While Australia's legislation shares a lot with the GDPR, and both laws aim to achieve many of the same things, they are actually very different in substance and effect.

This article will compare and contrast key elements of these two privacy laws and see how they apply in practice.

Overview of the Two Laws

Australia's Privacy Act 1988 provides a set of principles to be applied when working with personal information. These are known as the "Australian Privacy Principles" (APPs). Among other things, they provide rules about transparency, direct marketing, and security of personal information.

The EU General Data Protection Regulation (GDPR) sets out rules and guidance about how personal information should be treated. And as well as the specifics, the law provides a set of general principles that must permeate all acts of data processing.

Before we look at the GDPR and the Privacy Act in detail, it's important to note that the laws use different terminology in places.

Differences in Terminology

The GDPR is framed in terms of "data protection" rather than "privacy," and the Privacy Act does not use the term "data protection." Although this looks like a significant difference, the two terms can be used interchangeably for our purposes.

The GDPR uses the term "personal data," whereas the Privacy Act uses "personal information." Although the GDPR and the Privacy Act use different terms, the two laws are essentially describing the same concept: information associated with an identifiable individual. However, they do interpret this concept somewhat differently.

EU law treats a particularly broad range of information as "personal data." For example, tracking cookies and other online identifiers are personal data under EU law (Recital 30 of the GDPR), and websites aimed at EU users need consent before setting non-essential cookies (a requirement of the ePrivacy Directive, which borrows the GDPR's standard of consent).

Australian law has no equivalent cookie-consent rule, and an online identifier counts as "personal information" under the Privacy Act only where an individual is reasonably identifiable from it.

We'll be using the term "personal information" throughout this article, in reference to both laws.

Principles of Data Protection in the GDPR

The GDPR offers people in the EU one of the highest levels of protection and control over their personal information found anywhere in the world.

Like the Privacy Act 1988, the GDPR also contains a set of principles. These are set out at Article 5(1). They are as follows:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

In addition to these six core principles, the GDPR adds a seventh principle of "accountability" at Article 5(2). This makes "data controllers" (we'll look at what this means below) responsible for complying with the six principles and requires them to be able to demonstrate that compliance, for example through records of processing and documented policies.

Australian Privacy Principles

The Australian Privacy Principles (APPs) are contained in Schedule 1 of the Privacy Act. The APPs are the best-known and, for the purposes of most Australian businesses, the most important section of the Privacy Act.

The APPs relate to the following areas:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

Who Must Comply with Each Law?

An important difference between the two laws is that the GDPR is much broader in scope than the Privacy Act.

The APPs

The Privacy Act (and therefore the APPs) only applies to certain people, known as "APP Entities."

An APP Entity is:

  • An Australian or Norfolk Island government agency (including ministers, courts and government departments)
  • An Australian business with a turnover of more than $3 million AUD
  • An Australian business with a turnover of less than $3 million AUD that:
    • Trades in personal information,
    • Provides health services, or
    • Has opted-in to be bound by the APPs

Certain APPs apply differently to "agencies" (typically public bodies) and "organizations" (including businesses).

The GDPR

The GDPR applies to any organization established in the EU, wherever the actual processing takes place. Beyond that, it can apply to anyone in the world, so long as they:

  • Offer goods or services to individuals in the EU (whether paid or for free), or
  • Monitor the behavior of people who are in the EU (including via behavioral advertising)

This means any individual, company, charity, government body, etc., must comply with the GDPR whenever they are processing the personal information of people in the EU in these ways.

There are no exceptions to this based on turnover or company size. Even a small commercial website run by one lone developer would have to adhere to the law.

The GDPR divides companies (etc.) who process personal information into two categories: Data controllers and data processors.

  • Data controllers determine the purposes and means of processing personal information, deciding how and why personal information is processed.
  • Data processors process personal information on behalf of a data controller.

Companies who primarily act as data processors will also almost always "control" some personal data (for example, of their employees and clients), and so they will also be data controllers in some respects.

Both types of company must respect the principles of data processing. Accountability for the principles sits with the data controller (Article 5(2)), but processors have direct obligations of their own: they may process only on the controller's documented instructions (Article 28), must implement appropriate security measures (Article 32), and must notify the controller of a personal data breach without undue delay (Article 33(2)).

Privacy Policy Requirements

Transparency is an important part of both laws: it is covered by the GDPR's principle (a) of Article 5(1) and by Articles 12-14, and by the Privacy Act's APP 1. To comply with the transparency obligations of either law, it's essential to have a Privacy Policy.

Your company's Privacy Policy can be read by anyone who might come into contact with your company. It's not a contract. It's a notification of the ways in which you process personal information.

The APPs

Under the APPs, an APP Entity must have a compliant Privacy Policy that contains information about:

  • What types of personal information it collects and stores
  • How it collects and stores personal information
  • The purposes for which it collects, stores and otherwise uses or discloses personal information
  • How individuals can exercise rights over their personal information
  • How to make a complaint about the company
  • Information about potential overseas transfers of personal information

The GDPR

The GDPR's transparency obligations are more demanding. Data processors are not required to operate a Privacy Policy. However, as mentioned, data processors are almost always data controllers in respect of certain activities, and so most will need a Privacy Policy that covers these activities.

GDPR-compliant Privacy Policies are required to include all the information required under the APPs. They also must contain some additional information, including:

  • The identity and contact details of the controller and, where one has been appointed, its Data Protection Officer
  • How long personal information is stored, or the criteria used to decide the retention period
  • The "lawful basis" for each processing activity (and, where that basis is legitimate interests, what those interests are)
  • The individual's rights, including the right to lodge a complaint with a supervisory authority

There are also specific rules about when this information must be presented: at the time of collection where the information comes from the individual (Article 13), and within a reasonable period, at most one month, where it was obtained from someone else (Article 14).

Consent Requirements

The rules around consent are not confined to any specific principle in either law. Consent is mentioned throughout the GDPR, particularly at Article 7. In the Privacy Act, consent is mentioned in APPs 3, 6, 7 and 8.

Consent is an important concept under both the GDPR and the APPs. But it is possible, under both laws, to collect, use or share someone's personal information without their consent in certain circumstances.

The APPs

The Privacy Act 1988 recognizes two types of consent - express and implied consent. Neither express nor implied consent is defined in the Privacy Act.

You can think of express consent as an expression of an individual's wishes, for example in writing.

Implied consent is a little more complicated. Another Australian law, the Spam Act 2003, offers some insight into what implied consent can mean (the Spam Act calls it "inferred consent"). The Spam Act recognizes that a person may be taken to have consented to receive marketing communications from a business if:

  • They have conspicuously published their contact details online, without an accompanying statement that they do not want to receive marketing communications, and the message is relevant to their business, role or function, or
  • They have an existing business or other relationship with the business

The GDPR

The GDPR's definition of consent, at Article 4(11), is much stricter. Consent is:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

This is a very high threshold, and does not include "implied" consent: Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent.

EU law requires consent for cookies other than those strictly necessary to provide the service the user asked for (Article 5(3) of the ePrivacy Directive, read with the GDPR's standard of consent). Australian businesses (and businesses located elsewhere) that are delivering personalized marketing in the EU must consider how they will implement a cookie consent solution on their website, and non-essential cookies and tracking scripts must not be set until that consent has been given.

The GDPR also states, at Article 7(3), that "it shall be as easy to withdraw as to give consent," which obliges companies to build facilities into their websites and apps to allow a customer to withdraw consent at any time, as easily as it was given, and to stop the processing (and remove the cookies) that relied on it.
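
As an added example (not code from the original article), here is a minimal consent gate in JavaScript modelled on those two requirements: non-essential cookies are refused until consent for their specific purpose has been given, and withdrawing consent is the same one-call operation as granting it and also removes the cookies that relied on it. The cookie jar is a plain object so the logic runs in Node; the purpose names, the `ESSENTIAL` list and the cookie names are assumptions for illustration, not part of any real site.

```javascript
// Added example (not from the original article): a minimal consent gate for
// non-essential cookies, modelled on the GDPR consent standard (Article 4(11))
// and the withdrawal rule (Article 7(3)). The cookie "jar" is a plain object so
// the logic runs in Node; in a browser the same rules would wrap document.cookie.
const PURPOSES = Object.freeze({
  ANALYTICS: 'analytics',
  MARKETING: 'marketing',
});

// Cookies strictly necessary for the service the user asked for (assumed names)
// do not need consent under the ePrivacy rules.
const ESSENTIAL = new Set(['session_id', 'csrf_token']);

function createConsentManager(jar = {}) {
  // Default state is "no consent": silence, pre-ticked boxes or inactivity
  // never count as consent (Recital 32), so nothing is granted up front.
  const granted = new Set();

  return {
    // One call grants consent for one named purpose ("specific"); a single
    // "accept everything" switch would not be specific.
    grant(purpose) {
      if (!Object.values(PURPOSES).includes(purpose)) {
        throw new Error(`unknown purpose: ${purpose}`);
      }
      granted.add(purpose);
    },
    // Withdrawal has the same shape as granting (as easy to withdraw as to
    // give) and deletes cookies already set for that purpose.
    withdraw(purpose) {
      granted.delete(purpose);
      for (const [name, entry] of Object.entries(jar)) {
        if (entry.purpose === purpose) delete jar[name];
      }
    },
    hasConsent(purpose) {
      return granted.has(purpose);
    },
    // The only write path for cookies: refuses non-essential cookies whose
    // purpose has not been consented to. Returns true if the cookie was set.
    setCookie(name, value, purpose) {
      if (ESSENTIAL.has(name)) {
        jar[name] = { value, purpose: 'essential' };
        return true;
      }
      if (!purpose || !granted.has(purpose)) return false;
      jar[name] = { value, purpose };
      return true;
    },
    cookies() {
      return Object.keys(jar).sort();
    },
  };
}

// Walk through the lifecycle: before consent, after granting analytics only,
// then after withdrawal. Returns the cookie names present at each stage.
function lifecycle() {
  const cm = createConsentManager();
  cm.setCookie('session_id', 'abc', null);          // essential: always allowed
  cm.setCookie('_ga', 'GA1.2', PURPOSES.ANALYTICS);  // refused: no consent yet
  const before = cm.cookies();

  cm.grant(PURPOSES.ANALYTICS);
  cm.setCookie('_ga', 'GA1.2', PURPOSES.ANALYTICS);  // now allowed
  cm.setCookie('_fbp', 'fb.1', PURPOSES.MARKETING);  // still refused: other purpose
  const afterGrant = cm.cookies();

  cm.withdraw(PURPOSES.ANALYTICS);                   // removes _ga as well
  const afterWithdraw = cm.cookies();
  return { before, afterGrant, afterWithdraw };
}

console.log(JSON.stringify(lifecycle()));
```

The important design choice is that `setCookie` is the single write path: a tag manager or analytics snippet that bypasses it defeats the whole scheme, so on a real site the gate has to sit in front of every script that sets identifiers, not just the banner.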

Direct Marketing Requirements

The GDPR and the Privacy Act take rather different approaches to the regulation of direct marketing. The GDPR (as usual) is much stricter. Rules relating to direct marketing are set out both by the GDPR and by the Privacy Act 1988 (under APP 7).

Separate laws also exist, both in the EU (the ePrivacy Directive) and Australia (the Spam Act 2003), that specifically regulate certain types of direct marketing activity, such as commercial email and SMS.

The APPs

Under the APPs, there are several circumstances in which a business might be able to send a person direct marketing material. Here are two examples:

  1. The business collected the individual's contact details directly, and the individual would reasonably expect to receive direct marketing materials from the business. This might be because:
    • The individual expressly consented to this
    • The individual was informed that this would happen
  2. The business collected the individual's contact details directly or from a third party, and the individual would not reasonably expect to receive direct marketing materials from the business, but either:
    • The individual has expressly consented to this, or
    • It would be impracticable to obtain their consent

Under both scenarios, there must be a method by which the individual can opt out.

Under the second scenario, the individual's attention must be drawn to this opt-out method via a prominent statement in each marketing message.

The GDPR

Under the GDPR, a business will usually need an individual's express, specific consent before it can send them direct marketing. For email and SMS marketing, the ePrivacy rules also generally require prior consent, with a narrow "soft opt-in" for existing customers who were offered an opt-out when their details were collected.

It is possible under the GDPR, in some circumstances, for an individual to receive direct marketing where they have not specifically consented to it. Recital 47 acknowledges that direct marketing may be a "legitimate interest," but the business must conduct a Legitimate Interests Assessment showing that its interest in sending the material is not overridden by the individual's interests and rights.

This is sometimes compared to "implied consent," but it is not consent at all; legitimate interests is a separate lawful basis. Sending direct marketing material without express consent under the GDPR is only likely to be justifiable where there is a strong pre-existing relationship between the customer and the business.

Individuals have an absolute right to object to receiving direct marketing and can withdraw their consent if they have given it.

Rights Over Personal Information

Both laws provide individuals with certain rights over their personal information. In the GDPR, these rights are set out across Chapter III (Articles 12-23). In the Privacy Act, they are covered in APPs 12 and 13.

The APPs

If a business (or other APP Entity that qualifies as an "organization") holds personal information about an individual, APP 12 requires it to "give the individual access to the information." The business must not charge for making the request, but can charge a fee for giving access that is "not excessive."

Certain exceptions apply. For example, the business is not required to provide access if doing so would compromise the privacy of others, or prejudice a criminal investigation.

If a business holds inaccurate, out-of-date, incomplete, irrelevant or misleading personal information about an individual, APP 13 requires it to correct this information on request. The business cannot charge for this service.

In both scenarios, the business must respond within a "reasonable period."

The rules are slightly different for APP Entities that qualify as "agencies."

The GDPR

In much the same way as the APPs, the GDPR requires data controllers to provide access to and to rectify personal information on request. Data processors must assist their data controllers to carry out such requests, where necessary.

The GDPR also provides individuals with certain other rights over their personal information, including:

  • The right to erasure ("the right to be forgotten")
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects

Charging for the facilitation of any of these rights is not permitted unless a request is "manifestly unfounded or excessive" (Article 12(5)). Requests must normally be fulfilled within one month, extendable by a further two months for complex or numerous requests.

Data Security Requirements

Both laws provide varying rules and guidance on how to keep personal information secure. The GDPR covers security at Article 32. The Privacy Act covers this topic at APP 11 (security of personal information) and, less directly, APP 2 (anonymity and pseudonymity).

Rather than looking at each law in turn, we're going to look at how they're similar and how they're different in the area of data security.

Similarities

Both laws impose a general obligation to keep data secure. For the most part, however, they stop short of mandating particular methods by which to do this.

Both laws require that:

  • Steps are taken to ensure personal information is protected against loss, interference, misuse and unauthorized access
  • Personal information is securely erased or de-identified where it is no longer needed
  • Pseudonymization is used to reduce the risk to individuals where appropriate (the GDPR names pseudonymization and encryption as example measures at Article 32(1)(a); APP 2 requires giving individuals the option of dealing with an entity anonymously or under a pseudonym where practicable)

Data breaches (i.e. the loss of, or unauthorized access to or disclosure of, personal information) are treated quite similarly under both laws. Broadly speaking:

  • Data breaches must be reported to the regulator as soon as possible
  • Only breaches of sufficient seriousness must be reported: under the GDPR, those likely to result in a risk to individuals; under the Privacy Act's Notifiable Data Breaches scheme, those likely to result in serious harm
  • A breach might not need to be reported to affected individuals if the personal information was encrypted in a way that leaves it unintelligible to whoever obtained it, or if remedial action has removed the likely harm

Differences

The GDPR requires that companies have certain policies and procedures in place to help them assess and manage risk.

For example, companies who are planning to undertake high-risk data processing must undertake a Data Protection Impact Assessment (DPIA) under Article 35. Where proportionate to the processing, companies will also need data protection policies which set out the expectations on staff to treat data securely (Article 24(2)).

The GDPR splits breach notification in two: the supervisory authority must be told of any breach likely to result in a risk to individuals (Article 33), and the individuals themselves must be told only where the breach is likely to result in a high risk to them (Article 34). Under the Privacy Act, notifying affected individuals is part of every eligible data breach notification.

The GDPR imposes a strict time limit of 72 hours from becoming aware of a breach to report it to the supervisory authority "where feasible"; a later report must explain the delay. The Privacy Act instead allows up to 30 days to assess a suspected breach, after which notification must be made as soon as practicable.

Summary

Here are some of the main similarities and differences between the GDPR and the APPs:

  • Scope:
    • The APPs apply to "APP entities" which can be either "organizations" or "agencies"
    • The GDPR applies to "data controllers" and "data processors"
  • Privacy Policy
    • Both laws require a Privacy Policy that discloses key privacy information
    • The GDPR's Privacy Policy requirements are more extensive
  • Consent
    • The APPs recognize "implied" or "express" consent
    • The GDPR only recognizes unambiguous consent given by a statement or clear affirmative action; implied consent does not count
  • Direct marketing
    • The APPs allow for direct marketing to be sent with the implied consent of the recipient
    • The GDPR generally only allows for direct marketing to be sent with the express consent of the recipient
  • Rights over personal information
    • The APPs require organizations to provide access to personal information and rectify inaccurate personal information
    • The GDPR recognizes these rights, along with the further rights listed above (erasure, restriction, portability, objection and protection from solely automated decisions)
  • Data security
    • Both laws require companies to take steps to protect personal information
    • The GDPR goes further in its requirements