Insurance Update: "Interesting times" in privacy, especially for 'offshore' insurers, reinsurers and service providers!

The reputed Chinese curse, “may you live in interesting times”, is apt for the Australian privacy regime right now. The perfect storm of the backlash from the recent spate of high profile (almost ‘whole of population’) data breaches in the middle of a major review of our privacy law have resulted in a regulatory environment likely to create significant changes in privacy. And this following soon after the changes of the Security of Critical Infrastructure Act which now also regulates certain insurers.

Two core areas of the recent changes, the (a) extraterritorial reach of Australian privacy law and (b) introduction of the world’s highest fines for breaching privacy law, were rushed through and become law in December 2022, even before the finalisation of the Government’s response to the Attorney General’s review of the Privacy Act. These changes will, in practice, have a disproportionate impact on the Australian insurance sector, particularly ‘offshore’ insurers, reinsurers and service providers (including related entities), due to a popular current business model for Australian insurers.

The prior extraterritorial test

As an overseas based entity or related company involved as an insurer, reinsurer or service provider to the insurance sector in Australia, whether or not you were subject to the Australian Privacy Act was dependent on if (a) you were ‘carrying on business’ (for the purposes of the Privacy Act) in Australia and (b) you had at any time collected any relevant personal information from individuals or held their personal information in Australia.

So what is the test now?

In a decision of the Office of the Australian Information Commissioner (OAIC) in mid-2022, the Privacy Commissioner pushed the interpretation of the extraterritoriality wording to the extreme by finding that an offshore group service provider (SP) to an Australian based gig‑economy company where the SP did not directly collect or hold any personal information in Australia was nonetheless required to comply with the Australian privacy laws. While we believe the then wording of the relevant provision in the Australian Privacy Act did not permit such a conclusion, it is now a moot point.

In December 2022 legislation amending the extraterritorial application of the Privacy Act removed the requirement for an offshore entity to have, at some time, directly collected or held the relevant personal information in Australia. That is, now if an offshore entity is considered to be ‘carrying on business’ (for the purposes of the Privacy Act) in Australia then that entity is required to comply with the Privacy Act, at least as regards all of the Australian related personal information it processes.

The ‘carrying on business’ test for the purposes of the Privacy Act is not as ‘onerous’ as similarly worded tests for Australian taxation and company law. In practice, this test is similar to the application of Article 3(2) of the GDPR. Activities such as advertising, entering into contracts, undertaking services which impact on the operations of an Australian insurer (eg an app which is used by an insurer in Australia but which is hosted or maintained by an offshore services entity), targeting of individuals located in Australia (itself directly, through an agent or even a subsidiary acting on its behalf) will be ‘carrying on business’ in Australia.

Once an offshore entity (eg insurer, reinsurer or service provider) is ‘carrying on business in Australia' then it is an 'APP entity' and required to comply with the Privacy Act in relation to all Australian personal information it ultimately processes – even if received from another entity offshore.

Therefore, just like Article 3(2) of GDPR when it was enacted, many more offshore (often related) entities, group service providing entities and third party service providers are now subject to the requirements of Australian privacy law for all Australian related personal information they process. Where an insurance or reinsurance product related to Australian entities or individuals is ultimately provided (or supported) by an offshore entity (even though the arrangements may have been sourced by a licensed local subsidiary or third party), that activity will almost certainly make the offshore entity an 'APP entity' subject to Australian privacy law for all Australian related personal information they process.

Likewise offshore group entities that provide any services (including tech support) to Australian insurers are now required to comply with Australian privacy law.

The world’s largest fine for contravening privacy law

In practice, prior to the December 2022 legislative changes, some offshore entities which were subject to Australian privacy law were either oblivious to or not that interested in whether or not they needed to comply with Australian privacy law given that (a) if they were meeting the privacy requirements of Europe or the UK (and in some cases the US) they would ‘pretty much’ be meeting Australian requirements and (b) the fine for failing to comply was a maximum of A$2.2 million with no history of active imposition of fines by the OAIC. However now the second of the December 2022 legislative changes and the expected future significant changes to the requirements of Australian privacy law in 2023 warrant a very different approach.

At the same time as changing the extraterritoriality provisions, in December 2022 the maximum penalty for a serious invasion and repeated invasions of privacy (ie contravention of the Australian privacy law) was increased from the A$2.22 million maximum to up to the greater of A$50 million and 30% of the turnover of the enterprise for the greater of 12 months and the period of time over which the contravention occurred.

This unprecedented change (both in terms of quantum and the speed of the change) also reflects a significant shift in the attitude of the Government and the OAIC to privacy compliance and enforcement. Even if, as an offshore entity, you believe that it will be difficult for the OAIC to enforce any penalty against you overseas, the consequences of a serious breach or repeated breaches of the privacy law may include preventing you from doing any further business related to Australia (or, rather, prohibiting Australian based entities from dealing with you) and may also threaten the licenses of your related entities in Australia (ie loss of their right to operate in Australia).

What’s next?

We also expect significant changes to the substantive obligations under Australian privacy law coming out of the Attorney General’s Privacy Act review this year.

In the meantime, we are happy to discuss with you how the December 2022 changes impact your offshore activities, if Australian privacy law now applies to you, what those requirements are and mean to you in practice and how you can best ensure compliance or change your Australian related activities to avoid your offshore entity being subject to Australian privacy law.