Individual privacy is valued as a right in many countries around the world, and protection of privacy has become a vital concern for regulators. Yet different jurisdictions regulate these issues in different ways, making it both confusing for individuals and challenging for cross-border businesses. In our latest article, we hover above the tangled web of regulations in key international jurisdictions, and take a helicopter view of similarities and differences, and consider what this might mean for the development of Australian law.
Headlined by the Optus data breach in September 2022, some of Australia’s largest and most trusted companies have been recently impacted by data breaches. Telstra, Medibank, Woolworths and government departments such as NSW Health and the South Australian Government payroll system are just some of the high-profile targets.
According to global provider of cyber risk and privacy management solutions IT Governance, 41.9 million records were compromised by cyberattacks across the world in March 2023 alone.[1] By 2025, cybercrime is estimated to cost $10.5 trillion globally, increasing by 15 percent year over year.[2]
Data breaches can enable identity theft and other forms of fraud. The Australian Institute of Criminology reported that identity theft cost Aussies $3.1 billion in 2019, at an average of $300 per person per incident.[3]
The fallout of these breaches has led to the creation of significant new Australian laws in the past 8 months. You can read more about the changes in the Australian landscape here.
Source: [4]
As it stands, 137 countries have adopted some form of privacy legislation. The graphic above, sourced from the United Nations Conference on Trade and Development (UNCTAD) organisation, shows the 71% of countries with legislation seeking to protect consumer data and privacy. However, there are still countries with legislation in the draft stages or – worse still – no protection at all. This is particularly evident in lesser developed countries, with the UNCTAD reporting and uptake of only 48% in these areas.
Many developed privacy protection laws have begun operating extra-territorially, meaning businesses can be subject to the laws of a territory if they are collecting data from the subjects of that jurisdiction. For businesses operating across borders in different international markets, this matrix of domestic legislation adds a significant burden on operations, as they have to navigate various – and often opposing – regulations to conduct their business legally.
Australia introduced the Privacy Act 1988 (Cth) in 1988. This federal legislation covers the Australian Privacy Principles (APPs) and the Notifiable Data Breach Scheme (NDBS).
In Europe, the overarching legislation is the General Data Protection Regulation (GDPR), which was introduced in 2016 and adopted by all 27 member countries. It has become known as the world standard in privacy protection, and has been credited as the model for several other nations including Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya.
Following Brexit, the UK formed its own legislation, the Data Protection Act 2018 (UK) (UK Act) which was amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (UK GDPR), which is tightly based on the EU GDPR but with slight modifications.
In the US, there is no singular federal law that covers the privacy of all types of data. Instead, it has a mix of federal laws that target specific types of data and specific populations. There are, however, three US states – California, Colorado and Virginia – that have three different comprehensive consumer privacy laws.
In Canada, the Consumer Privacy Protection Act (CPPA) is set to replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA) in September of this year, marking a major federal overall for Canada’s privacy protection framework.
In China, the Personal Information Protection Law (PIPL) became effective on 1 November 2021, creating China’s first comprehensive law on personal data protection that will work in conjunction with the existing Cyber Security Law (CSL) and the Data Security Law (DSL).
In Hong Kong, The Personal Data (Privacy) Ordinance (PDPO) was passed in 1995 and took effect from December 1996, making it one of Asia’s longest standing data protection laws.
Finally, Japan’s Act on the Protection of Personal Information Act No. 57 of 2003 (APPI) applies to the collection and processing of personal information. The law was revised in 2017 and again in 2022, and in doing so became the first jurisdiction to earn an adequacy decision from the European Commission (EC).
Given the localised nature of privacy protection, below we have analysed and compared the laws of the 8 jurisdictions above, with respect to some key privacy elements.
Actionable right of privacy: To what extent do jurisdictions provide a cause of action for breach of privacy? In Australia, there is not an actionable right to privacy and the law does not expressly protect the right to personal privacy in the broader sense, nor does it include breaches by individuals in their personal capacity.
Federal Laws: To what extent do jurisdictions take a national approach to regulating privacy, compared to a State-by-State approach? In Australia, we have the Privacy Act in 1988 and its subsequent laws.
Privacy-Specific Regulator: Do jurisdictions have a specific regulator for privacy, or does it fall to other regulators? In Australia, this is done by the Office of the Australian Information Commissioner (OAIC).
Maximum Penalty: To what extent are entities handling personal information punished with fines or even potential imprisonment of responsible individuals? In Australia, the rules now provide for fines of $50m or more.
Controller/Processor distinction: To what extent are entities handling personal information regarded as controllers (meaning those who determine the purposes for and means by which personal data is processed) or mere processors (meaning those who processes personal data only on behalf of the controller)? Australian legislation does not distinguish between these two roles.
Special Categories: To what extent is certain information, such as health or financial information, subject to stricter treatment? In Australia, we have sensitive information, which includes information such as racial or ethnic origin, political opinion or sexual origins.
Consent by individuals: To what extent do jurisdictions require explicit consent by an individual for use of their personal information? In Australia, consent can be express or implied in most cases.
Minors: To what extent do jurisdictions provide for the age of consent by minors? Australia does not have a specific age of consent, but 15 is generally accepted.
Extra-territorial Scope: To what extent do jurisdictions seek to regulate privacy beyond their borders? In Australia, organisations with an ‘Australian link’ will be captured by Australian privacy law.
Right to be forgotten (erasure): To what extent do jurisdictions provide for the right of erasure or to be forgotten. There is no right to be forgotten in Australian privacy law.
Right to access personal information: To what extent do jurisdictions provide an individual with the right to access personal information held on them by an entity. In Australia, this right is established under Australian Privacy Principle 12.
| Key elements: | Australia | GDPR | UK | USA | Canada | Hong Kong | Japan |
Actionable right of privacy
|
❌
|
❌
|
❌
|
✅
Black v. Aegis Consumer Funding Group, Inc., 2001[5] |
✅
|
✅
|
❌
|
Federal Statute
|
✅
|
✅
|
✅
|
❌
|
✅
(CPPA comes into force 22 September 2023)
|
✅
|
✅
|
Privacy-Specific Regulator
|
✅
|
✅
|
✅
|
❌
(Only at State Level)
|
✅
|
✅
|
✅
|
Maximum Penalty
|
$50 million; 3x the benefit obtained; or 30% of adjusted turnover during breach | Greater of €20 million or 4% annual global turnover | Greater of: £17.5 million or 4% of annual global | Various: Federal: $1.5 million State: $7,500 per violation (CCPA) | Greater of: CA$25 million or 4% of global turnover | HKD 1 million, two years imprisonment, and daily fines if the offence continues | Imprisonment with labour for one year or a fine of not more than ¥1 million |
Controller/ Processor distinction
|
❌
|
✅
|
✅
|
❌
|
❌
|
✅
|
❌
|
Special Categories
|
✅
|
✅
|
✅
|
❌
|
❌
(courts to determine)
|
✅
|
✅
|
Consent by Individuals
|
Express or implied
|
Explicit
|
Statement or ‘clear affirmative action’
|
Opt-out consent’
|
Express or implied, documented consent under s 15
|
Required for “new purpose” outside initial scope, or for direct marketing
|
Not required to process PI, but prior oral / written consent needed if outside initial scope |
Minors
|
No specific age (generally under 15 does not have capacity) | Valid age of consent is 16
|
Valid age of consent is 13
|
Prohibits information gathering from children u/ 12 | Undefined
|
No special requirements for minors | Not specified (generally u/ 15 do not have capacity) |
Extra- Territorial Scope
|
APP entities or outside Australia by an organisation that has an ‘Australian link’
|
all EU member states and businesses with an ‘establishment’, control or process personal data of persons or monitor the behaviour of persons in the EU | UK business and businesses with an establishment in the UK, offer goods and services, and/or monitor behaviour in the UK | apply across different parts of the US only
|
CPPA does not address extra-territoriality
|
‘only persons being data user who has operations controlled in or from Hong Kong’[6]
|
applies to Japanese person or entity handling PI, applies extraterritorially when overseas entity obtains PI for its goods / services to a Data Subject in Japan |
Right to be forgotten
|
✅
|
✅
|
✅
|
❌
(only in California)
|
✅
|
✅
|
✅
|
Right to access personal information
|
✅
|
✅
|
✅
|
❌
|
✅
|
✅
|
✅
|
With AI and other emerging technologies increasing our tendency to be online, data breaches have become alarmingly frequent around the world. Legal commentators worldwide have observed that an internationally applicable data protection regime would be the ideal situation to protect privacy. However, the fragmented nature of nation states means that this is not a realistic goal. As a consequence, it is important to be aware of the different privacy rules, especially for businesses using personal information across boundaries.
E+Co are experts in privacy law. If you or your business require advice in relation to data protection or privacy legislation generally, please contact us below.
[1] Vikki Davies, ‘41.9m records compromised by cyber breaches in March 2023’ Cyber Magazine (Article, 6 April 2023) <https://cybermagazine.com/articles/41-9m-records-compromised-by-cyber-breaches-in-march-2023>.
[2] Steve Morgan, ‘Cybercrime To Cost The World $10.5 Trillion Annually By 2025’ Cyber Security Ventures (Article, 13 November 2020) <https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/>.
[3] Christie Franks and Russell G Smith, ‘Statistical Report 29 – National Identity Security Strategy: Identity crime and misuse in Australia 2019’ Australian Institute of Criminology (Report, 202) <https://www.aic.gov.au/sites/default/files/2020-08/sr29_identity_crime_and_misuse_in_australia_2019.pdf>.
[4] https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
[5] U.S. Dist. LEXIS 2632 (S.D. Ala. Feb. 8, 2001).
[6] Administrative Appeals Board Administrative Appeal No. 15/2019.
