The privacy principles enshrined in the Australia Privacy Act provide for robust protection of consumer information. The following are the eight consumer rights provided under the Australia Privacy Act of 1988:
- Know why their personal information is being collected, how it will be used and who it will be disclosed to;
- Have the option of not identifying oneself, or of using a pseudonym in certain circumstances;
- Ask for access to their personal information;
- Stop receiving unwanted direct marketing;
- Ask for their personal information that is incorrect to be corrected;
- Make a complaint about an organization or agency the Privacy Act covers, if the consumer thinks that the organization or governmental agency mishandled the consumer’s personal information, and
- Be notified, in certain cases, of a data breach that is likely to result in serious harm to affected individuals.
Collection of Personal Information
The Australia Privacy Act does not provide a definition for personal information. Rather, it notes that the concept of what personal information means will vary. Generally, information will be considered personal information if it can identify, or can reasonably identify, an individual. The Office of the Australian Information Commissioner’s (OAIC’s) website includes a non-exhaustive list of some examples that may qualify as personal information:
- An individual’s name, signature, address, phone number or date of birth
- Sensitive information, which includes an individual’s:
  - Racial or ethnic origin
  - Political opinions or associations
  - Religious or philosophical beliefs
  - Trade union membership or associations
  - Sexual orientation or practices
  - Criminal record
  - Health or genetic information
  - Some aspects of biometric information
- Credit information
- Employee record information
- Internet protocol (IP) addresses
- Voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique)
- Location information from a mobile device (because it can reveal user activity patterns and habits).
Integrity and correction of personal information
Consumers have the right to ask an organization or governmental agency that holds information about them to correct it where it is inaccurate, out of date, incomplete, irrelevant, or misleading. To do this, consumers should first request access to their personal information from the organization or governmental agency. Only the consumer, or a legal guardian or authorized agent, can request that the information be corrected. The organization or governmental agency then has 30 days to respond to the consumer’s request. If the organization or governmental agency refuses to honor the consumer’s request, it must notify the consumer in writing of the reasons for refusing to correct the consumer’s personal information. That written notice must also state that the consumer has the right to request that a statement be associated with their personal information, and must explain how the consumer can file a complaint with the OAIC.
Consent to the handling of personal information
The Privacy Act recognizes two types of consent when handling personal information: express and implied. This is an important distinction from the General Data Protection Regulation (GDPR), which only recognizes express consent. Under the GDPR, consent from the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” On the other hand, an organization or governmental agency under the Australia Privacy Act does not need a consumer’s express consent to handle their non-sensitive personal information so long as it reasonably believes that the consumer has impliedly given consent. For example, an organization or governmental agency can alert a consumer, in writing, that it will disclose the individual’s information for another purpose unless that individual opts out within thirty days. If the consumer does not respond within those thirty days, the organization or governmental agency may assume the consumer has impliedly consented to the disclosure. While consumers in Australia could impliedly consent to a business operating in Australia, such consent would not be valid if that business was also operating in the European Economic Area (EEA). It is important that businesses operating in both jurisdictions standardize their consent collection processes to ensure consumers’ rights are being upheld.
However, consumer consent must be informed, voluntary, current, and specific. Consumers have the right to withdraw their consent at any time. Once a consumer withdraws consent, an organization or governmental agency cannot rely on past consent for any future use or disclosure of their personal information.
Changes to Australia privacy laws on the horizon
I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.