It means explicit accountability.
Under the existing NPPs, it is not clear that an organisation which transfers personal information off-shore in compliance with NPP9 is necessarily liable and accountable if the recipient of that information uses or discloses that personal information in breach of the NPPs. The new Privacy Amendment Bill introduces an accountability framework which addresses this lack of clarity. It also changes the extra-territorial application of the Privacy Act in a way which requires both organisations and service providers to consider how the new accountability principle will apply to them.
Importantly, the new Privacy Amendment Bill also extends the cross-border disclosure principles (and the accountability framework) so that they also apply to disclosures of personal information by government agencies.[1]
There are two pieces to the new accountability framework.
First is APP 8 – Cross-border Disclosure of Personal Information (which replaces the old NPP 9 – Transborder data flows). APP 8.1 requires an APP entity,[2] before disclosing personal information to a person who is not in Australia (and who is not the entity itself[3]), to take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs in relation to that information. There is a set of circumstances in which the APP 8.1 obligation does not apply, set out in APP 8.2 (discussed further below).
The second piece to the accountability framework is new section 16C, which comes into play where APP 8.1 applies to the cross-border disclosure of personal information by an APP entity and:
In these circumstances, the thing done by the overseas recipient is taken to have been done by the APP entity, and to be a breach of the APPs by the APP entity.
The requirement in section 16C that the APPs do not apply to conduct of the overseas recipient means that the deeming provision relating to an APP breach will not apply to an overseas recipient which is bound by the Privacy Act as a result of the extra-territorial provisions in new section 5B(1A). These sections expressly apply the APPs to acts carried out outside Australia by organisations which have an “Australian link”.
A person or an organisation has an Australian link:
It follows that under the new accountability framework, an organisation that uses a cloud service provider or an outsourcer which is located offshore will not be liable for any breaches of the APPs by that offshore service provider if that cloud service provider or outsourcer is itself subject to the APPs (e.g. it carries on business in Australia or otherwise has an Australian link).[5] As the Privacy Act does not set out a test for when an organisation carries on business in Australia, this will fall to be determined by general principles. Clearly, if an entity establishes an office or presence in Australia, or has agents in Australia with authority to bind it, it will be carrying on business in Australia. The situation will be more complex if it has no physical presence in Australia but has Australian customers – this will require careful analysis and consideration.
Although the APPs have extra-territorial effect as discussed above, section 6A(4) (and the note to section 5B(1A)) make it clear that an act done by an organisation outside Australia will not breach the APPs where that act is required by an applicable law of a foreign country. Thus, an offshore cloud provider who has an Australian link (and is subject to the APPs) will not breach the APPs if it discloses information to a law enforcement authority under a subpoena issued under an applicable foreign law.
As noted above, there are a number of exceptions to the obligation in APP 8.1. Importantly, if any of the exceptions apply, then the deeming provision in section 16C does not. This means that if an organisation makes a cross-border disclosure under one of the exceptions to APP 8.1, it is not under an obligation to take reasonable steps to ensure that the recipient does not breach the APPs, nor will it be deemed to be liable for any breach by the recipient of the APPs.
The exceptions are as follows:
APP 5.1 requires an APP entity which has collected personal information about an individual to take reasonable steps to ensure that the individual is aware of various things at, or as soon as practicable after, the collection. In the jargon of privacy lawyers, this is known as the obligation to provide a “collection statement”. One such matter to be drawn to the attention of an individual in a collection statement is the country or countries to which the individual’s data may be disclosed by the APP entity if it is likely to disclose the data to overseas recipients and it is practicable to identify the overseas locations.
For Australian organisations, in some ways, these changes will not make a significant practical difference to their risk profile in using overseas cloud providers or outsourcers. While the new accountability framework will make it clear that they are legally liable for any breach by the cloud provider or the outsourcer of the APPs, even under the existing NPPs, the organisation may well have been reputationally liable for such breach. However, there are a number of things that they should look to do:
For agencies, this will be a significant legal change. For the first time, they may have express legal accountability to individuals in relation to privacy if they choose to offshore or use cloud service providers. Although offshoring is not specifically prohibited under the AGIMO Cloud policy or the DSD security guidelines, agencies are expected to undertake a careful risk assessment before doing so.
Australian cloud providers or outsourcers will not be materially affected by these changes. They are and will remain subject to the terms of the Privacy Act in relation to any personal information collected by them. Of course, if they in turn use an off-shore service provider, then they will need to comply with APP 8 in relation to any disclosures of personal information by them to their offshore service providers.
Offshore cloud providers or outsourcers will have to determine whether or not they have an Australian link, and whether this makes them subject to the APPs. Offshore providers or outsourcers in jurisdictions with data privacy laws that are, overall, substantially similar to the APPs, and that afford Australian individuals a mechanism to take action, may well be requested by their prospective Australian customers to provide a comparison between the relevant foreign legal regime and the Australian regime.
In any event, all offshore providers and outsourcers can expect to be faced with requests from customers for assurances that the provider or outsourcer will conduct themselves in a manner consistent with the principles applying to the Australian entity and to accept liability for failing to do so.
Given the responsibility of Australian enterprise customers to ensure that their collection statements and privacy consents cover the use and disclosure of personal information by their service providers, prudent service providers with a commitment to providing services to Australian enterprise customers (both in the private and public sectors) will seek to assist their Australian customers to understand and address privacy issues arising out of their respective roles and responsibilities, so that each party bears an appropriate level of responsibility having regard to those matters.
1. The existing Information Privacy Principles applicable to government agencies do not have a transborder data flow principle.
2. An APP entity is an agency or an organisation.
3. However, note that disclosure to a related body corporate will be caught by the APP.
4. Importantly, in these circumstances, the personal information is not limited to information about an Australian citizen or permanent resident.
5. Assuming it is not formed, created, or incorporated in Australia.
6. An example of a permitted general situation is a disclosure where it is unreasonable or impracticable to obtain the individual's consent, and the disclosing entity reasonably believes the disclosure is necessary to lessen or prevent a serious threat to life or safety.