The Short Answer
Yes, in most respects Australian privacy law is less strict than GDPR. GDPR (General Data Protection Regulation) applies to any organisation, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour. The Australian Privacy Act 1988 applies to Australian Government agencies and to organisations carrying on business in Australia, and exempts most businesses with annual turnover under A$3 million (health service providers and a few other categories are covered regardless of turnover). If you have both Australian and EU users, build to GDPR (the stricter regime). That covers most Australian obligations, but a few Australia-specific ones remain: a privacy policy that meets APP 1, notifying the OAIC of eligible data breaches, and the APP 8 accountability rules for overseas disclosures.
Key Differences at a Glance
| Aspect | Australian Privacy Act 1988 | GDPR (European Union) |
|---|---|---|
| Applies to: | Australian Government agencies and organisations carrying on business in Australia, generally with turnover over A$3 million | Any organisation offering goods or services to, or monitoring, people in the EU, wherever it is located |
| Consent: | Required for collecting sensitive information and (under the Spam Act 2003) for commercial emails; other collection must be reasonably necessary for your functions | A lawful basis (Art. 6) for every processing activity; consent is one of six and must be opt-in; non-essential cookies need consent under ePrivacy rules |
| Data breach notification: | OAIC and affected individuals, as soon as practicable, for breaches likely to cause serious harm; 30 days to assess a suspected breach | Supervisory authority within 72 hours of becoming aware; individuals without undue delay if the risk is high |
| Data Protection Officer: | Not required | Mandatory for public bodies and for organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data |
| Right to be forgotten: | No explicit right (access and correction only; data must be destroyed or de-identified once no longer needed) | Individuals can request deletion of personal data (Art. 17) |
| Fines for breach: | OAIC compensation determinations; since December 2022, civil penalties for serious or repeated interferences of up to the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover | Up to €20 million or 4% of global annual turnover, whichever is higher |
Consent Requirements
Australian Privacy Act: Consent is not required for most collection. Under APP 3 you can collect personal information that is reasonably necessary for your functions or activities (processing orders, customer service, analytics), provided you give notice of the collection under APP 5. Consent is required to collect sensitive information (health, biometric, sexual orientation and similar categories), and the Spam Act 2003 requires consent before you send commercial electronic messages such as newsletters and promotional emails.
GDPR: Every processing activity needs one of the six lawful bases in Article 6. Consent is only one of them (performance of a contract, legal obligation and legitimate interests are others), but where you rely on it the consent must be freely given, specific, informed and unambiguous, and for special-category data it must be explicit. Separately, the ePrivacy rules require consent before setting non-essential cookies, so analytics cookies need an opt-in. Pre-ticked boxes and opt-out defaults do not count as consent.
Practical implication: If you have EU users, implement a cookie consent banner that blocks non-essential tracking until the user opts in, and collect marketing consent explicitly. The same standard exceeds Australian requirements.
Data Breach Notification
Australian Privacy Act: Under the Notifiable Data Breaches scheme, if unauthorised access to, unauthorised disclosure of, or loss of personal information is likely to result in serious harm to any individual, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. If you only suspect an eligible breach, you have 30 days to assess whether it is one. There is no fixed 72-hour clock; the timing depends on how quickly you can form a view on the harm.
GDPR: You must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals (Article 33). Affected individuals must be told without undue delay where the breach is likely to result in a high risk to them (Article 34). This is stricter and faster.
The "Right to Be Forgotten"
Australian Privacy Act: Does not include an explicit right to erasure. Individuals can request access (APP 12) and correction (APP 13), but deletion on request is at the business's discretion. APP 11.2 does require you to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed, unless a law or court order requires you to keep it.
GDPR: Individuals have a right to erasure (Article 17, the "right to be forgotten"). They can request that you delete their personal data and you must comply unless an exception applies, such as a legal obligation to retain the data (tax and accounting records, for example) or the data being needed to establish or defend legal claims. The operational burden is in locating every copy, including backups and copies held by processors, and responding within one month.
Privacy Impact Assessments
Australian Privacy Act: No mandatory privacy impact assessment for private-sector organisations. It is best practice and the OAIC publishes guidance, but it is not required. (Australian Government agencies must conduct one for high privacy risk projects under the Australian Government Agencies Privacy Code.)
GDPR: "Data Protection Impact Assessments" are mandatory for high-risk processing (e.g., large-scale collection, automated decision-making, special categories of data like health records). Documentation is required.
Data Protection Officer
Australian Privacy Act: No requirement. A Privacy Officer is recommended, but not mandated.
GDPR: You must appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data or criminal-conviction data (Article 37). There is no headcount threshold; the 250-employee figure belongs to the record-keeping exemption in Article 30, not to the DPO rule. The DPO advises on compliance, is the contact point for the supervisory authority and for data subjects, and is involved in breach handling and DPIAs.
Penalties and Enforcement
Australian Privacy Act:
- The OAIC can investigate complaints, make determinations and order remedies
- Compensation determinations are individual-focused and have typically been modest (tens of thousands of dollars at the upper end for serious breaches)
- Since December 2022, the Federal Court can impose civil penalties for serious or repeated interferences with privacy of up to the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover
- Criminal prosecution is rare
GDPR:
- National data protection authorities (DPAs) enforce, with the European Data Protection Board (EDPB) coordinating cross-border cases
- Fines up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious infringements, and up to €10 million or 2% for others
- Fines are scaled to the nature, gravity and duration of the infringement, so minor breaches do not attract the maximum, but large, sustained or wilful violations have drawn fines in the hundreds of millions
- Regulators actively pursue violations
Example: Meta (Facebook) was fined €1.2 billion in May 2023 by the Irish Data Protection Commission for transferring EU users' data to the US without adequate safeguards. Australian enforcement to date has produced nothing on that scale.
What If You Have Both Australian and EU Users?
Best practice: Follow GDPR standards. This means:
- Implement cookie consent banners asking for opt-in permission
- Get explicit consent before marketing emails
- Have a process to delete user data on request
- Notify the supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the risk to them is high
- Document your data processing activities
- Ensure overseas transfers have legal mechanisms (like Standard Contractual Clauses)
If you comply with GDPR you will meet or exceed most Australian Privacy Act requirements. Add the Australia-specific items (an APP 1 privacy policy that lists likely overseas disclosures, OAIC notification for eligible data breaches, and APP 8 accountability for overseas recipients) and you stay compliant in both jurisdictions.
Overseas Data Transfers
Australian Privacy Act: APP 8 governs disclosure to overseas recipients. Before disclosing personal information overseas you must take reasonable steps to ensure the recipient does not breach the APPs, and under s 16C you remain accountable for the recipient's handling of the data unless an exception applies (for example, the individual consented after being expressly informed that APP 8 would not apply, or the recipient is bound by a substantially similar law with accessible enforcement). APP 1.4 requires your privacy policy to state whether you are likely to disclose information overseas and to which countries. There is no approved-transfer-mechanism regime comparable to SCCs.
GDPR: Strict rules (Chapter V). Personal data may be transferred outside the EU/EEA only to countries the European Commission has found "adequate" (New Zealand, Japan, the UK and Switzerland among them). Australia has no adequacy decision, so transfers from the EU to Australia need a safeguard such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), plus a transfer impact assessment since the Schrems II judgment. Transfers to the USA are covered by the EU-US Data Privacy Framework for certified companies (since July 2023); other US recipients need SCCs or BCRs. Unlawful transfers fall in the highest fine tier.
When to Hire a Privacy Lawyer
If you're an Australian business with EU users, or a global business with Australian operations, consider consulting a privacy lawyer who understands both jurisdictions. This is especially critical if you:
- Process data from a large number of EU residents
- Use third-party processors located overseas
- Handle sensitive data (health, financial, children's data)
- Rely on international transfers affected by the CJEU's Schrems II judgment (which invalidated Privacy Shield) or on the EU-US Data Privacy Framework