To date the APP 2 obligation to give individuals the option of not identifying themselves or using a pseudonym when interacting with the organisation has not been widely implemented by organisations or enforced by the Privacy Commissioner. However, with the first stage of amendments to the Privacy Act being passed in late November 2024 and, relevantly, becoming effective on 10 December 2024, it is time to take another look at APP 2 and the obligation that arises under it.
Impact of the recent Privacy Act changes
The importance of the APP 2 obligation, and the introduction of a better mechanism for enforcing it, were addressed as part of the revision of the civil penalties regime under the Privacy and Other Legislation Amendment Act 2024. In particular, the addition of section 13K to the Privacy Act as part of the new low‑tier civil penalty and infringement notice regime will breathe new life into the APP 2 obligation and its enforcement. In summary and most relevantly, s 13K(1) Privacy Act provides:
“(1) An entity contravenes this sub‑section if:
(a) the entity does an act, or engages in a practice; and
(b) the act or practice breaches any of the following Australian Privacy Principles: …
(iii) Australian Privacy Principle 2.1 (individuals may choose not to identify themselves in dealing with entities); …”
From 10 December 2024, failing to offer individuals the option of anonymity/pseudonymity pursuant to APP 2 will be a contravention enabling the Privacy Commissioner to issue an infringement notice imposing the low‑tier civil penalty for each instance of infringement. Any contravention of s 13K(1)(b)(iii) Privacy Act will likely be relatively easy for the Privacy Commissioner to establish. Even if it is not obvious in the circumstances, the Commissioner can use her enhanced information gathering powers under ss 44 and 45 Privacy Act to obtain the evidence she needs from the organisation itself to ‘prove’ the contravention(s).
What is anonymity and pseudonymity under APP 2?
Before we examine when the APP 2.1 obligation applies, the exceptions to it and how best to practically implement it, it is important to understand what ‘anonymity’ and ‘pseudonymity’ mean in the context of APP 2.
“Anonymity” is not defined in the Privacy Act and therefore has its common meaning, being “not named or identified” and “lacking individuality, distinction or recognisability”. Taking inspiration from the definitions of “personal information” and “de-identified” in s 6 Privacy Act, for information to be anonymous it must not be about an identifiable individual or an individual who is reasonably identifiable. While used in the title of APP 2, the term ‘anonymity’ is not used in expressing the obligation in APP 2.1. Rather, APP 2.1 requires that individuals interacting with the organisation must be given the option of not identifying themselves, that is, of remaining anonymous, or of using a pseudonym when interacting with the organisation.
“Pseudonymity” is not defined in the Privacy Act either but is generally understood to be the use of a ‘pseudonym’ or fictitious name. As an aid to interpretation, Article 4(5) GDPR defines “pseudonymisation” as “the processing of personal [information] in such a manner that the personal [information] can no longer be attributed to a specific [individual] without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal [information] are not attributed to an identified or identifiable natural person.”
When is anonymity or pseudonymity required under APP 2?
There is often a default assumption (or perhaps desire) that all of an organisation’s activities and interactions require individuals to identify themselves, unless and until the case is made (often by way of a privacy complaint) that such could be performed or satisfied on an anonymous or pseudonymous basis.
It is also often assumed by organisations that, because some or even most of the organisation’s purposes for collecting information may require the individual to be identified in order to deliver its services and/or comply with its regulatory obligations, all of the organisation’s activities or ‘matters’ therefore need to collect personal information and have the individual identify themselves, and that the APP 2.1 obligation consequently does not apply to them by default.
However, APP 2.1 actually requires that organisations give individuals “the option of not identifying themselves, or of using a pseudonym, when dealing with the organisation in relation to a particular matter” (emphasis added). As expressly noted, this obligation is to be applied ‘in relation to each particular matter’, that is, to each interaction or activity between the organisation and the individual. In practice, this aspect of the APP 2.1 obligation has often not been applied by organisations, which have generally and wrongly applied the obligation at an overarching, organisation‑wide level.
The exceptions to this obligation
There are two exceptions to the requirement for the organisation to offer the option of anonymity or pseudonymity in relation to each particular matter or interaction with the organisation under APP 2.2, where:
“(a) the [organisation] is required or authorised by or under an Australian law or a court/tribunal order, to deal with individuals who have identified themselves; or
(b) it is impracticable for the [organisation] to deal with individuals who have not identified themselves or have used a pseudonym.”
The first exception under APP 2.2, where the organisation is required or authorised by or under an Australian law or order, has often been applied far too widely, such that a requirement under an Australian law for one specific activity is interpreted as purportedly covering all activities, interactions and matters of the organisation, even though on an objective reading only certain limited activities of the organisation are actually ‘required or authorised’ by that Australian law to have individuals identify themselves. Whether an Australian law or court/tribunal order requires, or authorises the organisation to request, that the individual identify themselves to the organisation must be assessed for each and every activity, interaction or ‘matter’ of the organisation with each individual.
The second exception under APP 2.2 is also often misapplied by organisations, being extended beyond the core activities that genuinely need an individual to identify themselves to every activity and interaction of the organisation with individuals, irrespective of the actual need for identification in that ‘matter’. This blanket application of APP 2.2(b) does not reflect the actual requirement to provide the option of anonymity/pseudonymity to all individuals in relation to each particular matter or specific interaction with the organisation.
The application of the exemptions in APP 2.2 is a separate activity‑by‑activity, service‑by‑service and interaction‑by‑interaction investigation and analysis.
When and how to offer anonymity/pseudonymity?
Organisations must apply APP 2.1 to each matter, interaction and activity with each individual and offer each individual the option to not identify themselves or to use a pseudonym for each such activity or interaction, except where an exemption under APP 2.2 applies. The obligation under APP 2.1, with each possible exemption under APP 2.2, must be applied at the interaction, activity and matter level, not generally at a whole of organisation level.
A practical way of ensuring that the APP 2.1 obligation is appropriately addressed by the organisation is to start from the premise that each activity or interaction of the organisation with an individual can be provided or undertaken without the individual identifying themselves. From this premise the organisation should then determine, objectively, if either of the APP 2.2 exceptions apply. The organisation must offer the option for individuals not to identify themselves and/or to use a pseudonym unless and until the organisation can objectively establish that: (a) there is an Australian law or order that requires or authorises them to deal with the individual on an identified basis for the specific interaction; or (b) it is impracticable for the organisation to deal with the individual for that specific activity or interaction unless they identify themselves.
For example, where an organisation makes general information available about its services or products, it is unlikely that any law will require the individual to identify themselves, or authorise the organisation to ask them to, in order to obtain that information. Therefore, the exception in APP 2.2(a) will not be triggered. Likewise, it seems difficult to justify in those circumstances that it is impracticable for the organisation to provide such information anonymously or pseudonymously. Therefore, the exception in APP 2.2(b) will not be triggered. Even though it may be preferable for the organisation to obtain the individual’s name in order to follow up with them, in the absence of a specific law expressly requiring or authorising identification, the option of not identifying themselves or of using a pseudonym must be offered to the individual by the organisation.
Where do anonymity and pseudonymity fit with information privacy?
While included as APP 2 in Australian privacy law, a positive obligation to provide individuals with the option of not identifying themselves or to use a pseudonym when dealing with organisations is not common in the privacy laws of other countries. Not even the GDPR, the often self-proclaimed ‘gold standard’ of privacy laws, includes this specific requirement. APP 2 can therefore be understood as a conscious decision by lawmakers to provide an additional practical protection to individuals above and beyond the usual and more traditional information privacy protections. In this context, the APP 2 obligation should be seen as complementary to and an extension of the organisation’s security obligations under APPs 11.1, 11.2 and 11.3 and the organisational measures required under APPs 1.2 and 11.3 to ensure compliance with APP 11.
Anonymity provides individuals with the freedom to engage in activities or express opinions without fear of retaliation, judgement or negative consequences to their person. In an information privacy context, that is, the protections under the Privacy Act, if an organisation does not comply with its privacy obligations or there is a data breach, then the individual’s personal information may be revealed despite those protections. However, where the individual and the information provided to the organisation are anonymous, even in cases of non-compliance or a data breach the personal information of the individual is not exposed and cannot be the subject of any unauthorised access, disclosure or misuse – it is safe from the negligent or malicious acts of all others, providing individuals with the ultimate practical protection of their personal information. The upside for the organisation under most privacy laws, including the Privacy Act and the GDPR, is that anonymous information is not subject to the provisions of the privacy law.
Taking a lead from the GDPR and the European Data Protection Board’s (EDPB) recent Guidelines 01/25 on Pseudonymisation adopted on 16 January 2025 (Pseudonymisation Guidelines), pseudonymisation may be used more broadly as a technical and organisational measure (TOM) under APP 11.3. In addition to the obligation to offer pseudonymity and/or anonymity under APP 2.1, pseudonymisation could also be used by organisations as part of both their wider arsenal of TOMs required under APP 11.3 and their data minimisation obligations under APPs 3, 4, 9 and 11.2. For example, the EDPB notes in the Pseudonymisation Guidelines that pseudonymisation can be used to meet various privacy requirements, in particular:
as part of a suite of appropriate technical and organisational measures;
for data minimisation, confidentiality and purpose limitation for internal processing and/or for a pre-defined set of external recipients;
to address lawfulness, fairness and accuracy principles;
assisting with security of information appropriate to the risk; and
as a supplementary measure for overseas disclosures.
However, as the EDPB points out in the Pseudonymisation Guidelines, in order for organisations to achieve these benefits a number of requirements must be implemented for such a program, more than simply allowing pseudonyms to be used.
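To make the Article 4(5) GDPR definition quoted earlier concrete, here is an added illustration (not code from the article or the EDPB guidelines) of pseudonymisation where the “additional information” is held separately: a constructed custodian holds an HMAC key and the pseudonym‑to‑identifier mapping, the processing dataset carries only pseudonyms, and an unkeyed hash is shown for contrast because it can be undone by anyone able to enumerate the inputs. The key, record layout and sample addresses are all constructed for the example.

```python
"""Keyed pseudonymisation with the 'additional information' held separately.
Added illustration, not from the article or the EDPB guidelines: HMAC-SHA256
under a key that only a separate custodian holds; the dataset carries pseudonyms only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

class PseudonymCustodian:
    """Holds the key and the reverse mapping, apart from the pseudonymised data."""
    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        # Deterministic, so records about one person stay linkable internally.
        pseudonym = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Re-attribution needs this separately held mapping (or the key).
        return self._lookup.get(pseudonym)

def pseudonymise_records(custodian: PseudonymCustodian, records: List[dict]) -> List[dict]:
    """Replace the direct identifier with a pseudonym; keep only the matter data."""
    return [{"pid": custodian.pseudonymise(r["email"]), "matter": r["matter"]} for r in records]

def unkeyed_pseudonym(identifier: str) -> str:
    """A plain hash is not adequate: anyone who can list the inputs can undo it."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def reverse_by_enumeration(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Why the key must exist and stay separate: an unkeyed pseudonym is guessable."""
    for candidate in candidates:
        if unkeyed_pseudonym(candidate) == pseudonym:
            return candidate
    return None

# Constructed sample records (fictitious addresses).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "matter": "product enquiry"},
    {"email": "bob@example.com", "matter": "complaint"},
    {"email": "alice@example.com", "matter": "follow-up enquiry"},
]
```

Whoever holds only the pseudonymised records cannot attribute them to a person; the custodian holding the key and mapping can, which is exactly the separation the definition requires.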
Conclusion - a call to action
APP 2 can no longer be ignored by organisations. The APP 2.1 obligation and the APP 2.2 exemptions must be applied on a case-by-case or matter-by-matter basis. On the bright side, any anonymous information collected by an organisation will not be subject to the privacy obligations under the Privacy Act, and pseudonymisation may help the organisation meet its technical and organisational measures requirement under the new APP 11.3.
Apologies to the amazing Tina Turner and her 1984 No. 1 hit “What’s Love Got to Do with It”.