Date: 10 October 2017
In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how to avoid duplication as you move toward GDPR compliance and help you focus your efforts. In this installment, elevenM’s Tim de Sousa compares Australia’s Privacy Act 1988 with the GDPR.
The Privacy Act is the foundation of Australia’s national privacy regulatory regime. Its genesis lies in the 1980 guidelines issued by the Organisation for Economic Cooperation and Development. Since it came into force in 1988, the Privacy Act has undergone two key rounds of amendments: the expansion of the application of the act to private sector businesses in 2000, and the extensive updates to the act in 2014 following a comprehensive review by the Australian Law Reform Commission.
The Privacy Act is intended to provide a basis for nationally consistent privacy regulation, facilitate the free flow of information outside of Australia while ensuring that individual privacy is respected, provide a complaint mechanism, and to implement Australia’s international privacy obligations. Most of these objectives are achieved by the Australian Privacy Principles, set out in Schedule 1 of the act. The APPs impose obligations regarding the collection, use, disclosure, storage and disposal of “personal information” about individuals, as well as obligations relating to access and correction and credit reporting.
The APPs apply to “APP entities” — that is, Australian, Australian Capital Territory, and Norfolk Island government agencies and private sector businesses. Individuals and “small business operators” — businesses with an annual turnover of less than AUD $3 million — are exempt from the operation of the act. Unlike the GDPR, the Privacy Act does not distinguish between data controllers and data processors: any APP entity that holds personal information must comply with the APPs.
Summary of the APPs
APP 1: Open and transparent management of personal information
This first APP requires APP entities to manage personal information in an “open and transparent way,” including taking reasonable steps to ensure that they comply with the APPs. APP 1 is similar in effect to GDPR Article 5 Principle 2, which requires controllers to be able to demonstrate compliance with the obligations set out in Principle 1. Principle 1(a) also requires data processing to be done in a “transparent manner.”
APP 2: Anonymity and pseudonymity
APP 2 requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym unless a listed exception applies.
There is no direct analog to this provision in the GDPR. However, it should be noted that the GDPR may apply to pseudonymous information (see Recital 28).
APP 3: Collection of solicited personal information
APP 3 outlines when an APP entity can collect personal information that it has asked for. In particular, this APP requires that organizations only collect personal information where it is reasonably necessary or directly related to their functions or activities, and by “lawful and fair means.” Higher standards are applied to the collection of “sensitive information” (see comparison table below); specifically, sensitive information may only be collected with consent, or where a listed exception applies.
A comparison can be drawn here to GDPR Article 5, which requires data to be collected for “specified, explicit and legitimate purposes” and processed “lawfully [and] fairly” (Principle 1(a) and (b)).
APP 4: Dealing with unsolicited personal information
APP 4 requires APP entities to destroy or de-identify unsolicited personal information that they could not have otherwise collected under APP 3.
There is no direct analog in the GDPR; however, it should be noted that the GDPR does not permit collection of personal data without a specified, explicit purpose.
APP 5: Notification of the collection of personal information
APP 5 requires APP entities to notify individuals (or otherwise ensure that they are aware) of specified matters when they collect their personal information (for example, by providing individuals with a collection statement).
GDPR Articles 13–14 likewise impose requirements for the provision of privacy information that are substantially similar to the matters specified in APP 5, as well as additional obligations (see APP 1 above).
APP 6: Use or disclosure of personal information
This APP outlines the circumstances in which an APP entity may use or disclose personal information that it holds. Where an APP entity has collected personal information for a specific purpose and wishes to use it for a secondary purpose, APP 6 provides that entities may not do so unless the individual has consented, it is within their reasonable expectations, or another listed exception applies. Exceptions include circumstances involving health and safety and law enforcement.
GDPR Article 6 similarly requires that personal data may only be processed where the data subject has consented to one or more of the specific purposes of the processing, or another listed scenario applies, for example where the processing is necessary to perform a contract or to comply with a legal obligation.
APP 7: Direct marketing
APP 7 provides that an organization that is an APP entity may only use or disclose personal information for direct marketing purposes if certain conditions are met. In particular, direct marketing messages must include a clear and simple way to opt out of receiving future messages, and must not be sent to individuals who have already opted out. Sensitive information about an individual may only be used for direct marketing with the consent of the individual.
GDPR Article 21 provides individuals with, among other things, the right to object to the use of their personal data for direct marketing.
APP 8: Cross-border disclosure of personal information
This principle requires an APP entity, before it discloses personal information to an overseas recipient, to take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Personal information may only be disclosed where the recipient is subject to a regulatory regime that is substantially similar to the APPs, where the individual has consented, or another listed exception applies. APP entities may be liable for the acts and practices of overseas recipients in certain circumstances (s16).
Chapter 5 of the GDPR provides that transfers of personal data outside of EU jurisdiction may only be made where the recipient jurisdiction has been assessed as “adequate” in terms of data protection, where sufficient safeguards (such as a binding contract or corporate rules) have been put in place, or a listed exception applies. The European Commission has not, to date, assessed Australia as adequate.
APP 9: Adoption, use or disclosure of government related identifiers
APP 9 provides that an organization that is an APP entity may not adopt a government related identifier of an individual as its own identifier, or use or disclose such an identifier unless a listed exception applies. There is no direct analog to this provision in the GDPR.
APP 10: Quality of personal information
APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect, use or disclose is accurate, up-to-date and complete.
Accuracy and currency of the information are mentioned in Article 5 of the GDPR (Principle 1(d)): “every reasonable step must be taken” to ensure that inaccurate personal data is “rectified without delay.”
APP 11: Security of personal information
This APP requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorized access, modification or disclosure. This provision is a frequent focus of investigations into APP entities conducted by the Australian Information Commissioner.
GDPR Article 5 similarly requires that data processing be undertaken in a manner “that ensures appropriate security of the data” (Principle 1(f)). Further, Article 32 requires the data controller and the processor to implement appropriate technical and organizational measures to ensure an appropriate level of security (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing). Those measures must also address the confidentiality, integrity and availability of the data.
APP 11.2 provides that APP entities must also take reasonable steps to destroy or de-identify personal information that they no longer require for a lawful business purpose.
GDPR Article 5 imposes a similar storage limitation — personal data may be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (Principle 1(e)). However, the GDPR also explains that “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).”
APP 12: Access to personal information
APP 12 requires APP entities to give an individual access to the personal information about them that the entity holds, on request by that individual. APP 12 imposes procedural requirements around access and includes limited exceptions.
Article 15 of the GDPR imposes a similar right of access, with additional rights to know information about the collection and the envisaged use of the data (such as recipients or potential recipients, likely storage period, and safeguards for overseas transfers).
APP 13: Correction of personal information
APP 13 requires APP entities to take reasonable steps to correct personal information they hold about an individual, on request by the individual. This APP also imposes procedural requirements and includes limited exceptions.
GDPR Article 16 imposes a similar but stronger right; data subjects have the absolute “right to obtain … without undue delay the rectification of inaccurate personal data concerning [them].”
Comparison table: GDPR vs Privacy Act 1988

Topic: Personal data
GDPR: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Privacy Act 1988: The Privacy Act governs the handling of “personal information,” defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.” (s6(1)).

Topic: Data subject
GDPR: An identified or identifiable natural person.
Privacy Act 1988: “Individual” is defined as “a natural person” (s6(1)). Regulator guidance indicates that a deceased person is not a natural person (APP Guidelines para. B95).

Topic: Controller
GDPR: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law.
Privacy Act 1988: The Privacy Act does not distinguish between controllers and processors. Instead, the APPs apply to any APP entity that collects personal information. The definition of “APP entity” includes:
• Most Australian Government agencies
• All private sector and not-for-profit organizations with an annual turnover of more than AUD $3 million
• All private health service providers, and
• Some small businesses (i.e., those that trade in personal information for a benefit, are a contracted service provider to the Australian Government, or are a credit reporting body; ss 6(1), 6A).

Topic: Processor
GDPR: A natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller. The GDPR also defines “third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Privacy Act 1988: As noted under “Controller,” the Privacy Act does not distinguish between controllers and processors.

Topic: Consent
GDPR: Article 4(11): “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Privacy Act 1988: “Consent” is defined as “express consent or implied consent” (s6(1)). Regulator guidance indicates that the four key elements of consent are:
• The individual is adequately informed before giving consent
• The individual gives consent voluntarily
• The consent is current and specific
• The individual has the capacity to understand and communicate consent (APP Guidelines para. B.35).

Topic: Sensitive data
GDPR: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Listed exceptions apply.
Privacy Act 1988: “Sensitive information” is a subset of personal information and is defined as:
• Information or an opinion (that is also personal information) about an individual’s:
◊ Racial or ethnic origin
◊ Political opinions
◊ Membership of a political association
◊ Religious beliefs or affiliations
◊ Philosophical beliefs
◊ Membership of a professional or trade association
◊ Membership of a trade union
◊ Sexual orientation or practices, or
◊ Criminal record
• Health information about an individual
• Genetic information (that is not otherwise health information)
• Biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
• Biometric templates (s 6(1)).
APP 3 provides that sensitive information about an individual must not be collected unless the individual consents and the collection is reasonably necessary for an APP entity’s functions or activities, or a listed exception applies.

Topic: Transfer of personal data to third countries or international organisations
GDPR: Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if the conditions laid down in Articles 44–50 are complied with by the controller and processor, so as to ensure the level of protection of natural persons guaranteed by the GDPR. Transfers may be made on the basis of an adequacy decision, mechanisms such as binding corporate rules or contract clauses, or, in the case of EU-U.S. transfers, the Privacy Shield.
Privacy Act 1988: APP 8 provides that, before disclosing personal information outside of Australia, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information, unless a listed exception applies. An APP entity that discloses personal information to an overseas recipient is accountable for a breach of the APPs by the recipient in relation to the information (s 16C; exceptions apply).

Topic: Right to restriction of processing
GDPR: Article 18: “The data subject shall have the right to obtain from the controller restriction of processing [where a specified ground applies].”

Topic: Right to be forgotten
GDPR: Article 17: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay [where a specified ground applies].”
Privacy Act 1988: APP 11.2 requires that APP entities must destroy or de-identify personal information that they no longer require for a lawful business purpose. However, individuals have no right to require APP entities to destroy or de-identify the information that they hold about them.

Topic: Data portability
GDPR: Article 20: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
Privacy Act 1988: No direct equivalent. APP 12.1 provides that if an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information. APPs 12.2 and 12.3 list exceptions. APP 12.5 provides that the entity must take reasonable steps to give access in a way that meets the needs of the entity and the individual.

Topic: Data breach notification
GDPR: Article 33: “… the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Privacy Act 1988: Amendments to the Privacy Act to introduce a mandatory data breach notification requirement will come into force on February 22, 2018. APP entities that experience “eligible data breaches” (that generate a “likely risk of serious harm” to affected individuals) must give a statement in a prescribed format to the Information Commissioner as soon as practicable (s26WK), and to affected individuals (s26WL). If it is unclear whether a breach is eligible, APP entities must conduct an assessment within 30 days of becoming aware of the breach (s26WH).

Topic: Penalty
GDPR: Under Article 83:
• Up to 10,000,000 EUR, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of obligations of controllers and processors, certification bodies and monitoring bodies.
• Up to 20,000,000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the principles of processing, the conditions for consent, data subjects’ rights, transfers beyond the EU, etc.
Under Article 84, each member state can lay down the rules on other penalties applicable to infringements of the GDPR, in particular for infringements which are not subject to Article 83, and can take all measures necessary to ensure that they are implemented.
Privacy Act 1988: A breach of the APPs is an “interference with privacy” (s13). Serious or repeated interferences with privacy may be subject to a civil penalty of up to AUD $2.3 million for companies (s13G).