
Australian Privacy Compliance for Global Businesses
The Australian Privacy Principles govern how Australian and international organizations handle personal information - with recent reforms dramatically increasing penalties and expanding regulatory powers.
Why Australian Privacy Compliance Is Increasingly Critical
The Australian Privacy Act 1988 and its 13 Australian Privacy Principles (APPs) govern the collection, use, disclosure, and storage of personal information by Australian Government agencies and by private sector organizations with annual turnover exceeding $3 million. Certain smaller businesses are also covered regardless of turnover, including private sector health service providers and businesses that trade in personal information. The APPs cover the full personal information lifecycle - from collection notice requirements through to retention and destruction obligations and cross-border disclosure rules.
Australia's Privacy Act has undergone significant reform. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 increased the maximum civil penalty for bodies corporate from $2.22 million to the greater of $50 million, three times the value of the benefit obtained from the conduct, or (where that benefit cannot be determined) 30% of adjusted turnover in the relevant period, for serious or repeated interferences with privacy. The Notifiable Data Breaches (NDB) scheme requires mandatory notification to the OAIC and affected individuals for eligible data breaches - unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual and that the entity has not been able to prevent through remedial action.
International organizations are frequently caught off guard by Australian privacy obligations. The Privacy Act applies extraterritorially to organizations with an "Australian link", which includes any organization that carries on business in Australia - including US and EU companies with Australian customers, employees, or operations. The 2022 reforms removed the former requirement that the organization also collect or hold the personal information in Australia, so offshore processing of Australian customers' data no longer takes an organization out of scope. Dark Rock's privacy team structures Australian Privacy Act compliance programs for multinational organizations, leveraging synergies with GDPR and CCPA programs where applicable.
Our Approach
Applicability & Scope Analysis
We determine whether the Australian Privacy Act applies to your organization (including extraterritorial application analysis), identify which entity types and data categories are in scope, and assess any industry-specific obligations (health information, credit reporting, tax file numbers, etc.) that layer on top of the general APPs.
APP Gap Assessment
We assess your organization's practices against all 13 APPs: open and transparent management (APP 1), anonymity and pseudonymity options (APP 2), collection of solicited personal information (APP 3), handling of unsolicited personal information (APP 4), notice requirements (APP 5), use and disclosure limits (APP 6), direct marketing (APP 7), cross-border disclosures (APP 8), government related identifiers (APP 9), data quality (APP 10), security, retention and destruction (APP 11), access rights (APP 12), and correction rights (APP 13).
Program Implementation
We implement the required privacy program elements: Privacy Policy update per APP 1 requirements, collection notices per APP 5, consent mechanisms for the collection of sensitive information under APP 3, cross-border transfer due diligence and contractual protections under APP 8 (including the steps needed to show the overseas recipient is bound to APP-equivalent handling), Notifiable Data Breach assessment and notification procedures, data retention and destruction schedules under APP 11, and access and correction request handling workflows under APPs 12 and 13.
NDB Readiness & Ongoing Compliance
Under the Notifiable Data Breaches scheme, an entity that suspects an eligible data breach must carry out a reasonable and expeditious assessment within 30 days of becoming aware of the grounds for suspicion, and must notify the OAIC and affected individuals as soon as practicable once it concludes the breach is eligible. We build your NDB response plan, establish breach notification procedures and templates for OAIC and individual notifications, and implement ongoing privacy governance including staff training and annual privacy policy reviews.
What You Get
- Privacy Act applicability analysis and entity scope determination
- Personal information inventory and data flow mapping
- Gap assessment against all 13 Australian Privacy Principles
- Privacy Policy update compliant with APP 1 transparency requirements
- Collection notice templates per APP 5
- Cross-border disclosure assessment and APP 8 contractual safeguards
- Notifiable Data Breach response plan and notification templates
- Individual access and correction request handling procedures
- Privacy governance framework with staff training program
$50M
Maximum civil penalty for serious or repeated privacy interferences under Australia's strengthened enforcement regime - up from $2.22M before 2022 reforms.
