Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.
Australian Online Privacy Laws Explained (2022)
If you plan on starting an eCommerce business or a blog in 2022, it is important that you’re aware of the current online privacy laws before you launch your site.
Studying online privacy laws will give you information that may impact you as an individual or your business.
As a business, it is your responsibility to protect the personal information of your customers. At the same time, it is also your responsibility as an individual to protect yourself online.
As an internet user, you can protect your personal data by managing who has access to your personal information and understanding what they can and cannot do with it.
Australian Online Privacy Laws That You Must Know About in 2022
At the end of the day, you wouldn’t give your personal information to any old soul you see in the streets, so why would you allow any old agency or organization to do as they please with your personal data?
While there is currently no individual law that regulates online privacy, a range of state and federal laws apply. In this up-to-date guide, we will be covering the online privacy laws in Australia that mustn’t be ignored.
The Federal Privacy Act 1988: Legal Framework
The Privacy Act 1988 is one of the most important laws that deals with online privacy that you must know about in 2022.
This law covers organisations including sole traders and trusts that operate in Australia with an annual turnover of $3 million or more.
If your business has a yearly revenue of $3 million or less, you might also have certain responsibilities under the act depending on what you do, the type of business you own and how it is run.
- Private-sector health providers
- Credit providers or credit reporting bodies
- Residential tenancy database operators
- Contractors providing services under a contract with the Australian Government
- Businesses that sell or purchase personal information on the dark web
If your business happens to be covered by the Privacy Act, you must act in accordance with the thirteen Australian Privacy Principles (APPs). These principles are essentially the foundation of the privacy protection framework in the Privacy Act and they govern matters including the collection, use and disclosure of personal information.
If you’re unsure how to manage customer information, we highly recommend taking a look at the Australian Privacy Principles guidelines so that you better understand your duties. These requirements include:
- Taking reasonable steps to protect personal information before disclosing the data overseas (APP 8).
- Taking reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure (AP 11).
- Giving individuals or customers access to their personal information when requested (APP 12).
Regardless of whether or not your business is covered by the Privacy Act 1988, you should always handle the personal information of your customers with care.
Customer Information Laws in Australia
As a business owner, you are solely responsible for protecting the personal information of your customers from theft, misuse, interference, loss, unauthorised access, modification and disclosure.
As legally required by the Privacy Act 1988, you are also in charge of destroying or de-identifying your customers’ personal data once you no longer require it.
But what’s classed as personal information under the Privacy Act?
According to the Australian Privacy Principles guidelines, personal data comprises information that can be used to identify an individual, such as your customers’:
- Date of birth
- Telephone number
- Place of work
- Bank account details
- Medical records
- Information regarding their opinions
Personal Data Breaches: The NDB
As of February 2018, every agency or organisation that the Privacy Act covers must comply with the Notifiable Data Breaches (NDB) scheme.
If a data breach occurs and is likely to cause serious harm, you must notify the individuals involved, as well as the Office of the Australian Information Commissioner (OAIC).
What Is a Data Breach?
Data breaches happen when an agency or organisation loses personal information or the information is liable to access or exposure. This can occur when a database is hacked or a device containing personal information is either lost or stolen.
Your Individual Rights Under the Privacy Act
While you may think that the Privacy Act only covers agencies and organisations with high annual revenues, the Australian law also gives individuals control over how their personal data is handled.
As an individual, the Privacy Act allows you to:
- Know exactly how your personal data is being gathered, used and disclosed
- Request access to your personal data
- Have the choice of not identifying yourself. Sometimes you can even use a pseudonym, rather than your real name
- Stop receiving direct marketing from organisations attempting to sell you a product by email, text message etc.
- File a complaint about an agency or organisation that violates the Privacy Act regarding your personal data
- Ask organisations to correct personal information that may be incorrect
Protecting Your Personal Information Online
There are a number of ways you can protect your information online, but understanding which methods really work can be a time-consuming task.
To save you the hassle, we have listed below the top 7 best ways to protect your information online.
- Use a quality VPN service
- Copy of Keep your passwords private
- Beware of public WiFi connections
- Don’t overshare personal information on social media sites
- Encrypt your data
- Safely dispose of personal information when getting rid of a computer or a mobile device
- Be aware of impersonators looking to gain access to your personal information
Trade Marks Act 1995
If you plan on starting your very own blog or online business, you should avoid using business trademarks and logos in your posts or on your site. In Australia, Christmas Island, the Cocos (Keeling) Islands and the Norfolk Islands, trademarks are protected from being replicated under the Trade Marks Act 1955 (Commonwealth).
Be that as it may, you can use trademarks to compare different services or products on your site so long as you don’t mislead anyone by impersonating a company representative. You should also avoid being misleading when describing the products or services.
Can You Sue Someone for Defamation in Australia?
If you’re a business owner who believes someone is publishing false information or malicious comments about you or your company, you could sue for defamation.
Australian Defamation Law was designed to protect both businesses and individuals from damaging statements that may harm their reputation.
In Australia, there are two types of defamation that you could be sued for:
- Slander: Oral or written communication, including false statements that can harm an individuals’ reputation.
- Libel: Written defamation, including published false information that can damage an individuals’ reputation.
Freedom of Speech and Censorship
Compared with other countries across the globe, freedom of speech is not explicitly protected in Australia. Despite several attempts to legislate for a Bill of Rights, Australia lacks explicit laws that guarantee the right to freedom of speech. Instead, it is believed that basic freedoms are protected by the common law.
Protection for human rights can also be found in the Constitution and legislation passed by the State, Territory Parliaments or Commonwealth Parliament.
Australian Online Privacy Laws in Action
Facebook Sued by OAIC for Repeated Privacy Violations: The Privacy Act 1988 in Action
On March 9, the Australian Information Commissioner announced that it was suing Facebook over a privacy breach that violated over 300,000 Australians.
The Commissioner claimed that the personal information of Facebook users in Australia was unlawfully disclosed to the This Is Your Digital Life (TIYDL) application, breaching the Privacy Act 1988.
This data was then disclosed to Cambridge Analytica, a British political consulting firm that used the information for political profiling. The information was then used to predict and influence voters in the 2016 US Federal Election and the UK Brexit vote.
The most unsettling thing about all of this is that Facebook knew that the personal information of its users was being collected back in 2015, yet it did not inform it’s users during that period. As a result of the privacy breach, Facebook could face a substantial fine of $529 billion or more.
This isn’t the first time Facebook has been fined for violating the privacy of its users.
In 2019, the United States Federal Trade Commission (FTC) fined the social media giant $5 billion for privacy violations. A year earlier, the Information Commissioner’s Office (ICO) fined the company £500,000 for breaches of the UK data protection law. At the time, this was the maximum fine permitted by the Data Protection Act 1998.
The Future of Australian Online Privacy Laws
As Australia attempts to return to normal following the effects of COVID-19, organisations across the country are being forced to make drastic changes to their usual business operations.
In recent months, companies across the globe have been forced to process more personal information than usual in an effort to prevent and control the spread of COVID-19. This involves data that the Department of Health says is necessary to identify the risk of the Coronavirus and to implement appropriate measures to control the virus.
When collecting data, agencies must reduce the collection, use and disclosure of personal information where possible. The employee records exemption may also apply when handling the personal information of staff members. It is important to note that an employee’s personal data is not covered by the Privacy Act 1988.
In light of just how much personal data is being collected, used and disclosed, the Australian Competition and Consumer Commission (ACCC) suggests that the definition of “personal information” should be adjusted to include technical information. This includes device identifiers, IP addresses and location data.
In response to the inquiry, the Australian Government has made a commitment to further negotiations with regard to strengthening consent requirements and existing notice under the Australian Privacy Act 1988.
The government may also introduce a direct right of action for those looking to bring actions in court for compensation the invasion of privacy and interferences under the Australian Privacy Act.