Territorial Scope
What is the territorial reach of the data privacy and cybersecurity laws?

Last review date: 31 December 2024

☒ applies to organizations located in the jurisdiction

☒ applies to organizations located outside of the jurisdiction offering goods or services to data subjects in the jurisdiction

☒ other

The Privacy Act applies to acts done, or practices engaged in, outside Australia and the external Territories by agencies and by organizations, or small business operators, that have an "Australian link."

An organization or small business operator has an "Australian link" if the organization or operator is:

  • An Australian citizen
  • A person whose continued presence in Australia is not subject to a limitation as to time imposed by law
  • A partnership formed in Australia or an external Territory
  • A trust created in Australia or an external Territory
  • A body corporate incorporated in Australia or an external Territory
  • An unincorporated association that has its central management and control in Australia or an external Territory

Since changes to the Privacy Act were implemented in late 2022, an organization or small business operator that does not satisfy any of the above criteria has an Australian link if the organization or operator carries on business in Australia or an external Territory.

The phrase "carries on business in Australia" is interpreted broadly to apply to any organization targeting Australian customers and can include data collected through an overseas site if collected from data subjects in Australia. There are two determinations and a series of related preliminary decisions that consider whether foreign companies have an Australian link for the purposes of the Privacy Act. In its response to the report on the review of the Privacy Act, the Government indicated that it agrees that further consultation should be undertaken to decide whether an additional criterion that personal information is connected to Australia should be added to narrow the current extra-territorial scope of the legislation.

In the meantime, even though the Privacy Act does apply outside Australia where there is an "Australian link," the legislation expressly acknowledges that certain overseas acts or practices are exempt from breaching the APPs: acts and practices engaged in outside Australia that are required by the applicable law of a foreign country will not constitute a breach.

The MHR Act's provisions are mostly of general application, but it contains some provisions specifically applicable to healthcare providers and to repository operators, portal operators and contracted service providers. The MHR Act applies within Australia (including its external Territories).

State and Territory privacy laws generally only apply to State and Territory public sector bodies. However, State and Territory health records laws in NSW, ACT and Vic apply to public and private sector organizations that are "health service providers" or which "collect, hold or use health information."

Surveillance laws are of general application to any person conducting surveillance, and workplace surveillance laws apply to employers proposing to conduct surveillance of workers. These State and Territory laws do not provide for extra-territorial application.

Telecommunications laws typically apply to carriers and carriage service providers as defined in the Telecommunications Act, within and outside of Australia. Certain provisions also apply to other actors in the telecommunications sector.

The SOCI Act applies primarily to operators of critical infrastructure assets and reporting entities as defined in section 5 of that Act, as well as managed service providers for those assets within and outside of Australia. An asset is not a critical infrastructure asset if, or to the extent to which, the asset is located outside Australia.