Amendments to the Australian Privacy Act 1988 (APA) expanded its extraterritorial provisions with effect from 13 December 2022, thereby requiring foreign organisations carrying on business in Australia to comply with the APA.


Amendments to Australian Privacy Act Expand Extraterritoriality

Date
December 19, 2022
Author
OrionW

On 13 December 2022, amendments to the Australian Privacy Act 1988 (APA), including the enhancement of its extraterritorial provisions, were passed and took effect.  Consequently, foreign organisations (including sole traders) carrying on business in Australia must comply with the APA and the Australian Privacy Principles (APPs) even if they do not collect or hold personal information in Australia.

APA’s Extraterritorial Application – What Changed and Why It Matters

Before the amendment, the APA already had extraterritorial effect – that is, it applied to foreign organisations which have an ‘Australian link’.  A foreign organisation would be deemed to have an ‘Australian link’ if it met both of the following conditions:

  • it carries on business in Australia; and
  • it collected or held personal information in Australia, either before or at the time information was handled.

The APA amendment removed the second condition in considering whether an ‘Australian link’ exists.  The change extensively broadened the application of the APA to cover foreign organisations that carry on business in Australia but do not collect or hold personal information in Australia.  That said, if an act done by a foreign organisation outside Australia is required by an applicable foreign law, that act will not be considered a breach of the APA or the APPs.

The Office of the Australian Information Commissioner (OAIC), the Australian government agency that administers the APA, reasoned that the change was necessary to address the risks arising from foreign organisations handling or trading in Australians’ personal information which is not directly collected in Australia (e.g., collection is done by a related entity in Australia or an overseas digital platform).

When a Foreign Organisation Carries on Business in Australia

The APA does not define the phrase ‘carries on business in Australia’.  However, the OAIC has noted that the following factors will be among the points considered in determining whether an organisation is doing business in Australia:

  • having an agent in Australia who acts on the organisation’s behalf;
  • offering goods or services to Australia through the organisation’s website;
  • including Australia in the drop-down list of countries on the organisation’s website; and
  • having registered trademarks in Australia.

In addition, an Australian Federal Court case noted that an organisation may prima facie be regarded as carrying on a business in Australia by installing cookies on devices of Australian users and allowing Australian developers to use its application programming interface to provide services in Australia.

Accordingly, even an entity without a physical presence in Australia could be considered as having an ‘Australian link’.  However, an organisation will not generally be considered as carrying on business in Australia solely because it has a website which is accessible from Australia.

Impact of the APA Amendment

The impact of the expanded extraterritoriality clause is substantial given the equally broad construction of ‘carrying on business in Australia’ (and therefore, an ‘Australian link’), as discussed above.  In other words, a foreign organisation without a physical office in Australia may not be aware that it would need to comply with the APA and the APPs when it collects personal information from an individual physically located in Australia (including a foreign citizen) through its website hosted overseas.  This could be a major issue given the hefty penalty for non-compliance with the APA and the APPs under the amended APA – up to AUD50 million for body corporates.

Key Takeaway

Given the expanded extraterritorial application of, and the hefty penalty attached to a breach of, the APA and the APPs, foreign organisations that carry on business in Australia but do not collect or store personal data in Australia should take extra measures to determine whether they would need to comply with the APA and the APPs in respect of their data processing activities outside Australia.

For More Information

OrionW regularly advises clients on cross-border data protection matters.  For more information about data protection issues, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
