Australia’s Privacy Act 1988

What U.S. Businesses Need to Know

Introduction: Why Australian Privacy Law Matters to U.S. Companies

Australia’s Privacy Act 1988 (Cth) is the cornerstone of the country’s federal privacy and data protection framework. Enacted more than three decades ago, the Act has evolved significantly through amendments responding to digital technologies, cross‑border data flows, and increasingly serious cyber incidents. Today, it regulates how personal information about individuals is collected, used, disclosed, stored, and secured across both the public and private sectors in Australia.

For U.S. businesses, the Privacy Act is not limited to Australian‑incorporated entities. Legislative amendments have substantially expanded its extraterritorial reach, and foreign organisations that “carry on business in Australia” may be subject to Australian privacy obligations even if personal information is collected or stored entirely outside Australia. As a result, U.S. companies offering digital services, online platforms, software, financial products, or other cross‑border offerings that target or serve Australian individuals increasingly fall within scope.

This page outlines what U.S. businesses need to understand about the Australian Privacy Act: who it applies to, how “personal information” is defined, the core obligations imposed by the Australian Privacy Principles (APPs), cross‑border disclosure rules, data breach notification duties, enforcement risk, and how Australian privacy law compares in structure to other global regimes such as the GDPR.

Overview of the Privacy Act 1988

The Privacy Act 1988 is the primary federal statute regulating the handling of personal information in Australia. It applies to Australian Government agencies and to many private sector organisations, collectively known as APP entities. These entities are required to comply with a principles‑based privacy framework set out in the 13 Australian Privacy Principles, which govern the full lifecycle of personal information handling.

The Act is administered and enforced by the Office of the Australian Information Commissioner (OAIC), an independent regulator with powers to investigate complaints, conduct audits and assessments, and bring civil penalty proceedings in serious cases. The Privacy Act also contains specialist regimes governing credit reporting, tax file numbers, and certain health‑related and research‑related activities, but the APP framework is the central compliance reference point for most businesses.

Over time, the Privacy Act has been amended to respond to data breaches and public concern about organisational accountability. Notably, reforms in 2022 significantly increased available penalties and expanded extraterritorial coverage, reflecting Australia’s intent to hold both domestic and overseas organisations accountable for privacy failures involving Australians’ data.

Who Must Comply: APP Entities and Coverage Thresholds

Unlike regimes that apply universally, the Privacy Act applies only to entities that meet the statutory definition of an APP entity. These include:

  • All Australian Government agencies.
  • Private sector organisations with annual turnover exceeding AUD 3 million.
  • Certain entities regardless of turnover, including health service providers, credit reporting bodies, credit providers, and organisations that trade in personal information.
  • Entities that have voluntarily opted in to Privacy Act coverage.

Many smaller Australian businesses fall outside the Act due to the “small business exemption,” although this exemption has been criticised and is under active review. From a U.S. perspective, the exemption is often irrelevant: foreign organisations may be subject to the Act even if they have no physical Australian presence and no Australian subsidiary.

What matters instead is whether a foreign organisation has an “Australian link.” Legislative amendments in December 2022 broadened this concept significantly by removing the requirement that a foreign entity collect or hold personal information in Australia. Today, a foreign organisation generally has an Australian link if it carries on business in Australia, even if all personal information is collected or processed offshore.

Extraterritorial Application and “Carrying on Business in Australia”

For U.S. companies, the extraterritorial application of the Privacy Act is one of the most important and frequently misunderstood aspects of Australian privacy law.

Historically, foreign organisations were subject to the Act only if they both carried on business in Australia and collected or held personal information in Australia. The 2022 amendments removed the second limb, meaning that carrying on business in Australia alone is now sufficient to trigger the Act’s application.

The Privacy Act does not define “carrying on business,” but regulators and courts have interpreted the concept broadly. Relevant indicators may include offering goods or services to Australian customers through a website, targeting Australian users, having Australian‑based clients, using Australian‑facing marketing, or otherwise monetising engagement with Australian individuals. As a result, many U.S. technology companies, software providers, and digital platforms may be subject to the Act even in the absence of an Australian office or employees.

For U.S. businesses accustomed to GDPR‑style extraterritorial rules, this approach will feel familiar in principle, though the statutory mechanics differ.

What Is “Personal Information” Under Australian Law?

The Privacy Act defines personal information broadly as any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in material form. This definition is intentionally expansive and captures traditional identifiers as well as digital and inferred data.

Examples include names, contact details, photographs, online identifiers, IP addresses, location data, and behavioural information collected through analytics or tracking technologies. Opinions about an individual may also constitute personal information, even if those opinions are subjective or inaccurate.

A subset of personal information is classified as sensitive information, which includes health information, biometric information, genetic data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal history. Sensitive information is subject to heightened protection and generally may be collected only with consent and where reasonably necessary for an organisation’s functions or activities.

The Australian Privacy Principles: Core Compliance Obligations

The operational heart of the Privacy Act lies in the 13 Australian Privacy Principles (APPs). These principles apply to most APP entities and regulate governance, collection, use, disclosure, security, and individual rights relating to personal information.

The APPs are deliberately principles‑based and technology‑neutral, allowing flexibility in how organisations design compliance programs. At a high level, they fall into four thematic areas:

  1. Governance and transparency, including the requirement to maintain a clear and up‑to‑date privacy policy and to manage personal information openly (APP 1).
  2. Collection and use limitations, regulating how and when personal information may be collected, used, or disclosed (APPs 3–7).
  3. Integrity and security, requiring organisations to ensure information quality, protect personal information, and dispose of it securely when no longer needed (APPs 10–11).
  4. Individual access and correction rights, granting individuals the ability to access and correct their personal information (APPs 12–13).

Non‑compliance with any APP constitutes an “interference with the privacy of an individual” and may give rise to regulatory action.

Collection, Use, and Disclosure of Personal Information

Under the Privacy Act, organisations must collect personal information only where it is reasonably necessary for their functions or activities. Collection must generally be lawful and fair, and individuals must be notified of the collection and relevant details, such as the purposes of collection and how the information may be used or disclosed.

Use and disclosure of personal information are primarily governed by APP 6, which limits use or disclosure to the primary purpose for which the information was collected, unless an exception applies. Exceptions include situations where the individual has consented, where the secondary purpose is related and reasonably expected, or where disclosure is required or authorised by law.

For U.S. companies, these purpose‑limitation concepts may require careful alignment with internal data reuse practices, particularly where data collected for product or service delivery is later reused for analytics, product improvement, or marketing.

Cross‑Border Disclosure of Personal Information

Australia has taken a distinctive approach to international data flows. Rather than prohibiting cross‑border transfers, the Privacy Act imposes accountability‑based obligations on organisations that disclose personal information overseas.

Under APP 8, before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. If the overseas recipient mishandles the information in a way that would breach the APPs, the Australian entity may be held accountable for that conduct.

There are exceptions to this requirement, including where the individual has expressly consented or where the disclosure is required or authorised by law. Nevertheless, the accountability framework means that U.S. headquarters, cloud providers, and vendors receiving Australian personal information may indirectly subject Australian entities—and their foreign affiliates—to compliance risk.

Data Security and Retention Obligations

APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. What constitutes “reasonable steps” depends on multiple factors, including the nature and sensitivity of the information and the organisation’s size and resources.

APP 11 also requires organisations to destroy or de‑identify personal information when it is no longer needed for any purpose for which it may lawfully be used or disclosed. For U.S. businesses accustomed to indefinite data retention practices, this requirement emphasises the need for defensible retention policies and disposal processes.

Individual Rights: Access and Correction

The Privacy Act grants individuals enforceable rights to access their personal information and to request correction where information is inaccurate, out‑of‑date, incomplete, irrelevant, or misleading. Organisations must respond to access and correction requests within a reasonable period and may refuse access only on limited statutory grounds.

Unlike some other regimes, the Privacy Act does not provide an express right to erasure in all circumstances, but access and correction rights remain a central feature of Australian privacy compliance.

The Notifiable Data Breaches Scheme

In 2018, Australia introduced the Notifiable Data Breaches (NDB) scheme, now a permanent part of the Privacy Act. Under the scheme, APP entities must notify affected individuals and the OAIC when they experience an eligible data breach—that is, a data breach likely to result in serious harm to individuals, and where remedial action cannot prevent that risk.

Entities must carry out an assessment of a suspected breach within 30 days and notify “as soon as practicable” once an eligible breach is identified. For U.S. businesses operating in multiple jurisdictions, the NDB scheme adds another layer to global incident response planning and reporting obligations.

Enforcement, Remedies, and Penalties

The OAIC has broad enforcement powers, including the ability to investigate complaints, initiate own‑motion investigations, and seek civil penalties through the Federal Court. Amendments in 2022 significantly increased maximum penalties for serious or repeated interferences with privacy, reflecting heightened regulatory and public expectations following major breaches in Australia.

In addition to regulatory action, individuals may seek remedies in certain circumstances, and reputational damage following privacy failures has proven significant in the Australian market.

Practical Compliance Considerations for U.S. Businesses

For U.S. businesses, Australian privacy compliance often begins with a threshold assessment: determining whether activities amount to carrying on business in Australia and therefore create an Australian link. Where the Act applies, organisations should map Australian data flows, review privacy notices and consent mechanisms, assess cross‑border disclosures, and integrate Australian breach notification rules into global incident response plans.

Companies with existing GDPR or global privacy frameworks will find conceptual similarities but should not assume automatic compliance. Australian law uses different structuring mechanisms, accountability models, and exemptions that warrant jurisdiction‑specific analysis.

How Our Firm Assists

Our firm advises U.S. and multinational organisations on compliance with the Australian Privacy Act, including applicability assessments, APP compliance frameworks, cross‑border disclosure structuring, and incident response obligations. We help clients align Australian requirements with existing U.S. and international privacy programs while addressing local enforcement expectations.

If your organisation collects or processes personal information relating to Australian individuals, we can assist in developing a practical and defensible Australian privacy compliance strategy.