
Revamped Australian Privacy Legislation

Australian Privacy Laws Will Be Enacted on March 12, 2014: The Privacy Amendment (Strengthening Privacy Protection) Act introduces a collection of thirteen Australian Privacy Principles (APPs). This legislation merges the old Information Privacy Principles, specific to government, and the...


In a significant move to modernize privacy laws, the Australian Privacy Principles (APPs) have been updated, with enhanced details on cross-border disclosures, de-identification, sensitive information protection, security measures, direct marketing, and compliance with cloud computing policies.

The updated APPs, part of ongoing reforms, were enacted in December 2024, but many detailed updates are still pending implementation or under consultation.

One of the key changes involves cross-border disclosures. The APPs already required protection for personal and de-identified information when disclosed overseas. The updated reforms aim to strengthen these obligations, ensuring that overseas recipients provide adequate protection and that de-identified data is not re-identified except in limited circumstances.

De-identified information enjoys specific protections, including security obligations and restrictions on re-identification. The government has indicated it does not intend to make major changes to these protections, but the Privacy and Responsible Information Sharing Act (PRIS Act) reinforces these requirements.

The APPs also place a greater emphasis on protecting sensitive information. While no new explicit APP amendments were detailed in the recent tranche, the government is working towards reforms that expand the definition of personal information (which includes sensitive information), introduce fair and reasonable use tests, and increase accountability for handling such data.

Security measures are another focus area, with the Office of the Australian Information Commissioner (OAIC) emphasizing efforts against excessive collection and retention, data breaches, and ensuring responsible use. This implies strengthened enforcement of security obligations under the APPs with increased penalties and monitoring.

Direct marketing practices fall under the general use and disclosure principles of the APPs. The PRIS Act clarifies that direct marketing remains regulated under existing principles without additional standalone provisions.

Compliance with APPs in cloud computing contexts is also a priority, given the OAIC’s regulatory priorities on data security, cross-border disclosures, and accountability. This means businesses must continue assessing cloud service providers for privacy risks, ensuring contractual controls, and safeguarding information as part of the ongoing duty of care and best-interest obligations being introduced.

In summary, Australia’s APP reforms emphasize a shift towards an outcomes-based approach, incorporating duties of care and best-interest obligations that go beyond strict box-ticking compliance. Many specific details, especially relating to second tranche amendments like expanded definitions, new retention limits, and comprehensive use controls, are still awaiting legislation or further consultation.

Businesses should monitor ongoing legislative developments post-December 2024 and prepare to implement higher standards for transparency, security, cross-border protections, and responsible data use in line with the new expectations of the OAIC.

Meanwhile, in the United States, if approved by Governor Greg Abbott, Texas will become the 10th state to have comprehensive privacy legislation. The Texas Data Privacy and Security Act, modelled after the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), grants consumers the right to know what personal data is being collected, the right to access their personal data, the right to correct inaccuracies, the right to delete personal data, and the right to opt out of the sale of their personal data.

Businesses that violate the Texas Data Privacy and Security Act may face penalties, including fines and lawsuits. The Act applies to businesses that collect, process, or sell personal data of Texas residents, regardless of where the business is located. HB 4, which includes provisions for consumer rights, data collection, data processing, data security, and data breach notification, has been passed by the Texas Legislature.

In the business realm, both Australia and the United States are grappling with updated privacy laws to strengthen protection for personal and sensitive information. Specifically, the updated Australian Privacy Principles (APPs) aim to improve cross-border disclosures and security measures, while the Texas Data Privacy and Security Act, if approved, would grant Texan consumers the right to know, access, correct, delete, and opt out of the sale of their personal data.

Businesses in both countries should heed these changes and take measures to ensure compliance with the increasing privacy requirements, as non-compliance can lead to penalties and lawsuits.
