A couple of months ago the Privacy and Other Legislation Amendment Bill 2024 was introduced to Federal Parliament.
With proposed reform to Australia’s privacy legislation on the horizon, now more than ever, it is crucial that you comply with your legal obligations under the Australian Privacy Principles (APPs).
This note focuses on the application of the Privacy Act 1988 (Cth) (Privacy Act) to overseas disclosures of personal information both now (before the Commonwealth reforms, or “BC”) and later (after the draft reforms have become law, or “AD”).
First things first, it is important to map out how your organisation collects, uses, discloses and holds “personal information” (i.e. information which identifies an individual). This will inform the scope and context of your organisation’s disclosure.
Be aware that any circumstance where personal information becomes accessible by international entities, even if the data is physically stored within Australia, is considered an overseas disclosure for the purpose of the Privacy Act.
Where a disclosure occurs, Australian businesses that are governed by the Privacy Act are required to implement reasonable measures to safeguard and protect the use of the personal information by overseas third party recipients.
Failing to comply with the Privacy Act could result in significant fines or lead to regulatory enforcement action being taken against the business. The proposed reform further strengthens these consequences with the addition of new provisions to allow the Australian Information Commissioner to tailor civil penalties depending on the seriousness of the data breach.
An overseas recipient is any party who receives personal information from your organisation, providing they are:
Generally, if you make personal information available to any party outside of your organisation, this will be considered a disclosure. The important thing to remember is whether this disclosure was authorised; that is, whether the individual whose information was disclosed gave consent for that information to be provided to third parties.
Overseas disclosures (cross-border data transfers) are regulated under APP 8.
APP 8 broadly states that, before disclosing an individual’s personal information, government agencies and business entities governed by the Privacy Act must take reasonable steps to ensure that the overseas recipient does not contravene the APPs.
Organisations must take reasonable steps to ensure that the recipient of the information does not breach the APPs in relation to that information. For example, the recipient must:
Even if your business has taken “reasonable steps” to prevent misuse of information, it may still be held responsible for the acts of an overseas recipient where there is a breach.
Generally, in this context, reasonable steps might include entering into a contract with the overseas recipient that requires the recipient to handle personal information in accordance with the APPs.
However, what is reasonable will depend on the circumstances. You should consider taking more rigorous action if:
To mitigate your liability, your organisation should consider assessing the security protocols of the overseas service provider as well as your own business and continually monitoring the overseas service provider’s compliance with the contract.
Under the current laws, the privacy obligations for disclosure apply regardless of whether there was an actual transfer of information or not; that is, even if the information is stored on Australian servers, your organisation will need to comply with the APPs if the information is accessible by overseas parties.
The important question to be asked is whether your organisation has a connection to Australia. If an organisation conducts its business operations in Australia or an external territory and has collected or held information from an Australian source, then it will have an Australian link and will be required to comply with the APPs.
The proposed reforms to the Privacy Act, in part, attempt to strike a balance between the obligation on businesses to assess the adequacy of overseas processes and the public concerns about the privacy risks of international data sharing.
Importantly, the reform proposes to introduce an adequacy regime that will allow businesses to disclose personal information to overseas recipients in “white listed” countries without having to assess the country’s privacy laws or negotiate data protection agreements.
A whitelist refers to a list of prescribed countries approved by the Australian government as having substantially similar privacy protections, with the effect of assisting an entity to assess whether to disclose information to a service provider located in a whitelisted jurisdiction.
The introduction of this regime will ease the pressure on business entities to undertake due diligence, strengthen working relationships between overseas business partners and reduce the likelihood of data breaches due to confusion.
Both before and after the reform takes effect as an act of Parliament, businesses should continue undertaking reasonable steps to ensure that overseas recipients are handling and managing personal information appropriately. The Australian Government Solicitor’s office suggests the best way to ensure compliance with the privacy standards is through enforceable contracts.
In particular, your organisation may see merit in including the following conditions in your agreements with overseas service providers:
Assistance from Jackson McDonald
Jackson McDonald’s highly experienced team can assist your organisation to manage and comply with its APP obligations. If you would like more information or assistance, please contact Ariel Bastian, Senior Associate | Corporate Commercial.