Due to resource constraints, this old resource is no longer being maintained.

See the master version of this resource,
which is being maintained in its original location.

This document is a partner to pages on Privacy Laws of the Australian States and Territories, on Privacy Laws of the World and on International Instruments


This document provides access to Australian laws relevant to privacy, and to many resources that point to yet more laws. Please advise us of improvements that should be made. The links in this page are reviewed periodically. Please advise any broken links to the APF Web-Team.

The remainder of this document presents Commonwealth laws, which are relevant throughout the country. If you are looking for the laws of a State or Territory, those details are in another document. See: N.S.W., Victoria, Queensland, Western Australia, South Australia, Tasmania, A.C.T., Northern Territory.

This page contains the following sections:

The Privacy Act 1988, as amended (esp. in 1990, 2000 and 2012)

The primary statute is the Privacy Act 1988. The original version applied to the Commonwealth public sector. It was amended in 1990 to apply also to the credit reporting industry. It was then further amended in 2000 to apply to much of the private sector. The original statute was adequate, the 1990 credit reporting amendment reasonably strong, and the 2000 private sector amendment so bad that some people thought that it was the world's worst privacy legislation. Subsequently, the NSW Act challenged it for that mantle. But then the 2012 amendments were passed, which make the Privacy Act (Cth) unequivocally the most privacy-hostile data protection law in the world.

The law has all manner of exceptions, exemptions, authorisations and designed-in loopholes scattered through it, and the complexities are such that there are many unintended loopholes, ambiguities and uncertainities as well. Corporations and expensive lawyers and consultants spend a lot of time wading through the verbiage in order to find multiple ways in which organisations can breach data privacy, but not data privacy law.

The statute is here:

Important prior documents, 1988-2014:

The Attorney-General's Department's ComLaw database can also be used, by searching on 'Privacy Act', and then sifting through the hundreds of hits to find the particular document and version that you want.

The Privacy Act granted the National Health and Medical Research Council the extraordinary power to issue its own guidelines. For these, see:

The Spam Act 2003

The Spam Act 2003 came into effect on 10 April 2004. Under the new law it is illegal to send, or cause to be sent, 'unsolicited commercial electronic messages' that have an Australian link. The Australian Communications Authority enforces the Spam Act, and provides information about spam laws and spam security, and means for reporting spam.

Surveillance Laws

There is a vast array of legislation that authorises surveillance by Commonwealth agencies, much of it enacted since September 2001, most of it grossly excessive, and most of it subject to seriously inadequate controls. Valuable summaries are provided by the Commonwealth Parliamentary Library, but they keep disappearing every few years, because web-site re-designs are conducted with a cavalier attitude to history, and information policy standards in government seem to be non-existent, or else seriously inadequate. The latest round of searching, in November 2013, found the following:

As an apparently necessary precaution, APF has provided a mirror of the version of October 2007.

A statute of particular relevance is:


The Privacy Commissioner's site states that the Health Insurance Commission and the federal Department of Health and Family Services are bound by the Medicare and Pharmaceutical Benefits Programs privacy guidelines.

The Privacy Act granted the National Health and Medical Research Council the extraordinary power to issue its own guidelines. For these, see:


Key Government Agencies

Crimes Generally


Human Rights


The Possibility of a Tort of Invasion of Privacy

In Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2002) 208 CLR 199, a majority of the High Court held that Australian courts were not prevented from finding that there is a tort (or legal cause of action) of unjustified invasion of privacy. But they did not find that it existed on the facts of the case before them, and no other significant sign of life has ever been seen.

See also the ALRC's Recommendation of a Privacy Cause of Action ALRC (2008b).

Other Resources

The Office of the Federal Privacy Commissioner's Guide to Privacy Laws in Australia

The Office of the Federal Privacy Commissioner's Guide to State Privacy Laws

Caslon Analytics:

The Oz NetLaw Privacy Fact Sheet

Andrew Nemeth's site on NSW Photo Rights, incl. privacy

Two papers on history and issues, Clarke (1998a-) and Clarke (1998b-)

AustLII's Australian Subject-Index for Privacy

Greenleaf G.W. & Waters N. (Eds.) (1994-) 'Privacy Law & Policy Reporter', monthly, available from http://www.austlii.edu.au/au/journals/PLPR/

Gunning P. (2001) 'Central features of Australia's private sector privacy law' Privacy Law & Policy Reporter 7, 10 (May 2001) 189-199

Hughes G. (1991) 'Data Protection Law in Australia', Law Book Company, 1991

AMCRAN (2004) 'Terrorism Laws: ASIO, the Police and You', 2004, Australian Muslim Civil Rights Advocacy Network, July 2004, at http://www.amcran.org/booklet/TerrorLawsV1.html