Privacy Legal Summary and Obligations
In Australia, privacy is regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (Privacy Laws). These laws govern the collection, use, storage and disclosure of personal information by Australian entities. When sharing personal information with offshore parties, Australian organisations must ensure compliance with these laws, including obtaining proper consent and ensuring appropriate data security measures.
A breach of the Privacy Laws can lead to regulatory action (including the ability to seek enforceable undertakings from organisations that have breached the Privacy Laws) and penalties (which can be significant).
The Privacy Laws apply to Australian Government agencies and organisations with an annual turnover of more than $3 million, plus other specified entities including small business entities that have opted into the Privacy Laws or those which are related to an entity that is covered by the Privacy Laws (APP Entities).
While the Privacy Laws do not prohibit APP Entities from sending personal information overseas, if an APP Entity does disclose personal information to an overseas recipient, it can still be accountable for any actions of the overseas recipient that would breach the Privacy Laws.
Australian Privacy Principle 8
Australian Privacy Principle 8, specifically requires an Australian organisation to:
- take reasonable steps to ensure the overseas recipient will not breach the APPs and the Australian organisation will be accountable for any such breach by the overseas recipient; or
- alternatively:
- make it known to the relevant individual that their personal information will not be protected by the APPs after the ‘disclosure’ to the overseas recipient and obtain the individual’s consent to the ‘disclosure’; or
- form a reasonable belief that the overseas recipient is subject to laws substantially similar to the Privacy Laws.
The New Act
There has also been recent focus on the privacy sector, following several high-profile cyber attacks, which has resulted in the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (New Act). The New Act provides for higher and more significant penalties, particularly for serious or repeated infringements of the Privacy Laws and broader regulatory powers of the Australian Information Commissioner. Foreign companies that carry on a business in Australia will also be captured by the Privacy Laws in accordance with the New Act.
It is likely that the New Act will be followed by a series of other reforms that have been discussed in several political papers, which ought to be carefully monitored and complied with if such further reforms are enacted.
Additional regulatory requirements may apply to the personal data, depending upon the laws of the country in which the offshore company operates.
Practical Tips
If you are considering engaging offshore workers and will be providing them with personal information of clients or third-parties, then we suggest you consider implementing the following measures:
- Prepare appropriate Privacy Policy and terms and conditions which comply with the Privacy Laws and disclose the outsourcing of the financial and personal details to the offshore company, and require the individual to consent to the Privacy Policy and terms and conditions upon the provision of the financial and personal details being submitted by the individual;
- Train staff and the offshore contractors in the management and compliance with the Privacy Policy;
- Negotiate an appropriate contract with the offshore company which provides warranties that the offshore company understands, and agrees to act in accordance with the Privacy Laws and your Privacy Policy, and includes appropriate indemnifications for failure to comply, including any losses or damages arising from penalties enforced against you as a result of any non-compliance;
- Review the laws that govern privacy in the offshore company’s country to determine whether such laws are substantially similar to the Privacy Laws and whether any additional requirements need to be met;
- Consider whether compliance by the offshore company ought to be closely monitored; and
- Have proper cyber security practices and safeguards in place to minimise data breaches.
If you require any further information, or would like assistance implementing our practical tips, please contact us today.
