Privacy policies for technology companies: Australian Privacy Act and beyond

Mar 24, 2026·6 min read

Privacy law compliance is not optional for technology companies, and it is not satisfied by publishing a generic privacy policy that doesn't reflect your actual data practices. The Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) in its Schedule 1 set out the obligations, and later amendments (notably the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022) raised the maximum penalty for a serious or repeated interference with privacy to the greatest of AUD 50 million, three times the value of the benefit obtained, or 30% of adjusted turnover. If you have users in the European Union, the GDPR adds another layer. Getting your privacy policy right isn't just a legal obligation; it's a trust signal to users and enterprise buyers alike.

Who the Australian Privacy Act applies to

The Privacy Act applies to Australian Government agencies and to private sector organisations with an annual turnover of more than AUD 3 million. Certain categories of organisation are covered regardless of turnover, including private sector health service providers, businesses that trade in personal information (buying or selling it), contracted service providers under Australian Government contracts, and organisations prescribed by regulation. A small business that wants the credibility of coverage can also opt in.

Many technology startups fall below the AUD 3 million turnover threshold and assume the Privacy Act doesn't apply to them. This is increasingly risky. The Australian Government's response to the Privacy Act Review agreed in principle to remove the small business exemption, so the threshold should be treated as temporary. Even where the exemption currently applies, organisations that collect and handle personal data should be building compliant practices now; retrofitting consent records, retention rules and access mechanisms onto a live product is far more expensive than designing them in.

Regardless of the Privacy Act threshold, state and territory privacy and health records legislation may apply, particularly if you handle health information (for example, the Health Records Act 2001 (Vic) and the Health Records and Information Privacy Act 2002 (NSW) bind private sector organisations). And if your platform collects data from people in the EU, GDPR obligations apply regardless of your company's location or revenue.

What your privacy policy must cover

Under APP 1.4, your privacy policy must set out the kinds of personal information you collect and hold, how you collect and hold it, the purposes for which you collect, hold, use and disclose it, how individuals can access and seek correction of their information, how they can complain about a breach of the APPs and how you will deal with the complaint, and whether you are likely to disclose personal information to overseas recipients and, if practicable, which countries.

Beyond the minimum requirements, a comprehensive technology company privacy policy should also address your use of cookies and tracking technologies, your data retention periods, your security measures, and your use of third-party analytics and advertising tools.

Each of these elements must be accurate. A privacy policy that describes data practices you don't follow, or omits practices you do follow, fails APP 1's requirement for a clearly expressed and up-to-date policy and, because it is a public representation, can also amount to misleading or deceptive conduct under the Australian Consumer Law. When the Office of the Australian Information Commissioner (OAIC) investigates a complaint, it compares the policy with what your systems actually do, so whoever drafts the policy needs input from the engineers who know where data flows, what the retention jobs actually delete, and which third-party SDKs ship in the build.

GDPR obligations for Australian companies

GDPR applies to organisations, wherever they are located, that offer goods or services (paid or free) to individuals in the EU or monitor the behaviour of individuals in the EU (Article 3(2)). An Australian technology company with EU users is subject to GDPR for that processing.

Key GDPR obligations beyond the Australian Privacy Act include: a documented lawful basis for every processing activity, with consent (which must be freely given, specific, informed and unambiguous, and explicit for special category data) being only one option; honouring the right to erasure (right to be forgotten) and the right to data portability; appointing a Data Protection Officer in certain circumstances; conducting data protection impact assessments for high-risk processing; notifying the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible; and, for most non-EU organisations caught by Article 3(2), designating a representative in the EU under Article 27.

If you handle EU personal data, your privacy policy needs to address GDPR rights, including how EU users can exercise them and who your EU representative is. Enterprise customers in Europe will contractually require a Data Processing Agreement (DPA) under Article 28 that documents your obligations as a processor, and because Australia has no EU adequacy decision, moving EU personal data to Australian infrastructure needs a transfer mechanism such as the Standard Contractual Clauses (SCCs) together with a transfer impact assessment.

Notifiable data breaches

The Notifiable Data Breaches (NDB) scheme under the Privacy Act requires organisations to notify affected individuals and the OAIC of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned, where remedial action has not prevented that harm. If you only suspect such a breach, you must complete an assessment within 30 days of becoming aware of the grounds for suspicion; once you believe an eligible data breach has occurred, notification must be made as soon as practicable.

Technology companies need an incident response plan that covers how to identify a data breach, who is responsible for assessing its severity, when notification is required, and how notifications will be made. Having this plan documented before a breach occurs, and tested against realistic scenarios in tabletop exercises, is both best practice and evidence of genuine compliance effort.

The consequences of a notifiable breach that is not reported are significantly worse than the consequences of a properly managed and reported breach. Transparency, when required, is always the better course.

Privacy compliance is an ongoing obligation, not a one-time document. Review your privacy policy annually and whenever your data practices change, and keep a dated version history so you can show what users were told at any given time.
