The Federal Parliament passed major changes to Australian privacy law on 28 November 2012. The regime affects every business that collects “Personal Information”, which is defined by the Privacy Act 1988 (Cth) as any information that identifies a person or could be used to identify a person (‘Personal Information’). It is highly likely that your business is collecting such information.

The changes to the law will come into force in March 2014. This article will cover the most important changes.


The new laws grant the Privacy Commissioner major new powers to take the initiative with investigations and audits to ensure compliance with privacy law. The Commissioner’s new powers are bolstered by the ability to impose fines of up to $1.1 million on corporations that do not comply with the law.


When the new laws come into force, the “Australian Privacy Principles” (‘APPs‘) will replace the current “National Privacy Principles”. The APPs will bring into force a number of new principles, the most important of which are summarised below.

1 – Open and Transparent Management of Personal Information

In most cases, businesses will need to publish a privacy policy on their website. The Principle is very prescriptive about which matters should be covered by the privacy policy.

4 – Unsolicited Personal Information

If a business receives Personal Information that it does not solicit, it has a reasonable period to decide if it could have collected that information on its own behalf under the APPs. If the business decides that it could not have collected the information itself, it must make the information anonymous or destroy it.

5 – Notification of Collecting Personal Information

When a business collects Personal Information, it must notify the person of, amongst other things, the identity of the entity collecting the information and whether or not the information is likely to be disclosed to overseas recipients.

8 – Cross Border Disclosure of Personal Information

This principle increases the responsibility of any business storing data offshore. If an Australian business discloses Personal Information to a foreign entity, and that foreign entity breaches the Australian Privacy Principles in respect of that Personal Information, the Australian business will be treated as if it has breached the law itself. It is possible to gain consent from individuals to avoid this liability, but the threshold for consent is much higher than under current law.


Sit tight for now. The principles are untested, and many of them are open to a wide range of interpretations. The new law does not come into force until March 2014, and in the interim, the Office of the Australian Information Commissioner has announced that it will “help businesses and government agencies by releasing guidance materials, including guidelines on the application of the new APPs and how they will apply to everyday situations.” We will keep you updated as we get a clearer idea on how the APPs will be applied to the real world.

Like our technology articles?  Checkout our blog at