Australian Privacy Principles vs. the GDPR

Overview

This is the age of technology and legalities. Rights are taken very seriously, and the infringement of a person’s rights is entirely unacceptable. As a business or company, you have to be 100% sure that you are protecting your clients, and are protected by your Terms and Conditions (Ts & Cs) and Cookie Policy, etc.

To ensure that nothing is accidentally overlooked, you may need a professional privacy policy that abides by GDPR and Australian Privacy Principles (particularly if you’re in the EU or Australia). However, before you start engaging a business to help you with your GDPR sample policy or your Australian privacy policy, you may want to understand the difference between the two policies and how they came into effect.

The Privacy Act 1988 was created to protect and promote citizens’ privacy and control how Australian Government organisations deal with personal information. The Privacy Act includes 13 Australian Privacy Principles (APPs).

These apply to most Australian Government agencies and some private sector institutions and were implemented to regulate how companies with an annual turnover of more than $3 million handle sensitive personal data. These establishments are collectively classified as ‘APP entities.

GDPR stands for General Data Protection Regulation. This European Union (EU) legislation came into effect on May 25, 2018. This policy solidifies and expounds on the EU’s current intelligence safeguarding structure. GDPR takes the place of the 1995 Data Protection Directive, and it’s a new list of rules meant to allow EU citizens greater control over their private information.

How are the Australian Privacy Principles different from the GDPR?

1. Terminology

There are subtle differences between “personal data” and “personal information.”

• Personal Information – an opinion or information regarding a reasonably identifiable individual.
• Personal Data – any information regarding an identifiable natural person.

The Australian Privacy Principles refer to “Personal Information,” whereas the GDPR refers to “Personal Data.”

2. New Rights

As time has passed, new consumer rights have come into effect.  The GDPR reflects more of these rights than the Australian Privacy does, namely:

• The right to object to the processing of your data
• The right to the erasure of your data
• The right to data portability
• The right not to be subject to automated decision-making or profiling

In a sense, the GDPR is a more modern framework than the APPs.

3. Erasure

There are certain circumstances where this right allows a person to request that a business delete their data.  This can inform how you generate a privacy policy for your website, and the following are qualifying situations.

• The person decides they no longer want their data processed.
• The company no longer requires personal data for initial collection.
•  The circumstances of the collection of personal data were wrongful.

The “Erasure Right” is a trumped-up version of the “right to be forgotten.”

4. Objection to Processing

Did you know that your client has the right to refuse to process their personal data at any time? With this, the Australian Privacy Principles are one step ahead of the GDPR.  The GDPR requires the client to request the deletion of their personal data, but the APPs go a step further and state that:

• All businesses must destroy personal information they no longer need for a specific purpose.  That is, with or without the client requesting it.
• On top of this, on the occasions that the business provides an individual with access to their personal data, they must make the information available in the manner in which the individual requests it.

A good tip is to store all personal information in an easy-to-extract format and set up automatic alerts where clients can inform you if they intend to withdraw their consent.

5. Portability

Your client has the right to request that you hold their personal information in a data processor, in a commonplace, plus in an organised and machine-readable format.  Your client also has the right to dispatch their personal data to any other business or institution without interfering with the company they initially provided their data.

6. Consent

The Australian Privacy Principles require an individual to authorise, whether express or implied, the collection of their personal data.  The GDPR does not refer to consent being either implied or expressed.

It states, however, that a data processor must be able to provide proof that a person has given consent for the collection of their personal data.  If you decide to obtain your client’s approval via a written document, you must do so using precise, easy-to-understand terminology.

The two significant differences are:

• In Australia, something as simple as filling in a web form can pass for implied consent.
• The GDPR requires companies to demonstrate that consent has been obtained.

A good tip to ensure compliance with GDPR requirements is to get the client to simply click a “tick to accept” box alongside the statement:

“I consent to collect my personal data under this Privacy Policy.”

Although it is not essential in Australia, according to APP rules, that “tick to accept” box is imperative if you want to ensure GDPR compliance.

7. Data Breach Notifications

Regarding data breach notifications, Australian Privacy Principles have recently implemented new rules, which fall under the Notifiable Data Breaches Scheme.  Under the new scheme, APP entities are required to inform the Australian Information Commissioner of all eligible data breaches.

Any breach likely to result in grievous harm to the person to whom the information relates is regarded as an eligible breach.

• The APP entity has to ensure that the Commissioner is informed: “as soon as possible after they become aware of the breach.”
• The basic GDPR rules have a definite time frame to notify the authorities.

If a breach is likely to put the rights and freedom of individuals in jeopardy, the business must notify:

• The individual.
• The significant supervisory authority in the country of the affected EU resident.
• GDPR states that this must be done within 72 hours of the detected breach.

A data breach is a severe offence and can have serious repercussions.  A good tip is ensuring stringent security measures to prevent data breaches.

Also, prepare a “Data Breach Plan” like a fire-drill plan so that your business is ready to spring into action if a breach occurs.

That way, you can limit the damage and far-reaching effects of the breach, containing the problem.

Summary of Differences Between Australian Privacy Principles and GDPR

Here is a summary listing only the critical differences between the APPs and the GDPR Policies.

1. Terminology
   • Australian Privacy Principles refers to Personal Information
   • GDPR refers to Personal Data
2. Rights
   • APPs have 13 Australian Privacy Principles
   •  GDPR has eight user rights.
3. Objection to Processing
   • Australian Privacy Principles clients have the right to request their data be destroyed
   • GDPR regulations state that a business must destroy records that are no longer necessary, with or without the client’s request.
4. Consent
   • Australian Privacy Principles accept implied or express consent
   • GDPR accepts only express consent
5. Data Breach Notification
   • Australian Privacy Principles require authorities to be notified right after the breach has been detected.
   • GDPR required that authorities be notified within 72 hours of the breach being discovered.

Conclusion

There’s a lot more to business than just launching a website. There are compliance issues to consider, and you may need to create cookie policies, privacy policies, disclaimer policies, and more for your website.

As a business owner, you should consider these laws to avoid legal repercussions and whether you must comply with Australian privacy principles and the standard GDPR policy.

At GetTerms, we know compliance is a headache but we aim to make it simple. If you need a quick and affordable way to generate privacy policies for your website, our Comprehensive Policy Pack is the way to go.