This is the second article in our coverage of the Australian government’s overhaul of privacy laws. In the First postwe discuss the world’s leading privacy sanctions regime introduced by the recent filing Privacy Legislation (Enforcement and Other Measures) Amendment Bill 2022 (Cth) modifying the Privacy Act 1988 (Cth).
An amendment to the recently tabled proposal Privacy Legislation (Enforcement and Other Measures) Amendment Bill 2022 (Cth) (Bill) will significantly extend the extraterritorial jurisdiction of Australian privacy law and requires the attention of all foreign entities that regularly transact or have contact with Australians. The bill has not yet been enacted and amendments may be made.
Currently, Australia Privacy Act 1988 (Cth) (Privacy Act) applies to foreign entities that both:
- doing business in Australia; and
- collect or store personal information in Australia.
The Bill amends the Privacy Act by deleting member (b) so that Australian privacy laws apply to foreign entities doing business in Australia, no matter that they collect or retain personal information in Australia.
What foreign rights might be affected by the extended extraterritorial application of the Privacy Act?
“Carrying on a business” is not defined in the Privacy Act. Case law provides that an entity is likely to carry on business in Australia when:
- he is engaged in repeated commercial activity with a profit view; and
- there is works in australia this are part of or incidental to at transactions that make up or support business activity.
The following factors will be relevant when foreign entities assess whether their conduct amounts to carrying on business in Australia:
- if they provide goods and services to Australian consumers, including via an international website;
- whether prices are displayed in Australian dollars for the sale of goods in Australia;
- if they engage in online advertisements or campaigns aimed at Australian consumers;
- whether app updates and bug fixes are rolled out concurrently to the Australian version of the company app and app updates in the company’s primary country of operation;
- if they operate equipment (eg servers) in Australia;
- if they employ people in Australia; and
- if they enter into contracts with third parties in Australia.
This is not an exhaustive list and courts have expressed a willingness, particularly in the context of privacy law, to extend the definition of ‘doing business in Australia’ to encompass more entities that interact with Australians online.
Why is this change important for a foreign entity?
A foreign entity doing business in Australia must comply with the requirements of privacy law about how it collects, holds, uses and discloses “personal information” (meaning information or an opinion about an individual or a reasonably identifiable individual).
In particular, foreign entities must:
- take reasonable steps to inform data subjects of key information about the collection, use and disclosure of their personal information;
- use the Personal Information collected only for the purpose for which it was collected, or for a secondary purpose related to the primary purpose that would reasonably be expected by the individual to whom the Personal Information relates; and
- inform the Australian Information Commissioner’s Office (CATO), the Australian privacy regulator, and data subjects, if it believes that unauthorized access or disclosure of personal information held by it has occurred which will cause a serious harm to one or more people.
Foreign entities that fail to comply with the requirements of the Privacy Act risk being subject to significantly increased civil penalties associated with “serious and repeated interference with an individual’s privacy” under the bill, assuming it passes.
What other actions should a foreign entity take?
Respecting privacy requires careful strategic planning and engagement with stakeholders. Delay in taking appropriate steps to assess compliance with the Privacy Act, if any, could pose a significant operational risk.
Foreign entities should, where applicable:
- determine whether they are “carrying on business in Australia”;
- review their privacy policies and data governance frameworks to ensure compliance with the Privacy Act;
- review their cyber insurance policies (particularly if the entity holds a comprehensive policy) to ensure that coverage is up to aggravated civil penalties;
- test the effectiveness of cyber controls and regularly conduct cyber security tabletop exercises; and
- ensure that third party risks are well managed, including through contractual guarantees, insurance requirements and indemnities.