Recent data breaches in Australia have highlighted the lack of effective privacy controls in organizations. These include controls to ensure destruction of personal information after it is no longer required, deactivating ex-employee accounts and ensuring software deployment processes impacting access to personal information undergo privacy risk assessments.

Recent data breaches have caused changes to the Privacy Act 1988 to be rushed through Parliament. Changes include:

• Increasing penalties for body corporates from AU$2.2million to one of three options: AU$50 million, three times the value of the benefit obtained through the misuse of information or 30% of adjusted turnover in the relevant period, whichever is greater.
• Increasing the powers of Australia’s data protection authority, the Office of the Australian Information Commissioner.
• Increasing the extraterritorial reach of the Privacy Act.

The media's focus has been on the increase in penalties and powers, perhaps to cater to the Australian audience. However, globally, the largest change is to the applicability of the Privacy Act to organizations operating globally and in Australia. The expansion of extraterritorial applicability of the Privacy Act means higher penalties could apply to a whole new set of businesses overnight.

This article offers a deeper look into the impact of the extraterritorial reach expansion in Section 5B of the Privacy Act.

What is the purpose of Section 5B of the Privacy Act?

Section 5B helps us understand the extraterritorial reach of the Privacy Act outside of Australia. Specifically, it identifies when business functions or processes performed outside Australia, by an organization outside the country, has an “Australian link” and could be caught by the Privacy Act.

What is changing?

Before the changes, according to Section 5B (3), an organization could have an Australian link if it was not an organization as defined by Section 5B (2) and met both the following conditions:

1. “The organisation or operator carries on business in Australia or an external Territory.
2. The personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.”

The change to this section means an organization only needs to satisfy the first of the above conditions to have an Australian link and fall under the Privacy Act. Many organizations outside of Australia will be impacted by this change.

What does expanding extraterritorial applicability mean for organizations?

Organizations outside Australia doing business in Australia and handling personal information about Australians are likely to be impacted by this change. The changes have now passed through Parliament, and will apply the day after receiving royal assent — which is imminent. There is no grace period.

The change means the Australian link test is now very broad. There is a lack of case law on the extraterritorial application of the Privacy Act and some applications remain to be tested in the courts. However, the 2022 case of Facebook Inc v. Australian Information Commissioner and the OAIC’s feedback from Australia’s Privacy Act Review provide hints as to how broad the application could be. For example, an organization outside Australia could carry on business in Australia in any of these circumstances:

• If the organization “collect(s) and/or (holds) personal information about an individual who is located in Australia” (8.33).
• Per the Explanatory Memorandum, if an individual is “physically located in Australia or an external Territory, and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia” (8.33).
• If the organization drops a cookie on an Australian’s device from a country outside of Australia.
• If the organization allows Australian developers to use their application programming interfaces to provide services to Australians.

On a practical level, organizations outside Australia could carry on business in Australia by allowing individuals located physically in Australia to:

• Buy or use products or services that collect or store personal information.
• Download mobile applications. For example, allowing Australian businesses such as restaurants to use apps enabling Australian patrons to order food.
• Enter a metaverse.
• Apply for jobs with organizations outside of Australia.
• Chat with a chatbot that collects and stores the conversation's script outside of Australia.
• See personalized advertisements on various platforms.

Organizations could also carry on business in Australia by providing technology support to global organizations storing personal information about Australians, or creating personal information about Australians outside of Australia, through analytics processes.

With the risk of fines larger than in the EU General Data Protection Regulation and regulatory scrutiny due to the broader extraterritorial reach of the Privacy Act, the reaction of the international community is limited to a few submissions to the Senate Standing Committee on Legal and Constitutional Affairs. Australian organizations can at least have greater leverage when carrying on business in Australia, without relying solely on contractual clauses or terms and conditions. 

However, Australia is a much smaller economy than the EU. While some organizations chose to avoid compliance with the GDPR by changing business models so the extraterritorial application did not apply, an even greater number of organizations could also consider changing their business models to avoid compliance with the Privacy Act, if the return on investment is not worth the risk of penalties or compliance investment costs. Australian consumers and organizations could be negatively impacted by increased costs and less choice resulting from reductions in trade and lessening of competition.

On the other hand, avoiding compliance is also not risk-free and costs money. It requires implementation of controls and monitoring to ensure there is no inadvertent collection or use of personal information from individuals in these jurisdictions by the organization or its third parties. A breach of these controls may mean the organization needs to fulfil an Australian individual’s rights and respond to regulators in these countries. Privacy and data protection regulations are becoming stricter in more and more jurisdictions around the world. Organizations avoiding privacy and data protection laws by choosing not to offer products or services to individuals in these countries may only end up hurting their own bottom line.

What does expanding extraterritorial applicability mean for consumers?

The expansion in the extraterritorial application may lead to individual consumers in Australia having greater confidence in the protection of their information when using the services of organizations outside of Australia, as these organizations may need to comply with the Privacy Act.

This change means consumers may have a right to:

• Contact organizations to access or correct their personal information or lodge a privacy complaint.
• Complain to the OAIC if a satisfactory response is not received to an access or correction request or a complaint.

What other privacy changes are coming to Australia?

Australia's comprehensive Privacy Act Review is underway. Draft legislation is expected in the second half of 2023.

In October 2021, the review published a discussion paper proposing significant changes to make the Privacy Act “fit for purpose” in the ever-evolving digital economy.

Given this extraterritorial expansion of the Privacy Act, new business functions and processes caught by this expansion will also need to consider the implementation of the new legal requirements to come.