
SaaS Agreement (Australia)

Maintained by Vladislav Sergienko, Founder

What is a SaaS Agreement (Australia)?

A SaaS Agreement in Australia is a legally binding written contract under which a provider gives a customer access to cloud-hosted software on a subscription basis and which sets out the service levels, fees, data handling and liability terms that govern that relationship.

Australian SaaS agreements must comply with a distinct set of legal requirements that differ materially from US or UK templates. The key statutes are the Australian Consumer Law (ACL) — Schedule 2 to the Competition and Consumer Act 2010 (Cth), enforced by the Australian Competition and Consumer Commission (ACCC) — the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

The ACL's unfair contract terms (UCT) regime under Sections 23 to 28 is one of the most significant considerations for SaaS providers. Since 9 November 2023, under the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 (Cth), unfair terms in standard form contracts with consumers and small businesses are not only void but prohibited, and proposing or relying on one attracts civil penalties for corporations of up to the greatest of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. A SaaS agreement is presumed to be a standard form contract where the customer has not had a genuine opportunity to negotiate the terms. Under Section 23 of the ACL, a contract is a small business contract if at least one party employs fewer than 100 people or has annual turnover below $10 million. Terms commonly challenged under the UCT regime include broad unilateral variation rights, automatic renewal clauses with short cancellation windows, and asymmetric termination rights.

Privacy obligations arise under the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) for APP entities — broadly, organisations with annual turnover above $3 million and certain categories of entity regardless of turnover. APP 11 requires reasonable security safeguards for personal information. APP 8 imposes obligations before disclosing personal information to overseas recipients, including cloud infrastructure providers. APP 1 requires a current, publicly available privacy policy. Under Section 13G of the Privacy Act 1988 (Cth), serious or repeated interference with the privacy of individuals can attract civil penalties of up to $50 million. The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act and can investigate complaints, conduct audits, and seek civil penalty orders for serious or repeated contraventions. The Spam Act 2003 (Cth) requires SaaS providers to obtain consent before sending commercial electronic messages and to provide functional unsubscribe mechanisms. The Australian Communications and Media Authority (ACMA) enforces the Spam Act 2003 and can impose infringement notices and civil penalties for non-compliance. The forms-legal.com SaaS Agreement (Australia) template addresses all material ACL, Privacy Act, and Spam Act obligations within a commercially practical framework.

When do you need a SaaS Agreement (Australia)?

Any Australian business offering cloud-based software on a subscription basis needs a compliant SaaS agreement before onboarding its first subscriber. The agreement governs every customer relationship for the life of the platform; operating without one leaves the provider's liability uncapped, leaves its privacy and security obligations to customers undefined, and makes its payment and renewal terms difficult to enforce.

The agreement is needed from the outset when the SaaS platform collects, stores, or processes personal information about end users or customers. Note that handling personal information does not by itself make the provider an APP entity: the $3 million turnover threshold or one of the exceptions to the small business exemption (such as providing a health service or trading in personal information) must apply. Where the provider is an APP entity, the agreement must address customer data ownership, APP 11 security obligations, APP 8 cross-border disclosure controls, and what happens to data on termination. Where the provider uses offshore cloud infrastructure, such as Amazon Web Services, Microsoft Azure, or Google Cloud, and the arrangement amounts to a disclosure of the information rather than a mere use of it, APP 8 requires the provider to take reasonable steps to ensure the overseas recipient handles the information in accordance with the APPs, and the provider remains accountable for the recipient's handling of that information.

A SaaS agreement also matters when the provider sends marketing emails or in-app promotional messages to subscribers. The Spam Act 2003 (Cth) prohibits sending unsolicited commercial electronic messages with an Australian link unless the recipient has given express or inferred consent, and every such message must identify the sender and carry a functional unsubscribe facility. Penalties for repeat corporate contraventions can reach roughly $2 million or more per day. The agreement should record how consent is obtained, confirm that the provider's communications comply with the Spam Act 2003, and commit the provider to maintaining a functional unsubscribe mechanism.

Where the customer base includes consumers or small businesses (fewer than 100 employees or annual turnover below $10 million under s 23 of the ACL), the UCT regime applies. The provider must audit its standard terms, particularly limitation of liability clauses, auto-renewal provisions, unilateral price increase rights, and data deletion policies, to confirm they do not create a significant imbalance in the parties' rights that is not reasonably necessary to protect the provider's legitimate interests and would cause detriment to the customer if relied on.

SaaS providers serving regulated sectors may face additional sector-specific obligations affecting the agreement's data handling, outsourcing, and notification provisions: Australian financial services licensees regulated by the Australian Securities and Investments Commission (ASIC) under the Corporations Act 2001 (Cth); authorised deposit-taking institutions, insurers and superannuation funds regulated by the Australian Prudential Regulation Agency (APRA), whose Prudential Standard CPS 234 Information Security imposes information-security and incident-notification requirements that flow down to the third parties managing their information assets; and health service providers, which are APP entities regardless of turnover and whose registered practitioners are regulated by the Australian Health Practitioner Regulation Agency (AHPRA). Legal advice from an Australian technology lawyer is recommended for providers serving these sectors.

What a SaaS Agreement (Australia) should contain

A legally sound Australian SaaS Agreement must address the following elements to comply with the ACL, Privacy Act 1988 (Cth), Spam Act 2003 (Cth), and commercial best practice.

Parties and service description: Full legal names and Australian Business Numbers (ABNs) of both parties; a precise description of the software service including version, platform, and any included support or professional services; the number of authorised users; and any geographic or usage restrictions.

Subscription fees and billing: The subscription fee in AUD, expressed inclusive or exclusive of GST as required under the A New Tax System (Goods and Services Tax) Act 1999 (Cth); the billing cycle (monthly or annual); the auto-renewal terms and notice required to cancel; the provider's right to increase fees on renewal; and consequences of late payment.

Uptime SLA and service credits: The uptime commitment expressed as a percentage (e.g., 99.5% measured monthly); how downtime is measured and what events are excluded (scheduled maintenance, events beyond the provider's control); the service credit calculation for SLA breaches; and the process for claiming credits.
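The SLA clause above only works if the provider can actually measure what it promised. The following is an added illustration, not part of the template, of how a provider's reporting tool might compute monthly availability and the resulting credit: overlapping incident records are merged so they are not double-counted, outages are clipped to the calendar month, and excluded windows (scheduled maintenance, events beyond the provider's control) are removed from both the downtime and the measurement period. The 99.5% target, the credit tiers and the sample incidents are all assumed values constructed for the example.

```python
"""Monthly uptime and service-credit calculation for a SaaS SLA.

Added illustration (not the template's own text). Assumptions, all hypothetical:
  - the SLA commitment is 99.5% availability measured per calendar month;
  - outages and exclusions are recorded as (start, end) naive UTC intervals;
  - excluded windows are neither counted as downtime nor included in the
    measurement period (the denominator);
  - credit tiers: 10% of the monthly fee below 99.5%, 25% below 99.0%.
"""
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

Interval = Tuple[datetime, datetime]

SLA_TARGET_PCT = 99.5
# (uptime floor, credit fraction), lowest floor first; assumed tiers
CREDIT_TIERS = [(99.0, 0.25), (99.5, 0.10)]


def _merge(intervals: Iterable[Interval]) -> List[Interval]:
    """Merge overlapping or touching intervals so overlapping incidents count once."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _clip(intervals: Iterable[Interval], lo: datetime, hi: datetime) -> List[Interval]:
    """Restrict intervals to [lo, hi) and drop anything that falls outside."""
    out = []
    for s, e in intervals:
        s2, e2 = max(s, lo), min(e, hi)
        if s2 < e2:
            out.append((s2, e2))
    return out


def _subtract(intervals: List[Interval], exclusions: List[Interval]) -> List[Interval]:
    """Remove excluded windows from (merged, sorted) intervals."""
    result = []
    for s, e in intervals:
        cur = s
        for xs, xe in exclusions:  # exclusions are merged and sorted
            if xe <= cur or xs >= e:
                continue
            if xs > cur:
                result.append((cur, xs))
            cur = max(cur, xe)
            if cur >= e:
                break
        if cur < e:
            result.append((cur, e))
    return result


def _total(intervals: Iterable[Interval]) -> timedelta:
    return sum((e - s for s, e in intervals), timedelta())


def monthly_uptime(year: int, month: int, outages: Iterable[Interval],
                   exclusions: Iterable[Interval]) -> float:
    """Availability percentage for the calendar month, net of excluded windows."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    excl = _merge(_clip(exclusions, start, end))
    down = _subtract(_merge(_clip(outages, start, end)), excl)
    measured = (end - start) - _total(excl)
    return 100.0 * (1 - _total(down) / measured)


def service_credit(uptime_pct: float, monthly_fee_aud: float) -> float:
    """Credit in AUD owed for the month under the assumed tiers (0.0 if SLA met)."""
    for floor, fraction in CREDIT_TIERS:
        if uptime_pct < floor:
            return round(monthly_fee_aud * fraction, 2)
    return 0.0


# Constructed sample incident log for April 2024 (43,200 minutes).
SAMPLE_OUTAGES = [
    (datetime(2024, 3, 31, 23, 0), datetime(2024, 4, 1, 0, 30)),   # spans month boundary: 30 min counts
    (datetime(2024, 4, 3, 2, 0), datetime(2024, 4, 3, 3, 30)),     # 90 min, first 60 in maintenance window
    (datetime(2024, 4, 10, 14, 0), datetime(2024, 4, 10, 14, 20)),  # two overlapping incident records...
    (datetime(2024, 4, 10, 14, 10), datetime(2024, 4, 10, 14, 45)),  # ...merged to 45 min
    (datetime(2024, 4, 20, 8, 0), datetime(2024, 4, 20, 12, 0)),    # entirely inside excluded window
    (datetime(2024, 4, 25, 0, 0), datetime(2024, 4, 25, 3, 0)),     # 180 min
]
SAMPLE_EXCLUSIONS = [
    (datetime(2024, 4, 3, 2, 0), datetime(2024, 4, 3, 3, 0)),      # scheduled maintenance, 60 min
    (datetime(2024, 4, 20, 8, 0), datetime(2024, 4, 20, 12, 0)),   # upstream carrier failure, 240 min
]


def example_report(monthly_fee_aud: float = 1200.0) -> Tuple[float, float]:
    """Uptime and credit for the constructed April 2024 sample."""
    uptime = monthly_uptime(2024, 4, SAMPLE_OUTAGES, SAMPLE_EXCLUSIONS)
    return uptime, service_credit(uptime, monthly_fee_aud)


if __name__ == "__main__":
    up, credit = example_report()
    print(f"April 2024 uptime {up:.4f}% (target {SLA_TARGET_PCT}%), credit AUD {credit:.2f}")
```

For the sample data, 285 minutes of chargeable downtime against a 42,900-minute measurement period gives about 99.34% uptime, below the 99.5% target but above 99.0%, so the 10% tier applies. Whichever policy the agreement adopts on exclusions (removed from the denominator, as here, or only from the numerator), the clause and the reporting code must agree, because the choice changes the result at the margin.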

Intellectual property: Confirmation that the provider owns all IP in the software and grants the customer a limited, non-exclusive licence to use it during the subscription term; that the customer owns its data; and that neither party acquires any rights in the other's background IP. Under Section 35(6) of the Copyright Act 1968 (Cth), software created by an employee in the course of employment is owned by the employer, a factor relevant to providers' IP chain of title.

Customer data and privacy: A clear statement that the customer retains ownership of its data; the provider's obligation to process data only as instructed and in accordance with the APPs; APP 11 security safeguards including encryption, access controls, and incident response; APP 8 cross-border disclosure controls for data stored or processed offshore, noting that under Section 16C of the Privacy Act 1988 (Cth) the disclosing APP entity remains accountable for the overseas recipient's handling of the information; the data return and deletion process on termination; and breach notification obligations consistent with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), enforced by the OAIC. Under Part IIIC, an APP entity that suspects an eligible data breach must complete its assessment within 30 days and, where the breach is likely to result in serious harm to any affected individual, notify the OAIC and affected individuals as soon as practicable. Because the provider will usually detect a breach of customer data before the customer does, the agreement should oblige the provider to notify the customer within a fixed period well inside that 30-day window so the customer can meet its own obligations.

ACL compliance: An acknowledgment that the ACL consumer guarantees under Sections 60 to 62 (due care and skill, fitness for purpose) cannot be excluded; confirmation that the agreement does not contain unfair terms prohibited by Sections 23 to 28; and a limitation of liability clause that complies with Section 64A of the ACL for consumer contracts.

Spam Act compliance: A representation that all marketing and promotional communications sent by the provider to subscribers comply with the Spam Act 2003 (Cth), including consent, sender identification, and unsubscribe requirements enforced by the Australian Communications and Media Authority (ACMA).

Governing law: The laws of the relevant Australian state or territory; the jurisdiction of that state's Supreme Court or the Federal Court of Australia for disputes; and an optional mediation step before litigation. The forms-legal.com SaaS Agreement (Australia) template covers all these elements in a format ready for immediate use by Australian technology businesses, including those regulated by the Australian Securities and Investments Commission (ASIC) under the Corporations Act 2001 (Cth).


Based on Corporations Act 2001 (Cth) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified lawyer for advice specific to your situation.


Related Documents

You may also find these documents useful:

Software Licence Agreement (Australia)

Licence software in Australia with this comprehensive Software Licence Agreement covering SaaS, on-premises, and hybrid delivery models. Compliant with the Copyright Act 1968 (Cth) (software protected as literary work), the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) including consumer guarantees for digital products, and the Privacy Act 1988 (Cth) with Notifiable Data Breaches scheme. Covers uptime SLA, support terms, acceptable use, IP ownership of customisations, data ownership, GST, and limitation of liability.

Service Agreement (Australia)

Create a comprehensive Australian Service Agreement compliant with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)) and the common law of contract. Covers scope of services, GST-inclusive or exclusive fees, payment terms, consumer guarantees, intellectual property ownership, confidentiality, Privacy Act 1988 obligations, limitation of liability, and termination rights. Suitable for consultants, freelancers, agencies, and businesses providing services to other businesses or consumers across all Australian states and territories.

Data Processing Agreement (Australia)

As Australian businesses increasingly outsource data-intensive functions to third-party service providers (cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms) the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement.

The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs, that is, a breach likely to result in serious harm to one or more individuals. Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the APP entity's own assessment and notification deadlines) so the APP entity can assess whether the breach is notifiable and take required action.

Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable.

The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures.

The Attorney-General's Department released the Privacy Act Review Report in February 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as reforms enacted in response to those recommendations may require updates to existing DPAs.

Best practice for an Australian DPA, informed by the OAIC's guidance and aligned with international standards, includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.

Privacy Policy (Australia)

Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.

Website Terms of Use (Australia)

Create compliant Website Terms of Use for your Australian business, drafted in accordance with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), the Electronic Transactions Act 1999 (Cth), the Privacy Act 1988 (Cth), and the Online Safety Act 2021 (Cth). Our template covers acceptance mechanisms, intellectual property protections, user obligations, limitation of liability, consumer guarantee disclaimers, and governing law. Unlike generic templates, this document reflects Australian-specific legal requirements — including the mandatory acknowledgement that consumer guarantees under the Australian Consumer Law cannot be excluded.