Overseas companies are now more likely than ever to be subject to the Privacy Act 1988 (Cth) following legislative amendments which were enacted late last year. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which was passed and commenced on 13 December 2022, amended the extra-territorial provisions of the Privacy Act to extend the operation of the Privacy Act to a broader range of overseas companies. This amendment was part of a package of reforms that were passed in response to a number of significant data breaches, which also includes higher penalties and new enforcement powers.
The meaning of "Australian link"
In order for an overseas company to be subject to the Privacy Act it must have an "Australian link". Prior to the amendments, an overseas company would only have an Australian link if it:
- Carried on business in Australia (or an external Territory); and
- Collected or held personal information in Australia, either before or at the time of its handling of that personal information.
Following the amendments, the second requirement has been removed. This means the sole requirement for the Privacy Act to apply to an overseas company is now that the entity "carries on business in Australia". If an overseas company carries on business in Australia, it will need to comply with the Privacy Act, which includes complying with the 13 Australian Privacy Principles and notifiable data breaches regime in the Privacy Act. This will be the case even if the personal information being collected or held by the entity has no connection to Australia.
Why was the Privacy Act changed?
According to the Attorney-General Mark Dreyfus, the amendment is intended to specifically target global technology companies which operate in Australia but may collect or process information offshore. This intention is echoed in the explanatory memorandum for the amending legislation, which states that the purpose of the amendment is "to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia". The amendment addresses concerns raised by the Office of the Australian Information Commissioner about the difficulty of establishing jurisdiction, "particularly against motivated and well-resourced international companies", and is consistent with increased efforts over recent years by Australian regulators to hold large technology companies accountable for privacy violations.
What does "carries on business" mean?
The phrase "carries on business" is not defined in the Privacy Act but it has been considered by the courts to "generally involve conducting some form of commercial enterprise, systematically and regularly with a view to profit", or to embrace "activities undertaken as a commercial enterprise in the nature of a going concern, that is, activities engaged in for the purpose of profit on a continuous and repetitive basis". Some examples of factors which may indicate an entity is "carrying on business in Australia" include having an office in Australia, operating a website which sells goods and services to individuals in Australia and owning Australian registered trade marks.
However, in the recent case of Facebook Inc v Australian Information Commissioner [2022] FCAFC 9, the Full Federal Court found that an activity can constitute "carrying on business" so long as it is either commercial in character or engaged in on a continuous or repetitive basis. The court found that installing and managing cookies on the devices of Australian users and managing a login system for Australian developers were sufficient to constitute "carrying on business", even though those activities are not strictly commercial in character. The court’s decision was influenced by the fact that Facebook is a purely digital business which regularly collects and monetises personal information and so, even though these acts were not directly profit related, they were still important to the workings and commercial pursuits of the company. The Full Federal Court’s decision has been appealed, so the High Court of Australia is expected to provide much needed clarity on the meaning of "carries on business" when it hears the case this year.
It is also important to note that, even though the phrase "carries on business" appears in other Australian statutes, such the Competition and Consumer Act 2010 (Cth) and the Corporations Act 2001 (Cth), it does not necessarily have the same meaning in every context. This means that an entity may be "carrying on business" for the purposes of the Privacy Act, even if it is not "carrying on business" for the purposes of other Acts.
Does the Privacy Act now apply to personal information with no connection to Australia?
Various industry bodies have raised concerns that the removal of the requirement to "collect or hold personal information in Australia" from the "Australian link" test could give the Act an overly broad application, and it could even apply to the handling of personal information that has no connection with Australia. The view put forward in the Attorney-General's Privacy Act Review Report 2022, released on 16 February 2023, is that the requirement that a foreign company be "carrying on business" in Australia ensures there is a sufficient connection to Australia, although "there would be benefit in further clarifying that foreign organisations will only be regulated to the extent that their handling of personal information has a connection to Australia."
For the time being, the application of the Privacy Act to personal information with no connection to Australia remains unclear. However, the Office of the Australian Information Commissioner is unlikely to be too interested in foreign companies' handling of personal information where that information has no connection with Australia.