LegalWatch Updates

As wearable AR devices become more integrated into business operations and consumer experiences, their capabilities to capture and store real-time data—including images, audio, and locational information—pose challenges under Australia’s established privacy framework.

For businesses looking to leverage this technology, it is critical to understand how the Privacy Act 1988 (Cth) and related regulations apply.

The Privacy Act 1988 (Cth): Key Provisions for AR Usage

The Privacy Act 1988 (Cth) is Australia’s foundational law governing the collection, use, and disclosure of personal information by businesses.

For companies with an annual turnover exceeding AUD $3 million, as well as smaller businesses handling sensitive information, there are stringent obligations to ensure privacy protections are upheld.

1. Collection and Use of Personal Information

AR glasses are capable of collecting what the Privacy Act defines as “personal information,” which includes any information or opinion that can identify an individual. Given the ability of Meta’s glasses to capture faces, voices, and locations, this kind of data is clearly within the scope of personal information as outlined in the Act.

  • Requirement for Consent: The Act mandates that businesses collect personal information directly from individuals and obtain informed consent. When employees or customers use AR glasses in public spaces or customer-facing roles, obtaining explicit consent from every individual captured may be challenging.
  • Purpose of Collection: Under Australian Privacy Principle (APP) 3, data collection must be necessary for a legitimate business purpose. AR usage should therefore be clearly justified in policy, ensuring data collection aligns with lawful and reasonable purposes.

2. Notice and Transparency Obligations

The Privacy Act requires organisations to be transparent about their data practices. The use of AR glasses adds a layer of complexity, as data collection may not always be visible or obvious to those being recorded.

  • Privacy Policy Updates: To comply with APP 1, businesses need to disclose AR-related data practices in their privacy policies, specifically addressing what types of data the AR glasses collect, the purposes for data use, and potential third-party data sharing.
  • Visibility of Data Collection: Clear signage or notices should be implemented in areas where AR glasses may be in use, helping notify individuals that they may be recorded.

3. Handling Sensitive Information

Sensitive information, such as health data or personal identifiers, is subject to stricter controls under the Privacy Act. While AR glasses may not directly collect health information, they can capture conversations, imagery, or other personal interactions that could inadvertently include sensitive information.

  • Restrict Access to Sensitive Data: Businesses should establish clear guidelines on the types of information collected and limit access to only necessary personnel. When AR devices may capture sensitive data, additional steps such as obtaining explicit consent or anonymising data may be prudent.

4. Data Security and Integrity

With augmented reality collecting large volumes of potentially sensitive information, maintaining robust data security is essential to mitigate the risk of breaches. Under APP 11, businesses are responsible for protecting personal information from misuse, loss, or unauthorised access.

  • Implementing Cybersecurity Measures: Businesses using AR technology should ensure data is encrypted, employ access controls, and conduct regular security audits. Any data captured by AR glasses should be transferred and stored in compliance with the Privacy Act’s security standards.
  • Breach Notifications: Under the Notifiable Data Breaches (NDB) scheme, if a data breach involving AR-captured data occurs and is likely to result in serious harm to individuals, businesses must promptly notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC).

Workplace Surveillance and State Legislation

In addition to federal privacy law, businesses using AR technology in employee monitoring or performance assessments must consider workplace surveillance laws. These vary across states but generally require transparency and consent.

  • Surveillance Notices: In New South Wales and the ACT, the Workplace Surveillance Act 2005 requires that employees be informed about surveillance practices, including the type and purpose of surveillance, at least 14 days before implementation.
  • Consent Requirements: Surveillance of employees must not be hidden or covert. For instance, if AR glasses are used to observe employee performance, clear consent is essential to avoid breaches of state workplace laws.

Consumer Data Protection and Location-Based Privacy

AR glasses often collect locational data, raising additional concerns under Australian privacy standards.

  • Geolocation Consent: To comply with best practices under the Privacy Act, AR devices that track users’ locations should include options for individuals to turn off geolocation features or provide separate consent before this data is collected.
  • Data Minimisation Principle: Businesses should consider adopting a “data minimisation” approach, collecting only the minimum amount of locational data necessary and storing it for the shortest period possible to reduce privacy risks.

Future Legislative Considerations for AR Technology

Australian privacy law is continuously evolving, and proposals to increase penalties and regulatory powers may soon impact businesses leveraging AR technology.

The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill aims to strengthen penalties for serious breaches and impose more stringent data-handling standards on organisations.

Key Takeaway

As Meta’s AR glasses and similar technologies become commonplace, businesses should proactively address privacy compliance by updating their privacy policies, establishing clear data security measures, and securing robust consent protocols.

This approach will help mitigate legal risks, ensuring that they not only comply with Australia’s current privacy laws but are prepared for future regulatory changes.

Integrating augmented reality into business operations provides exciting opportunities, yet it requires a careful balance with privacy law compliance.

By addressing these obligations thoughtfully, Australian businesses can enjoy the benefits of AR technology while safeguarding their legal standing and public trust.
