The Ashley Madison saga continues. As we foreshadowed in our earlier blog post, Avid Life Media Inc (ALM), the Canadian-based provider of the extramarital dating site, has been hit with lawsuits in Canada and the United States, flowing from the posting online, by the hacker group 'Impact Team', of personal information (including highly sensitive information) pertaining to the site's many millions of users.
Options for affected Australian users
While lawsuits have commenced in the United States and Canada, affected Australian users must wait. Australia does not have an individual statutory right to sue for a privacy breach (although, in narrow circumstances, an individual may be able to sue for breach of confidence). Instead, affected Australian users will be closely monitoring the investigation commenced by the acting Australian Information Commissioner (Commissioner) into the data breach.
The role of the Commissioner includes addressing potential privacy breaches on the behalf of those affected by the breach once a complaint has been made. On receipt of a complaint, the Commissioner broadly acts as an independent and impartial third party. However, in circumstances where disputes remain unresolved, the Commissioner may, after investigating a complaint against a breach of the privacy of an individual, make a 'determination' on the substance of the complaint.
The Commissioner is taking a proactive approach to the data breach despite ALM, and the majority of the Ashley Madison's users, being based overseas. The Commissioner has already announced that he will conduct the Australian investigation jointly with the Office of the Privacy Commissioner in Canada. This raises a number of issues about the scope of the Commissioner's territorial jurisdiction.
The Privacy Act states that it extends to an act done, or a practice engaged in, outside Australia by an organisation that has 'an Australian link' (section 5B). The APP Guidelines (Guidelines) in turn provide that a foreign organisation (such as ALM) will have 'an Australian link' where the organisation:
- carries on business in Australia; or
- has collected or held personal information in Australia.
Carries on business in Australia
The concept of carrying on a business in Australia is not defined by the Privacy Act. However, the Guidelines provide that factors indicating that an organisation carries on business in Australia include that:
- the organisation collects personal information from individuals who are physically in Australia;
- the organisation has a website which offers goods or services to countries including Australia;
- Australia is one of the countries on the drop down menu appearing on the organisation’s website; and
- the organisation is the registered proprietor of trade marks in Australia.
Collected personal information in Australia
The Guidelines provide a similarly low threshold for personal information to have been collected in Australia. The Guidelines provide that personal information is collected 'in Australia' if it is collected from an individual who is physically present in Australia. This applies regardless of where the collecting organisation is actually located or incorporated.
Beware the Commissioner
As you'll see from the Guidelines, it's not difficult for an overseas organisation to have 'an Australian link' and thereby fall within the ambit of the Commissioner's investigatory powers. While ALM may have been incorporated, operated its business and hosted its servers in Canada (and elsewhere overseas), it nevertheless collected information from individuals in Australia and marketed its services to Australians – making it a valid target of the Australian Privacy Commissioner's investigation.