# GDPR and Privacy Act Comparison: What Australian Businesses Need to Know
Australian businesses dealing with European customers must understand both GDPR and local privacy laws. This guide compares the frameworks and explains practical compliance.
## Two Privacy Frameworks
Australian businesses may need to comply with both the Privacy Act 1988 (Australia) and the General Data Protection Regulation (GDPR, European Union). Understanding both is essential for businesses operating internationally.
## The Australian Privacy Act
### Who It Covers
The Privacy Act applies to:
- Australian Government agencies
- Businesses with annual turnover over $3 million
- Health service providers
- Businesses that trade in personal information
- Credit reporting bodies and credit providers
- Certain other specified organisations
Small businesses under $3 million are generally exempt, though some activities bring them into scope.
### Key Requirements
The Australian Privacy Principles (APPs) require:
**Collection:** Only collect necessary personal information with transparency about purpose.
**Use and disclosure:** Use information only for the purpose for which it was collected unless consent is obtained.
**Data quality:** Take reasonable steps to ensure accuracy and completeness.
**Data security:** Protect against misuse, interference, loss, and unauthorised access.
**Access and correction:** Allow individuals to access and correct their information.
**Cross-border disclosure:** Requirements apply when sending personal information overseas.
**Notifiable data breaches:** Report eligible breaches to OAIC and affected individuals.
### Enforcement
The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act:
- Investigation powers
- Enforceable undertakings
- Civil penalties up to $50 million for serious breaches
## The GDPR
### Who It Covers
GDPR applies to:
- Organisations established in the EU
- Organisations outside the EU that offer goods/services to EU residents
- Organisations that monitor behaviour of EU residents
Australian businesses with EU customers may fall within scope.
### Key Requirements
GDPR requirements include:
**Lawful basis:** Processing requires a valid legal basis (consent, contract, legitimate interest, etc.).
**Transparency:** Clear, accessible information about processing.
**Purpose limitation:** Data used only for specified purposes.
**Data minimisation:** Collect only what is necessary.
**Accuracy:** Keep data accurate and up to date.
**Storage limitation:** Retain only as long as necessary.
**Security:** Appropriate technical and organisational measures.
**Accountability:** Demonstrate compliance actively.
**Individual rights:** Access, rectification, erasure, portability, objection.
**Breach notification:** Report breaches to the supervisory authority within 72 hours.
**Data protection officer:** Required for certain organisations.
**Data protection impact assessments:** For high-risk processing.
### Enforcement
EU data protection authorities enforce GDPR:
- Investigations and audits
- Corrective measures
- Fines up to €20 million or 4% of global annual turnover
## Comparing the Frameworks
### Scope and Application
**Privacy Act:** Generally applies to businesses in Australia with turnover over $3M.
**GDPR:** Broader; based on where the data subjects are located, not where the business is established.
GDPR has extraterritorial reach that can capture Australian businesses dealing with EU residents.
### Consent Requirements
**Privacy Act:** Consent is one basis for collection and use, but not the only one.
**GDPR:** Consent must be freely given, specific, informed, and unambiguous. Higher standard.
Both require consideration of consent, but GDPR is more prescriptive.
### Individual Rights
**Privacy Act:** Access and correction rights.
**GDPR:** Broader rights including erasure ("right to be forgotten"), portability, objection.
GDPR provides more extensive individual rights.
### Breach Notification
**Privacy Act:** Notify OAIC and affected individuals for eligible data breaches "as soon as practicable."
**GDPR:** Notify supervisory authority within 72 hours; notify individuals without undue delay for high-risk breaches.
GDPR has stricter timing requirements.
### Data Protection Officers
**Privacy Act:** No requirement.
**GDPR:** Required for certain organisations (public authorities, large-scale monitoring, special category data).
### Data Transfer
**Privacy Act:** Take reasonable steps to ensure overseas recipients comply with the APPs.
**GDPR:** Strict requirements for transfers outside EU, requiring adequacy decisions or appropriate safeguards.
GDPR is more restrictive on international transfers.
### Penalties
**Privacy Act:** Up to $50 million for serious or repeated interferences.
**GDPR:** Up to €20 million or 4% of global turnover.
Both can impose significant penalties.
## Practical Compliance
### Determine Applicability
Assess which frameworks apply:
1. Does your business fall under the Privacy Act?
2. Do you offer goods/services to EU residents?
3. Do you monitor behaviour of EU residents?
4. What personal information do you handle?
### Implement Common Controls
Many requirements overlap:
- Privacy notices explaining data handling
- Consent mechanisms where required
- Data security measures
- Access and correction procedures
- Breach detection and response
- Staff training
- Data minimisation and retention practices
### Address GDPR-Specific Requirements
If GDPR applies:
- Document lawful basis for processing
- Implement additional individual rights
- Prepare for 72-hour breach notification
- Consider data protection officer requirement
- Address international transfer requirements
- Conduct data protection impact assessments where required
### Documentation
Both frameworks expect documentation:
- Privacy policies
- Processing records
- Consent records
- Breach response procedures
- Training records
- Security measures documentation
## For Small Businesses
### Even If Exempt from Privacy Act
Good privacy practice is worthwhile regardless:
- Basic privacy practices build trust
- They prepare the business for growth or changes in scope
- They may be required by customers or partners
- They reduce the risk of problems
### If Dealing with EU Customers
Consider GDPR implications:
- May need to comply regardless of size
- Risk assessment for EU activities
- Proportionate compliance measures
- Consider whether EU market is worth the compliance burden
### Proportionate Approach
Scale to your situation:
- Larger operations need more formal programs
- Small operations can implement basics
- Focus on high-risk areas first
- Improve over time
## Common Mistakes
### Assuming Exemption
Assuming rules do not apply:
- Small business exemption has exceptions
- GDPR applies based on customers, not size
- Even exempt organisations should follow good practice
### Consent as Default
Relying on consent for everything:
- Other lawful bases may be more appropriate
- Consent must be genuine and withdrawable
- Over-reliance on consent creates problems
### Ignoring International Aspects
Not considering cross-border implications:
- Where are customers located?
- Where does data flow?
- What laws apply in each jurisdiction?
### Treating Compliance as One-Time
A "set and forget" approach does not work:
- Both frameworks require ongoing compliance
- Regular review and updates needed
- New processing activities need assessment
## Getting Help
When to seek professional advice:
**Legal:** Complex compliance questions, specific obligations, breach response.
**Technical:** Implementing security controls, data mapping, technical compliance.
**Consulting:** Building compliance programs, gap assessments, training.
Both privacy frameworks protect individuals while enabling legitimate data use. Understanding and complying with applicable requirements protects your business and builds trust with customers.