The recent determination by the Australian Information Commissioner and Privacy Commissioner, Angele Falk, (Commissioner) in Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Uber) provides further guidance on the extraterritorial connection of the Privacy Act 1988 (Cth) (Act) though the ‘Australian link’ set out in subsections 5B(2)-(3) (Australian Link). This article discusses how the Office of the Australian Information Commissioner (OIAC) will assess whether an entity has an Australian Link to legally bind international entities to the Act.
Current Australian law
Section 15 of the Act states:
“APP entities must comply with Australian Privacy Principles
An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.”
An APP entity is defined by subsection 6(1) of the Act to mean an ‘agency’ or ‘organisation’. An ‘organisation’ (Organisation) includes:[1]
- individuals;
- body corporates;
- partnerships;
- any other types of incorporated associations; or
- trusts,
and excludes:
- small business operators;[2]
- registered political parties;[3]
- agencies;[4] or
- Australian State or Territory authorities.[5]
It can be assumed that this only applies to APP entities that exist within Australia. However, subsection 5B(1A) of the Act states:
“…[t]his Act… extend[s] to an act done, or practice engaged in, outside Australia …by an organisation, or small business operator, that has an Australian [L]ink.”
Entities become APP entities by Australian Link when:
“(2) [a]n organisation or small business operator has an Australian [L]ink if the organisation or operator is:
(a) an Australian citizen; or
(b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or
(c) a partnership formed in Australia …; or
(d) a trust created in Australia …; or
(e) a body corporate incorporated in Australia …; or
(f) an unincorporated association that has its central management and control in Australia …
(3) An organisation or small business operator also has an Australian [L]ink if all of the following apply:
(a) the organisation or operator is not described in subsection (2);
(b) the organisation or operator carries on business in Australia…;
(c) the personal information was collected or held by the organisation or operator in Australia or… either before or at the time of the act or practice.”[6]
Therefore, companies anywhere in the world can become APP entities if they satisfy the above. For example, a partnership formed in Zimbabwe that conducts business in Australia and has collected the personal information of Australian citizens could be bound by the Act.
Uber – the facts
Uber Technologies, Inc. (a body corporate incorporated in the United States) (UTI) and Uber B.V. (a body corporate incorporated in the Netherlands) (UBV) (together: Uber Companies) has been offering the Uber app (Uber App) since September 2012.[7] Since that date, the Uber App has collected personal information of its users (whether riders, drivers, or both) which includes names, email addresses, phone numbers and driver’s licence numbers.[8] This data was stored by the Uber Companies on Amazon servers in the United States which was accessible by UTI employees.[9] Between 13 October and 15 November 2016, this data was breached (Data Breach) by hackers using credentials of some UTI employees.[10] Approximately 1.2 million Australian users of the Uber App (Australian Users) were affected by the Data Breach.[11] Australian Users’ names, email addresses, phone number, and driver’s licence numbers were among the information that was downloaded by the Hackers in the Data Breach.
The Uber Companies’ Australian Link
As outlined above, for the Uber Companies to be in breach of an APP they must be an APP entity by having an Australian Link.[12] The question then arose if the Uber Companies carried on business and collected personal information in Australia.[13]
Firstly, the Commissioner considered if the Uber Companies carried on business in Australia at the time of the Data Breach. The Commissioner at [39] referred to the Explanatory Memorandum of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) (Explanatory Memorandum) which stated:
“…entities … who have an online presence (but no physical presence in Australia) and collect personal information from people who are physically in Australia, carry on a ‘business in Australia…’’[14]
The Commissioner was also guided by case law principles that state carrying on a business in Australia involves:[15]
- acts within the relevant territory that amount to, or are ancillary to, transactions that make up or support the business;[16]
- the acts forming a commercial enterprise;[17]
- repetition of acts which suggest a permanent character rather than participating in a single transaction or a number of isolated transactions;[18]
- not necessarily having an identifiable place of business in Australia.[19]
As one (1) or both of the Uber Companies had done the following during the time of the Data Breach:[20]
- installing and managing authentication, security and localisation cookies and similar technologies on Australian users’ devices for the purpose of enabling users to log-in and remain logged-in to the Uber App and to enable security features on it;
- rolling out new services of the Uber App in the USA to Australia;
- the fixing of general bug or issue for the Uber App in the USA was also fixed in Australia;
- ad campaigning for Australian users of the Uber App including on third party sites such as Google and Facebook;
- managing Uber’s pixel internationally, including Australia;
- controlling and licensing data of the Uber App;
- entering into contractual agreements with both drivers and riders;
- being contractually responsible for the collection of personal information of Australian users at the time of the Data Breach; and
- collecting personal information in Australia.
Next, the Commissioner considered whether the Uber Companies had collected personal information in Australia. The Commissioner referred to the Explanatory Memorandum which stated:[21]
“[t]he collection of personal information ‘in Australia’ under [section] 5B(3)(c) [of the Act] includes the collection of personal information from an individual who is physically within the borders of Australia… by an overseas entity.
For example, a collection is taken to have occurred ‘in Australia’ where an individual is physically located in Australia… and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia.”
The Commissioner at [71] stated:
“…I have found that UTI collected personal information of Australian users, because when Australian users submitted personal information to UBV through, and in connection with, their use of the Uber app and Uber website, it was transferred directly to UTI’s servers. I also consider that UBV collected that same information, because UTI was required to hold and use Australian Users’ personal information in accordance with UBV’s instructions only. This indicates that UBV had control of the record in which the personal information was held.”
Therefore, the Commissioner decided that the Uber Companies had carried on business in Australia and collected information from Australian Users thus satisfying the Australian Link. For a further breakdown of what APPs Uber breached and the subsequent actions the Uber Companies were ordered to take, see part 2 of this article.
Takeaways
While most Australian legislation will only apply to entities and citizens within this country, the Privacy Act 1988 (Cth) has international application through the Australian Link.[22] Entities that carry on a business in Australia and collect personal information from its citizens can be bound by the Act. International organisations may find themselves facing penalties if they breach their obligations under the Act, either directly or indirectly. This will occur whether the entity is aware of the Act or not.
Links and further references
Legislation
Cases
Other materials
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth)
Further information about privacy compliance
If you need advice on your legal obligations or risks you may have as an APP entity under the Privacy Act 1988, contact us for a confidential and obligation-free discussion:
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Privacy Act 1988 (Cth) s 6C.
[2] See also Privacy Act 1988 (Cth) s 6D.
[3] See also Commonwealth Electoral Act 1918 (Cth) Part XI.
[4] See also Privacy Act 1988 (Cth) s 6.
[5] See also Privacy Act 1988 (Cth) s 6.
[6] Privacy Act 1988 (Cth) s 5B(2)-(3).
[7] Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Uber) [4], [38].
[14] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 218.
[15] Uber [39]-[41]; see also Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 [40-6].
[16] See also Valve Corporation v Australian Competition and Consumer Commission [2017] FCAFC 224.
[17] Tiger Yacht Management Ltd v Morris [2019] FCAFC 8 [51].
[18] Tiger Yacht Management Ltd v Morris [2019] FCAFC 8 [52].
[19] Tiger Yacht Management Ltd v Morris [2019] FCAFC 8 [53].
[21] Uber [45]; see also Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 218.
[22] Privacy Act 1988 (Cth) s 5B(2)-(3).
Related insights about privacy compliance
-
Privacy Act amended to increase penalties up to $50 million
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent. The Bill was passed with virtually no amendment.
-
What should APP Entities include in a data destruction policy?
This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.
-
Uber breaches Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-
International companies can be bound by Australian privacy laws
Australian Intelligence Community (AIC) Commissioner Falk determined how the Office of the Australian Information Commissioner (OAIC) will assess if international entities have an Australian Link to Privacy Act 1988 (Cth).
-
Are your privacy practices compliant with the amended Privacy Act 1988 (Cth)?
Organisations must act ensure compliance with the Privacy Act 1988 (Cth) reforms. Learn more about the thirteen new Australian Privacy Principles (APP’s) the penalties for non-compliance, and the steps you can take to protect your business.
