What It Is

The Privacy Act 1988 (Cth) is Australia's foundational federal legislation establishing economy-wide standards for handling personal information. It imposes a principles-based framework via the 13 Australian Privacy Principles (APPs) on government agencies and private sector entities exceeding AU$3 million turnover, plus targeted small businesses. The risk-based approach mandates "reasonable steps" contextualized by entity size, data sensitivity, and harm potential.

Key Components

• 13 APPs spanning collection, use/disclosure, security (APP 11), cross-border (APP 8), data quality, and individual rights.
• Notifiable Data Breaches (NDB) scheme requiring notifications for breaches likely causing serious harm.
• Oversight by OAIC with investigations, audits, and penalties up to AU$50 million or 30% turnover. No certification; compliance demonstrated through governance and evidence.

Why Organizations Use It

Ensures legal compliance avoiding severe penalties; mitigates breach risks, enhances governance. Builds stakeholder trust, supports transborder flows, and aligns with reforms for competitive advantage in data-driven markets.

Implementation Overview

Phased risk-based program: gap analysis, policy/governance design, technical controls, incident readiness, audits. Scalable across sizes/sectors; OAIC guidance drives ongoing assessments.

What It Is

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is a comprehensive EU regulation providing a horizontal, risk-based framework for AI governance. Published in the Official Journal on 12 July 2024 and entering force on 1 August 2024, it prohibits unacceptable-risk practices, imposes strict controls on high-risk systems, transparency duties on limited-risk AI, and minimal oversight on others. Scope spans the AI value chain, applying extraterritorially to non-EU providers whose outputs affect the EU.

Key Components

• Four risk tiers: unacceptable (banned), high-risk (Annex I/III), limited (transparency), minimal.
• High-risk requirements: risk management (Art. 9), data governance (10), documentation (11-13), human oversight (14), cybersecurity (15).
• GPAI model duties (Ch. V); hybrid enforcement via AI Office and national authorities.
• Fines up to 7% global turnover; CE marking, conformity assessments.

Why Organizations Use It

• Mandatory for EU market access and legal compliance.
• Mitigates safety, rights, discrimination risks.
• Builds stakeholder trust, enables competitive differentiation.
• Supports innovation via sandboxes, standards presumption.

Implementation Overview

Phased rollout (6-36 months); inventory/classify AI, build QMS/RMS, conduct assessments. Applies universally, especially high-impact sectors like employment, biometrics; cross-functional, audit-driven.