The Australian Communications and Media Authority Act 2005 No. 44 establishes the Australian Communications and Media Authority (ACMA) as an independent telecommunications authority. Division 4 of the Act establishes that the Minister may give written directions to the ACMA in relation to the performance of its functions and the exercise of its powers. However, it is reported that the ACMA is independent from the government in the decision-making process.

My Health Records Act 2012 requires information relating to health records to be stored and processed within Australia unless the records do not include "personal information in relation to a healthcare recipient or a participant in the My Health Record System" or "identifying information of an individual or entity" (Section 77).

It is reported that credit reporting bodies are obligated to retain all comprehensive credit information within Australia or on a cloud service that complies with the published requirements of the Australian Signals Directorate (ASD), which, in practice, is likely to be an Australia-based cloud.

Under Australian Privacy Principle (APP) 8 of the Privacy Act, APP entities that disclose personal information to overseas recipients are required to take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles (excluding APP 1), unless an exception applies. The "substantially similar regime" exception applies where the APP entity reasonably believes that the overseas recipient is subject to a law or binding scheme that, overall, affords a level of protection substantially similar to that of the APPs and provides mechanisms for individuals to enforce those protections. In December 2024, the Privacy Act was amended to allow the government to make regulations specifying jurisdictions or binding schemes that qualify under this first exception, although no such whitelist has been formally established to date. Second, data can be transferred across borders when the individual is expressly informed that, by consenting to the disclosure, APP 8.1 will not apply, and the individual subsequently provides consent. Third, the disclosure may be permitted if it is required or authorised by an Australian law or by an order of a court or tribunal. Fourth, an exception arises where a permitted general situation (excluding those related to legal or equitable claims or alternative dispute resolution) exists in relation to the disclosure. Fifth, if the APP entity is a government agency, and the disclosure is required or authorised under an international agreement to which Australia is a party that pertains to information sharing. Sixth, where the entity is an agency and reasonably believes that the disclosure is necessary for one or more enforcement-related activities conducted by or on behalf of an enforcement body, and the recipient performs similar functions or exercises comparable powers, the exception also applies.
Pursuant to Section 6, an “APP entity” includes both agencies and organisations. “Agencies” refer to Commonwealth government entities, including federal courts, as listed in the Privacy Act, while “organisations” encompass individuals, corporations, partnerships, unincorporated associations, and trusts, excluding small business operators, registered political parties, agencies, State or Territory authorities, and certain prescribed State or Territory instrumentalities.

Australia has joined several agreements with binding commitments to open transfers of data across borders. These include: Updated Singapore-Australia Free Trade Agreement (SAFTA, Chapter 14, Art. 13), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), the Australia - Peru Free Trade Agreement (Art. 13.11), the Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11), the Australia -Hong Kong Free Trade Agreement and associated Investment Agreement [Art. 11.7(2) and 11.15(1)], the Australia - Singapore Digital Economy Agreement (Annex A Art. 23), and the Australia - United Kingdom Free Trade Agreement [14.10(2)].

The Privacy Act 1988 provides a comprehensive regime of data protection in Australia. The Privacy Act, which includes a set of Australian Privacy Principles, provides general personal data protection requirements and provisions, including the right to access and to be informed. Initially, the Act stipulated guidelines for how Australian government agencies should manage personal information. Subsequently, in 2000, the Privacy Amendment (Private Sector) Act extended these provisions to certain private sector organisations.
Sector-specific privacy regulations, particularly concerning telecommunications, are addressed by the Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979. Additional protections for healthcare information are provided under the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. Businesses operating in industries such as financial services and gambling are required to adhere to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its accompanying rules. Furthermore, the Security of Critical Infrastructure Act 2018 applies to entities that own, operate, or hold direct interests in assets across various sectors, including communications, energy, defence, financial services, transport, data processing or storage, supermarket and grocery supply chains, health and medical services, education, and space.

The Telecommunications (Interception and Access) Act 1979 requires a telecommunication service provider to keep specific telecommunications data relating to the services it offers for two years (187C). The dataset to be kept includes the subscriber, the accounts of telecommunications devices, the source of communication, the destination of a communication, the date, time, and duration of a communication, the type of communication, and the location of the equipment or line used (187AA). This retention scheme was inserted into the Act by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.

The Telecommunications (Interception and Access) Act 1979 grants criminal law enforcement agencies the authority to intercept real-time communications without a warrant. The Act addresses various types of interception warrants, including an interception warrant (Section 10), a telecommunications service warrant (Section 11A), a foreign communications warrant (Section 11C), and a stored communications warrant (Section 110). However, in emergency situations (Section 30) or for the purpose of developing and testing interception capabilities (Section 31A), law enforcement officers or agencies may intercept live communications without obtaining a warrant.

Sections 317L–317RA of the Telecommunications Act 1997 (Cth), as amended by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, establish a mechanism whereby security and law enforcement agencies may issue Technical Assistance Notices (TANs) to communications providers. These notices require providers to take specified steps to assist agencies in performing their national security or criminal law enforcement functions.
The scope of application is broad, as “designated communications providers” include not only telecommunications carriers and service providers but also any entity that supplies electronic services, such as websites or encrypted messaging platforms. Recipients of a TAN may therefore be required to provide technical assistance, including facilitating access to encrypted communications. Notably, the framework permits such requests to be made without a warrant.

Under Australian law, trade secrets are treated as a subset of confidential information and are primarily protected under common law principles, complemented by relevant statutory provisions, including those contained in the Corporations Act 2001 and the Competition and Consumer Act 2010.
In addition, the Treasury Laws Amendment (2018 Measures No. 3) Act 2018 introduced specific provisions reinforcing the protection of confidential information. Together, this legal framework provides remedies against the unauthorised use or disclosure of such information. Available causes of action include claims for breach of confidence, with courts empowered to grant relief in the form of injunctions, damages, and an account of profits in cases of misappropriation.

Sections 36 and 101 of the Copyright Act contain safe harbour protections for carriage service providers such as Internet infrastructure providers and Internet Service Providers (ISPs). To qualify, these organisations must implement mechanisms to enable copyright owners to report infringing content on their platforms and request that action is taken to prevent the infringement (for example, disabling access to the content or terminating the accounts of infringing users).

According to Art. 34 of the Telecommunications Act 1997, telecommunications carriers have statutory rights of access to other carriers' towers and ducts, but such access is not mandated. Passive infrastructure sharing is practised in Australia's mobile sector: co-location is negotiated on a commercial basis. Carriers have regulated rights of access to towers owned by other carriers for the purposes of providing carriage services. The Telecommunications Act 1997 provides for carriers to grant other carriers access to telecommunications transmission towers, the sites of telecommunications transmission towers, and eligible underground facilities. The Australian Competition and Consumer Commission has issued a code that sets out conditions to be complied with in relation to the provision of access.
In addition, passive infrastructure sharing is also practised in Australia in the fixed sector: the Australian Competition and Consumer Commission has declared the following services: - line sharing service (LSS) - local carriage service (LCS) - fixed originating access service (FOAS) - fixed terminating access service (FTAS) - unconditioned local loop service (ULLS) - wholesale line rental (WLR) - wholesale ADSL service (WADSL). Once a service is declared, a network owner must provide access to the service upon request.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Australia's law and jurisprudence. It is reported that the basis for third parties' liability for individuals' online actions is confusing and, viewed as a whole, largely incoherent. The result is significant uncertainty.

According to Section 8BG of the Telstra Corporations Act 1991 (as amended by Act No. 53 of 1999), foreign ownership of Telstra (the incumbent telecommunications company) is limited to 35%, and individual foreign investors are permitted to own up to 5%.

According to the National Broadband Network Companies Act 2011 (Subdivision A, Division 2, Part 3), the Commonwealth must retain full ownership of National Broadband Network Co (NBN Co). In addition, this ownership structure could be terminated only in limited circumstances (Subdivision B).