Why do the Australian privacy rules matter to those operating outside Australia? Peter Leonard explains that the rules, while mainly of concern to Australian lawyers, might reach out and affect all those with clients operating with an ‘Australian link’.
The rules in the Australian Federal Privacy Act 1988 as to 'accountability' for offshore disclosures by Australian regulated entities continue to fuel debate between commercial lawyers when negotiating privacy provisions in commercial contracts. This overview looks at the principal areas of debate.
The Australian Federal Privacy Act 1988 creates 'accountability' in relation to privacy 'breaches' by a recipient that follow offshore disclosures of 'personal information' made by Australian regulated entities to any entity, whether or not that recipient entity was related in ownership or control to the discloser. Effectively, the 'personal information' once so disclosed remains regulated by the Australian Act, and the disclosing entity liable in relation to any act or practice of the recipient entity or any downstream recipient that would be a breach of the Australian Act, even though that act or practice is beyond the control of the discloser and may even be permitted in the destination jurisdiction.
Perhaps not surprisingly, this 'accountability' exposure is often the subject of negotiation as to contractual allocation of risk. The first negotiation issue is often discussion as to whether the accountability rule applies at all. This leads straight into the contentious area of when a body is to be regarded as 'carrying on business in Australia'.
Australian Federal, State and Territory Government agencies are Australian Privacy Principles (APP) entities and are regulated in respect of any act or practice in relation to personal information outside Australia. Organisations, including corporations, associations and partnerships, that are constituted in Australia are also APP entities regulated in respect of any act or practice in relation to personal information outside Australia. In addition, organisations that have 'an Australian link' are regulated in respect of any act or practice in relation to personal information outside Australia. Most relevantly, an organisation that is not constituted in Australia, or a small business operator, 'has an Australian link' only if each of two elements is present: first, the body 'carries on business in Australia' and secondly, 'the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice': section 5B(3)(c).
There appears to be little debate as to the second element: personal information may be 'collected in Australia' by collection from an Australian resident even though the service provider has no physical infrastructure or other activities in Australia. This is because the Act considers a collection to occur where the personal information is collected from, not where the solicitation for collection is made.
But the first element is much more contentious. The Privacy Commissioner's Guidelines correctly note that the phrase 'carries on business in Australia', although not defined in the Privacy Act, is used in other areas of law that provide some guidance on when a business is carried on in Australia. Clearly, there must be some ongoing activity in Australia that forms part of the entity's business, but how little activity will suffice? The Commissioner's Guidelines at [B.14] and [B.15] state as follows:
'activities that may indicate that an entity with no physical presence in Australia carries on business in Australia include: the entity collects personal information from individuals who are physically in Australia; the entity has a website which offers goods or services to countries including Australia; Australia is one of the countries on the drop down menu appearing on the entity's website; or the entity is the registered proprietor of trade marks in Australia. Where an entity merely has a website that can be accessed from Australia, this is generally not sufficient to establish that the website operator is "carrying on a business" in Australia.'
The Guidelines do not really assist in resolving the questions that usually arise. The Act does not include provisions for grouping members of corporate groups for such purposes, so the position of each company within a group must be separately considered. A common view is that some form of ongoing or regular physical activity in Australia through human instrumentalities that are employees of an entity, being activity that itself forms part of the course of conducting business of that entity, may be enough for an entity (such as a member of a corporate group) to be regarded as carrying on business in Australia. This may be the case even though such activities may fall well short of constituting a 'permanent establishment in Australia' under Australian international tax law. But the Commissioner appears to be suggesting that some form of targeting of Australians from outside Australia, with advertising or marketing or other service features specific to Australia, might be sufficient for an entity to be carrying on business in Australia. This would be a significant extension of the 'carrying on business' concept from its application in other fields of Australian law. It would lead to the result that many entities that currently consider themselves offshore entities are directly regulated under the Privacy Act as APP entities in Australia. It would also mean that many situations currently analysed as offshore disclosures under APP 8.1 are in fact disclosures to entities that are directly regulated, so that the accountability rule in section 16C would not apply to them at all.
So, with that caution, let us now turn to the debates as to the operation of APP 8.1 and section 16C.
Consent to cross-border disclosure
Since the Privacy Act was amended in March 2014 to include APP 8, which regulates disclosures of personal information by Australian regulated entities to overseas entities, it has become commonplace for Australian regulated entities to seek privacy consents like the following:
We may disclose your personal information to X Inc., an entity that provides services to us. X Inc. is not an Australian entity and is not regulated by the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) in that Act. By providing this Privacy Consent, you consent to the disclosure of your personal information to X Inc. as a recipient outside Australia, on the basis that if X Inc. engages in any act or practice that contravenes the APPs it would not be accountable under the Privacy Act and you will not be able to seek redress under the Privacy Act.
Such consents are sought by corporations and other businesses regulated by the APPs with the objective of bringing the APP entity within the APP 8.2(b) 'consent' exception (as discussed below). If successful, this exception operates to absolve the APP entity that collects the personal information and then discloses it to 'an overseas recipient' from accountability under section 16C of the Act for any act or omission by the overseas recipient which is contrary to the APPs. Accountability would otherwise arise through the curious interaction of APP 8.1 and section 16C of the Act. The provisions take quite a different approach from the European use of safe harbours and binding corporate rules. The operation of these provisions often gives rise to significant angst - and sometimes incredulity - from privacy counsel working outside Australia.
Looking first at the outcome, privacy consents such as that above are drafted with an eye to the Privacy Commissioner's Guidance as to the APP 8.2(b) exception, which at [8.28] states:
'At a minimum, this statement should explain that if the individual consents to the disclosure and the overseas recipient handles the personal information in breach of the APPs:
• the entity will not be accountable under the Privacy Act
• the individual will not be able to seek redress under the Privacy Act.'
The relevant provisions read as follows:
'APP 8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
(a) who is not in Australia or an external Territory; and
(b) who is not the entity or the individual,
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.
APP 8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
(a) [the 'binding law or scheme' exception] the entity reasonably believes that:
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
(b) [the 'consent' exception] both of the following apply:
(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
(ii) after being so informed, the individual consents to the disclosure;… .'
Section 16C (Acts and practices of overseas recipients of personal information) provides:
'(1) This section applies if:
(a) an APP entity discloses personal information about an individual to an overseas recipient; and
(b) Australian Privacy Principle 8.1 applies to the disclosure of the information; and
(c) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and
(d) the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice.
(2) The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:
(a) to have been done, or engaged in, by the APP entity; and
(b) to be a breach of those Australian Privacy Principles by the APP entity.'
Avoiding strict liability
So what is it about APP 8.1 and section 16C that leads to the incredulity of privacy counsel working outside Australia? Partly it is that the term 'overseas recipient' is not defined or explained in any meaningful way. An overseas recipient might be another APP entity which is not in Australia. More fundamentally, on one reading of APP 8.1, strict liability of the disclosing APP entity arises under section 16C regardless of whether the APP entity took reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles, or failed to do so. Assume that the disclosing APP entity did everything it conceivably could do to protect privacy and assure that the overseas recipient does not breach the APPs, including risk assessment and mitigation through appropriate operational controls and contractual measures and implementation of audit and review controls. On one reading of APP 8.1, an APP entity will still be strictly liable if the overseas recipient acts in a way that would have been a breach of the APPs if that act by the overseas recipient had been an act of the APP entity. And the gateway to that liability may not only be a decision by the Australian Privacy Commissioner, who might consider that accountability should not lie in this situation. APP 8.1 and section 16C may be said to create a statutory duty which may be litigated by a private litigant as the tortious cause of action of breach of statutory duty.
The availability of this strict reading, whether or not correct, leads many commercial lawyers to seek to avoid APP 8.1 by bringing an overseas disclosure within the exceptions in APP 8.2. Of the many exceptions, the two quoted above are the most commonly used.
APP 8 exceptions: Consent vs. 'Substantially similar'
Why do so many APP entities collecting personal information seek to rely upon the 'consent' exception in APP 8.2(b) and not the 'binding law or scheme' exception in APP 8.2(a)? Often it is because legal advisers will not express a view as to whether the laws of a destination country have the effect of protecting the information in a way that is substantially similar to the way in which the APPs protect the information and provide adequate remedies. Such an opinion is difficult to give, principally because it requires an in-depth knowledge of the privacy rules and remedies in two countries – and all other countries' privacy rules, if not remedies, differ from Australia's (notwithstanding, in Asia Pacific, the existence of the so-called APEC Privacy Framework: available at www.apec.org). Sometimes remedies in destination countries are quite different to remedies available under Australian law and their adequacy or otherwise cannot be the subject of a definitive opinion.
Often the problem is that the rules and remedies might look 'substantially similar' but those remedies are not clearly available to an Australian citizen because of jurisdictional obscurities. For example, personal health applications that enable an APP entity to disclose health information to a US entity might be thought to have the benefit of the US Federal law, The Health Insurance Portability and Accountability Act of 1996 (HIPAA Act) and privacy rules implemented pursuant to the HIPAA Act, which are suitably privacy protective. The HIPAA Act will apply to US entities covered by the law regardless of whether the personal health information they receive is from Australia or anywhere else, but not all health-related information is covered: it must originate from a healthcare-related transaction, and this leads to difficult questions (even leaving aside the further issue of how an Australian resident accesses remedies available under the HIPAA Act). And to date we have no assistance in the form of adequacy determinations by the Australian Privacy Commissioner, such as those of the European Commission in relation to such other exotic destinations as New Zealand, the Faroe Islands and Uruguay. In any event, European determinations are one way only - from the European Union to the destination - and what matters for APP 8.2(a) is whether Australia considers the destination as having 'substantially similar' privacy protections and 'adequate' remedies.
Effectiveness of consent
So many APP entities seek instead to bring themselves within the APP 8.2(b) exception. But many privacy consents don't follow the Australian Privacy Commissioner's Guidance, which might be said to express the intended effect of APP 8.2(b), but really is a stretch from a literal reading of that provision. Some drafters bury the consent in a privacy statement that says words to the following effect:
'If you consent to the collection by us and disclosure of your personal information to our overseas affiliate, APP 8.1 will not apply to the disclosure. By providing your personal information to us, you consent to our disclosure of your personal information to our overseas affiliate on that basis.'
This closely follows APP 8.2(b), but it is hardly 'transparent': would any individual (other than a privacy professional) register the risk and fully understand the effect of giving the consent - even if they bothered to find it in its usual place of burial, deep in a prolix privacy statement?
Of course, the legal drafter's real concern is this: if an affected individual elects to read a privacy consent expressed in the form suggested by the Privacy Commissioner, it sounds quite dire. Are you really saying my personal information is off to Ruritania, there to be shopped to third parties and not adequately protected from hackers and other miscreants? So drafters strive to soften the tone of the consent statement. And if, in fact, the practical effect of giving such a consent is not so dire, because the APP entity has done everything it conceivably could do to protect privacy by assuring that the overseas recipient does not breach the APPs, can the disclosing entity go on to describe what those steps were and why they should reassure the individual reading the form of consent? In policy terms, it makes sense to provide an affected individual with all the information that they reasonably need in order to give a fully informed consent. However, it is arguable that reassurances as to privacy protective measures may offset the APP 8.2(b) privacy consent, such that the individual is misled as to how to weigh whether to give the privacy consent.
Now, the above might sound like rather arcane legal debates. However, they are commercial issues debated between contract lawyers every week. Remember that individuals that are reading privacy consents are usually the same individuals that deal online and through smartphones directly with offshore entities that are not regulated in Australia (other than through operation of Australian Consumer Law) and who often make florid but meaningless privacy claims that often are practically unenforceable both in Australia and in the destination jurisdiction. By contrast, Australian entities effectively underwrite compliance by offshore entities to whom personal information is disclosed, with that underwriting arguably complete and not qualified by the 'reasonable steps' language. So can an APP 8.2(b) disclosure include a description as to those reasonable steps without undermining the effectiveness of the exception? It remains to be seen, but in the meantime expect to see APP 8.2(b) exception-based privacy consents continue to multiply and expand in range and creativity.
Peter Leonard is a Partner in Gilbert + Tobin Lawyers in Sydney, Australia and a director of the International Association of Privacy Professionals Australia and New Zealand (iappANZ).