Sweeping changes to Australia's privacy laws that took effect on March 12, 2014, make the country a global standard-setter in protecting its citizens' personal data. A comprehensive update of Australian privacy laws, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (PAA), imposes specific requirements regarding the collection, storage and use of consumers' personal information on companies that do business in Australia and have revenue of over $3 million. The Office of the Australian Information Commissioner (AIC) is empowered to enforce the PAA's mandates by imposing fines of up to $1.7 million for serious or repeated invasions of privacy.

At first blush, the requirements imposed by the PAA may seem of a piece with those imposed by the European Union and other privacy-centric jurisdictions, and with the privacy principles promulgated by the Obama Administration. Indeed, the thirteen new Australian Privacy Principles (APPs) established by the PAA (which replace the existing National Privacy Principles and Information Privacy Principles) strike many of the same notes as the Consumer Privacy Bill of Rights proposed by the White House in February 2012: transparency, access, accuracy, security, and so forth, the “usual suspects” in privacy regulation.

But the sense of familiarity may be misleading; the privacy regime imposed by the PAA is easily as strict as any in the EU, and has the potential to be even stricter, depending on its interpretation by the AIC. In particular, the PAA's restrictions on collection of information that is either publicly available or obtained from sources other than the data subject create a “right not to be profiled” so comprehensive that it would likely not pass First Amendment muster if enacted in the United States.