If the experiences of Australian powerhouses Optus, Medibank and HWL Ebsworth are any indication, a company’s failure to protect its stakeholders’ personal information can lead to significant reputational damage and criticism in the court of public opinion.
While overseas organisations might consider reputational damage down-under to be of little importance, non-compliance with Australia’s federal Privacy Act 1988 (Cth) (“Privacy Act”) can also result in a range of consequences from civil penalties (fines) to regulatory investigations and enforcement actions taken against contravening businesses deemed to have an “Australian link”.
Our recent newsletter tackles some of the legal implications of carrying on a business in Australia, including how the Privacy Act applies to overseas organisations with an “Australian link”.[1] Determining whether an overseas organisation has an “Australian link” can be a tricky task – the threshold is not confined to traditional notions of jurisdiction and an organisation will be considered to have an “Australian link” if it “carries on business in Australia or an external Territory”.[2]
Once an overseas organisation has grappled with the “Australian link” threshold and determined that the Privacy Act applies to its operations, it must then understand what this means in practical terms. What obligations flow from the Privacy Act? What are the consequences for non-compliance?
In this article, special counsel Alistair Bridges and lawyer Emily Schilling return to Australian privacy law fundamentals to outline the A’s, B’s and C’s of Privacy Act compliance for overseas entities.
A is for the Australian Privacy Principles
A is for the Australian Privacy Principles (“APPs”).
13 APPs sit at the heart of the Privacy Act to regulate an organisation’s:
- collection, use and storage;
- governance and accountability;
- integrity and correction; and
- provision of individual access to personal information.
Once an overseas organisation determines that the Privacy Act applies, it must diligently comply with the APPs that are relevant to its business operations and handling of personal information. APPs apply equally to domestic and foreign organisations, but not all APPs will be relevant to all organisations.
The case of Clearview AI Inc and Australian Information Commissioner (“Clearview and AIC”) highlights this well.[3]
In Clearview and AIC, the Administrative Appeals Tribunal (“Tribunal”) considered whether Clearview AI complied with 5 APPs that were relevant to its operations. Clearview AI is an overseas developer of facial recognition technology built from a “web crawler” that compiles facial images from publicly available internet sources, including servers located in Australia.
The Tribunal found:
- Clearview AI collected “sensitive information” from individuals without their consent. This breached APP 3.3;[4]
- As a consequence of breaching APP 3.3, Clearview AI also failed to take reasonable steps to implement practices, procedures and systems to comply with the APPs. This breached APP 1.2;[5]
- Clearview AI collected information without access restrictions from the public internet. Any person who accessed the same webpages as Clearview AI could have done so. Clearview AI, therefore, complied with APP 3.5 regarding the lawful and fair collection of information;[6]
- Although Clearview AI did not notify individuals that it had collected their image, it would have been unreasonable to do so. Accordingly, Clearview AI met APP 5.1’s notification requirements (although APP 3.3 would still require Clearview AI to obtain all individuals’ consent);[7] and that
- Clearview AI’s collection of personal information was as accurate, relevant and as up-to-date as Clearview AI could provide. In these circumstances, Clearview AI complied with APP 10.2’s information integrity requirements.[8]
As evidenced by Clearview and AIC, an organisation needs to carefully consider which APPs apply to its business operations, and how they apply, before developing systems, procedures and practices to uphold the APPs.
B is for (data) breaches
B is for the Notifiable Data Breaches (“NDB”) scheme.
Under the Privacy Act’s NDB scheme, overseas organisations also have obligations to report certain data breaches (including suspected data breaches) to the individuals affected by the data breach and to the Office of the Australian Information Commissioner (“OAIC”).
A data breach is “notifiable” when it is an “eligible data breach”.[9] According to section 26WE(2) of the Privacy Act, an eligible data breach occurs where:
- there is unauthorised access to, disclosure of, or loss of, information; which
- is likely to result in serious harm to any of the individuals to whom the information relates.[10]
If the organisation knows or suspects that an NDB has occurred, it must notify the relevant individuals and the OAIC as soon as practicable.[11] When making this notification, the organisation must provide details of the eligible data breach that has occurred or is suspected, the information it relates to and the steps individuals should take in response.[12]
Overseas organisations should be particularly mindful of the circumstances in which they provide personal information to an overseas recipient (i.e. an affiliate or parent company). This is because, if an overseas organisation discloses information to an overseas recipient in accordance with APP 8 (concerning cross-border disclosure), and an “eligible data breach” occurs, the overseas organisation will be held out as the responsible entity and required to report under the NDB scheme.[13]
C is for contraventions and consequences
C is for contraventions of the Privacy Act and consequences for non-compliance.
According to section 15 of the Privacy Act, organisations “must not do an act, or engage in a practice, that breaches an Australian Privacy Principle”.[14] Engaging in such conduct is considered to be an “interference with the privacy of an individual”,[15] from which regulatory action can flow. In this context, failing to comply with the NDB scheme is also regarded as interference with an individual’s privacy.[16]
The one caveat to this is that an overseas organisation will not be considered to have contravened an APP if the conduct or practice it has engaged in occurs outside Australia and is required under the laws of another country.[17]
There are a range of consequences arising from contravening the Privacy Act.
Where an organisation engages in “serious and repeated” interferences with an individual’s privacy, it is subject to the civil penalty provisions of the Privacy Act. This means that, for non-compliance, the organisation may face significant civil penalties (fines) of up to the greater of $50 million, three times the value of the benefit the organisation obtained from engaging in the conduct, or 30% of the organisation’s turnover during the breach period.[18]
Aside from this, OAIC also has a range of regulatory investigation, information-gathering and enforcement powers it can utilise to address non-compliance and suspected non-compliance. Such powers include the ability to investigate complaints, require organisations to produce information, conduct assessments and impose infringement notices, enforceable undertakings or injunctions on organisations.
Do not delay in complying with the Privacy Act
As stated above, organisations that fail to protect individuals’ personal information can face significant reputational damage and criticism in the court of public opinion.
This should be encouragement enough for overseas organisations to conduct a thorough assessment of whether their business operations are likely to be captured by the Privacy Act.
But, if organisations need any further encouragement… extensive reforms to the Privacy Act are coming in 2024. These reforms will enhance APP obligations and expand the applicability of the Privacy Act. Organisations should, therefore, prioritise compliance with the existing obligations, so that they are well prepared to comply with the enhanced obligations once introduced.
Moulis Legal will be here to monitor and report on Privacy Act developments. If you have any questions about your organisation’s obligations under the Privacy Act, please contact us.
[1] Section 5B of the Privacy Act.
[2] Section 5B(3)(b) of the Privacy Act. Notably, this does not require the organisation to have a physical presence in Australia, nor to collect personal information from an Australian source (such as an Australian citizen).
[3] [2023] AATA 1069 (8 May 2023) (“Clearview v AIC”).
[4] Clearview v AIC [120]-[131].
[5] Clearview v AIC [148]-[149].
[6] Clearview v AIC [132]-[134].
[7] Clearview v AIC [135]-[140].
[8] Clearview v AIC [141]-[147].
[9] Section 26WE of the Privacy Act.
[10] Sections 26WE(2) and 26WG of the Privacy Act.
[11] Section 26WK(2) of the Privacy Act.
[12] Section 26WK(3) of the Privacy Act.
[13] Section 26WC of the Privacy Act.
[14] Section 15 of the Privacy Act; according to section 6A of the Privacy Act, an “act or practice breaches an Australian Privacy Principle if, and only if, it is contrary to, or inconsistent with, that principle”.
[15] Section 13 of the Privacy Act.
[16] Section 13(4A) of the Privacy Act.
[17] Sections 6A and 13D of the Privacy Act.
[18] Sections 13G and 80U of the Privacy Act.