Australian businesses will more often than not need to have a privacy policy on their website. In some circumstances, however, that privacy policy will also need to comply with the General Data Protection Regulation (GDPR). The GDPR is a set of regulations protecting individuals in the EU, whereas the Privacy Act (1988) protects individuals inside Australia.
In this article, we’ll outline the differences between GDPR and Australian privacy policies.
GDPR Privacy Policy
The GDPR requires that all businesses operating in the EU have a privacy policy on their website. This policy informs your users how you will handle their data. Further, some key provisions in the GDPR are:
- Personal data is defined as data that relates to the identification of a person in the EU
- Your privacy policy must be in clear and accessible language
- You must advise users how you will process their data
- You also need to inform users of their rights. These include the rights to be informed, of access, to rectification, to erasure, to restriction of processing, to data portability and to object
Australian businesses will need to have a GDPR privacy policy on their website if they:
- Have operations in the EU
- Service customers who are citizens of EU countries
Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) regulates the handling of information by government agencies and by businesses that have a turnover of more than $3 million per year. Its privacy requirements are based on the 13 Australian Privacy Principles (APPs), which deal with the collection and handling of personal information.
Section 6 of the Privacy Act 1988 (Cth) defines personal information as being:
- Information or an opinion that relates to an identifiable or reasonably identifiable person
In Australia, an individual's consent to the processing of their information can be either implied or express.
Australian Privacy Law v GDPR
Australian privacy law and the GDPR cover a similar scope, but differ in their requirements. All EU businesses are required to have a GDPR-compliant privacy policy, whereas not all Australian businesses are covered by the Privacy Act. If your business does not have operations in the EU and does not provide goods or services to individuals in the EU, your privacy policy will not need to be GDPR compliant.
It’s important to ensure that you comply with the privacy laws that apply to your business, as heavy fines can apply for non-compliance. If you’re unsure which type of policy you should have on your website, it may be wise to contact a privacy lawyer.