Personal Privacy Rights in the Application Generation - JHK Legal Commercial Lawyers

23 July 2018

Personal Privacy Rights in the Application Generation

In the age of third party Application Programming Interfaces (“APIs”) such as internet banking applications, Facebook and Google Maps, the collection and distribution of personal data is shrouded in mystery, unless of course you take the time to read the masses of information included in privacy policies. With recent media attention surrounding the issue, it is clear that a large portion of the public may not be educated about how the applications, and the businesses behind them, can collect and/or disclose their information.

What are the privacy rights under the law?

The Privacy Act 1988 (Cth) (“the Privacy Act”), and the 13 Australian Privacy Principles (“APP”) contained within it, are the relevant guidelines for privacy in Australia.

Definition of an APP Entity

These 13 principles are applicable to “APP entities”. An APP entity encompasses:

  • a Commonwealth Government agency; or
  • an organisation (including an individual, body corporate, partnership, unincorporated association,
    or trust).[i]

An APP entity does not include:

  • a State or Territory authority
  • small business operators, which are businesses with an annual turnover of $3 million or less, unless one of the following exceptions applies:
    – The business provides a health service to another individual and holds any health information except in an employee record;
    – The business discloses personal information about another individual for a benefit, service or advantage, or provides a benefit, service or advantage to collect personal information;
    – The business is a contracted service provider for a Commonwealth contract; or
    – The business is a credit reporting body.[ii]

The Privacy Principles[iii]

The Principles as a whole are wide-ranging and cover a whole array of issues. However, the Principles specifically relevant to how your information may be collected and distributed include:

APP 3: Collection of solicited personal information

An APP entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the APP entity’s functions or activities. Sensitive information must not be collected unless there is consent or the information is reasonably necessary for the APP entity’s functions. Sensitive information can include, but is not limited to:

  • racial or ethnic origin;
  • religious beliefs;
  • membership of a union;
  • criminal record; and
  • health information.

APP 6: Use or disclosure of personal information

An APP entity cannot disclose the information for a purpose (other than the purpose it was collected for), unless there is consent or one of the following applies:

  • there is a reasonable expectation that the APP entity would use or disclose the information; or
  • the use or disclosure is required or authorised by or under an Australian law or a court/tribunal; or
  • a permitted general situation exists. Examples of this include:
    – Lessening or preventing a serious threat to the life, health or safety of an individual;
    – The establishment, exercise or defence of a legal or equitable claim; or
    – The purposes of a confidential alternative dispute resolution.
  • a permitted health situation exists. Examples of this include:
    – Providing a health service;
    – Research relevant to public health or safety; or
    – Preventing a serious threat to the life, health or safety of the individual or an individual who is a genetic relative.

APP 7: Direct marketing

An organisation must not use or disclose personal information for the purpose of direct marketing. Exceptions to this include:

  • a reasonable expectation that the organisation would use or disclose the information for direct marketing; or
  • a simple means by which the individual may easily request not to receive direct marketing communications is provided; or
  • consent has been provided.

Sensitive information is subject to more stringent requirements: consent is the only exception permitting the use or disclosure of sensitive information for the purposes of direct marketing.

What amounts to a breach of privacy?

If the business or organisation you are dealing with falls into the category of an APP entity, and collects, uses or discloses your information in a way that conflicts with the Principles (and no relevant exception applies), this may amount to a breach.[iv]

Taking applications as an example, you will commonly find the privacy policies and relevant information grouped together. This is referred to as bundled consent, or a “click-wrap”. It is a common practice amongst software licences and online transactions. The potential issue with a “click-wrap” is the effect it has on consent.

There is an argument that being unable to use a service until a “click-wrap” is accepted, or being unable to withhold consent on specific terms, may influence whether informed consent was provided.

The penalties for breaching the Privacy Act can amount to $1.8 million for corporate bodies or $360,000 for non-corporate bodies (including government departments/agencies, sole-traders, partnerships, trusts, unincorporated associations).

What can I do if I believe my privacy has been compromised?

If you believe that your privacy has been breached under the Act, if you are an APP entity that might be in breach of the Principles, or if you would like further information, please contact your local JHK Legal office.

The above article is not intended to be a substitute for legal advice.



[i] Section 6 of the Privacy Act 1988 (Cth).

[ii] Ibid.

[iii] Schedule 1 of the Privacy Act 1988 (Cth).

[iv] Section 6A of the Privacy Act 1988 (Cth).