BY Stephen Cavey | 21 January 2021
The EU’s General Data Protection Regulation (The GDPR) is widely recognized amongst both privacy specialists and the broader business community. It sets out rules and regulations on how organizations and business entities should handle personal data and information of European citizens and applies to businesses globally.
In contrast to the GDPR, many people are unaware that Australia too has its own privacy law, sometimes referred to in closed circles as the “Australian GDPR” but formally called The Privacy Act 1988. The Australian Privacy Act was originally introduced in late 1988 and has since undergone over 80 revisions incorporating various updates and amendments. The most notable of these amendments came in 2014, when it introduced a set of Australian Privacy Principles (APPs) that must be adhered to when working with personally identifiable information (PII), in an effort to give individuals power over how their personal data is shared and used. While the Australian Privacy Act shares some similarities with the EU’s GDPR, there are substantial differences that businesses should be aware of.
Below we’ll walk through five key differences between the two acts and how organizations can set out to achieve compliance with the Australian Privacy Act. Let’s explore.
Believe it or not, the GDPR does not contain the word “privacy” and the Privacy Act does not include the phrase, “data protection”. Whilst this appears to be a significant difference between the laws, you can think of the terms interchangeably.
The concept of identifiable information is also given its own term under each law. The GDPR refers to the information as “personal data” and the Privacy Act calls it “personal information.” Having two terms for identifiable information is actually a useful way to differentiate the laws, because the GDPR and the Privacy Act each categorize identifying information differently. For example, the GDPR considers tracking website cookies to be personal data, whereas the Privacy Act does not specifically include them in its definition (though it does not exclude them either).
Both the GDPR and the Privacy Act contain core principles. The GDPR has a set of seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The Australian Privacy Act is made up of almost double that number of rules, called the Australian Privacy Principles (APPs), which we noted earlier as being the most substantial update. The APPs give order and clarity about how organizations must address transparency, protection of Personally Identifiable Information (PII) and even direct marketing. These APPs are made up of 13 principles, which are as follows:
The GDPR’s policies are even stricter. The same privacy policies apply but in addition to the Privacy Act’s rules, organizations must also share
There are also specifications about when privacy policies should be shared with individuals by the organization.
Australia and Europe both recognize that consumer consent is important. Both laws call for “expressed” consent, which typically means that consumers have agreed in writing to the use of their personal information. However, the GDPR’s definition of consent is stricter, as there is no “implied” consent like there is in The Privacy Act. Implied consent is a little more difficult to navigate, but it essentially assumes that when a customer does one thing, they are implying consent to their personal information being collected, used or stored, given that they have voluntarily supplied the information and on the basis that the individual has the ability to provide, understand and communicate that consent.
Both laws impose an obligation to keep data safeguarded and to securely erase PII when necessary. Additionally, under both laws, data breaches are expected to be reported to authorities as soon as possible. Both laws also require companies to report data breaches to the affected individuals if the event is severe enough.
In the Australian context, the test for reporting is whether the data breach is likely to result in harm to the individuals to whom the information relates. Another key difference is that the GDPR requires organizations to have policies and procedures in place to manage risk, whereas the APPs are not that proactive.
As previously stated, the Australian Privacy Act has undergone over 80 amendments in its 33-year history and will continue to evolve to address new security and privacy issues and concerns as they become mainstream.
The Australian Information Commissioner and Privacy Commissioner, Ms Angelene Falk, confirmed in her 2020 privacy update that the Information Commissioner’s Office is undertaking a review of the Privacy Act to ensure it remains fit for purpose in the digital age.
Ground Labs’ data privacy and security solutions are designed to ensure the safety and protection of your personal data by enabling organizations to discover and remediate all their data across multiple types and locations. Our flagship solution, Enterprise Recon, will help your organization gain compliance with both the GDPR and the Australian Privacy Act as the regulatory measures continue to evolve.
Ready to learn more? Schedule a demo with a Ground Labs expert today.