Blog Post
What is Australia's GDPR? Key differences to know
The EU’s General Data Protection Regulation (The GDPR) is widely recognized amongst both privacy specialists and the broader business community. It sets out rules and regulations on how organizations and business entities should handle personal data and information of European citizens and applies to businesses globally, and has inspired similar laws worldwide. In this post we'll explore the similarities and differences between the EU GDPR and the Australia Privacy Act — The Privacy Act 1988 — sometimes referred to as the “Australian GDPR.”
The Australian Privacy Act was originally introduced in late 1988, and has since undergone over 80 revisions that incorporate various updates and amendments. Most notable of these amendments was in 2014 when it introduced a set of Australian Privacy Principles (APPs) that must be adhered to when working with personal identifiable information (PII) in an effort to give individuals power over how their personal data is shared and used. While the Australian Privacy Act shares some similarities with the EU’s GDPR, there are substantial differences that businesses should be aware of.
Below we’ll walk through five key differences between the two acts and how organizations can set out to achieve compliance with the Australian Privacy Act. Let’s explore.
Differences between the Australian Privacy Act and the EU’s GDPR
1. Differences in terminology
Believe it or not, the GDPR does not contain the word “privacy” and the Privacy Act does not include the phrase, “data protection”. Whilst this appears to be a significant difference between the laws, you can think of the terms interchangeably.
The concept of identifiable information is also given its own unique term under each law. The GDPR refers to the information as “personal data” and the Privacy Act calls it “personal information.” Having two terms to describe identifiable information is actually a good way to differentiate the laws because the GDPR and Privacy Act each categorize identifying information uniquely. For example, the GDPR considers tracking website cookies as personal data whereas the Privacy Act does not specifically define this as being included in the definition (however does not guarantee exclusion either).
2. Regulation principles
Both the GDPR and the Privacy Act contain core principles. The GDPR has a set of several principles -- lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. The Australian Privacy Act is made up of almost double the amount of rules called the Australian Privacy Principles (APPs) which we noted earlier as being the most substantial update. The APPs help to give order and clarity about how organizations must address transparency, protection of Personally Identifiable Information (PII) and even direct marketing. These APPs are made up of 13 principles which are as follows:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
3. Requirements
Transparency is an important part of both laws, and both require that companies have a “Privacy Policy”. However, there are differences between each act in what this Privacy Policy must contain. Under the Privacy Act, Australian organizations’ and their coinciding privacy policies must address:
- The type of personal information being gathered and stored
- How it is found and stored
- Why the information is kept and used
- How individuals can exercise their rights with their personal information
- How to file a complaint about a company's handling of an individual's PII
- Information about overseas relocation of personal information.
The GDPR’s policies are even stricter. The same privacy policies apply but in addition to the Privacy Act’s rules, organizations must also share
- Contact details of certain representatives within the organization
- Information about the length of time information is being stored
- The company's "lawful basis" for processing personal data.
There are also specificifications about when privacy policies should be shared with individuals by the organization.
4. Consent requirements
Australia and Europe both recognize that consumer consent is important. Both laws call for “expressed” consent, which typically means that consumers have agreed in writing to the use of their personal information. However, the GDPR’s definition of consent is stricter as there is no “implied” consent like in The Privacy Act. Implied consent is a little more difficult to navigate but it essentially assumes that when a customer does one thing, they are implying they consent to their personal information being collected, used, or stored given they have voluntarily supplied the information in combination and on the basis that the individual has the ability to provide, understand and communicate.
5. Data security
Both laws require an obligation to keep data safeguarded and PII to be securely erased when necessary. Additionally, under both laws, data breaches are expected to be reported to authorities as soon as possible. Both laws also require companies to report data breaches to individuals if the event is severe enough.
In the Australian context, the test for reporting is if the data breach is likely to result in harm to the individuals to whom the information relates to. Another key difference is that GDPR upholds organizations to have policies and procedures in place to manage risk, whereas the APPs are not that proactive.
The privacy act will continue to evolve
As previously stated, the Australian Privacy Act has undergone over 80 amendments in its 33 year history and will continue to evolve into the modern era to address new security, privacy issues, and concerns as they become mainstream.
The Australian Information Commissioner and Privacy Commissioner, Ms Angelene Falk confirmed in her 2020 privacy update that the Information Commissioner's Office is undergoing a review of the Privacy Act to ensure it remains fit for purpose in the digital age.
Manage data security with a Ground Labs solution
Ground Lab’s data privacy and security solutions are designed to ensure the safety and protection of your personal data by enabling organizations to discover and remediate all their data across multiple types and locations. Our flagship solution, Enterprise Recon will help your organization gain compliance for both the GDPR and Australian Privacy Act as the regulatory measures continue to evolve.
Ready to learn more? Schedule a demo with a Ground Labs expert today.