The newly enacted Privacy Amendment (Enhancing Privacy Protection) Act of 2012, which introduced the Australian Privacy Principles (APPs), has left many local businesses scrambling to meet their compliance obligations under the new laws, but what about foreign companies—particularly foreign service providers? Many companies outside of Australia have not yet put the new privacy rules on their radar, even though web-based businesses that collect or hold personal information from individuals in Australia are subject to the Act. Failure to comply with the APPs comes with a hefty price tag—up to $1.7 million. This article discusses two immediate ways in which foreign companies may be subject to liability under the new APPs.
Having an ‘Australian Link’
The Australian Privacy Principles apply extraterritorially where an organization has an ‘Australian Link’. An Australian Link exists where an organization or small business operator is an Australian citizen; is incorporated in Australia or has its central management and control there; or is a partnership or trust created in Australia. More importantly for foreign service providers, the privacy commissioner will also find that an Australian Link exists where “(an organization) carries on business in Australia or an external territory, and it collected or held personal information in Australia or an external territory.”
The privacy commissioner interprets “carrying on business” in a manner that departs from the traditional notion of that standard in Australian law. Under the traditional view, an organization is “carrying on business” in Australia when it is physically present in the jurisdiction or its business activities involve systematic, regular and continuous acts in Australia, such as targeted marketing or sales. The new, broader view would consider an organization with an exclusively online presence that collects personal information from individuals physically located in Australia to be “carrying on business” in Australia. This interpretation of “carrying on business” seems to be confined to the new privacy laws and is seemingly unsupported by prior Australian jurisprudence in other sectors.
As a result, a wide array of web-based service providers and businesses with customers located in Australia from whom they have collected personal information may now find themselves subject to the APPs. Further complicating matters, because of this new interpretation of “carrying on business,” companies relying on the old standard may be unaware of their potential liability under the new privacy regime. It is important to note, however, that this standard is very new and it is not yet clear how it will be applied.
You May Soon Have a Contractual Obligation To Comply
An accountability framework introduced by APP 8 requires Australian businesses to “take reasonable steps to ensure that an overseas recipient of personal information does not violate the APPs.” Under the new framework, Australian companies are directly liable for any privacy breach by an overseas recipient, even where reasonable steps were taken to ensure compliance with the APPs. Going forward, Australian businesses are likely to begin contractually obligating their foreign service providers to adhere to the APPs to insulate themselves from liability and meet their own obligations under APP 8.
It is important to note that APP 8 does not apply unless personal information is disclosed to an overseas recipient. ‘Disclosure’ is not defined in the Privacy Act, but the OAIC guidance explains that disclosure occurs when an organization releases the subsequent handling of personal information from its effective control. Surprisingly, however, neither the APPs nor the OAIC guidance mentions the effect of encryption with regard to APP 8. Whether personal information that is encrypted before being provided to a service provider has been ‘disclosed’ for the purposes of APP 8 is debatable.
Accordingly, there may still be an obligation to comply with the new rules, even if a foreign company is not itself covered by the Privacy Act. A foreign business, however, may not need as extensive an understanding of the APPs as local businesses, because the OAIC guidance describes specific contractual obligations that Australian companies should impose on overseas recipients to satisfy the ‘reasonable steps’ test of APP 8. These contractual obligations include requiring that the overseas recipient implement a data breach response plan; comply with the APPs related to collection, use, disclosure, storage, destruction and de-identification; and ensure that its sub-contractors agree to the same terms of compliance. This suggests that foreign companies required to comply with the APPs via contract may have only a limited subset of the APPs with which to comply.
Though the APPs took effect only recently and it is unclear how the rules will be applied in practice, companies must understand whether they are subject to liability under the new rules and, if so, take meaningful steps toward full compliance. It is also important for foreign companies with Australian ties to stay abreast of new developments as the APPs are enforced and interpreted.