If you think data collection under Australia Privacy Law only refers to your customers filling out forms on your website, think again.
In the Uber case, the Office of the Australian Information Commissioner (OAIC) decided that data collection via “any means,” including cookies and similar technologies, is also subject to the Australia Privacy Act (APA).
Keep reading to learn if this applies to you and how you can comply.
What is the landscape around privacy laws in Australia?
The Australia Privacy Act 1988 is the main legislation that imposes various requirements on businesses for how they can collect and use Australians’ personal information. The Act’s primary goal is to enhance the protection of Australians’ personal information.
Does the Australia Privacy Act (APA) apply to you?
The Australia Privacy Act applies to your organization if the following conditions are met:
1. Personal Scope of the Act
The Act applies to all federal government agencies and to all businesses, except “(...) organizations (including all their related bodies corporate) with less than AUD 3 million (approx. €1.9 million) annual turnover at any time”, registered political parties, and state or territory authorities or instrumentalities.
Businesses will also automatically be subject to the Australia Privacy Act if they use or disclose personal information for a benefit or collect and use health information.
Note on personal information: under the Australia Privacy Act, personal information is defined as information or an opinion about an identified individual, or about an individual who is reasonably identifiable.
In short, even if a business’s annual turnover is below the threshold, it will still have to comply with the Australia Privacy Act if it processes personal information for a benefit or if it collects health information.
2. Territorial Scope of the Act
The Australian Privacy Act applies to both Australian and foreign organizations that carry on business in Australia.
Following the Uber decision, the Privacy Act applies to all foreign organizations deemed to be 'carrying on business' in Australia, whether or not this includes actively collecting personal information in Australia.
3. Material Scope of the Act
All processing activities such as collection, sharing, and use related to personal information fall under the scope of the Act. However, anonymized data or de-identified data is not subject to the Act.
New draft Privacy Bill, new requirements
In March 2019, the Australian Government announced that it would introduce a new Online Privacy Bill (OPB) to strengthen the protection of personal information on social media and other online platforms.
The new privacy bill will impose new requirements on how personal data can be collected and used via social media platforms and online channels.
The Online Privacy Bill will apply to organizations that:
- Collect personal information about an individual in the course of or in connection with providing access to information, goods, or services by use of an 'electronic service'; and
- Have over 2.5 million end-users in Australia in the past year, or if an organization did not carry on business in the previous year, 2.5 million users in the current year.
The Online Privacy Bill will introduce requirements such as specific rules on how organizations should obtain consent from children and other vulnerable people. Additionally, when an individual requests that their data not be disclosed to third parties or used, the organization must take reasonable steps to comply with that request.
Alongside this Act, other laws apply to specific sectors and organizations, including the Privacy Credit Reporting Code or specific regulations relating to health information and tax file numbers (TFNs).
Requirements to comply with the Australia Privacy Act (APA)
Any organization that is subject to the Australia Privacy Act 1988 is called an “APP Entity” and must comply with the 13 principles of the Act:
- Individuals should be provided with the option of not being identifiable or of using a pseudonym, subject to limited exceptions;
- APP Entities can only collect “solicited” information;
- APP Entities should manage unsolicited personal information in compliance with specific standards;
- APP Entities must inform individuals about the collection and use of their information in a specific manner;
- APP Entities should only disclose personal information to third parties under specific circumstances and subject to specific conditions;
- An APP Entity may only use or disclose personal information for direct marketing purposes if certain conditions are met;
- An APP Entity must fulfill certain requirements before it discloses personal information to overseas recipients;
- An APP Entity can only adopt a government-related identifier of an individual as its own identifier, or use or disclose a government-related identifier of an individual, under certain circumstances;
- APP Entities should ensure that the personal information they hold is accurate and up-to-date;
- An APP Entity must take reasonable steps to protect the personal information it holds from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. It also has obligations to destroy or de-identify personal information in certain circumstances;
- An APP Entity must fulfill individuals’ requests to access their personal information if specific conditions are met;
- APP Entities must keep the personal information they hold correct.
Do I need a cookie consent banner on my website in Australia?
There is no cookie-specific law in Australia.
However, under the Australia Privacy Act, organizations need to obtain consent if they collect sensitive personal information, such as data related to health, race, criminal record, or sexual orientation, or if they use or disclose personal information for a purpose other than the one it was collected for.
The transparency principle under the APA mentions that APP entities must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters, including:
- The entity’s identity and contact details
- The facts and circumstances of the collection
- Whether the collection is required or authorized by law
- The purposes of the collection
- The consequences if personal information is not collected
- The entity’s usual disclosures of personal information of the kind collected by the entity
- Whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries where they are located.
These matters can be displayed in a consent banner, which you can learn more about on our blog.
Complying with EU & UK GDPR and E-privacy directive
Beyond their activity in Australia, most global Australian organizations are subject to other privacy laws that cover cookie banner requirements.
If your website and business operations target EU- and UK-based individuals, you are likely subject to the European Union's and the United Kingdom's strict cookie compliance requirements under two distinct regulations: the General Data Protection Regulation (GDPR) and the E-Privacy Directive.
How to comply with the E-Privacy Directive?
The E-Privacy Directive includes rules on how businesses can store cookies and similar technologies on EU users’ devices.
It should be noted that each EU country and the UK have transposed the E-Privacy Directive into national law with their own variations, so businesses should check country-specific differences for compliance.
Regardless of those differences, the E-Privacy Directive introduces the following requirements when it comes to cookies:
- As a rule, cookies cannot be stored on user devices unless the user provides consent to the storage of cookies.
There are two exceptions to this consent rule:
- If the cookie is necessary for the transmission of a communication over an electronic communications network, consent is not needed.
- If the cookie is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user, consent is not required.
How to comply with EU and UK GDPR?
In addition to the E-Privacy Directive, businesses must also comply with the EU and the UK GDPR when they collect personal information via cookies.
While legitimate interest seems like a convenient option to avoid asking for consent, it is far from being so. Several EU data protection authorities have published guidance on whether consent is required for different cookie categories, and each country has different requirements.
Partnering with global Privacy UX experts will be instrumental in making sure you're navigating the regulatory intricacies of each country.
How Didomi can help
The data privacy revolution may have started in Europe with the GDPR, but it is rapidly spreading across the world, and the growing number of privacy fines in Australia, together with the new Online Privacy Bill, shows that businesses cannot overlook Australia when it comes to privacy compliance.
Customer privacy has to become a priority for brands, and for Australian businesses, this means complying with local and international privacy regulations.
Talk to an expert and find out how Didomi can help you turn privacy into a business opportunity.