GDPR vs Australian Privacy Principles

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 14 August 2025.

Both Europe's GDPR and Australia's Privacy Act are based around explicitly stated principles for personal data privacy. These principles affect what businesses can and can't do with personal data, as well as influencing the way courts and regulators interpret any ambiguities in the law's implementation.

Here's what you need to know.


Australian Privacy Principles

Australia's Privacy Act is anchored on a set of 13 "Australian Privacy Principles" (APPs). Under the Act, an act or practice breaches a principle if it is "contrary to, or inconsistent with" that principle, and any such breach counts as an interference with the individual's privacy. This concept works alongside the specific requirements and measures included in the law.

These are the 13 principles along with the most important specific requirements that stem from each principle:

Open and Transparent Management of Information

You must have a Privacy Policy.

Anonymity and Pseudonymity

You must give people the option of dealing with you anonymously or under a pseudonym, unless the law (or a court or tribunal order) requires you to identify them, or it's impracticable to deal with them without identification.

The Department of Foreign Affairs and Trade explains how this can work in practice:

Department of Foreign Affairs and Trade: You can remain anonymous

Collection of Solicited Personal Information

You can only collect personal information where it is reasonably necessary for one of your functions or activities. You must collect it by fair and lawful means, and normally directly from the individual the information is about. Collecting sensitive information (for example health information) normally requires the individual's consent.

Dealing With Unsolicited Personal Information

If you get hold of personal information without having solicited it, you must check if it would have been lawful to collect it. If not, you must destroy or de-identify it.

Notification of the Collection of Personal Information

You must give people a range of details when you collect their personal information (including if you get it from someone else). This includes your identity and contact details; why you are collecting the information (including whether a court or tribunal says you must); who you share it with (and whether they are overseas); and what happens if you can't get the information.

Use or Disclosure of Personal Information

You can only use or disclose personal information for the purpose you collected it for (the "primary purpose"). You can't use or disclose it for another purpose unless one of the following applies:

  • The individual consents.
  • The other purpose is related to the primary purpose (directly related, for sensitive information) and the individual would reasonably expect you to use it that way.
  • You are required or authorized by law, or by a court or tribunal order, to use or disclose it.

Direct Marketing

You can only use personal information for direct marketing if you collected it from the individual and they would reasonably expect you to use it for that purpose. Even then, you must provide a simple opt-out mechanism, and you can only keep marketing to people who have not used it.

You can't use sensitive personal information for direct marketing on an opt-out basis. You need explicit consent from the individual.

The Australian Communications and Media Authority explains what counts as sensitive personal information:

Australian Communications and Media Authority: Sensitive information

Cross-Border Disclosure of Personal Information

You can only disclose personal information to somebody outside Australia in limited situations, including:

  • You've taken reasonable steps to make sure the recipient will follow the Australian Privacy Principles.
  • Laws in the other country protect the personal information to a substantially similar standard, and the individual can enforce that protection.
  • The individual has expressly consented to the overseas disclosure after being told this protection won't apply.
  • You are legally required to disclose it.

If you rely on "reasonable steps" and the overseas recipient then breaches the principles, you are treated as having breached them yourself.

Adoption, Use or Disclosure of Government Related Identifiers

You can't adopt a government-related identifier (for example a passport number) as your own identifier for somebody, and you can't use or disclose it, unless the law requires or authorizes it, or it's reasonably necessary to verify the individual's identity.

Quality of Personal Information

You must take reasonable steps to keep the personal information you collect accurate, up-to-date and complete, and to check this is still the case before using or disclosing it.

Security of Personal Information

You must take reasonable steps to secure personal information against misuse, interference and loss, and against unauthorized access, modification or disclosure. Once you no longer need it for any purpose you are allowed to use it for, you must destroy or de-identify it unless you're legally required to keep it.

The Department of Home Affairs details some of the ways it secures data:

Department of Home Affairs: Storage and Data Security

Access to Personal Information

Normally you must give people access to the personal information you hold about them if they ask for it. The main exceptions are if doing so would be unsafe, unlawful, or would compromise legal proceedings or enforcement activity. The way this works in practice varies slightly between government agencies and businesses.

Correction of Personal Information

You must normally correct any inaccurate or incomplete information if the person the information is about asks you to do so. They can also ask you to pass on the correction to anyone you've shared the information with.

The Department of Industry, Science and Resources details access and correction in its Privacy Policy:

Screenshot from Department of Industry, Science and Resources

GDPR Principles

The General Data Protection Regulation (GDPR) is based around six sets of principles, which are set out in Chapter II (Articles 5 to 11), near the start of the legislation.

Processing Personal Data

You must follow (and prove you are following) six key rules:

  • Process the data lawfully, fairly and transparently.
  • Collect the data for a specific purpose and only use it for that purpose.
  • Only collect the minimum amount of data needed for that purpose.
  • Keep the data up to date and accurate.
  • Keep the data only as long as needed for the specific purpose, then either delete or de-identify it.
  • Secure the data against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Lawful Bases

You must be able to show the processing is necessary for one of the following reasons, known as a lawful basis:

  • The individual consented to processing for the specific purpose.
  • You must do it to fulfil a contract.
  • You must do it to follow a law.
  • You do it to protect somebody's vital interest (ie, their life.)
  • You must do it to carry out a task in the public interest or to exercise official authority.
  • You need to do it for your legitimate interests (or a third party's), and those interests aren't overridden by the individual's interests, rights and freedoms.

Serve Legal shows which lawful basis applies to which type of processing:

Serve Legal: Legal Basis for processing

You can only use consent as a lawful basis if you can prove the person made a meaningful, active and informed choice to consent. They must be able to withdraw the consent at any time. You can't normally make consent a mandatory condition for providing a service unless there's no way to do it without processing the data.

Where you offer online services directly to children and rely on consent, a child must normally be 16 to consent to data processing themselves, but individual countries can choose to lower this, with a minimum age of 13. If a child is below the age limit, you will need the consent of somebody with parental responsibility (which could include a guardian).

Special Categories

Some forms of data, often called sensitive data, have special rules. Examples include data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, plus genetic data and biometric data used to identify somebody. Processing this data is banned unless one of a short list of specific conditions applies, such as explicit consent; a lawful basis such as legitimate interests is not enough on its own. Individual countries can choose to rule that you can't rely on consent for this data.

Criminal Convictions

You can't process personal data about criminal convictions and offenses unless you are acting in official authority, or an individual country has a law that specifically says you can.

Processing Which Does Not Require Identification

This principle is somewhat technical and often confuses people. Put very simply, it means that if you process personal data and don't know who it is about, you don't need to identify somebody just to make sure you are complying with the GDPR. For example, if somebody asks if you hold any personal data about them, you don't have to identify the subject of every piece of anonymous data you hold, just in case it's about them.

GDPR Rights

Although the GDPR Privacy Principles are a key part of the law, they are not its only important list. The law also explicitly sets out people's rights over their personal data. Protecting these rights is the fundamental purpose of the law. You need to understand and pay attention to the rights for two reasons:

  • Because a court or regulator may use "protecting privacy rights" as the key factor when ruling on any ambiguity, interpretation or application of the GDPR.
  • Because you need to take account of the effect on privacy rights when deciding if legitimate interests is an appropriate legal basis to carry out a particular set of processing.

In summarized form, the rights people have are:

  • To know how and why you process personal data (through a Privacy Policy.)
  • To get specific details (such as who you'll share it with) when you collect or otherwise obtain data.
  • To find out what data you hold about them (a data access request).
  • To correct any errors in the data.
  • To have you delete data when you no longer need it or have the right to use it.
  • To have you temporarily stop using data, for example during a dispute about its legality.
  • To have you pass on any correction, deletion or restriction to everyone you've shared the data with, and to be told who those recipients are on request.
  • To get a copy of the data in a suitable format to take elsewhere (eg to a rival service provider.)
  • To object to data processing done for direct marketing or under the legitimate interest basis. (This must trigger a review by you to see if the objection is valid.)
  • To not be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on them, unless this is necessary for a contract, authorized by law, or based on their explicit consent.

Briefed explains how it uses automated processing and the consequences of opting out of such data use:

Briefed AI and Automated Decision Making: Opt-out of data usage

Do Both Laws Apply to Me?

The two laws have different types and extents of scope, so it's very possible a company could be affected by one, both or neither law for the same processing.

In simplified terms, the GDPR applies if:

  • The data subject (the person the data is about) is in a covered country and the processing relates to offering them goods or services, or to monitoring their behaviour.
  • You (whether controller or processor) are established in a covered country, including through subsidiaries and local offices, and the processing is carried out in the context of that establishment's activities.
  • Note that where the processing physically happens (for example the country your servers are in) does not by itself bring you into scope: an EU data centre doesn't make a non-EU company subject to the GDPR, and a non-EU data centre doesn't take an EU company out of it.

The rules cover every EU member country. They also cover Iceland, Liechtenstein and Norway through the EEA Agreement, while almost identical rules (the UK GDPR) cover the United Kingdom through its national law.

Australia's Privacy Act doesn't turn on where you or the processing are located: an organization based overseas is covered if it carries on business in Australia. It applies to "APP entities", which fall into three categories:

  • Australian government agencies.
  • Organizations with an annual turnover above $3 million (AUD).
  • Organizations in specific areas such as health, credit reporting, buying or selling personal information, and carrying out Australian government contracts.

This means it's perfectly possible to come under both laws for the same processing. It also means that if you serve users or customers internationally (including running a website that uses people's personal data in some way), you may well need to follow both sets of privacy principles.

Tourism Australia explains how and when it comes under the two laws:

Tourism Australia: Australia Privacy Act and GDPR

Key Differences Between Australia's Privacy Act and the GDPR

For the most part, following the principles of one of these two laws will take you most of the way towards following the principles of the other. This includes basic measures such as:

  • Having a Privacy Policy.
  • Securing data.
  • Using data only for specific purposes.
  • Keeping data up to date.
  • Getting consent to use sensitive data.
  • Making sure data is protected to the same standards if you share it with somebody in another country.

Here are a few key differences to watch out for:

  • Direct marketing may be acceptable under "legitimate interests" under the GDPR, although the individual has an absolute right to object and you must then stop. Under Australia's Privacy Act you can only direct market to people who would reasonably expect it (or who consented), you must always offer a simple opt-out, and sensitive information needs explicit consent.
  • The GDPR gives people no general right to deal with you anonymously or under a pseudonym, so you can often refuse such a request; under Australia's Privacy Act you must offer that option unless it's impracticable or the law requires identification.
  • You don't need to identify a specific lawful basis under Australia's Privacy Act: the collection being reasonably necessary for one of your functions is normally enough. With the GDPR you must be able to identify (and prove) which specific lawful basis applies.
  • You can rely on implied or opt-out consent for some forms of data processing (not sensitive data) under Australia's Privacy Act. Under the GDPR, if you rely on consent as a lawful basis, it must be express consent, meaning active, intentional and informed.
  • The GDPR distinguishes between data controllers and data processors: the latter only process data under the instructions of the former. The controller is legally responsible for the processing and must have a binding written agreement that obliges the processor to follow the rules. Australia's Privacy Act doesn't make such a distinction.
  • Under the GDPR you don't need parental consent to process data about a child aged 16 or 17. Under Australia's Privacy Act, a child aged 15 to 17 can normally be assumed to have the capacity to consent, but you will need a parent's or guardian's consent if the child lacks the maturity to make an informed decision.
  • Under the GDPR you must keep a record of your data processing (with a limited exemption for organizations with fewer than 250 employees). This isn't mandatory under Australia's Privacy Act.

The Access Group explains its role as a data processor rather than data controller:

Access Group: Data Processor Role

Summary

Both Australia's Privacy Act and the GDPR are based around sets of principles, which have several common points. In both cases, the specific requirements of the law, plus any interpretation and implementation, are heavily based on following these principles. The GDPR also incorporates privacy rights for individuals.

While following one law's principles will go a long way towards following the other's, you must watch out for some key differences. With the GDPR you need to identify a lawful basis for processing, make sure any consent is explicit (not opt-out), keep a record of data processing, and make sure you have a binding agreement to follow the GDPR if you hire a data processor.

With Australia's Privacy Act, you need to limit direct marketing to people who would reasonably expect it, always offer an opt-out, get explicit consent before using sensitive information for marketing, and honor requests for anonymity or pseudonymity.