Australia

Substantial

Privacy Act 1988 (as amended)

Authority: Office of the Australian Information Commissioner (OAIC) | Enforcement: Active | Enacted: December 1988

Overview

Australia's Privacy Act 1988, built around 13 Australian Privacy Principles (APPs), is undergoing its most significant reform since enactment. The 2023-2025 reform process is introducing a right to erasure, a children's privacy code, and enhanced enforcement powers. The Notifiable Data Breaches scheme (2018) is well-established.

14-Topic Coverage

Data Protection Authority

Fully Addressed

OAIC led by the Australian Information Commissioner. Powers include investigations, determinations, enforceable undertakings, and civil penalty proceedings.

Privacy Act Part V, Australian Information Commissioner Act 2010

Data Subject Rights

Partially Addressed

Rights to access and correction. No current right to erasure (reform underway). No data portability right yet. Right to complain to OAIC.

APPs 12-13

Cross-Border Transfer

Fully Addressed

APP 8 requires reasonable steps to ensure that the overseas recipient complies with the APPs. The transferor remains liable for the overseas recipient's breaches.

APP 8

Breach Notification

Fully Addressed

Notifiable Data Breaches (NDB) scheme since 2018. Must notify OAIC and affected individuals of eligible data breaches likely to cause serious harm.

Privacy Act Part IIIC

DPO Requirements

Not Addressed

No mandatory DPO. However, APP entities must take reasonable steps to implement practices, procedures, and systems for compliance.

APP 1

Children's Data

Partially Addressed

No specific age threshold in current law. Children's Privacy Code being developed as part of reforms. Age verification and parental consent mechanisms expected.

Privacy Act reform proposals

Penalties & Enforcement

Fully Addressed

Substantially increased in 2022: up to AUD 50 million, 30% of turnover, or 3x benefit obtained. Previously capped at AUD 2.1 million. Active enforcement post-Optus and Medibank breaches.

Privacy Act Section 13G

Sector-Specific Rules

Fully Addressed

My Health Records Act for health data, Consumer Data Right (CDR) for banking/energy, Telecommunications Act for metadata retention, Credit Reporting Code.

My Health Records Act, CDR, Telecommunications Act

AI & Automated Decisions

Partially Addressed

Voluntary AI Ethics Framework (8 principles). No specific legislation yet. Privacy Act reform may introduce rights regarding automated decisions.

Australia AI Ethics Framework 2019

Data Localisation

Not Addressed

No general data localisation requirement. Government data may be subject to hosting requirements under the Hosting Certification Framework.

Hosting Certification Framework

Significant Data Fiduciary

Not Addressed

No direct equivalent. Privacy Act applies based on annual turnover threshold (AUD 3 million) with exemptions for small business.

Privacy Act Section 6D

Government Data

Fully Addressed

APPs apply to Australian Government agencies. Freedom of Information Act provides access rights. National security agencies have some exemptions.

Privacy Act, FOI Act 1982

Key Statistics

Maximum Penalty: AUD 50 million or 30% of turnover or 3x benefit
Authority: OAIC

Coverage Summary

Fully Addressed: 7/14
Partially Addressed: 3/14
Not Addressed: 4/14
Pending: 0/14
