Cybersecurity 2025

AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

lar purposes. For example, where information is voluntarily provided in relation to a significant cybersecurity incident, the NCS Coordinator may disclose this information in “coordinating the whole of Government response” or otherwise to inform Commonwealth ministers, who may then disclose this information for a “permitted cyber security purpose” such as mitigating material risks that prejudice Australia’s social/economic stability, defence or national security. This may include sharing and international transfers of information to foreign authorities or co-ordinated partnerships.

Market Transfers

Privacy Act

The primary legislation governing data transfers in Australia is the Privacy Act, which was relevantly amended by the Privacy and Other Legislation Amendment Act 2024 (Cth) (the “2024 Privacy Amendments”) on 29 November 2024.

Prior to these amendments, international (cross-border) disclosures of personal information were addressed primarily by APP 8. This principle required APP entities to “take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles”. What is “reasonable” depends on one’s specific circumstances but will usually involve a contract incorporating the APPs and the Australian entities monitoring or at least assessing the overseas entity’s systems. Importantly, APP 8 is not limited to where there is active transfer of data but rather extends to wherever data is accessible to an overseas entity (eg, stored on servers in Australia, but accessible by overseas entities).

The 2024 Privacy Amendments introduce an adequacy regime, meaning there is now a mechanism by which the Government can prescribe a “white list” of countries and binding schemes that are recognised as being on par with APP 8.

Consumer Data Right

In respect of data transfers more generally, Part IVD of the Consumer Act regulates the handling (including sharing) of CDR. The CDR was rolled out to the banking and energy sectors in 2020 and 2022 respectively. Although it was to continue into the superannuation, insurance and telecommunications sectors (and then into the non-bank lenders and Buy Now Pay Later products), the government paused the rollout in 2023, commissioned a report in August 2024 (which found that compliance costs exceeded initial estimates) and is now considering amendments to “reset” the CDR, involving the simplification of the customer consent process and the encouragement of operational enhancements to reduce the barriers to participation in the CDR.

Prohibitions

Certain information is prohibited from being held or taken outside Australia, such as records held for the purposes of the My Health Record system. Breach of this prohibition could result in a maximum criminal penalty of five years imprisonment and AUD99,000; or a civil penalty of AUD495,000.

Cybercrime

For completeness, it should also be noted that unauthorised access to computer systems (hacking, forcible transfers, etc) is criminalised by both State and Federal legislation. For example, persons suspected of unauthorised access to computer systems are charged pursuant to Section 478.1 of the Criminal Code, which provides for the offence of “Unauthorised access to, or modification of, restricted data”.


CHAMBERS.COM
