The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.
Other statutory provisions also affect privacy and separate privacy regimes apply to state and territory public sectors.
The Privacy Act is supported by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014.
The Notifiable Data Breaches scheme commenced as part of the Privacy Act on 22 February 2018.
The scheme requires entities subject to the Privacy Act (APP entities, including businesses and federal agencies) to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm to any of the individuals concerned.
Does GDPR apply to Australia?
GDPR applies to Australian organisations with an establishment in the EU, for example a branch office in one or more EU member states. Under Article 3(2) it also applies to an Australian organisation with no EU presence if it offers goods or services to individuals in the EU or monitors their behaviour.
Providers of banking, insurance and superannuation services regulated by the Australian Prudential Regulation Authority (APRA) must, under Prudential Standard CPS 234, notify APRA of a material information security incident within 72 hours of becoming aware of it. Find out more from DLA Piper.
The Parliament of Australia has passed cybersecurity laws aimed at cracking down on the increasingly harmful ransomware attacks and data breaches that have shaken the country since 2022.
In 2022, Australia amended the Privacy Act through the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 to make substantial changes relevant to cybersecurity.
Firstly, it raised the maximum penalty for serious or repeated interferences with privacy (which include serious data breaches) to the greater of A$50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.
Secondly, it gave the Office of the Australian Information Commissioner (OAIC) new regulatory, information-gathering and enforcement powers. It also widened the Act's extraterritorial reach: an organisation that carries on business in Australia is now covered even if it does not collect or hold the personal information from a source in Australia.
To implement the Australian Cyber Security Strategy 2023-2030, the government has introduced a series of legislative reforms in two parts.
The first is new standalone cybersecurity legislation (the Cyber Security Act 2024) to fill gaps in areas such as secure-by-design security standards for smart devices, mandatory reporting of ransomware payments, and the establishment of a Cyber Incident Review Board.
The second part is to amend the existing Security of Critical Infrastructure Act 2018 (SOCI Act). This will:
Clarify that data storage systems holding business-critical data form part of a critical infrastructure asset and are subject to the Act's obligations.
Allow the government to direct critical infrastructure entities to take action to manage the consequences of a significant cyber incident.
Simplify information sharing.
Consolidate the security requirements that apply to the telecommunications sector within the SOCI Act.
Australia has not yet enacted any specific statutes or regulations that directly regulate AI. To date, Australia's response to AI has been voluntary and includes the AI Ethics Principles published in 2019 (the "AI Ethics Principles").
The information here is not, and doesn’t intend to be, legal advice.
All information, content, and materials are for general information only. The information may not be the most up-to-date, legally or otherwise and may not be exhaustive. This website contains links to other websites – these are for convenience; Brit does not recommend or endorse the contents of the third-party sites.