A recent decision by the Privacy Commissioner/OAIC has removed the possibility of a ‘copy and paste’, ‘one size fits all’ and ‘set and forget’ approach to privacy compliance. There is now a clear requirement to have a bespoke, targeted program, developed by skilled professionals, which is both regularly updated to meet changing circumstances and tested. This decision has also, in an instant, made the actions of many offshore service providers (including technology services and Cloud providers) (service providers) subject to Australian privacy law.
The Privacy Commissioner’s decision, following its Commissioner Initiated Investigation (CII) into one of the most well-known global ‘disruptor’ or ‘gig economy’ companies (Decision), is the most significant privacy decision in many years. This is not because it is about one of the most well‑known ‘disruptor’ or ‘gig economy’ companies of our time but because it re-interprets some of the most fundamental (and often misapplied) aspects of the Privacy Act/APPs: extraterritoriality, APP 1.2, APP 11.1 and APP 11.2.
Offshore service providers (whether arm’s-length or related entities) which have no connection with Australia other than remotely providing services to entities that ‘carry on business in Australia’, beware: the Decision is a seismic shift in the extraterritorial application of Australian privacy law. For most of the entities subject to the APPs (now including many offshore service providers), your information security practices now need to be much better than before. As for ransomware attacks (and other cyber incidents), you must be prepared with a clear plan. Gone are the days when your ‘plan’ can simply be to pay the ransom and hope for the best. While we do not address the impact of the Decision on cyber incident/data breach handling and response here, our Cyber colleagues will in an upcoming article.
The Decision also confirms a change to the OAIC’s enforcement posture, building over the last 18 months, towards a “take no prisoners” approach. Both the findings and the reasoning of the Commissioner/OAIC in the Decision must be fully understood and applied by all entities ‘carrying on business in Australia’, or providing services to an entity ‘carrying on business in Australia’, that collect, use, hold or disclose (collectively, process) any personal information relating to Australia.
The Decision is limited to Australian Privacy Principles (APPs) 1.2, 11.1 and 11.2 and the extraterritorial provisions (section 5B) of the Privacy Act.
The CII arose out of a ransomware attack on (and resulting in a data breach of) Australian-related personal information held in a cloud storage facility by an offshore related-party services provider to the APP entity. The data breach impacted the personal information of some 1.2 million Australians and was also the subject of investigations in other jurisdictions, including in the UK, the Netherlands and the US.
The Australian privacy law (including the APPs) applies to (i.e. must be complied with by) entities based outside Australia as follows:
Pre-Decision (i.e. traditionally)
Any entity without a physical presence in Australia that ‘carries on business in Australia’, traditionally (i.e. pre-Decision) considered to be those entities targeting their advertising at, selling their goods or services to and having a direct engagement with or collecting personal information directly from persons located in Australia (together with APP entities, Australian business), is subject to (i.e. must comply with) the Privacy Act/APPs.
Post-Decision (i.e. the new reach)
The interpretation and application of ‘carries on business in Australia’ in section 5B of the Privacy Act (the extraterritoriality provision) is to be applied to the specific circumstances of each case and, in its application, must take into account the statutory object of the Privacy Act of “protecting the privacy of individuals and the responsible handling of personal information collected from individuals in Australia”.
Even where the offshore entity does not have direct engagement with individuals in Australia (in this case there was no interaction with the riders, drivers or customers), is not involved in facilitating the transactions between those individuals and does not directly collect personal information from those individuals, if it otherwise ‘carries on business’ in any way in Australia (i.e. B2B with an APP entity) then it and any Australian-related personal information it processes (no matter where and how it gets it) is subject to the Privacy Act/APPs. “Carrying on business involves acts within [Australia] that amount to, or are ancillary to, transactions that make‑up or support the business”. That is, in this case, where the related provider of offshore services to the APP entity provided authentication, security, localisation cookies and similar technologies for use on Australian users’ devices (for the purposes of enabling those users to log in and enable security features on the Australian app), the offshore service provider is ‘carrying on business in Australia’ for the purposes of section 5B of the Privacy Act. Thus, when it ultimately processes any Australian-related personal information (in this case simply holding it once provided to it by the APP entity), the offshore service provider and that personal information are subject to Australian privacy law.
The offshore service provider considered to be ‘carrying on business in Australia’ (i.e. providing tech services) does not need to be either directly dealing with individuals in Australia or directly collecting their personal information to be subject to the Australian privacy law. Once subject to the Privacy Act/APPs, whenever it processes (e.g. holds) Australian-related personal information it must treat that information in accordance with the Privacy Act/APPs (no matter where, how or why it finds itself in possession or control of such personal information) – even if such personal information was provided to it offshore and whether or not as a ‘processor’ (in accordance with the GDPR concept) under strict contractual obligations as regards that handling/processing and even if it is just ‘holding’ that personal information.
Also, it should be noted (as in this case) that, “the fact that an activity which occurs in Australia might be controlled or facilitated … remotely …, does not necessarily mean that no relevant activity is performed by the entity in Australia”.
The key “Must-Do’s” from the Decision in relation to APPs 1.2, 11.1 and 11.2, for all of those subject to the Privacy Act/APPs are:
APP 1.2 (or ensuring your compliance with the APPs)
You must take ‘reasonable steps’ (i.e. real and meaningful steps) to implement policies, practices, procedures and systems relating to your functions and activities that ensure that you (and your related entities) comply with the APPs. Ensure that you have appropriate:
(a) ‘fit for purpose’ bespoke policies, procedures and programs in place;
(b) procedures necessary to implement the policies properly and comprehensively; and
(c) procedures to test the administrative, technical, physical and quality controls regularly.
Appoint an employee who is responsible for the above and to regularly review those policies, procedures and measures and to ensure training for all employees in respect of those policies and procedures.
The requirements set out above (the obligations to take ‘reasonable steps’ to ensure compliance with the Privacy Act/APPs) are not ‘one size fits all’. Your obligations under APP 1.2 (and thus the amount you need to spend, and the quality and sophistication of the measures taken) are proportionate to the:
(a) sensitivity of the personal information;
(b) potential adverse consequences for individuals if the personal information is not handled by the entity in accordance with the APPs; and
(c) size, resources and business model of your APP entity.
Simply because the requirements above may be inconvenient, time‑consuming or costly does not excuse your non‑compliance (unless you can establish that a particular measure is truly an excessive burden in all the circumstances).
You must have, implement and train your staff on a ‘fit for purpose’ bespoke incident or data breach response plan (DBRP) in order to even be considered to have taken the appropriate “reasonable steps” under APP 1.2. Also, your DBRP must:
(a) include processes for promptly assessing the impacts of data breaches;
(b) detail the roles and responsibilities of the incident response team (IRT) and note how data breaches will be addressed if not referred to the IRT;
(c) set out the procedures for gathering and evaluating necessary information and to enable staff to recognise, report and escalate data breaches within the organisation; and
(d) set out timeframes for notifications, having regard to the nature of the personal information breached.
The DBRP and/or the reasonable steps relating to data breaches should also include:
(a) robustly assessing whether you have adequate internal technical capability to assess the impact of data breaches;
(b) promptly engaging a qualified third party to conduct the assessment of the data breach if there is any doubt as to your internal capacity to do so; and
(c) establishing a process for the assessment of post-breach responses and the ongoing effectiveness of the DBRP.
APP 11 (or your information security and deletion obligations)
You must take ‘reasonable steps’ (i.e. real and meaningful steps) to protect all of the personal information you hold from unauthorised access, disclosure and loss.
The security and de‑identification obligations under APP 11 are not ‘one size fits all’. The bigger you are, the greater the volume of personal information you process and/or the more sensitive the information you process, the greater the security and de‑identification obligations imposed on you (i.e. what you have to do to meet APP 11), and the greater the expected spend on, and comprehensiveness of, those measures.
‘Reasonable steps’ (over all stages of the information lifecycle) in relation to information security include (as a minimum) implementing strategies in relation to:
(a) governance, culture and training;
(b) internal practices, procedures and systems;
(c) ICT security;
(d) access security; and
(e) data breaches,
and must include both documented policies and procedures as well as behaviours consistent with those policies and procedures.
You must apply your information security policies, controls and processes across all of your personal information holdings and processing (e.g. side projects, data back‑ups, archives, personal information used for R&D and testing, that provided to third party ‘processors’, etc.).
You must have, implement and rigorously apply a ‘fit for purpose’ bespoke data retention/destruction policy that applies across all of your personal information holdings and processing in order for you to even be considered likely to have taken ‘reasonable steps’ to destroy or de-identify personal information in accordance with APP 11.2.
It is not reasonable (i.e. not a ‘reasonable step’) for an entity to simply rely on a service provider (whether a third party or related entity) to have appropriate and adequate information security (even if the provider is required to do so under the relevant contract). You must take your own measures and assure the provider’s capabilities and actual implementation of such.
The Decision has significant ramifications both for onshore companies already subject to the APPs (i.e. in relation to APPs 1.2, 11.1 and 11.2) and for offshore service providers to APP entities which ultimately hold Australian-related personal information. Both must now consider the Decision carefully and determine what changes are required in their practices, policies and implementation to ensure that they adapt to the requirements of the Decision and the expanded extraterritorial reach of the Privacy Act/APPs.
Given the focus in the Decision on ‘reasonable steps’, including understanding objectively whether what you have in place is sufficient and the suggested use of external expertise, you must robustly review where your organisation currently stands on these issues. We are happy to assist you with these reviews and have significant experience in privacy and information security reviews, which will provide you with an objective assessment (in an easy to follow, practical report) with recommendations, fixes and/or workarounds. Also, as lawyers, where required we can structure a regime to provide our report under legal professional privilege.
The Decision also serves as a warning to companies that your privacy compliance will only be as good as the quality of the advice you get from your internal or external advisers. Advising on privacy requires skill and experience to make it practical (i.e. not a handbrake on the business) while getting it right. All too often we have seen ‘off-the-shelf’ privacy and cyber advice putting clients at significant risk. The warning from the OAIC in the Decision is that companies need to seek out privacy expertise and experience to get it right. That is, don’t go to your GP for brain surgery (or, for that matter, a heart specialist for brain surgery!).
Finally, keep an eye out for our Cyber colleagues’ upcoming article on the impact of the Decision on cyber incident/data breach handling and response.