Data protection is afforded in Australia by the Privacy Acts in each State and Territory. These laws regulate the collection, use and disclosure of information about individuals and businesses. With the development of technology and the omnipresent threat of cyber-criminals and hackers, the law constantly needs to evolve to provide sufficient safeguards for the data and personal information of internet users. In 2018, the following legislative developments reached Australia.

On 22 February 2018, the Notifiable Data Breaches Scheme was enacted under Part IIIC of the Privacy Act 1988. The new legislation requires all Government agencies, businesses and not-for-profit organisations with an annual turnover of at least $3 million to notify their members, or the individuals whose personal information the relevant entity holds, within 30 days of any eligible data breach.

An eligible data breach occurs when there is unauthorised access, disclosure or loss of personal information held by the entity and the breach is “likely to result in serious harm to any of the individuals to whom the information relates”.

The penalty for an entity that does not report a breach within the 30-day time limit can range up to $360,000 for individuals and up to $1.6 million for organisations.

The changes come after Uber admitted to covering up the hacking of 57 million users’ data and paying the hackers $132,000 to delete it. The data breach reportedly exposed users’ names, email addresses and phone numbers from all around the world.

On 25 May 2018, the European Union (EU) introduced the GDPR in response to the increase in data theft and the threat of online hacking.

For companies and individuals in Australia, the relevant point is that the GDPR applies to personal data of individuals held by organisations that have an office in the EU, where activities are related to offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU.

Penalties for non-compliance with the GDPR can reach the greater of either €20 million ($31.15 million) or 4% of the company’s annual turnover.

If you have concerns that you are not GDPR compliant, or if you have any queries on Data Protection laws in Australia, please contact Jarrod Ryan or Alyce Cassettai at Ryan & Co Solicitors.