Lawpath Blog
How Does the GDPR Differ From Australian Privacy Law?

Understanding the differences between GDPR and Australian Privacy Law is important for Australian businesses. Read about them here.

17th October 2019
Reading Time: 5 minutes

The Australian Privacy Principles (APPs), which form part of the Privacy Act 1988 (Cth) (‘Privacy Act’), regulate how personal information can be collected and used within Australia. Similarly, the European Union’s (EU) General Data Protection Regulation (GDPR) was introduced for the same reason, but within the EU. The GDPR principles will affect many Australian businesses, especially those that are internationally focused. Therefore, it is important that you understand the differences between the GDPR and Australian privacy law, as you may unintentionally contravene some of the principles. This article outlines the differences between the two laws, so that you can ensure you are in compliance with them.

Application of GDPR and APPs to businesses

The GDPR applies to data processing activities of businesses that are ‘data processors’ or ‘controllers’:

  • With an establishment in the EU; or
  • Outside the EU, that offer goods and/or services to individuals in the EU or monitor the behaviour of individuals in the EU

According to Article 4 of the GDPR, a ‘controller’ determines how and why personal data is processed, and a ‘processor’ processes data on behalf of the controller. Simply put, a data processor (or controller) is a business that decides to collect information, or handles it for someone who does, and has a connection to the EU.

Some examples of Australian businesses that may be covered include:

  • Australian businesses with an office in the EU
  • Some Australian businesses whose website is available worldwide and uses cookies or other data processing techniques

Australian Privacy Act

The APPs in schedule 1 of the Privacy Act apply to:

  • Australian Government agencies;
  • all private sector and not-for-profit organisations with an annual revenue of more than $3 million;
  • health service providers; and
  • some small businesses

It is important that you understand whether your business needs to comply with the GDPR, because sometimes, a small business that may not need to comply with APPs may still need to adhere to the GDPR.

The Types of Regulated Information

The GDPR applies to ‘personal data’, which means ‘any information relating to an identified or identifiable natural person’. Some examples of ‘personal data’ include a name, location data, and any factors specific to that natural person.

Under the Privacy Act, businesses or organisations that collect ‘personal information’ are subject to the APPs and regulations. This has been defined to mean ‘information or opinion about an identified individual, or an individual who is reasonably identifiable’.

While the two terms appear similar, they have been interpreted quite differently. Under the GDPR, ‘personal data’ has been broadly interpreted to include other types of information that may not be regulated under Australian law, such as tracking cookies.

Consent
There are slight differences in the way consent for the collection of personal data/or information can be given under the GDPR and APPs. It is important that you understand what these differences are, so that you know whether you have or have not validly gained the consent of others to collect such information in the running of your business.


Article 4(11) of the GDPR states ‘consent’ must be:

  • freely given
  • specific
  • informed
  • an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing

Thus, businesses (data processors or controllers) need to be able to demonstrate that the person has consented to the collection of their personal data. Requests for a person’s consent via a written document must also be easily accessible by that person and written in clear and plain language.


In Australia, consent to the collection of personal information can be either express consent or implied consent. The GDPR differs in that it does not distinguish between express and implied consent. Furthermore, the GDPR requires businesses to clearly demonstrate that consent has been given by the person. Therefore, Australian businesses covered by the GDPR may want to standardise their consent processes to ensure consistent privacy practices.

New Requirements in the GDPR

The APPs do not reflect the new rights for individuals under the GDPR. These include the right to:

  • the erasure of personal data
  • object at any time to the processing of an individual’s personal data
  • data portability

Erasure of Personal Data

Under the erasure right, a person can ask a business to erase their personal data in certain situations where:

  • The information is no longer needed for the purpose it was originally collected for; or
  • The individual withdraws their consent

Objecting to the Processing of Collected Data

A person is able to object at any time to the processing of their personal data. Note that this right applies to only certain types of processing, such as where the reason for processing is for legitimate business interests or direct marketing.

Data Portability

A person can ask a business for the personal data it holds about them in a structured, commonly used, machine-readable format. This right also allows a person to transmit that data to another business.

Comparison with APPs

There appear to be no equivalent rights under the Privacy Act. However, businesses have to take reasonable steps to destroy or de-identify personal information where it is no longer needed for a specific purpose. The APPs also give a person the right to request access to and correction of their personal information. If the business does provide the person with access to their personal information, then the information must be given in the manner requested by them.

Data Breach Notifications

The GDPR provides a time frame for when breaches should be notified to authorities. Data breaches that will likely result in a high risk to the rights and freedoms of the individual should be notified within 72 hours of becoming aware of the breach, to:

  • the affected individual; and
  • the relevant supervisory authorities in the country of the affected person

By contrast, the APPs require APP entities to notify the Australian Information Commissioner of all eligible data breaches as soon as practicable after becoming aware of them. Here, an eligible data breach is a breach likely to result in serious harm to a person to whom the information relates.

Conclusion

There are many commonalities between the GDPR and APPs, including the adoption of transparent information handling procedures. However, there are also notable differences between the two data protection regulations, in particular the newly introduced rights for individuals under the GDPR, which are not accurately reflected in the APPs. Australian businesses should understand these rights for individuals, as failing to honour them is often the reason for a business’s breach. Therefore, businesses should first determine whether they will need to comply with the GDPR. If they do, then they will need to change how they deal with data. The best way to do this is to ensure that you have a comprehensive privacy policy in place for your business. For any uncertainties on whether your business will need to comply or is compliant with the GDPR, it is best to contact a privacy lawyer.

Don’t know where to start? Contact us on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest lawyer marketplace.

Lola Chang

Lola is a Legal Tech Intern at Lawpath as part of the Content Team. She is in her final year of a Bachelor of Laws and Bachelor of International Studies (Major in China) at the University of Technology Sydney. She is interested in understanding the future of law and innovations in the legal industry.