Australian Information Commissioner investigates Ashley Madison

The Acting Australian Information Commissioner, Timothy Pilgrim, has launched an investigation into the data breach concerning the extra-marital dating website, Ashley Madison, and the company that operates the website, Avid Life Media, Inc. (ALM). The announcement is in response to a high-profile data breach incident which involved the disclosure of personal and sensitive information pertaining to the website's millions of users.

Unlike their North American counterparts, affected users in Australia do not have a personal statutory right to sue for a privacy breach, and will therefore closely monitor this investigation. Given the global nature of this incident (with ALM based in Canada), the investigation will be conducted jointly with the Office of the Privacy Commissioner of Canada.

However, important questions remain regarding the scope of the Commissioner's territorial jurisdiction. For the purposes of the Privacy Act 1988 (Cth) (Privacy Act), an overseas organisation will have 'an Australian link' where it 'carries on business in Australia' or 'has collected or held personal information in Australia'. The term 'carry on business' is not defined in the Privacy Act; however, the APP Guidelines set out relevant factors to be considered, including whether the organisation collects personal information from individuals who are physically in Australia, or whether Australia is one of the countries on the drop-down menu appearing on the organisation's website. Although ALM is a Canadian business that hosts its servers outside Australia, both these factors are clearly met by its business activities.

The hacker group 'Impact Team' claims to have released 30GB of data stolen from ALM, including the email addresses of millions of customers, source code for the website and internal data. Therefore, given the vast scope of this data breach, we expect that the OAIC's investigation will deal primarily with Australian Privacy Principle (APP) 11. To comply with APP 11, an organisation must take 'reasonable steps' to protect the personal and sensitive information it collects and holds from interference, as well as from misuse, loss and unauthorised access, use, modification or disclosure.

This investigation could have serious legal and financial implications for ALM, and the Acting Commissioner has also urged caution for anyone reporting details of the published database (particularly radio and TV networks). For serious and repeated interferences with the privacy of an individual, the Acting Information Commissioner has the ability to impose a maximum civil penalty of A$1.8 million (effective 31 July 2015).

The OAIC will publish a further statement and outline its findings at the conclusion of its investigation. A copy of the OAIC press release is available here.

For more information, please contact Anne-Marie Allgrove, Toby Patten, Jarrod Bayliss-McCulloch or Grace Loukides.