Australia to extend its privacy long-arm jurisdiction

_{This is the second article of our coverage of the Australian Government’s overhaul of privacy laws. In the first article, we discuss the world-leading privacy penalty regime, introduced by the recently tabled Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) amending Australia’s Privacy Act 1988 (Cth).}

An amendment in the recently tabled Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) will significantly expand the extraterritorial jurisdiction of Australian privacy law, and requires attention by all overseas entities that regularly transact or engage with Australians. The Bill has not yet passed into law and changes may be made to it.

Currently, Australia’s Privacy Act 1988 (Cth) (Privacy Act) applies to overseas entities which both: 

1. carry on business in Australia; and
   
   
2. collect or hold personal information in Australia. 

The Bill amends the Privacy Act by removing limb (b) so that Australia’s privacy laws will apply to overseas entities that carry on business in Australia, regardless of whether they collect or hold personal information in Australia. 

Which overseas entities might be caught under the expanded extraterritorial application of the Privacy Act?

‘Carrying on business’ is not defined in the Privacy Act. Case law provides that an entity is likely to be carrying on business in Australia where: 

• it engages in a repeated commercial activity with a view to profit; and
  
  
• there are acts within Australia that form part of or are ancillary to transactions that make up or support the commercial activity.

The following factors will be relevant when overseas entities assess whether their conduct amounts to carrying on business in Australia:

• whether they provide goods and services that are directed to Australian consumers, including via an international website;
  
  
• whether prices are displayed in Australian dollars for the sale of goods in Australia;
  
  
• whether they engage in online advertising or campaigns directed at Australian consumers;
  
  
• whether app updates and bug-fixes are rolled out to the Australian version of the business’s app simultaneously to app updates in the business’s main country of operation;
  
  
• whether they operate equipment (e.g. servers) in Australia;
  
  
• whether they employ people in Australia; and
  
  
• whether they enter into contracts with third parties in Australia. 

This is not an exhaustive list and courts have expressed a willingness, particularly in the context of the Privacy Act, to extend the definition of ‘carrying on business in Australia’ to further capture entities that engage with Australians online.

Why does this change matter to an overseas entity?

An overseas entity carrying on business in Australia must comply with the requirements of the Privacy Act on how it collects, holds, uses and discloses ‘personal information’ (i.e. information or an opinion about an individual or an individual who is reasonably identifiable). 

In particular, overseas entities need to:

• have in place a Privacy Act-compliant privacy policy that provides clear information relating to the entities’ collection, use and disclosure of personal information and how individuals whose personal information the entity collects may access their personal information;
  
  
• take reasonable steps to notify data subjects of key information relating to the collection, use and disclosure of their personal information;
  
  
• use collected personal information solely for the purposes it was collected for, or a secondary purpose related to the primary purpose which would be reasonably expected by the individual the personal information relates to; and
  
  
• notify the Office of the Australian Information Commissioner (OAIC), the privacy regulator in Australia,  and affected individuals, if it believes unauthorised access or disclosure of the personal information it holds has occurred which will cause serious harm to one or more individuals.

Overseas entities that do not comply with the requirements of the Privacy Act risk being subject to the substantially increased civil penalties associated with a ‘serious and repeated interference with an individual’s privacy’ under the Bill assuming it is passed.

What other actions should an overseas entity take?

Privacy compliance requires careful strategic planning and engagement with stakeholders. Delay in taking appropriate action to assess compliance with the Privacy Act, if applicable, could pose a significant operational risk. 

Overseas entities should, where applicable:

• consider whether they are ‘carrying on business in Australia’;
  
  
• review their privacy policies and data governance frameworks to ensure compliance with the Privacy Act;
  
  
• review their cyber insurance policies (particularly if the entity holds a global policy) to ensure that coverage is commensurate with the increased civil penalties;
  
  
• test the effectiveness of cyber controls and conduct regular cybersecurity tabletop exercises; and
  
  
• ensure that third-party risks are well managed, including through contractual safeguards, insurance requirements and indemnities.