December 14, 2021

It’s data, it’s law, it’s the vibe: Could Australian privacy law apply to your business in Aotearoa?

Around the office, it’s not uncommon to hear references to the Australian ’97 classic, The Castle. A good win for our team? It’s going straight to the pool room.

So you’ll have to forgive us for questioning whether proposed amendments to the extraterritorial application of Australian privacy law make sense, or whether they’re akin to asking Kiwi businesses to consider ‘the vibe of the thing’ when trying to determine if the Australian Privacy Act extends to their Aotearoa New Zealand-based activities.

These amendments arise in the context of some of the most significant reform to Australian privacy law since the Wallabies last held the Bledisloe (in other words, some would say the reform is ‘well overdue’).

What’s the proposed change?

Currently, an organisation outside Australia – including those based in Aotearoa – must comply with the Australian Privacy Act 1988 if that organisation has an ‘Australian link’. A business will have an ‘Australian link’ if that organisation:

  • carries on business in Australia; and
  • collects or holds information from a source inside Australia.

But changes proposed by the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) would remove the second limb of that test. That change means that, if the Online Privacy Bill is enacted, the Australian Privacy Act would apply to foreign organisations (including organisations in Aotearoa) who carry on business in Australia, even if they do not collect or hold Australians’ information directly from a source in Australia. One reading of this change is that the Privacy Act could even apply to information collected by a foreign organisation about individuals who are not actually present in Australia.

And while there are a few indicators on which the Australian regulator currently relies to determine whether an organisation is ‘carrying on business in Australia’ (including registering trade marks in Australia, or selling goods online to people in Australia), our view is that the change will make it even less clear for Aotearoa New Zealand businesses as to whether and to what extent they may be caught by Australian privacy law.

Why the change?

For context, Australia has been grappling – like many other countries in the last few years – with whether its privacy law is fit for the digital age. The Online Privacy Bill seeks to implement a few measures recommended by the Australian Competition and Consumer Commission’s Digital Platforms 2019 report, which examined the regulation of digital platforms.

So, the proposed extension of the extraterritorial application of Australia’s privacy law seems clearly aimed at capturing the likes of online platform providers. However, the amendments are not limited in scope to just the big players, which means, if implemented, we could see a significant broadening of the extraterritorial application of Australian privacy law. And given the deeply rooted business connections between Australia and Aotearoa New Zealand, many Kiwi businesses could find themselves technically subject to new requirements and harsher penalties.

What does this mean for you?

The good news is that, currently, the requirements of Australian privacy law are not so far removed from the requirements of Aotearoa New Zealand privacy law.

Chances are that if you’ve got your ducks in a row following the enactment of the New Zealand Privacy Act 2020, and the way in which you collect, hold, and process data aligns with recommended best practice, you won’t need to implement drastic changes to your privacy practices. That said, if you don’t get things right, the potential repercussions will be more significant: the proposed amendments to the Privacy Act fine regime contemplated by the Online Privacy Bill mean that the risk of getting things wrong will be elevated.

And the changes to the extraterritorial scope of the Privacy Act aren’t the only redlines on the table. A broader review of Australian privacy law is being conducted by the Australian government in parallel to the Online Privacy Bill, which could culminate in further significant changes to Australian privacy law.

The significant reforms proposed by the Attorney-General’s Privacy Act Review are broad: they include increased transparency obligations, a requirement to implement ‘pro-privacy’ settings by default, requirements aimed at enhancing protections for children and young people, and the establishment of new rights for individuals, akin to the GDPR.

Even if you think your operations don’t amount to ‘carrying on business in Australia’, your Australian-based customers (not to mention the Aussie regulator) might have different expectations. New Zealand businesses who wish to avoid an underarm delivery from the Office of the Australian Information Commissioner would do well to face up to the ‘vibe’ of the latest changes, and ensure that their practices, processes and risk assessments take into account the application of the privacy laws of the ‘West Island’.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons 2021 | Attorney Advertising



source: https://www.jdsupra.com/legalnews/it-s-data-it-s-law-it-s-the-vibe-could-4434758/
