Australian Government - Office of the Australian Information Commissioner - Home

Does the EU General Data Protection Regulation (GDPR) apply to Australian government agencies?

The EU General Data Protection Regulation (GDPR) generally applies to the data processing activities of data processors or controllers where:

  • an establishment of the controller or processor is in the EU
  • the controller or processor is outside the EU, and the processing activities are related to:
    • offering goods or services to individuals in the EU (irrespective of whether a payment is required)
    • monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU (see Article 3).

However, there is some complexity involved in assessing whether the GDPR applies or is intended to apply to Australian government agencies. Relevant considerations include whether the GDPR is intended to apply to foreign government agencies, and if so, whether European foreign state immunity laws apply to the agency's activities.

Foreign states are generally entitled to be granted immunity from the jurisdiction of the courts of another state. Exceptions depend on the laws of the particular jurisdiction, and may include commercial transactions of a foreign state. For more information about foreign state immunity, see the Attorney-General’s Department page on Foreign state immunity.

Agencies that consider that the GDPR may apply to their activities, particularly where those activities are of a commercial nature, are encouraged to seek their own legal advice.

For an overview of the GDPR requirements, see Privacy business resource 21: Australian business and the EU General Data Protection Regulation.