GDPR and the Australian Privacy Act 1988: Key Differences

In May 2018 the European Union (EU) introduced the General Data Protection Regulation (GDPR), a law that outlines how personal data can be accessed and increases the privacy of citizens throughout the EU.

The GDPR requires businesses (in the EU) to declare what personal data they’ve sourced and their intended use of it, empowering individuals and letting them control their own privacy.

Upon its implementation, inboxes around the world were swamped with notifications from businesses ensuring that we had individually consented to being part of their mailing lists and to sharing our personal data.

Though the GDPR strictly applies to businesses within the EU, an Australian business with an established presence in the EU that monitors user behaviour needed to comply as well. This resulted in Australian businesses distributing emails in a similar fashion to their EU counterparts.

While Australians complied with the GDPR, since 1988 Australia has had a similar law in place to protect the privacy and identity of citizens: the Australian Privacy Act.

So, what are the major differences between the GDPR and the Australian Privacy Act? Some of them are summarised below.

Who does each one apply to?

General Data Protection Regulation (GDPR): The GDPR applies to all businesses, regardless of size, that gather personal data from EU citizens. This applies to businesses located in the EU or outside the EU that offer goods and services to EU citizens or monitor their behaviour.

Australian Privacy Act (APA): As well as businesses, the APA applies to most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of $3 million, and all private health service providers. It is not applicable to all small businesses ($2 million or less annual turnover).

What this means: Though the two laws are similar, the APA doesn’t require all businesses to follow it, whilst organisations in the private sector must, with an emphasis on industry and turnover.

An establishment functioning in the EU must declare its intentions, whilst an EU establishment working in a nation outside the EU does not have to declare its intentions to that outside nation.

What does each one apply to?

GDPR: This applies to personal data, defined as any data that relates to an identified or identifiable natural person (a living individual).

APA: The APA’s application is to personal information, defined as information or opinion about an identified individual or information that makes an individual identifiable.

What this means: While they appear similar, data and information are two different things. Data is raw information, the basis for things like statistics. Information, on the other hand, is the end result, taking those statistics and declaring the findings.

The GDPR requires businesses to declare what they do with that raw information. The APA, on the other hand, focuses on information used to directly identify an individual. The difference is that the APA doesn’t require businesses to declare what data they’re tracking.

Consent to provide data and information

GDPR: Consent must be freely given by individuals, with clear affirmation that they understand the agreement.

APA: The individual must be adequately informed before providing consent and must have the capacity to understand and communicate their consent. This consent must be given voluntarily.

What this means: This refers to sharing data that requires personal information such as name, email, employment, position etc. In both the EU and Australia, it must be clearly defined both what your data will be used for and what you receive in return.

Individual rights

GDPR: Individuals hold complete power over their personal data and have the right to erase, adjust and object to any data that relates to them.

APA: Businesses must adjust, destroy or de-identify information of an individual either upon request by the individual or when the information is no longer used for its intended purpose.

What this means: While the GDPR empowers the individual, the APA gives the business the responsibility for managing individuals’ information.


In summary, there are some key similarities between the GDPR and the APA. With rapid change in the digital space, it remains to be seen what the most effective use of these regulations is, both of which aim to protect citizens’ digital privacy. Until then, keep an eye on the fine print and read the terms and conditions.

Learn more about the GDPR and APA here.
