The new international reach of Australian privacy laws
Foreign companies operating in Australia have been given a thorny regulatory issue to deal with in the recent amendments to Australia’s privacy legislation.
Following major privacy breaches such as Optus and Medibank, amendments to the legislation were enacted late last year: the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) received Royal Assent on 12 December 2022.
The amending Act:
amends the Privacy Act 1988 (Cth) (“Australian Privacy Act”), the Australian Information Commissioner Act 2010 (Cth) and the Australian Communications and Media Authority Act 2005 (Cth);
includes substantial increases in penalties under the Australian Privacy Act;
gives enhanced enforcement powers to the Office of the Australian Information Commissioner;
broadens the information sharing powers of the Australian Information Commissioner and the Australian Communications and Media Authority; and
includes a significant change that may be a concern for foreign companies carrying on business in Australia. In this article we focus on this element of the reforms.
International reach
As well as applying to conduct in Australia, the Australian Privacy Act applies to acts outside Australia by a private sector organisation or small business if that organisation or small business has an “Australian link”.
Being incorporated in Australia is treated as an Australian link, and so the Australian Privacy Act will apply to any acts of an Australian company, whether in Australia or outside Australia.
In the case of a company that is not incorporated in Australia, before the amendments to the Australian Privacy Act, that company could still have an Australian link if two conditions were met: firstly, it carried on business in Australia, and secondly, the personal information was collected or held by the company in Australia.
The condition that the company is carrying on business in Australia is not a hard one to meet. In Facebook Inc v Australian Information Commissioner [2022] FCAFC 9, the Full Federal Court found that there was a prima facie case that Facebook Inc carried on business in Australia merely by installing and managing cookies on physical devices of Australian users and providing functionality to Australian developers through its Graph API.
The amendments to the Australian Privacy Act have removed the second condition for an Australian link: that personal information is collected or held in Australia.
This means that a foreign company which collects or holds personal information outside Australia is now subject to the Australian Privacy Act, if that company happens to carry on business in Australia.
The reason given for this change was that when a breach of the Australian Privacy Act occurs, it may be difficult to establish that a foreign organisation collects or holds personal information from a source in Australia; for example, where information is collected from a digital platform that does not have servers in Australia.
The problem with the change is that it is not limited to personal information about Australian citizens or residents of Australia. A foreign company which collects and holds personal information outside Australia about an individual who has no connection with Australia is now subject to the Australian Privacy Act in relation to that individual, if that foreign company carries on business in Australia.
Concerns about this amendment were raised by the Law Council of Australia (“LCA”) before the legislation passed. In its submission on the Bill, the LCA said that removing the requirement that the personal information be collected or held in Australia could have the effect of making the Australian Privacy Act (including both the Australian Privacy Principles and Part IIIA on Credit Reporting) applicable to all foreign organisations operating in Australia for all their privacy practices, even those that affect citizens of other nations who do not have any link to Australia. The LCA said that it was
“highly likely that a foreign entity that has properly implemented its privacy obligations in its own jurisdiction, and is providing satisfactory protection for its customers, might nevertheless be failing to comply with some element of the Australian Privacy Principles or Part IIIA of the Privacy Act and, as a result, committing repeated ‘interferences with privacy’ that would expose it to the civil penalty provisions in section 13G of the Privacy Act.”
The concerns raised by the LCA were not heeded by the Government.
The changes to the Australian Privacy Act could leave companies needing to comply with both Australian law and the laws of other countries in relation to the same personal information about individuals outside Australia.
Under section 13D of the Privacy Act, an act or practice engaged in outside Australia will not be an interference with privacy if it is required by an applicable law of a foreign country. So, for example, a foreign company which did something in China because the privacy law of China specifically required it would not be interfering with the privacy of an individual under the Australian Privacy Act.
On the other hand, if an act or practice was prohibited by the Australian Privacy Act but allowed under the law of China, a foreign company could be in breach of the Australian Privacy Act, even though it was acting lawfully under Chinese law.
A court would not necessarily apply the Australian law over the law of the foreign country: it would need to decide which law was the most appropriate in the circumstances. Nonetheless, the changes to the legislation create regulatory uncertainty when there are conflicting laws that have to be complied with.
In the financial services sector, there are around 50 foreign banks operating in Australia who now have to deal with this issue.
The Australian Privacy Act has also been the subject of a broader review. That review has now been completed, and we are waiting on the release of the report and the Government response in the first half of 2023. It is possible that the international issue created by the recent amendments will be addressed in the report.