The European Union's General Data Protection Regulation (GDPR) applies to any organisation that processes personal data of individuals in the EU — regardless of where the organisation is located. An Australian business that sells products to EU customers, employs EU-based staff, or operates a website accessible to EU users is likely a GDPR-regulated entity. Combined with Australia's Privacy Act 1988 and the 13 Australian Privacy Principles, this creates a dual compliance obligation that many Australian businesses are unprepared for.
Does the GDPR Apply to Your Australian Business?
- You offer goods or services to EU individuals (even for free) — GDPR applies.
- You monitor the behaviour of individuals in the EU (web analytics, targeted advertising) — GDPR applies.
- You have EU-based employees whose personal data you process — GDPR applies.
- You only sell to Australians and have no EU connection — GDPR likely does not apply, but verify via a data mapping exercise.
- Australian privacy law (Privacy Act 1988) applies regardless of whether GDPR does. Both frameworks may apply simultaneously.
GDPR vs Privacy Act: Key Differences for Email
While both frameworks share foundational principles — lawful basis for processing, purpose limitation, data minimisation, security, individual rights — there are material differences that affect email compliance specifically. The GDPR requires an explicit, documented lawful basis for every processing activity. The Privacy Act primarily governs collection and handling without requiring a formal lawful basis for each activity. The GDPR's right to erasure (Article 17) is more expansive than Australia's — individuals can demand deletion of email records under GDPR in ways that go beyond current Privacy Act rights (though Australia's 2024 reforms are closing this gap). GDPR breach notifications must occur within 72 hours for high-risk breaches — significantly stricter than Australia's 30-day NDB window.
Areas Where GDPR Is Stricter
- 72-hour breach notification to supervisory authority (vs 30-day OAIC window under NDB scheme).
- Right to erasure — individuals can request deletion of personal data including email records in broader circumstances.
- Data Protection Impact Assessments (DPIAs) — mandatory for high-risk processing, no direct equivalent under Privacy Act.
- Data Protection Officer (DPO) appointment — required for large-scale data processors, no equivalent under Privacy Act.
- Explicit lawful basis for processing — must be documented; consent must be freely given, specific, informed, and unambiguous.
- Children's data — strict age verification requirements (13 in most EU member states); Australia's Children's Online Privacy Code is implementing similar rules.
Dual Compliance Email Strategy
For Australian businesses subject to both frameworks, the most efficient approach is to implement the stricter requirement in each area — which creates a combined standard that satisfies both. For email specifically: Australian-hosted email satisfies APP 8 and also aligns with the GDPR's own cross-border transfer restrictions (the US, for instance, has historically not had an EU adequacy decision). Australian data hosting is the single most efficient step for dual compliance. Consent-based email marketing (express opt-in with clear records) satisfies both the GDPR consent standard and the Spam Act 2003 consent requirement. A data breach response plan that covers both the 72-hour GDPR supervisory authority notification and the 30-day OAIC notification keeps you covered under both frameworks.
For Australian businesses with EU customers: The EU-Australia relationship currently operates under standard contractual clauses (SCCs) rather than an adequacy decision. Australian email providers that are IRAP-assessed and ISO 27001 certified can support your SCC documentation requirements. Contact ShieldBox for a GDPR-compatible data processing agreement at compliance@shieldbox.com.au.