Cross-border data flows and the extra-territorial application of data privacy laws: Some thoughts from Down Under
In Part 1 of this article series, we consider some of the cross-border compliance and enforcement risks which can arise when cloud data centres are used to hold and process personal information. We do so through the lens of Australia’s privacy laws.
Cross-border data flows and extra-territorial application of foreign laws
For organisations that operate or deliver services in multiple jurisdictions, cloud data centres are appealing as data can be readily collected and processed across each of an organisation’s operating or service delivery locations. Notwithstanding the efficiency of cloud data solutions, there are cross-jurisdictional and organisational complexities that must be considered, especially if the data being collected and processed includes personal information. By way of example, recent legal developments in Australia have the potential to bring the acts and practices of many more foreign organisations within the scope of Australia’s privacy laws, even if those organisations do not have an Australian office and do not generate revenue in Australia.
An Australian perspective
In Australia, the collection, use, disclosure and security of personal information is governed by the Australian Privacy Principles (APPs) which are set out in Schedule 1 to the Privacy Act 1988 (Cth) (Privacy Act). ‘Personal information’ is defined in s 6 of the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in material form or not’. Section 187LA of the Telecommunications (Interception and Access) Act 1979 (Cth) extends this meaning to cover certain types of telecommunications data kept under Part 5-1A of that Act.
Australia’s privacy laws do not apply only to organisations that are resident ‘down under’ and generate revenue there. Foreign organisations should be aware that since 13 December 2022 a materially lower threshold for being caught by the Privacy Act has applied to them. Since that date, the Privacy Act extends to any act done, or practice engaged in, outside Australia by an organisation that has an Australian link: Privacy Act, s 5B(1A). Critically, the ‘Australian link’ test no longer includes the additional requirement that the personal information be collected or held in Australia.
The concept of an ‘Australian link’ is broad and includes, inter alia, organisations that ‘carry on business’ in Australia: Privacy Act, s 5B(3). In Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069, the Administrative Appeals Tribunal held that Clearview AI, a US company with no physical presence in Australia and no revenue derived in Australia, carried on business in Australia because it engaged in repetitive acts in Australia that amounted to, or were ancillary to, transactions that made up and supported its business. That finding was made notwithstanding that the relevant acts were not intrinsically commercial in themselves and required no human agency. The relevant acts were Clearview AI’s collection of scraped images and associated metadata from servers in Australia. Such automated acts were sufficient for Clearview AI to ‘carry on business’ in Australia because the harvesting of images was an essential or foundational part of Clearview AI’s business, and those acts were properly characterised as transactions that made up or supported that business.
Accordingly, any foreign organisation whose activities have the potential to be caught by the ‘Australian link’ test in the Privacy Act should be aware that its acts and practices outside Australia in relation to all personal information it handles could be regulated by the Privacy Act. If unauthorised access, use or disclosure of that personal information occurs (whether malicious or inadvertent), the foreign organisation may face legal consequences in Australia as well as in its home jurisdiction(s).
Key Takeaways
Notwithstanding the efficiency of cloud data solutions, there are cross-jurisdictional and organisational complexities that must be considered, especially if the data being collected, processed, stored and secured includes personal information.
All organisations should have a clear understanding of: what personal information is collected and processed in the course of the organisation’s business; all of the means by which this occurs; and all of the jurisdictions in which this occurs.
Important changes were made to the extra-territorial application of Australia’s Privacy Act in December 2022. Even if your organisation does not have a physical presence in Australia or generate revenue in Australia, it may still be caught by Australia’s privacy laws if it carries on business in Australia and therefore has an ‘Australian link’.
The concept of carrying on business under the Privacy Act is broad. The critical consideration is whether your organisation engages in any repetitive acts in Australia that amount to, or are ancillary to, transactions that make up and support your organisation’s business. Such acts need not be intrinsically commercial in themselves, and no human agency is required. In such circumstances, your organisation may have an “Australian link” for the purpose of the Privacy Act and be caught by Australia’s privacy and notifiable data breach laws. If in doubt, please contact our Australian team who would be happy to assist.
For further information, please contact:
Julie Cheeseman, Partner, Bird & Bird
julie.cheeseman@twobirds.com