October 9, 2012

Do You Know Where Your Data Is?

If your business collects information about customers and stores it electronically, this is an important article to read.

The march of cloud computing is well underway.  Increasing numbers of Australian businesses are storing data “offsite”, and for many businesses, “offsite” also means “offshore”.  Some of the most advanced data hosting services are located outside of Australia, Amazon being the notable example.  The efficiencies of cloud computing are clear from a commercial perspective, but many people are unaware that storing (or disclosing) certain types of information to parties outside of Australia is a major legal issue.  The recently proposed changes to Privacy Law make it a more pressing consideration – a regime that has been criticised as “toothless” will include fines of up to $1.1 million for breaches if the new bill is passed in its current form.

HOW PRIVACY LAW AFFECTS OFFSHORING DATA

The storage and use of “personal information” is covered by the Privacy Act 1988 (Cth) (‘Act’).  The definition of personal information in the Act is very broad (and imprecise): personal information is any information that identifies a person or could be used to identify a person.  This includes obvious categories of information like names and addresses, but reaches as far as information like dates of birth and postcodes in circumstances where data can be cross-referenced to deduce someone’s identity.

THE CURRENT POSITION ON OFFSHORING DATA

The “National Privacy Principles” are legally binding under the Act.  Principle 9 deals with “Transborder data flows”.  The Principle mandates that personal information can only be transferred to a foreign country if one of the following conditions is satisfied:

  • the country to which the information is being transferred also has privacy law “substantially similar” to the National Privacy Principles;
  • the individual who is the subject of the personal information consents to the transfer;
  • the transfer is necessary for the performance of a contract between the individual and the transferring organisation;
  • the transfer is necessary for the performance of a contract concluded in the interest of the individual between the organisation and a third party;
  • the transfer is for the benefit of the individual, it is “impracticable” to obtain consent, and if consent were sought, the individual would likely give it;
  • the organisation has taken “reasonable steps” to ensure that the transferred information will not be used or disclosed in a way that is inconsistent with the National Privacy Principles.

THE CHANGES IMPOSED BY THE CURRENT VERSION OF THE BILL

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed by the House of Representatives on 17 September 2012, and is currently under consideration by the Senate.

The new Australian Privacy Principle 8 deals with offshoring data in a different way from the current Principle 9.  Under the new principle, if an Australian business discloses personal information to a foreign entity, and the foreign entity breaches the Australian Privacy Principles in respect of that personal information, the Australian business will be treated as if it had breached the law itself.

It is possible to gain consent from individuals to avoid this burden, but the threshold for consent is much higher than under current law.  Currently, a business can gain consent by mentioning that it may offshore personal information in its terms and conditions of business.  Under the new law, in order to gain consent, the business must make it clear to an individual that the business will disclose to foreign entities and will not be required to take reasonable steps to ensure compliance of foreign entities with the Australian Privacy Principles.  Some experts are of the view that a legally conservative approach would be to put this disclaimer into an entirely new document outside of the terms to be agreed to specifically by individuals.

Under the current bill, a failure to comply with the new principles can result in fines of up to $1.1 million.

WHAT TO DO ABOUT IT

  • Speak with your IT professional about whether or not the personal information you collect is stored exclusively in Australia.
  • If your business is storing personal information offshore, make sure that you are obtaining the consent of the relevant individuals so that you comply with the laws in force at the moment.
  • Keep an eye out for more updates from us on this topic – if the current version of the bill is approved, it is likely that certain sections of your terms and conditions and Privacy Policies will need to be redrafted.