In the recent case of Professor Barry Spurr against the publishers of New Matilda, Federal Court of Australia Justice Michael Wigney was called upon to apply the Australian federal Privacy Act 1988 to restrain publication by New Matilda of Professor Spurr’s emails. His Honour recounted his journey into the Privacy Act as follows: “A more labyrinthine, opaque piece of legislation I have yet to discover ... legislative porridge ... where almost every word is defined in ways that are counter-intuitive.”
Having spent nine months grappling with Australian Privacy Principle (APP) 8, it is hard not to sympathise with His Honour’s frustration.
Consent to cross-border disclosure
Since the Privacy Act was amended in March 2014 to include the Australian Privacy Principles, including APP 8, which regulates disclosures of personal information by Australian regulated entities to overseas entities, it has become commonplace for Australian regulated entities to seek privacy consents like the following:
We may disclose your personal information to X, Inc., an entity that provides services to us. X, Inc. is not an Australian entity and is not regulated by the Australian Privacy Act 1988 or the Australian Privacy Principles (APPs) in that Act. By providing this Privacy Consent, you consent to the disclosure of your personal information to X, Inc. as a recipient outside Australia, on the basis that if X, Inc. engages in any act or practice that contravenes the APPs, we will not be accountable for it under the Privacy Act and you will not be able to seek redress under the Privacy Act.
Such consents are sought by corporations and other businesses regulated by the APPs - so-called APP entities - with the objective of bringing the APP entity within the APP 8.2(b) ‘consent’ exception (discussed below). If successful, this exception absolves the APP entity that collects the personal information and then discloses it to ‘an overseas recipient’ from accountability under section 16C of the Act for any act or omission by the overseas recipient which is contrary to the APPs. Accountability would otherwise arise through the curious interaction of APP 8.1 and section 16C of the Act. The provisions take quite a different approach from the European use of safe harbours and binding corporate rules, and their operation often gives rise to significant angst - and sometimes incredulity - among privacy counsel working outside Australia. The provisions are also quite odd when looked at closely.
Looking first at the outcome, privacy consents such as that above are drafted with an eye to the Australian Privacy Commissioner’s Guidance as to the APP 8.2(b) exception, which at [8.28] states:
“At a minimum, this statement should explain that if the individual consents to the disclosure and the overseas recipient handles the personal information in breach of the APPs:
- the entity will not be accountable under the Privacy Act
- the individual will not be able to seek redress under the Privacy Act.”
The relevant provisions read as follows:
“APP 8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
- who is not in Australia or an external Territory; and
- who is not the entity or the individual,
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.
APP 8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
- (a) the entity reasonably believes that:
  - (i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
  - (ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
- (b) both of the following apply:
  - (i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
  - (ii) after being so informed, the individual consents to the disclosure; … .”
Section 16C (Acts and practices of overseas recipients of personal information) provides:
“(1) This section applies if:
- an APP entity discloses personal information about an individual to an overseas recipient; and
- Australian Privacy Principle 8.1 applies to the disclosure of the information; and
- the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and
- the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice.
(2) The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:
- to have been done, or engaged in, by the APP entity; and
- to be a breach of those Australian Privacy Principles by the APP entity.”
Avoiding strict liability
So what is it about APP 8.1 and section 16C that leads to the incredulity of privacy counsel working outside Australia? Partly it is that the term ‘overseas recipient’ is not defined or explained in any meaningful way: an overseas recipient might itself be another APP entity which happens not to be in Australia. More fundamentally, on one reading of APP 8.1, strict liability of the disclosing APP entity arises under section 16C regardless of whether the APP entity took reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles. On this reading, an APP entity that has done everything it conceivably could do to protect privacy and to ensure that the overseas recipient does not breach the APPs - risk assessment and mitigation through appropriate operational controls and contractual measures, and implementation of audit and review controls - will still be strictly liable if the overseas recipient acts in a way that would have been a breach of the APPs had that act been an act of the APP entity.
The availability of this reading leads most privacy lawyers to seek to avoid APP 8.1 altogether by bringing an overseas disclosure within one of the exceptions in APP 8.2, of which the two quoted above are the most commonly used.
APP 8 exceptions: Consent vs. ‘Substantially similar’
Why do so many APP entities collecting personal information seek to rely upon APP 8.2(b) rather than APP 8.2(a)? Often it is because legal advisers will not express a view as to whether the laws of a destination country protect the information in a way that is substantially similar to the way in which the APPs protect it and provide adequate remedies. Such an opinion is difficult to give principally because it requires an in-depth knowledge of the privacy rules and remedies in two countries - and every other country’s privacy rules, if not its remedies, differ from Australia’s (notwithstanding, in the Asia Pacific, the existence of the so-called APEC Privacy Framework, available at www.apec.org). Sometimes the remedies in a destination country are quite different from those available under Australian law, and their adequacy or otherwise cannot be the subject of a definitive opinion.
Often the problem is that the rules and remedies might look ‘substantially similar’ but those remedies are not clearly available to an Australian citizen because of jurisdictional obscurities. For example, personal health applications that enable an APP entity to disclose health information to a U.S. entity might be thought to have the benefit of the U.S. Federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the privacy rules implemented pursuant to HIPAA, which are suitably privacy protective. HIPAA will apply to U.S. entities covered by the law regardless of whether the personal health information they receive is from Australia or anywhere else, but it protects information only in the hands of covered entities and their business associates, not health-related information generally: a U.S. recipient that is not a health plan, a healthcare clearinghouse or a provider conducting standard electronic healthcare transactions is simply outside it, and this leads to difficult questions (even leaving aside the further issue of how an Australian resident accesses the remedies available under HIPAA). And to date we have no assistance in the form of adequacy determinations by the Australian Privacy Commissioner, such as those of the European Commission in relation to such exotic destinations as New Zealand, the Faroe Islands and Uruguay. In any event, European determinations are one way only - from the European Union to the destination - and what matters for APP 8.2(a) is whether Australia considers the destination as having ‘substantially similar’ privacy protections and ‘adequate’ remedies.
Effectiveness of consent
So many APP entities seek instead to bring themselves within the APP 8.2(b) exception. But many privacy consents don’t follow the Australian Privacy Commissioner’s Guidance, which arguably expresses the intended effect of APP 8.2(b) but is really a stretch from a literal reading of that provision. Some drafters bury the consent in a privacy statement that says words to the effect of: “If you consent to the collection by us and disclosure of your personal information to our overseas affiliate, APP 8.1 will not apply to the disclosure. By providing your personal information to us, you consent to our disclosure of your personal information to our overseas affiliate on that basis.” This closely follows APP 8.2(b), but it is hardly ‘transparent’: would any individual (other than a privacy professional) register the risk and fully understand the effect of giving the consent?
Of course, the real concern is this: if an affected individual elects to read a privacy consent expressed in the form suggested by the Privacy Commissioner, it sounds quite dire. Are you really saying my personal information is off to Ruritania, there to be shopped to third parties and left open to hackers and other miscreants? So drafters strive to soften the tone of the consent statement. And if, in fact, the practical effect of giving such a consent is not so dire, because the APP entity has done everything it conceivably could do to protect privacy by ensuring that the overseas recipient does not breach the APPs, can the disclosing entity go on to describe what those steps were and why they should reassure the individual reading the form of consent? In policy terms, it makes sense to provide an affected individual with all the information that they reasonably need in order to give a fully informed consent. However, it is arguable that reassurances as to privacy protective measures may offset the APP 8.2(b) warning to such an extent that the individual is misled in weighing whether to give the consent.
This might all sound arcane, but it is a significant commercial issue. Remember that the individuals reading the privacy consent are usually the same individuals that deal online and through smartphones directly with offshore entities that are not effectively regulated in Australia (other than through the operation of the Australian Consumer Law) and that often make florid but meaningless privacy claims which are practically unenforceable both in Australia and in the destination jurisdiction. By contrast, Australian entities effectively underwrite compliance by the offshore entities to whom personal information is disclosed, with that underwriting arguably complete and not qualified by the ‘reasonable steps’ language. So can an APP 8.2(b) disclosure include a description of those reasonable steps without undermining the effectiveness of the exception? It remains to be seen, but in the meantime expect to see APP 8.2(b) exception-based privacy consents continue to multiply and expand in range and creativity.