum penalty of $2,500,000 for a non-corporate entity and, for a corporate entity, an amount not exceeding the greater of $50,000,000, three times the value of the benefit obtained by the corporation, or 30% of the corporation’s adjusted turnover for the period at issue.
Remedies, Liability, and Complaints:
- Right to Lodge a Complaint with the Commissioner: Every Individual has the right to lodge a complaint with the Commissioner if the individual considers that the processing of Personal Information relating to him or her infringes the APPs and the entity has failed to comply with the individual’s request.
Effective Date:
July 1, 2020