International companies can be bound by Australian privacy laws

The recent determination by the Australian Information Commissioner and Privacy Commissioner, Angele Falk, (Commissioner) in Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Uber) provides further guidance on the extraterritorial connection of the Privacy Act 1988 (Cth) (Act) though the ‘Australian link’ set out in subsections 5B(2)-(3) (Australian Link).  This article discusses how the Office of the Australian Information Commissioner (OIAC) will assess whether an entity has an Australian Link to legally bind international entities to the Act.

Current Australian law

Section 15 of the Act states:

“APP entities must comply with Australian Privacy Principles

An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.”

An APP entity is defined by subsection 6(1) of the Act to mean an ‘agency’ or ‘organisation’.  An ‘organisation’ (Organisation) includes:[1]

  • individuals;
  • body corporates;
  • partnerships;
  • any other types of incorporated associations; or
  • trusts,

and excludes:

  • small business operators;[2]
  • registered political parties;[3]
  • agencies;[4] or
  • Australian State or Territory authorities.[5]

It can be assumed that this only applies to APP entities that exist within Australia.  However, subsection 5B(1A) of the Act states:

“…[t]his Act… extend[s] to an act done, or practice engaged in, outside Australia …by an organisation, or small business operator, that has an Australian [L]ink.”

Entities become APP entities by Australian Link when:

 (2)  [a]n organisation or small business operator has an Australian [L]ink if the organisation or operator is:

(a)  an Australian citizen; or

(b)  a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or

(c)  a partnership formed in Australia …; or

(d)  a trust created in Australia …; or

(e)  a body corporate incorporated in Australia …; or

(f)  an unincorporated association that has its central management and control in Australia …

(3)  An organisation or small business operator also has an Australian [L]ink if all of the following apply:

(a)  the organisation or operator is not described in subsection (2);

(b)  the organisation or operator carries on business in Australia…;

(c)  the personal information was collected or held by the organisation or operator in Australia or… either before or at the time of the act or practice.”[6]

Therefore, companies anywhere in the world can become APP entities if they satisfy the above.  For example, a partnership formed in Zimbabwe that conducts business in Australia and has collected the personal information of Australian citizens could be bound by the Act.

Uber – the facts

Uber Technologies, Inc. (a body corporate incorporated in the United States) (UTI) and Uber B.V. (a body corporate incorporated in the Netherlands) (UBV) (together: Uber Companies) has been offering the Uber app (Uber App) since September 2012.[7]  Since that date, the Uber App has collected personal information of its users (whether riders, drivers, or both) which includes names, email addresses, phone numbers and driver’s licence numbers.[8]  This data was stored by the Uber Companies on Amazon servers in the United States which was accessible by UTI employees.[9]  Between 13 October and 15 November 2016, this data was breached (Data Breach) by hackers using credentials of some UTI employees.[10]  Approximately 1.2 million Australian users of the Uber App (Australian Users) were affected by the Data Breach.[11]  Australian Users’ names, email addresses, phone number, and driver’s licence numbers were among the information that was downloaded by the Hackers in the Data Breach.

The Uber Companies’ Australian Link

As outlined above, for the Uber Companies to be in breach of an APP they must be an APP entity by having an Australian Link.[12]  The question then arose if the Uber Companies carried on business and collected personal information in Australia.[13]

Firstly, the Commissioner considered if the Uber Companies carried on business in Australia at the time of the Data Breach.  The Commissioner at [39] referred to the Explanatory Memorandum of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) (Explanatory Memorandum) which stated:

“…entities … who have an online presence (but no physical presence in Australia) and collect personal information from people who are physically in Australia, carry on a ‘business in Australia…’’[14]

The Commissioner was also guided by case law principles that state carrying on a business in Australia involves:[15]

  • acts within the relevant territory that amount to, or are ancillary to, transactions that make up or support the business;[16]
  • the acts forming a commercial enterprise;[17]
  • repetition of acts which suggest a permanent character rather than participating in a single transaction or a number of isolated transactions;[18]
  • not necessarily having an identifiable place of business in Australia.[19]

As one (1) or both of the Uber Companies had done the following during the time of the Data Breach:[20]

  • installing and managing authentication, security and localisation cookies and similar technologies on Australian users’ devices for the purpose of enabling users to log-in and remain logged-in to the Uber App and to enable security features on it;
  • rolling out new services of the Uber App in the USA to Australia;
  • the fixing of general bug or issue for the Uber App in the USA was also fixed in Australia;
  • ad campaigning for Australian users of the Uber App including on third party sites such as Google and Facebook;
  • managing Uber’s pixel internationally, including Australia;
  • controlling and licensing data of the Uber App;
  • entering into contractual agreements with both drivers and riders;
  • being contractually responsible for the collection of personal information of Australian users at the time of the Data Breach; and
  • collecting personal information in Australia.

Next, the Commissioner considered whether the Uber Companies had collected personal information in Australia.  The Commissioner referred to the Explanatory Memorandum which stated:[21]

“[t]he collection of personal information ‘in Australia’ under [section] 5B(3)(c) [of the Act] includes the collection of personal information from an individual who is physically within the borders of Australia… by an overseas entity.

For example, a collection is taken to have occurred ‘in Australia’ where an individual is physically located in Australia… and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia.”

The Commissioner at [71] stated:

“…I have found that UTI collected personal information of Australian users, because when Australian users submitted personal information to UBV through, and in connection with, their use of the Uber app and Uber website, it was transferred directly to UTI’s servers.  I also consider that UBV collected that same information, because UTI was required to hold and use Australian Users’ personal information in accordance with UBV’s instructions only. This indicates that UBV had control of the record in which the personal information was held.”

Therefore, the Commissioner decided that the Uber Companies had carried on business in Australia and collected information from Australian Users thus satisfying the Australian Link.  For a further breakdown of what APPs Uber breached and the subsequent actions the Uber Companies were ordered to take, see part 2 of this article.

Takeaways

While most Australian legislation will only apply to entities and citizens within this country, the Privacy Act 1988 (Cth) has international application through the Australian Link.[22]  Entities that carry on a business in Australia and collect personal information from its citizens can be bound by the Act.  International organisations may find themselves facing  penalties if they breach their obligations under the Act, either directly or indirectly.  This will occur whether the entity is aware of the Act or not.

Links and further references

Related articles

Uber breaches Australian privacy laws

Ransomware Payments Bill 2021 (Cth)

The Australian Cyber Law Map

Proposed standards for online safety

OAIC Notifiable Data Breaches report – July 2020

Data breaches: what exactly is serious harm?

What is a data breach response plan and how do I get one?

Legislation

Privacy Act 1988 (Cth)

Cases

Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34

Other materials

Explanatory Memorandum

Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth)

Further information

If you need advice on your legal obligations or risks you may have as an APP entity under the Privacy Act 1988, contact us for a confidential and obligation free and discussion:

 

Malcolm BurrowsMalcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
elephone: (07) 3221 0013 (preferred)
Mobile: 0419 726 535
e: mburrows@dundaslawyers.com.au

 

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

[1] Privacy Act 1988 (Cth) s 6C.

[2] See also Privacy Act 1988 (Cth) s 6D.

[3] See also Commonwealth Electoral Act 1918 (Cth) Part XI.

[4] See also Privacy Act 1988 (Cth) s 6.

[5] See also Privacy Act 1988 (Cth) s 6.

[6] Privacy Act 1988 (Cth) s 5B(2)-(3).

[7] Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Uber) [4], [38].

[8] Uber [4].

[9] Uber [6].

[10] Uber [6].

[11] Uber [8].

[12] Uber [36-8].

[13] Uber [38].

[14] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 218.

[15] Uber [39]-[41]; see also Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 [40-6].

[16] See also Valve Corporation v Australian Competition and Consumer Commission [2017] FCAFC 224.

[17] Tiger Yacht Management Ltd v Morris [2019] FCAFC 8 [51].

[18] Tiger Yacht Management Ltd v Morris [2019] FCAFC 8 [52].

[19] Tiger Yacht Management Ltd v Morris [2019] FCAFC 8 [53].

[20] Uber [56], [66].

[21] Uber [45]; see also Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 218.

[22] Privacy Act 1988 (Cth) s 5B(2)-(3).

Send this to a friend