
The Australian Privacy Act is one of Australia’s key privacy laws that regulates how Australian government agencies and certain organisations can use personal information.

First introduced in 1988, the Privacy Act has recently been amended to strengthen its existing data protection measures, particularly in response to current online privacy issues and revelations such as the Facebook and Cambridge Analytica scandal.

In this article, we’ve pulled out four key highlights of the new reforms and how they stack up against the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) laws.

A new online privacy code will hold social media companies accountable

The proposed Online Privacy Bill, which is currently open for review before its final submission to the Attorney General in January 2022, has four main objectives.

Firstly, it recommends the creation of a binding online privacy (OP) code that will determine which social media and online platforms will need to comply with the legislation and how they will be expected to implement it.

Prior to the introduction of this bill, a company could only be subject to the Privacy Act if it collected or held personal data from sources inside Australia.

With the new reforms, however, any overseas entity that conducts business in Australia will be held accountable and heavily penalised for breaching user privacy.

Both the GDPR and the CCPA take a similar tack to defining the scope of their regulations, in that they apply to any organisation that does business in or interacts with users who are based in their respective regions (again, subject to certain criteria).

Companies will face fines of up to $10m for privacy breaches

For too long, Big Tech companies have enjoyed fairly lax penalties (if any at all) for breaching user privacy, and even more so in Australia where the Privacy Act has not been brought up to date to regulate modern and emerging technologies.

With the new reforms, however, privacy regulators will have greater powers to enforce the laws with even tougher punishments for repeated violators of the Act.

According to the draft bill, penalty fines will be calculated as three times the value of the benefits that the company would have derived from their conduct, or 10% of their domestic annual turnover (whichever works out to be greater).

The GDPR similarly doles out its financial penalties in this way, ensuring the severity of the fine matches the nature of a company’s conduct and their size as an organisation.

Social media platforms will be required to verify users’ ages and secure parental consent

As added protections for young users, social media companies that operate in Australia will need to take reasonable steps to verify their users’ age and secure parental consent for users aged under 16.

Companies will also need to give primary consideration to the best interests of children who use their platforms, such as making sure their privacy policy is clearly communicated and understood and that increased data privacy protections and safety measures are in place.

The CCPA has similar conditions for companies that handle children’s personal information, with some slight differences.

For example, children aged between 13 and 16 can “opt in” to the sale (or sharing) of their personal information; however, only children aged under 13 will need the consent of a parent or guardian to do so.

The intent behind this mandate isn’t just to protect younger users’ safety when using certain platforms, but also to help restrict access to explicit or potentially harmful online material, such as online pornography or bullying.

Companies must cease disclosing personal information, if requested by users

Another key issue that the reforms target is how large data broker companies collect and sell people’s personal information to third party advertising networks.

To give Australians more control over their privacy and overall experience online, the bill will enable users to request that their personal information not be shared or used for direct marketing purposes.

Both the GDPR and CCPA have similar “rights” for users, such as the former’s ‘Right to Object’ and the CCPA’s ‘Right to Opt Out’ of the sale of their personal information.

While the new privacy laws are still under review, with some lingering questions on their effectiveness and actionability, they are a long-awaited step in the right direction from the Australian government, which is still playing catch-up with other sweeping online privacy reforms around the world.

Get started with our Australian privacy policy generator

Don’t have a privacy policy yet? Save yourself the time and trouble of writing your own policy from scratch with our privacy policy generator for Australian websites.
