While Australia's legislation shares a lot with the GDPR, and both laws aim to achieve many of the same things, they are actually very different in substance and effect.
This article will compare and contrast key elements of these two privacy laws and see how they apply in practice.
- 1. Overview of the Two Laws
- 1.1. Differences in Terminology
- 1.2. Principles of Data Protection in the GDPR
- 1.3. Australian Privacy Principles
- 2. Who Must Comply with Each Law?
- 2.1. The APPs
- 2.2. The GDPR
- 3.1. The APPs
- 3.2. The GDPR
- 4. Consent Requirements
- 4.1. The APPs
- 4.2. The GDPR
- 5. Direct Marketing Requirements
- 5.1. The APPs
- 5.2. The GDPR
- 6. Rights Over Personal Information
- 6.1. The APPs
- 6.2. The GDPR
- 7. Data Security Requirements
- 7.1. Similarities
- 7.2. Differences
- 8. Summary
Overview of the Two Laws
Australia's Privacy Act 1988 provides a set of principles to be applied when working with personal information. These are known as the "Australian Privacy Principles" (APPs). Among other things, they provide rules about transparency, direct marketing, and security of personal information.
The EU General Data Protection Regulation (GDPR) sets out rules and guidance about how personal information should be treated. And as well as the specifics, the law provides a set of general principles that must permeate all acts of data processing.
Before we look at the GDPR and the Privacy Act in detail, it's important to note that the laws use different terminology in places.
Differences in Terminology
The GDPR doesn't actually contain the word "privacy," and the Privacy Act doesn't contain the term "data protection." Although this seems like a significant difference, the two terms can be used interchangeably for our purposes.
The GDPR uses the term "personal data," whereas the Privacy Act uses "personal information." Although the GDPR and the Privacy Act use different terms, the two laws are essentially describing the same concept: information associated with an identifiable individual. However, they do interpret this concept somewhat differently.
EU law has found a particularly broad range of types of information to constitute "personal data." For example, tracking cookies and other online identifiers are considered personal data under EU law, and websites aimed at EU consumers need to obtain consent before setting cookies.
The same is not true under Australian law.
We'll be using the term "personal information" throughout this article, in reference to both laws.
Principles of Data Protection in the GDPR
The GDPR offers people in the EU a higher level of protection and control over their personal information than exists anywhere else in the world.
Like the Privacy Act 1988, the GDPR also contains a set of principles. These are set out at Article 5.1. They are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
In addition to these six core principles, the GDPR provides a seventh principle of "accountability" at Article 5.2. This requires "data controllers" (we'll look at what this means below) to be able to demonstrate compliance with all six principles.
Australian Privacy Principles
The Australian Privacy Principles (APPs) are contained in Schedule 1 of the Privacy Act. The APPs are the best-known and, for the purposes of most Australian businesses, the most important section of the Privacy Act.
The APPs relate to the following areas:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
Who Must Comply with Each Law?
An important difference between the two laws is that the GDPR is much broader in scope than the Privacy Act.
The Privacy Act (and therefore the APPs) only applies to certain people, known as "APP Entities."
An APP Entity is:
- An Australian or Norfolk Island government agency (including ministers, courts and government departments)
- An Australian business with a turnover of more than $3 million AUD
- An Australian business with a turnover of less than $3 million AUD that:
- Trades in personal information,
- Provides health services, or
- Has opted-in to be bound by the APPs
Certain APPs apply differently to "agencies" (typically public bodies) and "organizations" (including businesses).
The GDPR can potentially apply to anyone in the world, so long as they:
- Offer goods and services to people or businesses in the EU (whether paid or for free), or
- Monitor the behavior of people who are in the EU (including via behavioral advertising)
This means any individual, company, charity, government body, etc., must comply with the GDPR whenever they are processing the personal information of people in the EU.
There are no exceptions to this based on turnover or company size. Even a small commercial website run by a single developer would have to adhere to the law.
The GDPR divides companies (etc.) who process personal information into two categories: Data controllers and data processors.
- Data controllers determine the purposes and means of processing personal information, deciding how and why personal information is processed.
- Data processors process personal information on behalf of a data controller.
Companies who primarily act as data processors will also almost always "control" some personal data (for example, of their employees and clients), and so they will also be data controllers in some respects.
Both types of company are beholden to all the principles of data processing - but only data controllers are held accountable to them by law (with certain exceptions).
Under the APPs, a Privacy Policy must include:
- What types of personal information it collects and stores
- How it collects and stores personal information
- The purposes for which it collects, stores and otherwise uses or discloses personal information
- How individuals can exercise rights over their personal information
- How to make a complaint about the company
- Information about potential overseas transfers of personal information
GDPR-compliant Privacy Policies are required to include all the information required under the APPs. They also must contain some additional information, including:
- Contact details of certain representatives within the company
- Details of how long personal information is stored
- The company's "lawful basis" for processing personal data
There are also specific rules about when such information should be presented to individuals.
Consent Requirements
The rules around consent are not confined to any specific principle in either law. Consent is mentioned throughout the GDPR, particularly at Article 7. In the Privacy Act, consent is mentioned in APPs 3, 6, 7 and 8.
Consent is an important concept under both the GDPR and the APPs. But it is possible, under both laws, to collect, use or share someone's personal information without their consent in certain circumstances.
The Privacy Act 1988 recognizes two types of consent - express and implied consent.
Neither express nor implied consent is defined in the Privacy Act.
You can think of express consent as an expression of an individual's wishes, for example in writing.
Implied consent is a little more complicated. Another Australian law, the Spam Act 2003, offers some insight into what implied consent can mean. The Spam Act recognizes that a person may have impliedly given their consent to receive marketing communications from a business if:
- They have published their contact details online, without an accompanying request not to receive marketing communications, or
- They have an existing relationship with the business
The GDPR's definition of consent is much stricter. Consent is:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
This is a very high threshold, and does not include "implied" consent.
EU law requires consent for cookies. Australian businesses (and businesses located elsewhere) that are delivering personalized marketing in the EU must consider how they will implement a cookie consent solution into their website.
The GDPR also states that "it shall be as easy to withdraw as to give consent," which obliges companies to build facilities into their websites and apps to allow a customer to withdraw consent at any time, and as easily as consent was given.
Direct Marketing Requirements
The GDPR and the Privacy Act take rather different approaches to the regulation of direct marketing. The GDPR (as usual) is much stricter. Rules relating to direct marketing are set out both by the GDPR and the Privacy Act 1988 (under APP 7).
Under the APPs, there are several circumstances in which a business might be able to send a person direct marketing material. Here are two examples:
- The business collected the individual's contact details directly, and the individual would reasonably expect to receive direct marketing materials from the business. This might be because:
  - The individual expressly consented to this
  - The individual was informed that this would happen
- The business collected the individual's contact details directly or from a third party, and the individual would not reasonably expect to receive direct marketing materials from the business, but either:
  - The individual has expressly consented to this, or
  - It would be impractical to obtain their consent
Under both scenarios, there must be a method by which the individual can opt out.
Under the second scenario, the individual's attention must be drawn to this opt-out method via a prominent statement in each marketing message.
Under the GDPR, a business will almost always need an individual's express, specific consent before they can send them direct marketing.
It is possible under the GDPR, in some circumstances, for an individual to receive direct marketing where they have not specifically consented to it. This would require the business sending the marketing material to conduct a Legitimate Interests Assessment in order to show that their interest in sending the material outweighs their consumer's right not to receive it.
This, admittedly, is a little bit like "implied consent." But sending direct marketing material without express consent under the GDPR is only likely to be justifiable where there is a strong pre-existing relationship between the customer and the business.
Individuals have an absolute right to object to receiving direct marketing and can withdraw their consent if they have given it.
Rights Over Personal Information
Both laws provide individuals with certain rights over their personal information. In the GDPR, these rights are set out across Chapter 3. In the Privacy Act, they are covered in APPs 12 and 13.
If a business (or other APP Entity that qualifies as an "organization") holds personal information about an individual, APP 13 requires it to "give the individual access to the information." The business can charge a fee that is "not excessive."
Certain exceptions apply. For example, the business is not required to provide access if doing so would compromise the privacy of others, or prejudice a criminal investigation.
If a business holds inaccurate or out-of-date personal information about an individual, it must correct this information on request. The business cannot charge for this service.
In both scenarios, the business must respond within a "reasonable period."
The rules are slightly different for APP Entities that qualify as "agencies."
In much the same way as the APPs, the GDPR requires data controllers to provide access to and to rectify personal information on request. Data processors must assist their data controllers to carry out such requests, where necessary.
The GDPR also provides individuals with certain other rights over their personal information, including:
- The right to erasure ("the right to be forgotten")
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making or profiling
Charging for the facilitation of any of these rights is not permitted unless a request is "manifestly unfounded or unreasonable." Requests must normally be fulfilled within one month.
Data Security Requirements
Both laws provide varying rules and guidance on how to keep personal information secure. The GDPR covers security at Article 32. The Privacy Act covers this topic at APPs 2 and 11.
Rather than looking at each law in turn, we're going to look at how they're similar and how they're different in the area of data security.
Both laws impose a general obligation to keep personal information secure. For the most part, however, they stop short of mandating particular methods by which to do this.
Both laws require that:
- Steps are taken to ensure personal information is protected against loss, interference or misuse
- Personal information is securely erased where required
- Pseudonymization is used to disguise personal information where appropriate
Data breaches (i.e. the loss of, or unauthorized access to, personal information) are treated quite similarly under both laws. Broadly speaking:
- Data breaches must be reported to the authorities as soon as possible
- Only breaches of sufficient seriousness must be reported
- A breach might not need to be reported if the personal information has been encrypted
The GDPR requires that companies have certain policies and procedures in place to help them assess and manage risk.
For example, companies who are planning to undertake high-risk data processing must undertake a Data Protection Impact Assessment (DPIA). In most contexts, companies will also need to have a Data Protection Policy which sets out the expectations on staff to treat data securely.
In certain situations, companies subject to the GDPR who have suffered a data breach must notify not only the authorities but also the individuals who might be affected by the breach.
There is a strict time limit of 72 hours by which to report a breach.
Summary
Here are some of the main similarities and differences between the GDPR and the APPs:
- Who must comply
  - The APPs apply to "APP entities" which can be either "organizations" or "agencies"
  - The GDPR applies to "data controllers" and "data processors"
- Consent
  - The APPs recognize "implied" or "express" consent
  - The GDPR only recognizes "express" consent
- Direct marketing
  - The APPs allow for direct marketing to be sent with the implied consent of the recipient
  - The GDPR generally only allows for direct marketing to be sent with the express consent of the recipient
- Rights over personal information
  - The APPs require organizations to provide access to personal information and rectify inaccurate personal information
  - The GDPR recognizes these rights, along with six additional rights
- Data security
  - Both laws require companies to take steps to protect personal information
  - The GDPR goes further in its requirements