Extending the Privacy Act to offshore data collection where it relates to Australians goes beyond that of the European Union’s General Data Protection Regulation, according to a handful of tech giants and industry groups.
The Digital Industry Group Inc (DIGI), Business Council of Australia and the Tech Council of Australia all flagged concerns with the proposal in their submissions to the senate committee currently reviewing the Privacy Legislation Amendment (Enforcement and Other Measures) Bill.
The bill, which passed the lower house on Wednesday, is designed to impose significantly higher penalties on organisations that suffer severe or repeated data breaches, but also contains other amendments to ensure Australia’s privacy laws remain fit for purpose.
Proposed changes to the Privacy Act’s extraterritoriality provisions would subject foreign companies carrying on business in Australia to the Privacy Act even if they do not collect or hold citizen data “directly from a source in Australia”.
At present, foreign companies are only required to comply with the Privacy Act if they have an “Australian Link”, a threshold that is crossed if the organisation both carries on business in Australia and collects or holds personal information in Australia.
According to the Attorney-General’s Department, this link has become blurred with the evolution of technology and it can now be “difficult to establish that foreign organisations collect or hold personal information directly from Australia”.
Privacy groups have broadly welcomed the proposal, which Digital Rights Watch said would make it “harder for foreign companies to avoid meeting the requirements of the Privacy Act”, bringing Australia in line with foreign equivalents like the General Data Protection Regulation (GDPR).
Less enthusiastic, however, is the industry group representing Facebook, Apple, Twitter and Google. DIGI is concerned the bill “serves to also remove the requirement that data be collected in Australia” and, therefore, “must be closely examined”.
“The effect…is that if an offshore corporation carries on business in Australia through providing services to Australian end users, then the…Privacy Act would also apply to that corporation’s handling of information about users in any other jurisdiction where its services are available,” it’s submission said.
“DIGI would like to understand if the intention in removing this paragraph is that offshore businesses carrying on business in Australia must handle all the personal information they collect from everywhere (not from Australia or relating to Australians) in accordance with the…Privacy Act.”
DIGI said that if this is the case, the extraterritoriality provisions of the bill exceed the provisions in the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR covers EU residents, organisations based in the EU, and organisations that have EU customers.
The group also questioned the justification for the change, suggesting that “if the impact on Australians cannot be established, then this raises the question of whether the action falls within the jurisdiction of the Australian Information Commissioner”.
“It is not clear why Australian laws seek to regulate the management of personal information that has no direct connection with Australia or with Australians,” DIGI said.
DIGI’s concerned are shared by the Business Council of Australia (BCA), who also said it is “unclear why the Australian Parliament would seek to regulate the management of personal information where there is no connection to Australia”.
“Given there isn’t a clear justification for this, it appears this is an unintended drafting error. We recommend this be amended before the bill receives passage,” the BCA said particularly bluntly in its submission.
The Tech Council of Australia (TCA) similarly said the extraterritoriality provision could “benefit from further clarification to avoid unintended consequences”, recommending the bill specify the “personal information collected or held must relate to an individual located in Australia”.
The TCA, alongside the Australian Information Industry Association and the Australian Computer Society, is also calling on the government to embed a safe harbour provision in the bill for companies that meet certain conditions.
All three industry groups have also recommended a tiered penalty regime for data breaches to ensure smaller fines apply to less severe infringements, much like the approach adopted for the GDPR.
The Australia Privacy Foundation has recommended the government align extraterritoriality provisions with the GDPR to “provide consistency between the privacy regimes of Australia and the EU and other jurisdictions”.
Do you know more? Contact James Riley via Email.