Privacy Act AU: Australia's Privacy Act 1988 Explained
Understand Australia's Privacy Act 1988, who it applies to, the 13 APPs, penalty amounts, and what your business must do to comply.
The Privacy Act AU, formally known as the Privacy Act 1988 (Cth), is Australia's primary federal law governing how organisations and government agencies handle personal information. If your business operates in Australia, serves Australian customers, or collects data from Australian residents, this Act sets the legal requirements you must follow.
This guide covers the scope of the Privacy Act AU, the 13 Australian Privacy Principles, who must comply, the penalty regime, the ongoing reform process, and the practical steps you need to take. This content is educational and does not constitute legal advice. Consult a qualified Australian privacy lawyer for advice specific to your situation.
What the Privacy Act AU Covers
The Privacy Act 1988 was enacted to promote and protect the privacy of individuals and to regulate how personal information is handled by Australian Government agencies and certain private sector organisations. The Act has been amended numerous times since its introduction, with the most significant recent changes coming through the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and the ongoing review that began with the Attorney-General's Privacy Act Review Report published in February 2023.
The Act regulates "personal information," which Section 6(1) defines as "information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not." This definition is broader than the GDPR's concept of personal data in some respects, because it includes opinions about an individual, not just factual data.
The core obligations are set out in the 13 Australian Privacy Principles (APPs), contained in Schedule 1 of the Act. These principles regulate the full lifecycle of personal information: from the point of collection through to use, disclosure, storage, and eventual destruction.
Who Must Comply with the Privacy Act AU
Not every Australian business falls under the Privacy Act. The Act applies to "APP entities," a term defined in Section 6(1) that encompasses two categories.
Organisations
Private sector organisations are covered if they meet any of these criteria:
- Annual turnover exceeds 3 million AUD: This is the primary threshold. Once your revenue crosses this line, all 13 APPs apply to your handling of personal information.
- Health service providers: Medical practices, pharmacies, allied health services, and any organisation providing a health service are covered regardless of turnover.
- Businesses that trade in personal information: If you sell, exchange, or otherwise deal in personal information, you are covered regardless of turnover. This includes data brokers and certain marketing firms.
- Credit reporting bodies and credit providers: These entities are subject to additional obligations under Part IIIA of the Act.
- Contracted service providers for Commonwealth Government contracts: If your contract involves handling personal information, you are covered for that contract's duration.
- Opt-in small businesses: Organisations under the 3 million AUD threshold can voluntarily opt in to coverage by notifying the OAIC.
- Organisations prescribed by regulations: The government can extend coverage to specific sectors or types of organisations.
Government agencies
All Australian Government agencies are APP entities by default. State and territory government agencies are covered by their own separate privacy legislation rather than the federal Act.
Extraterritorial reach
Section 5B of the Privacy Act establishes extraterritorial application. An overseas organisation is covered if it has an "Australian link," meaning it carries on business in Australia or collects personal information from individuals located in Australia. This means a foreign website that actively targets Australian users or collects their data may need to comply with the Privacy Act AU, even without a physical presence in the country.
The 13 Australian Privacy Principles
The APPs are the operational heart of the Privacy Act AU. Each principle addresses a specific aspect of personal information handling. Below is a practical summary of what each requires.
APP 1: Open and transparent management
Organisations must take reasonable steps to implement practices, procedures, and systems that ensure compliance with the APPs. This includes maintaining a clearly expressed and up-to-date privacy policy. Your privacy policy must describe the kinds of personal information you collect, how you collect and hold it, the purposes of collection, how individuals can access and correct their information, and how they can complain.
APP 2: Anonymity and pseudonymity
Individuals must have the option of dealing with you anonymously or using a pseudonym, where practicable. Exceptions apply where identification is required by law or where it is impracticable for the organisation to deal with unidentified individuals.
APP 3: Collection of solicited personal information
You may only collect personal information that is reasonably necessary for your functions or activities (or directly related, for agencies). Sensitive information, which includes health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and biometric data, can only be collected with consent and where reasonably necessary.
APP 4: Dealing with unsolicited personal information
If you receive personal information you did not solicit, you must determine whether you could have collected it under APP 3. If not, you must destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.
APP 5: Notification of collection
At or before the time of collection, you must take reasonable steps to notify individuals about:
- Your identity and contact details
- The purposes of collection
- Whether collection is required by law
- The consequences of not providing the information
- Your usual disclosures of that type of information
- Your privacy policy and how to access it
- Whether you are likely to disclose the information overseas, and if so, the countries involved
APP 6: Use or disclosure of personal information
Personal information may only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose that the individual would reasonably expect and that is related (or directly related, for sensitive information) to the primary purpose. There are exceptions for consent, enforcement of criminal law, reducing threats to life or health, and legal proceedings.
APP 7: Direct marketing
You may only use personal information for direct marketing if the individual would reasonably expect it, or if you have obtained consent. In all cases, you must provide a simple mechanism for the individual to opt out. Sensitive information cannot be used for direct marketing without explicit consent.
APP 8: Cross-border disclosure
Before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs. You remain accountable for the overseas recipient's handling of the information unless an exception applies, such as the individual's consent after being informed that APP 8 protections will not apply.
APP 9: Adoption, use, or disclosure of government-related identifiers
Organisations must not adopt government-related identifiers (such as tax file numbers or Medicare numbers) as their own identifiers. Use and disclosure of these identifiers are restricted to situations where required by law or necessary to verify identity.
APP 10: Quality of personal information
You must take reasonable steps to ensure the personal information you collect, use, or disclose is accurate, up to date, complete, and relevant for the purpose of use or disclosure.
APP 11: Security of personal information
Organisations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, and disclosure. When personal information is no longer needed for any purpose permitted under the APPs, you must take reasonable steps to destroy it or ensure it is de-identified. This principle is closely linked to the Notifiable Data Breaches scheme, which requires reporting eligible breaches to the OAIC.
APP 12: Access to personal information
On request, you must give an individual access to the personal information you hold about them. Access must be provided within 30 days. Refusal is permitted in limited circumstances, such as where access would pose a serious threat to life or safety, or would unreasonably impact the privacy of other individuals.
APP 13: Correction of personal information
If you hold personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading, you must take reasonable steps to correct it. Individuals can also request correction, and you must respond within 30 days.
Penalties Under the Privacy Act AU
The penalty regime was significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which received Royal Assent on 12 December 2022. Before this amendment, the maximum civil penalty was 2.22 million AUD, a figure widely regarded as insufficient to deter large corporations.
Current maximum penalties
For serious or repeated interferences with privacy by an organisation, the maximum civil penalty is now the greatest of:
- 50 million AUD
- Three times the value of the benefit obtained directly or indirectly from the breach
- 30% of the organisation's adjusted turnover during the relevant period
These figures align with the penalty structure in Australian competition and consumer law, reflecting Parliament's view that privacy violations can cause harm comparable to anti-competitive conduct.
OAIC enforcement powers
The OAIC has a range of enforcement tools beyond civil penalties:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Infringement notices: For specified breaches, the OAIC can issue notices imposing set penalties without court proceedings.
- Enforceable undertakings: Organisations can agree to specific compliance measures, which become legally binding.
- Determinations: Following an investigation, the Commissioner can make a determination requiring the organisation to take specific actions, pay compensation, or make an apology.
- Court injunctions: The OAIC can apply to the Federal Court for orders restraining conduct or requiring specific actions.
- Assessments: The OAIC can conduct assessments of whether an organisation is complying with the APPs, either proactively or in response to a complaint.
The Notifiable Data Breaches scheme
Part IIIC of the Privacy Act, which took effect on 22 February 2018, requires APP entities to notify the OAIC and affected individuals when an eligible data breach occurs. An eligible data breach exists where unauthorized access to, unauthorized disclosure of, or loss of personal information is likely to result in serious harm to any of the affected individuals.
Failure to comply with the NDB scheme can result in civil penalties and is treated as an interference with privacy.
The Privacy Act Review and Proposed Reforms
The Australian Government's review of the Privacy Act has been underway since 2020, with the Attorney-General's Department publishing a comprehensive review report in February 2023. The report contains 116 proposals for reform, many of which would substantially change the obligations on businesses.
Key proposed changes
Several proposals are particularly significant for website operators and digital businesses:
- Removing the small business exemption: The review proposes removing the 3 million AUD turnover threshold, which would bring approximately 2.4 million additional Australian businesses under the Act.
- Introducing a right of erasure: Similar to the GDPR's "right to be forgotten" under Article 17, individuals would be able to request deletion of their personal information.
- Expanding the definition of personal information: The proposal would clarify that technical identifiers such as IP addresses, device IDs, and location data constitute personal information.
- Introducing a right to object to targeted advertising: Individuals would have the right to opt out of their personal information being used for targeted advertising.
- Statutory tort for serious invasions of privacy: A new cause of action would allow individuals to sue for serious invasions of privacy, independent of the OAIC complaint process.
- Children's privacy protections: Enhanced protections for children's personal information, including a Children's Online Privacy Code.
The government released its response in September 2023, agreeing or agreeing in principle to the majority of proposals. Legislative implementation is expected in stages, with some changes already introduced through the Privacy and Other Legislation Amendment Bill.
What this means for businesses
Even if you currently fall below the 3 million AUD threshold, the removal of the small business exemption means you should begin preparing for compliance now. Organisations that already operate under the APPs should monitor the reform process and be ready to adapt when new requirements take effect.
Compliance Obligations for Websites
For website operators, the Privacy Act AU imposes specific practical requirements that you must address in your infrastructure, policies, and procedures.
Privacy policy requirements
APP 1 requires a clearly expressed and up-to-date privacy policy. For websites, this means a dedicated privacy policy page that is easily accessible, typically linked from the footer of every page. Your policy must cover the matters specified in APP 1.4, including:
- The kinds of personal information you collect (names, emails, IP addresses, cookie data, device identifiers)
- How you collect it (forms, cookies, analytics tools, third-party services)
- The purposes of collection
- How individuals can access and correct their information
- How you handle overseas disclosures
- Your complaint handling process
Using a privacy policy generator can help you create a compliant initial draft that covers the required elements, though you should review it against your specific data practices.
Cookie and tracking compliance
While the Privacy Act does not have a standalone cookie consent requirement equivalent to the EU's ePrivacy Directive, the collection of personal information through cookies and tracking technologies falls under APP 3 (collection) and APP 5 (notification). If your website uses analytics, advertising, or social media tracking that collects personal information, you must disclose this in your privacy policy and ensure you have a lawful basis for the collection.
The OAIC has indicated that IP addresses and device identifiers can constitute personal information, and the proposed reforms would make this explicit. Implementing a consent management platform provides transparency and gives users control over tracking, which is good practice even before the reforms are finalized.
Data breach preparedness
The NDB scheme means you need a documented process for identifying, assessing, and reporting eligible data breaches. Your plan should cover how you detect unauthorized access, the criteria for assessing whether serious harm is likely, and the procedures for notifying the OAIC (within 30 days of becoming aware of the breach, or sooner if practicable) and affected individuals.
TermsBox helps website operators stay on top of their compliance posture by scanning sites for tracking technologies and data collection points, then keeping legal documents updated to reflect actual practices.
How the Privacy Act AU Compares to Other Privacy Laws
Understanding where the Privacy Act sits relative to other major privacy laws helps businesses that operate across jurisdictions.
Compared to the GDPR
The GDPR and the Privacy Act share many principles but differ in significant ways:
- Scope: The GDPR applies to all organisations processing EU residents' data, regardless of size. The Privacy Act's 3 million AUD threshold exempts many small businesses (though this may change).
- Legal basis for processing: The GDPR requires a specific legal basis from a closed list (consent, contract, legitimate interest, etc.) under Article 6. The Privacy Act does not use the same framework; instead, it focuses on whether collection is reasonably necessary.
- Consent: The GDPR requires opt-in consent for most tracking cookies. The Privacy Act currently has no equivalent cookie consent requirement, though reform proposals may change this.
- Penalties: GDPR fines can reach 20 million EUR or 4% of global turnover. The Privacy Act's maximum of 50 million AUD or 30% of adjusted turnover can be higher in absolute terms for large companies.
- Right to erasure: The GDPR includes this under Article 17. The Privacy Act currently does not, but the reform proposals would add it.
Compared to the CCPA/CPRA
California's privacy laws differ from the Privacy Act in their opt-out model for personal information sales, the specific right to know what data has been collected, and their focus on consumer rights in commercial contexts. The CCPA applies to businesses meeting specific revenue or data volume thresholds, while the Privacy Act uses the annual turnover test.
Compared to New Zealand's Privacy Act 2020
New Zealand's legislation is the closest equivalent to the Privacy Act AU, with 13 Information Privacy Principles that broadly mirror the APPs. The two countries' privacy frameworks are closely aligned, and both participate in cross-border enforcement cooperation through the OAIC and the New Zealand Office of the Privacy Commissioner.
Frequently Asked Questions
What is the Privacy Act AU?
The Privacy Act AU refers to the Privacy Act 1988 (Cth), Australia's principal federal privacy legislation. It regulates how Australian Government agencies and private sector organisations with annual turnover above 3 million AUD collect, use, store, disclose, and manage personal information. The Act contains the 13 Australian Privacy Principles (APPs) and is enforced by the Office of the Australian Information Commissioner (OAIC).
Who must comply with the Australian Privacy Act?
The Privacy Act applies to Australian Government agencies and private sector organisations with annual turnover exceeding 3 million AUD. It also covers health service providers, businesses that trade in personal information, credit reporting bodies, and certain small businesses that opt in or are prescribed by regulations. Overseas organisations that collect personal information from Australian residents and have an Australian link may also be subject to the Act.
What are the penalties for breaching the Privacy Act AU?
Following the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum civil penalty for serious or repeated interferences with privacy is the greater of 50 million AUD, three times the value of the benefit obtained from the breach, or 30% of the organisation's adjusted turnover during the relevant period. The OAIC can also issue infringement notices, accept enforceable undertakings, and seek injunctions through the Federal Court.
Does the Australian Privacy Act apply to overseas businesses?
Yes. Section 5B of the Privacy Act 1988 includes extraterritorial provisions. An overseas organisation is covered if it has an Australian link, meaning it carries on business in Australia, collects or holds personal information in Australia, or collects personal information from Australian individuals. If any of these criteria are met, the organisation must comply with the 13 Australian Privacy Principles regardless of where it is headquartered.