The amended Privacy Act and APPs aim to ensure that any information disclosed overseas is still treated in accordance with the Privacy Act1.
A threshold issue is whether the transfer of personal information overseas constitutes a 'disclosure', thereby engaging APP 8.1 (discussed below). Where an entity retains control over the personal information and the contractor relationship is more akin to one of agency, there may not be a 'disclosure' but a 'use' of the personal information. This is most commonly and clearly seen in the relationship with cloud storage providers2. However, even in these circumstances, it is important to bear in mind that APP 11 will apply. APP 11 requires that the Australian entity that outsources personal information has taken reasonable steps to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure. If the overseas recipient leaks personal information to the public without the individual's consent, the Australian entity may be liable under APP 11. The remainder of this article proceeds on the basis that there is a 'disclosure' and that APP 8.1 also applies.
Obligations on the entity disclosing information
If APP 8.1 applies, an act done or a practice engaged in, by an overseas recipient that is not otherwise covered by the Act, will generally be deemed to have been done, or engaged in, by the APP entity3.
APP 8.1 applies unless the disclosure falls within the list of exceptions in APP 8.2. These include disclosures where:
- the individual has provided consent to the disclosure (discussed below);
- the entity believes the overseas recipient is bound by privacy laws which are substantially similar to the APPs and there are mechanisms that individuals can access to take action to enforce these laws; or
- the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
The operation of these provisions may be most easily understood by illustration. If an Australian entity:
- chooses to outsource its customer services division to a Chinese-based entity that does not carry on business in Australia;
- does not seek to maintain control over the customers' personal information when it is within the hands of the Chinese entity; and
- does not seek the customers' consent before transferring their information overseas,
it is likely that the Australian entity would need to take reasonable steps to ensure the Chinese entity complied with the APPs (except APP 1) before sending the customers' information overseas. Further, the Australian entity risks being liable for any mishandling of that information by the Chinese entity4.
The Guidelines on the APPs explain that taking 'reasonable steps' generally involves entering enforceable contractual arrangements5. For this reason, it is important for entities to keep arrangements with their overseas contractors well documented, ensure that the agreements clearly impose obligations and responsibilities, and allow for the Australian entity to monitor compliance (such as through audits). Contractual obligations may include obligations on the recipient and any of its sub-contractors to comply with the APPs in relation to collection, use, disclosure, storage and destruction or de-identification of personal information, a complaints handling process and a requirement that the recipient implements a data breach response plan including a mechanism for notifying the Australian entity where there are reasonable grounds to suspect a data breach6.
Exceptions to APP 8.1
While there are a number of exceptions to APP 8.1, relying on them can be problematic. As mentioned above, an exception to APP 8.1 arises where an individual provides his or her consent to the disclosure. For an entity to avail itself of this exception, it must have expressly informed the individual that, if he or she consents to the disclosure of the information, the provision will not apply to the disclosure, and after being so informed, the individual must have provided his or her consent to the disclosure7.
However, a number of issues need to be borne in mind if seeking to rely on consent, including:
- the consent must be valid - the Guidelines on the APPs outline the four criteria for a valid consent, namely that the individual must be adequately informed before giving their consent, the individual must give their consent voluntarily, the consent must be current and specific and the individual must have the capacity to understand and communicate their consent8. While it may be tempting to seek broad consents (e.g. to a wide range of overseas collections, uses and disclosures for an unspecified period of time), these may not be sufficiently voluntary or specific9;
- additional administrative obligations - amongst other things, a consent database will need to be maintained10. Entities that seek consents face an added compliance burden of recording the purpose of the consent (to ensure that the consent is only relied upon for these purposes), the date when the consent was given (as a consent is not taken to endure indefinitely11), and refused or withdrawn consents (to ensure previous consents are not relied upon12).
Another exception to APP 8.1 applies where the entity believes the overseas recipient is bound by privacy laws that are substantially similar to the APPs and there are mechanisms that individuals can access to take action to enforce these laws13. At first blush this exception may appear relatively easy to satisfy but there are a number of hurdles, namely:
- to fall within this exception the entity must have a reasonable basis for its belief14;
- it is a question of fact whether the privacy laws are 'substantially similar' to Australian privacy laws; the Privacy Commissioner has not assisted entities by providing a white list of countries that he considers satisfy these requirements15;
- the inquiry goes towards whether the overseas recipient is bound by substantially similar laws. An overseas recipient may not be subject to a law or binding scheme where, for example, it is exempt from complying or is authorised not to comply with part, or all of the privacy or data protection law in the jurisdiction16. In many cases, this requires a detailed examination of the statute in that jurisdiction;
- there must also be enforcement mechanisms accessible to the individual and there must be effective powers to enforce the privacy or data protection laws17.
Other exceptions relate to employee records (discussed further below); circumstances where the disclosure is required or authorised by or under an Australian law or, for agencies, an international agreement; threats to life, health or safety; suspicions of unlawful activities or misconduct of a serious nature; missing persons; and enforcement-related activities18.
Intra-group information sharing
A common practice of multinational corporations is to share personal information, often for the purposes of centralising recruitment processes for prospective employees or streamlining information handling facilities (such as customer service or order processing facilities).
In broad terms, under section 13B of the Act, the sharing of personal information (other than sensitive information) collected by one company with a related company does not constitute an interference with the privacy of an individual. This provision is not limited to related companies in Australia.
However, the Explanatory Memorandum states that APP 8 still applies 'where an organisation sends personal information to a 'related body corporate' located outside Australia'. It is therefore prudent for entities to ensure that intra-group agreements include privacy obligations to ensure compliance with the Act and to establish clear lines of communication, responsibilities and liabilities in the event of a data breach.
The APPs provide that where a body corporate collects personal information from a related body corporate, it is taken to have the same primary purpose as the related body corporate that collected the personal information19. Corporate groups need to be mindful that personal information can still generally only be used by related bodies corporate for the primary purpose for which the information was collected or a related secondary purpose, unless the individual has provided their consent20. Collection notices that are provided to individuals at the time that their personal information is collected should therefore clearly contemplate all proposed uses of the personal information by the corporate group.
In Australia, there is also an exemption under the Act for employee records21. Under this exemption, any use or disclosure of an employee record directly related to the current or former employment relationship between the employer and the employee will be exempt from the operation of the Act. International groups that pool their employees' personal information may believe that their use and disclosures of employee records fall within this exemption. However, this exemption only relates to acts or practices by the employer and not to the entire corporate group.
Given the potential liability that Australian entities face under the Act and APPs for sending personal information overseas, it is important to review these acts and practices, including contractor and intra-group agreements, together with internal document handling policies and consumer-facing collection notices.