As the digital revolution continues to gather speed, data remains king. Not surprisingly, data protection and privacy are increasingly debated topics; however, the older privacy regimes around the globe, including those in Europe and Australia’s Privacy Act 1988 (Privacy Act), were designed long before today’s technological advancements were contemplated. Legislative reforms are now racing to catch up with the modern information age, with progressive new laws reaching further than ever before.

Amendments to Australia’s privacy regime: soon to be effective

Significant changes to Australia’s Privacy Act become effective on 12 March 2014 (Effective Date), in the form of the:

  • Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amendment Act); and
  • Privacy Regulation 2013. 

One of the most notable amendments is the introduction of 13 new Australian Privacy Principles (APPs)[1], replacing the existing Information Privacy Principles (IPPs) applying to Government agencies, and the National Privacy Principles (NPPs) applying to businesses. The APPs will apply to APP entities – broadly defined as an agency or organisation.

The structure of the 13 APPs, and the order in which they appear in Schedule 1, “are intended to reflect the cycle that occurs as entities collect, hold, use and disclose personal information.”[2]

That cycle comprises:

  • forward planning as to how to meet obligations in relation to the handling of personal information;
  • determining whether such information should be collected;
  • information collection;
  • notification to individuals whose personal information has been collected;
  • information disclosure/use;
  • maintaining the integrity of personal information through secure storage and ensuring its quality; and
  • destruction of personal information or ensuring that it is no longer personal information.

Extra-territorial application of the Act

Whilst the previous regime restricted the transfer of personal information overseas, the APPs apply to personal information collected in Australia, which has new implications for international operations that take personal information out of Australia.

In other words, the Act now has extra-territorial application to organisations and businesses that have an "Australian link"[3]. An Australian link will exist where personal information is collected or held by an organisation or operator "in Australia" (or an external territory), and certain other broad requirements are fulfilled[4]. In this definition, "in Australia" includes the collection, by an overseas entity, of personal information from an individual who is physically present in Australia. For example, a collection of personal information is taken to have occurred "in Australia" where the information is collected from an individual in Australia via a website, even if the website is hosted outside Australia and owned by a foreign company that is based outside Australia and not incorporated in Australia.

Thus, Privacy Act compliance by overseas entities, including privacy policies and complaints procedures, must now be put in place unless an exception applies.

APP 8 – cross border disclosure of personal information

From the Effective Date, APP 8 provides that when an APP entity discloses an individual’s personal information to an overseas recipient, the disclosing entity must take “such steps as are reasonable in the circumstances” to ensure that the overseas recipient does not breach the APPs in relation to the information[5].

In certain circumstances, an act done or practice engaged in by the overseas recipient will be deemed to have been done or engaged in by the APP entity that originally disclosed the information to the overseas recipient[6]. Ouch! As far as possible, this increased regulatory burden on Australian disclosing entities needs to be managed, and should be passed on to the overseas recipient by requiring, under the relevant contractual terms, that the overseas recipient adhere to the APPs.

Exceptions to APP 8

However, an APP entity disclosing personal information to an overseas recipient does not have to take the ‘reasonable steps’ required under APP 8 in certain circumstances, including where the disclosure is required under Australian law. Three commercially relevant exceptions are:

  • Similar International Law - where the disclosing entity reasonably believes that the overseas recipient is subject to a law or binding scheme that has the effect of protecting the personal information in a way that is substantially similar to the way in which the APPs protect personal information (and the individual can access that protection);
  • Informed Consent from the Individual - where the disclosing entity expressly informs the individual that it will not take steps to ensure that the overseas recipient does not breach the APPs, and the individual still consents to the disclosure[7]; and
  • Internal Transfer - transferring personal information within the same legal entity does not breach APP 8, as the entity remains bound by the Act. However, disclosure to a related body corporate overseas will trigger the APP 8 cross-border disclosure rules, because the transfer is to a separate legal entity not otherwise bound by the Privacy Act. Similarly, disclosure of personal information to subcontractors requires contractual terms that protect the information and its use in line with the APPs. This is a significant change from the NPPs, which referred to the “transfer” of personal information, whereas the APPs refer to “disclosure”, which encompasses a wider range of information sharing, including less intentional methods.

What now?

Australian businesses need to be aware that their liability for the disclosure and use of personal information continues after disclosure to an overseas entity (unless an exception applies). This will affect cross-border servers and the terms of use for cloud data storage and computing. The risk can be managed proactively by reviewing current privacy procedures and policies to ensure that “reasonable steps” are taken to protect the information.

International businesses operating in Australia, including those that "carry on business" in Australia or collect, store or hold personal information in Australia, are equally bound by the Privacy Act, including in respect of their actions outside Australian borders (unless exempt). Collaboration with Australian-based suppliers of personal information or related entities will help these businesses make the transition to the new Australian privacy regime.