It means explicit accountability.
Under the existing NPPs, it is not clear that an organisation which transfers personal information off-shore in compliance with NPP9 is necessarily liable and accountable if the recipient of that information uses or discloses that personal information in breach of the NPPs. The new Privacy Amendment Bill introduces an accountability framework which addresses this lack of clarity. It also changes the extra-territorial application of the Privacy Act in a way which requires both organisations and service providers to consider how the new accountability principle will apply to them.
Importantly, the new Privacy Amendment Bill also extends the cross-border disclosure principles (and the accountability framework) so that they also apply to disclosures of personal information by government agencies.
There are two pieces to the new accountability framework.
First is APP 8 – Cross-border Disclosure of Personal Information (which replaces the old NPP 9 - Transborder dataflows). APP 8.1 requires an APP entity, before disclosing personal information to a person who is not in Australia (and who is not the entity itself), to take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs in relation to that information. There is a set of circumstances in which the APP 8.1 obligation does not apply, set out in APP 8.2 (discussed further below).
The second piece to the accountability framework is new section 16C, which comes into play where APP 8.1 applies to the cross-border disclosure of personal information by an APP entity and:
- the APPs do not apply to something done by the overseas recipient in relation to the information; and
- the overseas recipient does something which would constitute a breach of the APPs (if they applied to it).
In these circumstances, the thing done by the overseas recipient is taken to have been done by the APP entity, and to be a breach of the APPs by the APP entity.
The requirement in section 16C that the APPs do not apply to conduct of the overseas recipient means that the deeming provision relating to an APP breach will not apply to an overseas recipient which is bound by the Privacy Act as a result of the extra-territorial provisions in new section 5B(1A). These sections expressly apply the APPs to acts carried out outside Australia by organisations which have an “Australian link”.
A person or an organisation has an Australian link:
- if the person has Australian citizenship or permanent residence;
- if the organisation is formed, created, or incorporated in Australia; or
- if the organisation was not formed, created or incorporated in Australia, it carries on business in Australia and the relevant personal information was collected or at any time held in Australia.
It follows that under the new accountability framework, an organisation that uses a cloud service provider or an outsourcer which is located offshore will not be liable for any breaches of the APPs by that offshore service provider if that cloud service provider or outsourcer is itself subject to the APPs (eg because it carries on business in Australia or otherwise has an Australian link). As the Privacy Act does not set out a test for when an organisation carries on business in Australia, this will fall to be determined by general principles. Clearly, if an entity establishes an office or presence in Australia, or has agents in Australia with authority to bind it, it will be carrying on business in Australia. The situation will be more complex if it has no physical presence in Australia but has Australian customers – this will require careful analysis and consideration.
Compliance with Foreign Laws
Although the APPs have extra-territorial effect as discussed above, section 6A(4) (and the note to section 5B(1A)) make it clear that an act done by an organisation outside Australia will not breach the APPs where that act is required by an applicable law of a foreign country. Thus, an offshore cloud provider who has an Australian link (and is subject to the APPs) will not breach the APPs if it discloses information to a law enforcement authority under a subpoena issued under an applicable foreign law.
Exceptions to Accountability Framework Principles
As noted above, there are a number of exceptions to the obligation in APP 8.1. Importantly, if any of the exceptions apply, then the deeming provision in section 16C does not. This means that if an organisation makes a cross-border disclosure under one of the exceptions to APP 8.1, it is not under an obligation to take reasonable steps to ensure that the recipient does not breach the APPs, nor will it be deemed to be liable for any breach by the recipient of the APPs.
The exceptions are as follows:
- the organisation reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting personal information in a way that overall is at least substantially similar to the APPs AND there are mechanisms that an individual can access to take action to enforce that law or binding scheme;
- the individual consents to the cross-border disclosure after having been expressly informed that the consent means that APP 8.1 will not apply;
- the cross-border disclosure is required or authorised under Australian law;
- where certain “permitted general situations” apply. These are a collection of permitted disclosures which would not apply in normal commercial transactions;
- where an agency discloses personal information under an international information sharing agreement to which Australia is a party;
- where an agency reasonably believes that the disclosure is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body AND discloses the information to a body that is, or has functions similar to those of, an enforcement body.
Notification of offshore disclosures
APP 5.1 requires an APP entity which has collected personal information about an individual to take reasonable steps to ensure that the individual is aware of various things at, or as soon as practicable after, the collection. In the jargon of privacy lawyers, this is known as the obligation to provide a “collection statement”. One such matter to be drawn to the attention of an individual in a collection statement is the country or countries to which the individual’s data may be disclosed by the APP entity if it is likely to disclose the data to overseas recipients and it is practicable to identify the overseas locations.
What does this mean for organisations and agencies?
For Australian organisations, in some ways, these changes will not make a significant practical difference to their risk profile in using overseas cloud providers or outsourcers. While the new accountability framework will make it clear that they are legally liable for any breach by the cloud provider or the outsourcer of the APPs, even under the existing NPPs, the organisation may well have been reputationally liable for such breach. However, there are a number of things that they should look to do:
- review their collection statements and privacy consents to ensure that they cover the disclosure of personal information to their cloud providers and outsourcers, as well as the use by cloud providers and outsourcers of that personal information for the purposes of the organisation;
- ascertain whether or not the cloud provider or outsourcer has an Australian link;
- review the privacy provisions in their contracts to ensure that the Australian organisation has appropriate remedies if conduct by the overseas cloud service provider or outsourcer exposes the Australian organisation to liability under the Privacy Act as a result of them doing something which is deemed to be a breach of the APPs by the Australian organisation; and
- update their collection statements to comply with the new notification requirement.
For agencies, this will be a significant legal change. For the first time, they may have express legal accountability to individuals in relation to privacy if they choose to offshore or use cloud service providers. Although offshoring is not specifically prohibited under the AGIMO Cloud policy or the DSD security guidelines, agencies are expected to undertake a careful risk assessment before doing so.
What does this mean for cloud providers or outsourcers?
Australian cloud providers or outsourcers will not be materially affected by these changes. They are and will remain subject to the terms of the Privacy Act in relation to any personal information collected by them. Of course, if they in turn use an off-shore service provider, then they will need to comply with APP 8 in relation to any disclosures of personal information by them to their offshore service providers.
Offshore cloud providers or outsourcers will have to determine whether or not they have an Australian link, and whether this makes them subject to the APPs. Offshore providers or outsourcers in jurisdictions with data privacy laws that are, overall, substantially similar to the APPs and that afford Australian individuals a mechanism to take action may well be requested by their prospective Australian customers to provide a comparison between the relevant foreign legal regime and the Australian regime.
In any event, all offshore providers and outsourcers can expect to be faced with requests from customers for assurances that the provider or outsourcer will conduct themselves in a manner consistent with the principles applying to the Australian entity and to accept liability for failing to do so.
Given the responsibility of Australian enterprise customers to ensure that their collection statements and privacy consents cover the use and disclosure of personal information by their service providers, prudent service providers with a commitment to providing services to Australian enterprise customers (both in the private and public sectors) will seek to assist their Australian customers to understand and address privacy issues arising out of their respective roles and responsibilities, so that each party bears an appropriate level of responsibility having regard to those matters.