Technology Law FAQ
Australian technology law crosses privacy, consumer protection, IP, telecommunications, AML, cyber security, and emerging AI regulation. This FAQ covers the questions technology lawyers and in-house counsel are asked most often when negotiating SaaS deals, handling incidents, or advising on new product features.
This is a plain-English FAQ covering 20 of the most common Australian technology law questions. Each answer is grounded in the Privacy Act, the Australian Consumer Law, the SOCI Act, and current guidance from the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA). Coverage spans privacy, data breach, AI, SaaS, online safety, and critical infrastructure.
Common questions
Who does the Privacy Act apply to?
The Privacy Act 1988 (Cth) applies to "APP entities" — Commonwealth agencies and most private sector organisations with annual turnover above $3m, plus some smaller operators (health service providers, credit providers). Reform proposals would remove the small business exemption.
What are the Australian Privacy Principles?
The 13 APPs set out obligations around collection, use, disclosure, storage, access, correction, and cross-border disclosure of personal information. APP 11 (security) and APP 8 (cross-border disclosure) generate the most compliance work in technology practice.
What is the Notifiable Data Breaches scheme?
The NDB scheme requires APP entities to notify the OAIC and affected individuals where there is an "eligible data breach" — unauthorised access, disclosure, or loss that is likely to result in serious harm. Assessment must be completed within 30 days.
What is "serious harm" under the NDB scheme?
Serious harm includes physical, psychological, emotional, financial, or reputational harm. The OAIC considers the type and sensitivity of information, the circumstances of the breach, and the nature of the harm. Identity fraud risk is a common basis for serious harm findings.
How are AI systems regulated in Australia?
No AI-specific statute exists yet. Existing frameworks (Privacy Act, ACL, anti-discrimination, copyright, Corporations Act) apply. In 2024 the government released its Interim Response on safe and responsible AI and a Voluntary AI Safety Standard, with mandatory guardrails for high-risk settings flagged for 2025–26.
Can I use customer data to train an AI model?
Only within the primary purpose of collection or a related secondary purpose that would be reasonably expected, with consent, or where APP 6 otherwise permits. Training is typically a secondary purpose — a specific consent or a prominent collection notice is the safer path.
What are the ACL unfair contract term rules for SaaS?
Standard form SaaS contracts with consumers or small businesses (up to 100 employees / $10m turnover since 2023) are subject to the unfair contract terms regime. Unfair terms attract civil penalties since November 2023.
What is the SOCI Act?
The Security of Critical Infrastructure Act 2018 (Cth) imposes obligations on critical infrastructure assets across 11 sectors (communications, data storage, energy, financial, healthcare, and others). Obligations include registration, mandatory cyber incident reporting, and risk management programs.
Does the SOCI Act apply to my cloud service?
A cloud service may be a "critical data storage or processing asset" if it stores or processes business-critical data of critical infrastructure entities. Thresholds and specific asset definitions are set by the SOCI Rules. Registration triggers ongoing obligations.
What is the cyber incident reporting deadline?
Under the SOCI Act, reportable cyber incidents affecting critical infrastructure must be reported to the Australian Signals Directorate (ASD): within 12 hours where the incident has a significant impact, and within 72 hours where it has a relevant impact. Where personal information is involved, the NDB scheme's 30-day assessment timeline runs in parallel.
What is the Online Safety Act?
The Online Safety Act 2021 (Cth) establishes the eSafety Commissioner's cyberbullying, image-based abuse, and adult cyber abuse complaints schemes, the Basic Online Safety Expectations, and industry codes. It imposes takedown and transparency obligations on online service providers.
What documents do I need for a privacy impact assessment?
Data flow diagrams, collection notices, consent records, contracts with third parties, cross-border disclosure mapping, security controls assessment, retention schedule, and risk matrix. Quillio can generate a PIA draft from these inputs and cross-reference APP obligations.
Can I host Australian personal information offshore?
Yes, with APP 8 compliance. Disclose the overseas country in the privacy policy, take reasonable steps to ensure the overseas recipient does not breach the APPs (contractual, audit, due diligence), and consider whether consent is required. The entity remains accountable for acts of the overseas recipient in most cases.
What does a data breach cost in Australia?
OAIC civil penalties now reach the greater of $50m, three times the benefit obtained, or 30% of adjusted turnover. Class actions are also emerging (Medibank, Optus). Direct response costs (forensics, notification, remediation) routinely exceed $1m for medium incidents and $10m+ for major ones.
How is telehealth record-keeping regulated?
Privacy Act APP 11 applies to personal information generally. The My Health Records Act covers the My Health Record system specifically. State health records legislation (e.g. Health Records Act 2001 (Vic), HRIP Act 2002 (NSW)) imposes additional obligations in some jurisdictions.
How long do I have to bring a privacy complaint?
There is no strict limitation period for OAIC complaints, but delay can be grounds for the OAIC to decline a complaint. Both representative complaints and individual complaints can be made. A direct right of action in the Federal Court for serious or repeated interferences with privacy is also contemplated under reform proposals.
What is the difference between a data processor and controller under Australian law?
The GDPR distinction is not formally adopted. The Privacy Act applies the APPs to any entity that holds or handles personal information, regardless of whether it is a processor or controller in GDPR terms. Contractual flow-downs are still used but the statutory regime treats the handler as accountable.
How are algorithmic decisions regulated?
No general regulatory framework for automated decision-making yet exists in Australia. Anti-discrimination laws, the Privacy Act, and sector rules (credit, insurance) apply. Privacy reform proposes a right to meaningful information about automated decisions and ADM transparency.
How much does a technology contract cost to negotiate?
A simple SaaS order form review: $2,000–$8,000. A mid-complexity enterprise MSA: $15,000–$60,000. A large outsourcing or cloud migration: $100,000+. Specific risk work (privacy, IP, exit assistance) often dominates the cost.
When should a technology business engage a lawyer?
Before launching a new data-handling feature, before any model training that uses customer data, during any data incident, before signing an enterprise customer MSA, and before any M&A or cyber insurance placement. Incident-time lawyer engagement also preserves privilege.
Research any of these in context
Quillio helps Australian technology lawyers navigate privacy, SOCI, AI, and consumer law with current OAIC guidance and case law. See /practice-areas/technology-lawyers or start a free trial.
These FAQs are general explanations for educational purposes — not legal advice. Technology law is changing rapidly (Privacy Act reform, AI guardrails, SOCI expansions). Always verify against current legislation and regulatory guidance before relying on these in a matter.
Get cited answers, not just FAQs.
Quillio gives you the answer plus a clickable citation to the underlying AU authority. The free trial requires no credit card and no sales call.