Breadcrumb

Australian data protection laws explained

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedAug 20202 min read

As a business owner, it’s important to have a strong understanding of your rights and responsibilities when it comes to data protection. The penalties for regulatory breaches can be significant, including but not limited to severe fines, and as Australia’s data protection laws are changing all the time, you need to stay abreast of the latest developments. In fact, the latest iteration of data privacy in Australia, the Consumer Data Right (CDR), came into force in early 2020. Find out everything you need to know about Australian data privacy laws with our handy guide.

Understanding Australian data privacy laws

The Privacy Act of 1988, with addenda added via the Privacy Regulation 2013 and the Privacy Amendment (Notifiable Data Breaches) Act 2017, is the main legislation governing data privacy in Australia. The Privacy Act has 13 principles – referred to as the Australian Privacy Principle (APPs) – that provide a series of rules around data protection, direct marketing, and transparency. In short, the Data Protection Act provides consumers with the following rights:

The right to know why their personal information is being collected, who it’s going to be disclosed to, and how it’s going to be used.
The right to stop receiving direct marketing.
The right to ask for incorrect personal information to be corrected.
The right to make complaints about organisations or agencies covered by the Privacy Act that have mishandled their personal information.
The right to ask for access to their personal data.
The right to not be identified or to use a pseudonym in specific circumstances.

The Data Protection Act in Australia applies to government agencies, as well as organisations with an annual turnover of more than $3 million. However, it also covers certain small businesses, including public sector health service providers, credit reporting bodies, and businesses that sell/purchase personal information. Furthermore, businesses can opt into the Privacy Act if they so choose.

It’s important to note that APPs only require the “implied” or “express” right to use, collect, or share personal data. This is in stark contrast to data protection regulations in other parts of the world, such as GDPR, which requires “express” consent. In addition, you should remember that Australia data protection laws don’t provide the “right to be forgotten” as is ensured by GDPR.

Recently, new data protection laws in Australia came into force – the Consumer Data Right (CDR) – granting consumers even more control of their data. Now, let’s explore this recent Australian data protection law in a little more detail.

What is the Consumer Data Right (CDR)?

The Consumer Data Right was introduced in February 2020. It’s intended to provide consumers with greater control over the usage of their data, including the ability to share their data securely with third parties. Put simply, the CDR aims to help consumers monitor their utilities, finances, and other services, giving them the ability to switch between different providers more easily. The system is also intended to foster greater competition between service providers.

Eventually, the Australian government plans for the CDR to be an economy-wide right. Initially, however, it will be rolled out across the banking sector (from July 2020) – referred to as Open Banking (OB) – before it’s introduced to other sectors of the economy, including telecommunications and energy. The CDR system will be implemented by the ACCC and only ACCC-accredited businesses will be able to provide services via the CDR system.

So, what does CDR mean for data privacy in Australia? Essentially, consumer data will only be shared within the CDR system if they have provided consent, and only with their chosen providers. Consumers will have full control over what data is transferred, as well as what that data can be used for. In addition, consumers will be able to stop the collection of their data at any time, and they can ask for their data to be deleted if it is no longer needed.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

Australian data protection laws explained

Understanding Australian data privacy laws

What is the Consumer Data Right (CDR)?

We can help

Over 85,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.