AUSTRALIA Law and Practice Contributed by: Andrew Stone, Dhanushka Jayawardena, Andrew Choi and Chris Kinsella, Holding Redlich
Cross-Border Disclosure Before disclosing personal information overseas, enti - ties must take reasonable steps to ensure the over - seas recipient does not breach the Privacy Act 1988 (Cth) or to ensure the individual consents to the dis - closure. Data Breach Notification Entities must notify the Office of the Australian Infor - mation Commissioner, as well as individuals affected by eligible data breaches that are likely to result in serious harm. Anonymity and Pseudonymity Where practicable, entities must give individuals the option to deal with them anonymously or by using a pseudonym. These obligations apply primarily to private sector organisations with an annual turnover of AUD3 million or more – although there are some exceptions and specific rules for different types of entities. 4.13 Anticipated Changes for Investors Material changes to the AML/CTF laws in Australia will take effect in 2026. These changes will apply in phases: • from 31 March 2026 – for entities already subject to the AML/CTF regime; and • from 1 July 2026 – for newly regulated “tranche 2 entities”. Relevantly in relation to the alternative funds indus - try, this includes persons who assist in equity or debt financing relating to: • a body corporate (or proposed body corporate); or • a “legal arrangement” (or proposed legal arrange - ment) (eg, a fund structured as a trust, or a partner - ship. What follows is a summary of the key features of the changed AML/CTF laws. Risk Assessments As of 2 October 2025, an obligation to undertake a risk assessment is not expressly stated in the AML/CTF Act and inferred from disparate requirements in the
• AML/CTF programmes – reporting entities must prepare and regularly review written programmes that document measures identified in the preced - ing paragraphs to identify and mitigate money laundering and terrorism financing risks specific to their business. 4.12 Data Security and Privacy for Investors Data collection in Australia is regulated under the Pri - vacy Act 1988 (Cth). The following summary outlines the main obligations relevant to alternative fund man - agers under the Privacy Act 1988 (Cth). Collection and Notification Entities must collect personal information lawfully and fairly, only when necessary for their functions or activi - ties. They must take reasonable steps to notify indi - viduals about the collection, including the purposes for collection, how the information will be used and disclosed, and how individuals can access and cor - Personal information can only be used or disclosed for the primary purpose it was collected, or for related secondary purposes that individuals would reasonably expect. Disclosure to third parties generally requires consent unless specific exceptions apply (such as law enforcement purposes or where required by law). Data Quality and Security Entities must take reasonable steps to ensure per - sonal information is accurate, up-to-date, complete, and relevant. They must also implement reasonable security safeguards to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Access and Correction Individuals have the right to request access to their personal information and seek corrections if it is inac - curate, out-of-date, incomplete, irrelevant, or mislead - ing. Entities must respond to these requests within reasonable timeframes and generally provide access unless specific exceptions apply. rect their information. Use and Disclosure
25 CHAMBERS.COM
Powered by FlippingBook