The Privacy Act 1988 is the backbone of Australia’s privacy and data protection law. Its scope extends across both private and public sector entities, and its principles-based framework helps organizations adapt to evolving technologies and business practices.
For professionals in marketing, compliance, or legal roles, understanding the Privacy Act and the Australian Privacy Principles (APPs) is essential to handling the personal data of Australians responsibly, reducing regulatory risk, and building trust with residents of the country.
While the Privacy Act shares a number of the GDPR’s requirements, there are some differences, including in compliance thresholds and enforcement. We look at the Act from its original implementation through its most recent reforms, which bring it up to current standards for protecting privacy and data.
Key takeaways
- The 13 Australian Privacy Principles (APPs) form the core framework for collecting, using, disclosing, and securing personal information.
- The law applies extraterritorially to entities outside Australia that handle personal data of Australian residents.
- Organizations must have a lawful basis for processing data, obtain valid consent when required, and respect individual rights.
- The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act, with significant penalties for noncompliance.
- Compliance requires documented policies, staff training, and technical safeguards.
- Ongoing reforms aim to align the Privacy Act with changing technologies and global standards like the GDPR.
What is the Australia Privacy Act?
Enacted in 1988, the Australia Privacy Act regulates how personal information is collected, used, disclosed, and managed by Australian government agencies and many private sector organizations. The Privacy Act is federal, applying to residents across the country and not just individual states.
Over time, amendments have addressed digital technologies, cross-border data flows, and emerging risks.
The Privacy Act aims to:
- Protect individuals’ privacy and data
- Promote transparency and accountability in data handling
- Balance individual rights with organizational and public interest needs
The law applies to federal government agencies and private sector organizations with an annual turnover above AUD 3 million. Some smaller organizations — such as health service providers or entities trading in personal data — are also covered.
What are the Australia Privacy Principles?
The Privacy Act’s centerpiece is the set of 13 Australian Privacy Principles (APPs), which apply to most regulated entities. The APPs give organizations flexibility in implementation. Each principle is described individually below.
Extraterritoriality
The Privacy Act applies beyond Australian borders. Any overseas entity that collects or holds personal data about Australian residents in connection with its Australian business operations must comply. It doesn’t matter if the business is located in Australia or not. This is comparable to the GDPR and various other privacy regulations.
For example, a US-based marketing platform or a European SaaS provider offering services to Australian customers may fall within scope of the Privacy Act if it processes Australians’ personal data.
Key definitions of terms
The Privacy Act has a number of standard definitions to help clarify scope, meaning, and enforcement. These are found under Part II, the Interpretations section.
- Personal information: Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion
- Sensitive information: Includes health, genetic, biometric, racial, political, religious, or sexual orientation data. Handling requires stricter safeguards
- Agency: Entities that can possess or control personal information, including:
  - Government ministers
  - Government departments
  - Companies
  - Bodies established or appointed for public purposes
  - A person holding or performing the duties of an office
  - Federal or Australian Capital Territory courts
  - Australian Federal Police
- APP entity: Any agency or organization subject to the APPs
- Consent: Express or implied consent, which must be voluntary, informed, current, and specific
- Individual: A natural person; the term does not cover a household or corporate entity
- Collector: The agency or authority legally treated as responsible for gathering personal information; responsibility rests with the agency or authority, not with any individual employee or member who handles it
- Record-keeper: An agency that is in possession or control of a record of personal information
Principles or requirements for data processing
Achieving and maintaining compliance with Australia’s Privacy Act and Privacy Principles requires a multifaceted approach. Organizations must comply with specific legal requirements for data processing, understand the definition of consent, and uphold data subjects’ rights. We look at key obligations and relevant exceptions.
Australian Privacy Principle 1: open and transparent management of personal information
Australian Privacy Principle 1 mandates open and transparent management of personal information by APP entities. This means clearly communicating how, when, and why personal data is collected and used, including through a comprehensive privacy policy.
Compliance requires establishing and regularly updating practices, procedures, and systems to adhere to the APPs, handle inquiries/complaints, and provide an accessible privacy policy that details:
- Types of information collected
- Collection and holding methods
- Purposes of use and disclosure
- Individual access/correction rights
- Privacy compliance inquiry and complaint mechanisms and procedures
- Potential overseas data disclosure (with countries if practicable)
Australian Privacy Principle 2: anonymity and pseudonymity
Australian Privacy Principle 2 mandates that APP entities provide individuals with the option to interact anonymously or pseudonymously, unless legally required or impractical. (Anonymization of personal information is covered under APP 11.) Internal policies should align with public notices regarding identification necessity and handling anonymity requests.
Compliance requirements include:
- Enable anonymous channels
- Limit exceptions to legal mandates or impracticality
- Document identification requirements and exceptions
- Review workflows for “name optional” fields
- Ongoing staff training
Australian Privacy Principle 3: collection of solicited personal information
Australian Privacy Principle 3 governs the collection of solicited personal information by APP entities, with stricter rules for sensitive data, emphasizing fairness and collection source.
Best practices include mapping data fields to business purposes, obtaining explicit consent and legal basis for sensitive data, and standardizing compliant collection methods free of dark patterns.
Compliance includes collecting personal information only for stated purposes, through fair and lawful means, and directly from the individual unless otherwise authorized. Sensitive information collection is permitted only under specific exceptions, e.g., consent, legal requirement, permitted general or health situations, enforcement body necessity, or non-profit membership.
Australian Privacy Principle 4: dealing with unsolicited personal information
Australian Privacy Principle 4 outlines how entities must handle unsolicited personal information. This includes promptly assessing if the information could have been collected under APP 3. If not, and it’s not a governmental record, the information must be destroyed or de-identified as soon as practicable.
If retention is permitted, it should be treated as if collected under APP 3, applying APPs 5–13. Best practices include implementing an intake triage system, maintaining standard operating procedures for secure destruction, and applying APPs 5–13 for retained data.
Australian Privacy Principle 5: notification of the collection of personal information
Australian Privacy Principle 5 mandates that entities notify individuals about personal data collection and use, and about how to exercise their rights. This includes:
- Informing individuals about data access and use at or before collection (or as soon as practicable)
- Providing entity contact details
- Explaining indirect collection circumstances
- Detailing legal authority for collection
- Specifying collection purposes and consequences of non-provision
- Identifying usual disclosures
- Linking to privacy policy for data access and complaint handling
- Disclosing international data transfers
Best practices include embedding APP 5 notices in all intake channels, maintaining a disclosure registry, and ongoing staff training on individual rights and complaint management.
Australian Privacy Principle 6: use or disclosure of personal information
Australian Privacy Principle 6 limits how APP entities use or disclose personal information. Generally, information should only be used for its primary collection purpose, with specific exceptions.
Compliance requires limiting use to the primary purpose unless there’s an applicable exception, e.g., individual consent, legal requirement, permitted general/health situation, or enforcement-related activity.
Special rules exist for biometric information disclosed to enforcement bodies. Overseas disclosures are also subject to APP 8, which covers international data transfers or cross-border disclosure.
Entities must map all uses/disclosures to the primary purpose or a documented APP 6 exception, and for enforcement-related activities, assess and record the “reasonably necessary” test. APP 8 checks — due diligence or informed consent — are required before overseas data release.
Australian Privacy Principle 7: direct marketing
Australian Privacy Principle 7 regulates direct marketing, requiring strict conditions, opt-out rights, and extra protections for sensitive information. Direct marketing is defined as using personal information to promote goods or services via various channels, e.g., phone, SMS, email, social media, or online ads.
Compliance requirements:
- For non-sensitive information:
  - Collected directly: Target only if the individual would reasonably expect it, provide a simple opt-out, and cease if they opt out
  - Collected indirectly or no reasonable expectation: Market only with consent (or if impracticable), provide a simple opt-out, include a prominent opt-out statement, and cease if the individual opts out
- For sensitive information: Use for direct marketing only with consent
- For contracted service providers: Market only if information was collected for the contract and its use/disclosure is necessary for that obligation
- Honor opt-out requests for direct marketing and requests for data sources within a reasonable time frame and for free, unless impracticable/unreasonable
- Comply with other relevant laws like the Do Not Call Register Act 2006 and the Spam Act 2003
To implement best practices:
- Map direct marketing activities to APP 7 exceptions
- Record and securely store valid consent
- Embed clear opt-outs in every message
- Maintain automated suppression lists
- Stop communications and data collection promptly after requests
- Verify lawful sources for third-party data
- Run dual checks for channel-specific laws
Australian Privacy Principle 8: cross-border disclosure of personal information
Australian Privacy Principle 8 outlines conditions for international data transfers. APP entities must ensure overseas recipients handle personal information according to APPs and may be accountable for third-party conduct (section 16C of the Privacy Act).
Compliance requires taking reasonable steps, typically through enforceable contracts, to ensure recipients follow APP-equivalent privacy standards.
Entities must differentiate between “use,” where data remains under the entity’s control, and “disclosure,” where data leaves that control, and rely only on permitted exceptions like similar laws, informed consent, legal authorization, or permitted general situations.
Best practices include:
- Mapping cross-border data flows
- Conducting transfer risk assessments
- Including strong privacy clauses in contracts
- Being transparent in privacy policies
- Ensuring specific, informed, and documented consent, when used
Australian Privacy Principle 9: adoption, use or disclosure of government-related identifiers
Australian Privacy Principle 9 regulates how organizations adopt, use, or disclose government-related identifiers, i.e., numbers assigned by a government agency such as driver’s licence numbers, Australian passport numbers, or Tax File Numbers (TFNs).
Organizations must not adopt government identifiers as their own unless legally mandated or authorized. The use and disclosure of these identifiers should be limited to specific exceptions, which include:
- Identity verification
- Legal obligations
- Enforcement
- Permitted general situations
- Prescribed circumstances
For customers, it’s recommended to generate and use internal IDs, rather than using government identifiers as primary keys. When relying on exceptions, it is important to document the necessity and legal basis.
Access and further disclosure of government identifiers should be restricted to the minimum required purpose, prohibiting their reuse for marketing or profiling. Organizations should also update policies, contracts, and training to reflect APP 9 limits and incorporate checks into vendor integrations.
Australian Privacy Principle 10: quality of personal information
Australian Privacy Principle 10 mandates that entities ensure the quality — accuracy, completeness, relevance, and currency — of personal information they collect, use, or disclose. “Reasonable steps” for compliance vary based on factors like information sensitivity, entity size, potential adverse consequences of flawed data, and practical constraints.
If data comes from a highly reliable source, additional steps may not be needed, but the decision must be justifiable. Regular data quality reviews are also recommended.
Best practices include:
- Implementing audit and correction procedures with staff training
- Using standardized data formats
- Allowing individuals to update their information
- Verifying external data
- Assessing data relevance before using it for new purposes
Australian Privacy Principle 11: security of personal information
Australian Privacy Principle 11 mandates APP entities to safeguard personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. It also requires secure destruction or de-identification of information no longer needed.
Compliance involves implementing proportionate security measures based on data sensitivity, processing volume, and risk, protecting data throughout its lifecycle, regularly assessing retention needs, and applying safeguards during de-identification.
Best practices include:
- Maintaining a privacy and security framework that includes access controls, encryption, vendor management, breach response
- Keeping a data inventory and retention schedule
- Using standardized procedures
- Regularly testing security controls
- Providing ongoing staff training
Australian Privacy Principle 12: access to personal information
Australian Privacy Principle 12 grants individuals the right to access their personal information held by APP entities, with limited exceptions. Government agencies have 30 days to respond, while other organizations must respond within a reasonable timeframe. Access should be provided in the requested format when practical, with reasonable fees for cost recovery.
Compliance requires responding within the set timeframe, verifying identity before granting access (denying if identity cannot be reasonably verified), and providing written reasons and complaint information if access is partially or wholly refused, or if the requested method is refused.
Access can be refused for reasons like:
- Risk to life
- Unreasonable impact on privacy
- Ongoing legal proceedings
- Unlawful disclosure
- Frivolous requests
- Commercially sensitive evaluative information
Best practices include the following; where there is a high volume of requests, automated solutions can help with response times and resource management:
- Maintaining clear intake and verification procedures
- Triaging requests early
- Applying consistent assessment criteria for exceptions
- Documenting all decisions
- Tracking response times
- Logging communications, refusals, redactions, and complaints
Australian Privacy Principle 13: correction of personal information
Australian Privacy Principle 13 grants individuals the right to request corrections to their personal information held by APP entities and requires entities to ensure data accuracy.
Entities must correct information upon request or when inaccuracies are identified, responding promptly and without charge. If a correction is made, entities should inform previously disclosed organizations if requested and practicable.
Refusals to correct information require entities to provide written reasons, complaint information, and, if requested, a statement from the individual noting their disagreement.
Best practices include:
- Establishing clear correction processes
- Verifying identity and new information
- Maintaining secure, accurate records
- Integrating correction procedures into privacy policies and staff training
Legal requirements for data processing
Unlike the GDPR, the Australia Privacy Act does not prescribe a set of lawful bases for processing. Instead, entities’ compliance obligations arise from the APPs and sector-specific rules. Consent is especially critical when handling sensitive information and for direct marketing.
Definition of consent
There are several parts to defining consent, involving how it’s requested and how it’s obtained. For compliance and building trust, implementing best practices is recommended.
Individuals can withdraw their previously granted consent at any time, and organizations must make it as easy to withdraw as it was to give. Once an individual has withdrawn consent, the organization can’t rely on past consent for future use or disclosure of the individual’s personal information.
Express, implied, and bundled consent
The OAIC defines consent as either express or implied. Express consent is clearly given, e.g., verbally or in writing, such as by signing a form or ticking a box. Express consent is best practice for sensitive information.
Implied consent is a form of consent that may be inferred from a person’s conduct and the circumstances, but only if it’s reasonable for the organization to believe valid consent exists, e.g., after offering an opt-out option.
Bundled consent occurs when an organization seeks one overall consent for multiple uses or disclosures of personal information, without enabling the data subject to choose which ones they agree to.
Organizations should not request bundled consent, and individuals should not agree to it, unless the request meets the following conditions:
- Individuals can opt out of specific collections, uses, or disclosures
- Clear details about each proposed use or disclosure are provided
- The consequences of refusing any part of the consent are clearly explained
Conditions for valid consent
Conditions for valid consent under the Australian Privacy Act mirror those in many other global data privacy laws, and center around the data subject being able to understand what they’re consenting to and actively making choices.
Valid consent must be:
- Informed: Individuals must understand how their personal information will be handled and the consequences of consenting or refusing. Relevant information and consent requests should be clear and free of technical or legal jargon.
- Voluntary: Consent must be freely given without pressure, considering the options and consequences of refusal.
- Current and specific: Consent applies only to the specific situation and time given. Organizations must clearly state why they seek consent and avoid vague or open-ended requests. This ties to purpose limitation requirements.
- Given by someone with capacity: The individual must understand the decision and its consequences and be able to communicate it rationally. If they lack capacity, e.g., due to age, illness, or language barriers, consent should come from an authorized representative, and the individual should still be involved as much as possible.
Organizational applicability and data subjects’ rights
Under the Australian Privacy Act, individuals have a variety of rights regarding their data and privacy. Australian Government agencies and APP-covered organizations (with annual turnover of more than AUD 3 million) are responsible for upholding these rights, as are smaller entities that handle health information, trade in personal data, or perform certain credit-related activities.
Entities that are considered organizations under the Act are:
- an individual, including a sole trader (though generally an individual acting in a personal capacity is exempt)
- a body corporate
- a partnership
- any other unincorporated association
- a trust
Entities not defined as organizations include small business operators, registered political parties, state or territory authorities, and state-run entities like universities, hospitals, and port authorities.
Data subjects’ rights
The Privacy Act’s data subject rights contain a number of similarities to international laws like the GDPR, but don’t fully mirror them. For example, Australians don’t have the right to erasure (“be forgotten”) or to data portability under the Act. They do have the right to complain about mishandling, however, which is also enshrined in Canada’s PIPEDA.
- Right to be informed: Know why their personal information is collected, how it will be used, and who it will be disclosed to.
- Right to use a pseudonym (where practicable): Individuals may choose not to identify themselves or to use a pseudonym in certain circumstances.
- Right to access: Request access to their personal information, including health information.
- Right to correction: Ask for incorrect or incomplete personal information to be corrected.
- Right to opt out of direct marketing: Stop receiving unwanted direct marketing, e.g., promotional emails or personalized ads.
- Right to complain: Lodge a privacy complaint about an APP-covered organization or agency if the individual believes their information has been mishandled.
Australian Privacy Act compliance requirements and responsibilities
Responsibilities and compliance requirements for organizations are covered mainly in the APPs. Their stipulations are in line with other global privacy laws.
Governance and accountability
- Maintain clear privacy management practices, procedures, and systems.
- Assign responsibility, e.g., by assigning a privacy officer, and adopt a privacy by design approach.
- Publish a clear, accessible, up-to-date privacy policy, available free of charge and on request, which includes:
  - Kinds of personal information that the entity collects and holds
  - How the entity collects and holds personal information
  - Purposes for which the entity collects, holds, uses and discloses personal information
  - How an individual may access personal information about themselves that is held by the entity, and seek the correction of such information
  - How an individual may complain about a breach of the Australian Privacy Principles and how the entity will deal with such a complaint
  - Whether the entity is likely to disclose personal information to overseas recipients
  - If the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located, if it is practicable to specify
Collection, use, and disclosure
- Collect only information reasonably necessary for business functions, by lawful and fair means.
- Notify individuals when collecting their data.
- Limit use or disclosure to the stated purpose, unless an exception applies.
- Apply extra safeguards for cross-border disclosures.
Data quality and security
- Take reasonable steps to keep information accurate, current, and complete.
- Protect against misuse, interference, loss, or unauthorized access.
- Destroy or de-identify data when no longer needed.
Access and correction
- Provide individuals access to their personal information and correct inaccuracies or incomplete data.
Supplementary obligations
The OAIC and supporting regulations also include several additional obligations for privacy compliance.
- Implement a privacy management framework to embed, evaluate, and improve compliance.
- Conduct privacy impact assessments for new or changed projects.
- Manage and monitor third-party service providers to ensure equivalent privacy protections.
Exceptions to the scope of the law and principles
A variety of entities, operations, and types of data processing are exempt from the Australian Privacy Act and the APPs, or fall outside their scope.
Small businesses
Includes organizations with annual turnover of under AUD 3 million, unless they:
- Provide health services and hold health information
- Trade in personal information
- Are contracted service providers to a Commonwealth agency
- Are credit reporting bodies or operate under other specific laws, e.g., industry regulations
Employee records
Covers the collection and handling of personal information about private-sector organizations’ current or former employees if used or handled directly in relation to the employment relationship, e.g., payroll or performance records, but does not include:
- Job applicants (before employment begins)
- Government agencies
Political parties, political representatives, and candidates
The exemption applies when collecting, using, or disclosing personal information for purposes like campaigning or fundraising.
Media organizations and individuals
The exemption applies when these entities are engaged in journalism, though published privacy standards like a media code of practice must be observed.
Personal, family, or household use
This applies in a purely personal capacity, such as keeping a personal address book or social media use for private purposes.
State and territory government agencies
Most are regulated under separate state or territory privacy laws.
Security, law enforcement, and intelligence
This exemption also covers some other agencies for specific activities relating to law enforcement, court proceedings, or public interest matters.
Legally required or authorized acts
APP entities may be exempt from obligations where an act or practice is required or authorized by an Australian law or a court/tribunal order, e.g., statutory reporting or subpoenas.
Enforcement and penalties
The Office of the Australian Information Commissioner (OAIC) enforces the Act through complaint investigations, audits, and Commissioner-initiated actions.
The Commissioner can levy a variety of penalties, including tiered fines for corporations:
- Tier 1: up to AUD 66,000 for non-incorporated entities or AUD 330,000 for corporations for specified administrative failures
- Tier 2: up to AUD 660,000 for individuals or AUD 3.3 million for corporations for moderate offences
- Tier 3: up to AUD 2.5 million for individuals or AUD 50 million for a corporation, or three times the value of any benefit obtained, or 30 percent of adjusted turnover during the breach period, whichever is greatest, for the most serious offences
The Commissioner can apply varying numbers of penalty units depending on the nature and severity of violations. Fines are based on the number of penalty units.
The Commissioner can also issue compliance notices and seek injunctive relief, and violations involving health data or unauthorized cross-border transfers can result in a two-year prison sentence.
How to achieve and maintain compliance with the Australian Privacy Act and APPs
Here is a summary of key steps that organizations can take to meet their obligations under the Privacy Act 1988 and the Australian Privacy Principles (APPs). These actions support compliance, protect businesses, and also demonstrate accountability while building trust.
Governance and accountability
- Integrate privacy by design practices into systems, products, and projects through the entire lifecycle.
- Create and maintain a clear, accessible, up-to-date privacy policy explaining what information is collected, how it is used and disclosed, and how individuals can access, correct, or complain about its handling.
- Appoint a privacy officer (where legally required) or designate responsibility for privacy compliance.
- Provide regular privacy and data protection training for staff.
- Review and update data processing, privacy procedures, and security measures regularly.
Data collection, notifications, and consent
- Collect only the personal information necessary for business functions.
- Use lawful and fair collection methods; avoid misleading or coercive tactics.
- Obtain express consent for sensitive information such as health or biometric data.
- Obtain informed consent for overseas disclosures where applicable.
- Provide an easy opt-out for all marketing and stop sending marketing communications and/or materials immediately when a person opts out.
- Ensure all marketing activities also comply with the Spam Act 2003 and Do Not Call Register Act 2006.
- Assess any unsolicited personal information received and destroy or de-identify it promptly if it could not have been lawfully collected.
Data processing purposes and disclosure
- Use or disclose personal information only for the primary stated collection purpose.
- Record any secondary uses or disclosures and confirm they meet APP exceptions, such as consent or legal obligation.
- Identify any overseas disclosures of personal information.
- Include privacy clauses in contracts requiring foreign recipients to protect data to APP standards.
Data quality and security
- Verify that personal information collected is accurate, complete, and current.
- Conduct regular reviews and updates of stored data.
- Protect personal information from misuse, loss, and unauthorized access.
- Review access controls, encryption, and vendor security measures regularly.
- Destroy or de-identify information that is no longer required for business or legal purposes.
- Establish clear processes for handling access and correction requests.
- Respond to access requests within a reasonable time (30 days for government agencies).
- Provide written reasons and complaint information if access or correction is refused.
Data breach management (Notifiable Data Breaches scheme)
- Maintain an up-to-date data breach response plan.
- Assess suspected breaches quickly and document findings.
- Notify the OAIC and affected individuals when a breach is likely to cause serious harm.
Government compliance requirements (Australian Government Agencies Privacy Code) and compliance maintenance
- Complete mandatory privacy impact assessments (PIAs) for high-risk projects.
- Maintain a register of PIAs and update governance and training requirements accordingly.
- Map data flows across systems, vendors, and countries.
- Standardize privacy notices across all data collection points.
- Keep a record of all consents, opt-outs, and data-sharing agreements over time.
- Maintain a schedule for retention and secure destruction of records.
- Review breach response procedures and conduct simulation exercises.
Updates to the Australia Privacy Act
The Australian Government proposed major reforms via the Privacy and Other Legislation Amendment Bill 2024, which were passed in November 2024. Some updates are in force now or have dates when they will come into force. Additional updates are proposed for a future “tranche 2.”
Privacy Act updates in force now or to come
- Doxxing offence: New criminal penalties for publishing personal information to cause harm (in force December 2024).
- International data transfer “whitelist”: Streamlines compliant overseas disclosures (in force December 2024).
- OAIC enforcement powers expanded: Broader investigation and penalty tools (in force December 2024).
- Enhanced security and breach reporting duties: Updated “reasonable steps” and notification details (in force December 2024).
- Privacy tort: Individuals can sue for serious invasions of privacy (in force June 2025).
- Automated decision-making disclosure: Entities must state when personal data is used for significant decisions (by December 2026).
- Children’s Online Privacy Code: To be developed by December 2026.
Privacy Act proposed “tranche 2” updates
Potential future updates that have been discussed include:
- Remove or narrow the small-business exemption.
- Strengthen employee records privacy protections.
- Introduce a “fair and reasonable” test and tighter consent rules for data use and marketing.
- Introduce a controller/processor distinction, mirroring the GDPR.
- Update definitions and individual rights (access, correction, erasure).
Comparison: Australia Privacy Act and APPs vs GDPR
| Topic | Australia | European Union |
| --- | --- | --- |
| Scope / coverage | Federal agencies and most private organizations handling personal data of people in Australia; small business exemption below $3 million turnover (with notable carve-outs) | Controllers and processors handling personal data of people in the EU/EEA, regardless of establishment |
| Framework | Principles-based via 13 APPs; operational flexibility | Rules-based with defined obligations and legal bases |
| Lawful basis | No exhaustive list; obligations flow from APP 3 and sector rules. Consent is central for sensitive information and direct marketing | Six lawful bases: consent, contract performance, legal obligation, vital interests, public task, legitimate interests (Art. 6 GDPR) |
| Consent model | Voluntary, informed, current, and specific; express consent recommended for sensitive information; implied consent may be acceptable in limited contexts. Must be easy to withdraw (APPs 3, 7, 8) | Freely given, specific, informed, unambiguous; explicit; must be easy to withdraw (Art. 7 GDPR) |
| Sensitive data | Sensitive information (health, genetic, biometric, etc.) faces stricter conditions; consent typically required (APP 3) | Special categories face a processing prohibition unless a specific condition (e.g., explicit consent) applies (Art. 9 GDPR) |
| Individuals’ rights | Access, be informed, use a pseudonym (where practicable), correction, opt out of direct marketing, complain (APPs 2, 5, 7, 12, 13) | Access, be informed, correction, erasure (right to be forgotten), restrict processing, data portability, object to processing, rights regarding automated profiling and decision-making (Chapter III GDPR) |
| Privacy notices | Clear, accessible privacy policy; collection notices at or before data collection (APP 5) | Provide transparency through clear, accessible notice at or before data collection (Arts. 13–14 GDPR) |
| Direct marketing | Restricted (APP 7); consent often required; must offer opt-out | Legitimate interest or consent depending on channel and national e-privacy rules; robust opt-out requirements (Art. 21 GDPR) |
| Data minimization | Collect only what’s reasonably necessary for stated purpose(s) (APP 3) | Explicit principle, alongside storage limitation: collect only what’s reasonably necessary for stated purpose(s) and retain it only as long as needed to fulfill the purpose (Art. 5 GDPR) |
| Purpose limits | Restrict use/disclosure to primary stated purpose unless an exception applies or new consent is obtained (APP 6) | Explicit principle; restrict use/disclosure to primary stated purpose unless an exception applies or new consent is obtained (Art. 5 GDPR) |
| Security | Reasonable steps (technical and organizational measures) to protect personal information (APP 11) | Security of processing with technical/organizational measures (Art. 32 GDPR) |
| (Data) privacy impact assessments (PIA / DPIA) | PIA recommended and common for new projects, changes to information handling, and high-volume/high-risk initiatives (APP 1) | DPIA mandatory when using new technologies, adopting automated processing, high-volume/high-risk processing, or systematic monitoring (Art. 35 GDPR) |
| Breach notification | Notifiable Data Breaches (NDB) scheme: notify OAIC and affected individuals when the breach is likely to cause serious harm (APP 11) | Notify supervisory authority within 72 hours if there is a risk to individuals; notify individuals if the risk is high (Art. 33 GDPR) |
| International transfers | Reasonable steps so overseas recipients don’t breach the APPs; accountability often remains with the sender; consent or “substantially similar” regimes can apply (APP 8) | Based on adequacy decisions, standard contractual clauses, binding corporate rules, or specific derogations (Chapter V GDPR) |
| Extraterritoriality | Applies to overseas entities carrying on business in Australia and handling Australians’ personal information (APP 8) | Applies to entities inside/outside the EU/EEA offering goods/services to, or monitoring the behavior of, people in the EU/EEA (Art. 2 GDPR) |
| Enforcement | Office of the Australian Information Commissioner (OAIC) investigates, assesses, and initiates actions; tiered penalties, up to AUD 50 million (levy of penalty units), three times the benefit obtained, or 30% of adjusted turnover for the breach period; plus corrective powers and possible prison sentences | National data protection authorities (DPAs) in EU Member States (Chapter VI GDPR); tiered penalties with administrative fines up to €20 million or 4% of worldwide annual turnover (whichever is higher), plus corrective powers (Arts. 82–83 GDPR) |
| Privacy by design | Expected via reasonable steps, PIAs, and alignment with the APPs (APP 1) | Explicit expectation across principles and the DPIA regime (Art. 25 GDPR) |
| Records and accountability | Policy, notices, training, and security practices expected; accountability inferred (APPs 1, 10–12) | Accountability is explicit; requires records of processing, processor contracts, and demonstrable compliance (Art. 5 GDPR) |
| Children | No single statutory age threshold; OAIC guidance emphasizes capacity and parental involvement depending on maturity; parental consent generally required under age 15 | Consent age generally 16 (Member States may set it between 13 and 16); special protections for children’s data (Art. 8 GDPR) |