OFFSHORING Data the new privacy laws

Transcription

1 OFFSHORING Data the new privacy laws

2 OFFSHORING DATA THE NEW PRIVACY LAWS Transfer of data by Australian organisations to other jurisdictions is increasingly common. This is a result of IT service providers using personnel and infrastructure in low cost jurisdictions such as India to service Australian based clients. The cloud computing industry alone is now worth nearly $2 billion in Australia and about half of this is spent on public cloud services. Eighty six per cent of Australian businesses now report that they use cloud services. 1 While there are onshore data processing options available in the marketplace (including Australianonly clouds 2 ), these may not offer the customer the same benefits (e.g. economies of scale, affordability) as offshore options. There are a range of commercial risk and regulatory considerations that any customer or supplier considering offshoring data needs to assess. In particular, new laws govern the disclosure by Australian organisations 3 of personal information 4 to overseas recipients from 12 March This note addresses some of the relevant issues. What are the changes to privacy law? The new law replaces the National Privacy Principles (that applied to private organisations) and Information Privacy Principles (that applied to government agencies) with a single list of principles called the Australian Privacy Principles (APPs). 1 IDC. Cloud is now business as usual. (16 July 2013). 2 Australia-only cloud services are those where the provider commits to only storing or processing data in data centres located in Australia. 3 This includes entities with an Australian link in accordance with s 5B. 4 This is information or opinion about an identified individual or a person who is reasonably identifiable. It does not matter whether the information is true or actually recorded in a material form. 5 Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). The new law gives the Privacy Commissioner more powers, including: the ability to seek enforceable undertakings from organisations that have breached the Privacy Act and enforce any such undertaking in the courts; the power to initiate own motion investigations whether or not a complaint from an affected individual has been made; and the power to apply to the Federal Court for a civil penalty order of up to $1.7 million for serious or repeated breaches. How do the APPs govern disclosures overseas? APP 8 requires that before disclosing personal information to a person that is outside Australia (an overseas recipient), an Australian organisation must: 1. take reasonable steps to make sure that the overseas recipient will not breach the APPs and the Australian organisation will be accountable for any such breach by the overseas recipient; or 2. alternatively: a. make it known to the relevant individual that his or her personal information will not be protected by the APPs after the disclosure to the overseas recipient and obtain the indvidual s consent to the disclosure ; or b. form a reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs. Step One: is the data transfer a disclosure? APP 8 does not apply unless the personal information is disclosed to an overseas recipient. page 2

3 Is the transfer a disclosure or a use? The new law does not define what constitutes a disclosure. The NPPs regulate cross-border transfers of personal information, not disclosures. 6 Under the Explanatory Memorandum for the new law, Parliament explained that disclosure isn t intended to be as broad as transfer. 7 The Merriam Webster Dictionary defines a disclosure as the act of making something known. Accordingly, a transfer of personal information to an overseas recipient will not necessarily be a disclosure or subject to APP 8. The Office of the Australian Information Commissioner (OAIC) has suggested that a disclosure occurs when information is released from an entity s effective control. 8 In the context of cloud services, the OAIC is of the view that a transfer of personal information will not be a disclosure if the service provider is only storing the data and certain contractual protections are implemented: OAIC EXAMPLES 9 Where an APP entity provides personal information to a cloud service provider located overseas for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, this [will not be a disclosure ] provided: 1. a binding contract is entered into requiring the provider to only handle the personal information for these limited purposes; 2. that contract requires any subcontractors to agree to the same obligations; and 3. that contract gives the entity effective control of how personal information is handled by overseas recipient. However, the OAIC has also given guidance that the following service provider arrangements will involve a disclosure : 6 NPP 9 (Transborder data flows) 7 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 Explanatory Memorandum p 83 8 OAIC Guidance (APP 8) at [8.8] 9 OAIC Guidance (APP 8) at [8.14] outsourcing processing of online purchases through website to an overseas service provider (providing personal information on customers to the service provider in order to facilitate); sending information to an overseas service provider for the purposes of conducting reference checks on behalf of the Australian organisation; or an Australian organisation relying on a parent company offshore to supply billing support (providing the parent with access to its customer database in order to facilitate). The distinction between the cloud storage example and the other examples given doesn t appear to be justified in terms of control. For example, the online payment processing agreement could be subject to the same contractual controls as the OAIC stipulates in the cloud storage example. The distinction appears to be in the different levels of use or processing of the personal data required by the service provider in each example. In the cloud storage example, the service provider does not need to use, access or view the personal data, whereas in the other examples, the service provider does need to access or view the data in order to perform its services. It is interesting that neither the new law, nor the OAIC guidance, deals with encryption of personal data in the context of APP 8. Arguably, if a customer encrypts personal information before providing it to its service provider, no disclosure of the personal information will occur. Even if an Australian organisation can satisfy itself that a transfer of personal information to an overseas recipient is not a disclosure and therefore not subject to APP 8, the organisation may still be liable for any breach of the APPs by the overseas recipient on the basis that the overseas recipient is acting as the Australian organisation s agent and its acts or omissions may be taken to be acts or omissions of the Australian organisation for the purposes of the Privacy Act. It is important to recognise that OAIC guidance 10 in relation to disclosure is not legally binding. However, prudent organisations will take note of the regulator s guidance when implementing compliance procedures. 10 OAIC Australian Privacy Principles Guidelines (February 2014) page 3

4 OFFSHORING DATA THE NEW PRIVACY LAWS Based on the Explanatory Memorandum for the new law, we can be confident that the following acts will constitute a disclosure : publishing personal information on the internet; accidentally releasing personal information publicly; and sending information to a related company (for example, a parent or sister company). 11 Further, a transfer of personal information within the same corporate entity is not considered a disclosure, even if that transfer is to an overseas office of the same entity. 12 The diagram below is a visual representation of the acts that may constitute a disclosure to an overseas recipient. Transferring personal information outside Australia: use or disclosure? Received by parent company in Washington D.C. ( Disclosure ) Received by Houston office of Australian entity ( Use ) Received by cloud provider in London. Entity enters into binding contract with cloud provider to limit access to information, enforce security standards and restrict cloud provider to only providing storage services ( Use ) Received by contractor in New Delhi for purpose of reference checking applicants for a job ( Disclosure ) Received by individual customer in Buenos Aires who requested their own personal information ( Use ) Document sent from Sydney office via 11 OAIC Guidance (APP 8) at [8.13] 12 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 Explanatory Memorandum p 83 page 4

5 Step two: taking reasonable steps to ensure the service provider does not breach the APPs Assuming that a disclosure has taken place and it is received by an overseas recipient, the consequence is that an Australian organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs. Parliament has suggested that reasonable steps will normally require that an entity enter into a contractual relationship with the recipient. 13 The OAIC has also gone a step further, specifying contractual conditions that it believes may be sufficient to satisfy the reasonable steps requirement: OAIC recommended contractual protections 14 Set out the types of personal information to be disclosed and the specific purposes of disclosure. Include obligation that overseas recipient complies with APPs in relation to: a. collection; b. use; c. disclosure; d. storage; and e. destruction/de-identification. Include obligation that subcontractors comply with same requirements as above. Include requirement that overseas recipient implement a data breach response plan (for notifying Australian entity of data breaches and required remedial action). Exceptions Exception 1: where consent is obtained An entity will not need to ensure the overseas recipient complies with the APPs if the entity obtains consent from 13 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 Explanatory Memorandum p OAIC Guidance (APP 8) at [8.16] the individual whose information is being disclosed. Consent will only be valid where it is (a) expressly obtained and (b) plainly evident that the individual was aware the entity would not be taking steps to ensure the overseas recipient complies with the APPs. 15 The OAIC has suggested that valid consent will be given where: a. the entity provides a clear written or oral statement explaining the consequences of consent (i.e. the entity will not be accountable for breaches of the APPs by the foreign entity and the individual may not be able to seek redress); and b. the statement explains practical effects and risks associated with disclosure that the entity is aware of (e.g. that the individual will not have the ability to access personal information relating to the individual that is held by the foreign entity). Exception 2: where the overseas recipient is subject to substantially similar laws An entity will not need to ensure the overseas recipient complies with the APPs if the entity has a reasonable belief that the person outside Australia is subject to laws substantially similar to the APPs. What constitutes a reasonable belief? A reasonable belief is more than merely a genuine or subjective belief. The OAIC suggests that it is the responsibility of the organisation to justify its reasonable belief if there is a dispute. One example that the OAIC gives is where an organisation has obtained independent legal advice on the foreign privacy protections. What are substantially similar laws? Laws which are substantially similar do not necessarily need to requote the protections in the APPs. Rather, the overall effect of the law is the determining factor. The OAIC hasn t been willing to disclose a white list of countries that it considers to have substantially similar laws to Australia, but the EU white list 16 may be 15 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 Explanatory Memorandum p The European Commission has published a white list of countries that it considers has adequate data protection laws (see: privacycommission.be/en/transfers-outside-the-eu-with-adequate-protection) page 5

6 OFFSHORING DATA THE NEW PRIVACY LAWS a good starting point for an analysis (the list includes, for example, Switzerland, Argentina and New Zealand). It is prudent to seek legal advice as to whether the country where an overseas recipient is located is subject to substantially similar laws. In the context of cloud computing, this may involve considering the laws of each of the jurisdictions in which the service provider s infrastructure is located. The OAIC has published its own guidance as to what it will take into account when considering foreign privacy laws: OAIC recommended contractual protections 14 Is there a comparable definition of personal information? Does it regulate collection of personal information in a similar way to the APPs? Does it require the recipient to notify individuals about collection? Does it require the recipient to use or disclose personal information only for authorised purposes? Are there comparable data quality and security standards? Is there a right to access and seek correction of personal information? The last element is that the similar laws must have enforcement mechanisms that are accessible to an individual whose personal information is disclosed. An equivalent body of the OAIC or courts with similar functions and powers will be a necessity. Privacy Policy & Collection Statements In addition to complying with APP 8, Australian organisations are required to include in their Privacy Policy: a. whether they are likely to disclose information overseas 17 ; and b. the countries where overseas recipients are located. 18 If the information is likely to be disclosed to a person overseas who is not already listed in the Privacy Policy, then an entity must send the individual a Collection Notice that lists the other countries where the information may be disclosed. 19 Security Australian organisations are also required to take appropriate security measures to protect any personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. 20 Security may need to be more rigorous if the information is sensitive or the potential consequences for the individual, if the information were disclosed, are severe. Other regulation Depending on the industry the organisation is in or for government agencies, there are additional laws that may also apply to offshore data transfers. Commonwealth Government agencies are subject to separate, stringent rules when they choose to outsource or offshore data (Attorney-General s Guidelines for Outsourced or Offshore ICT Arrangements). For example, where personal information is sent offshore or placed in a public cloud service arrangement, the agency must first obtain the consent of both the Attorney- General and the Minister responsible for the agency. There are special data management requirements for financial institutions (APRA Prudential Practice Guide CPG 235). These include ensuring that all contracts for the outsourcing of data (not just personal information) include special conditions relating to the handling of that data. APRA suggests that these include terms covering business continuity management and that a risk assessment procedure be established before these arrangements can be entered into. 17 APP 1.4 (f) 18 APP 1.4 (g) 19 APP 5.2 (i) and 5.2 (j) 20 APP 11.1 page 6

7 CORRS CONTACTS JAMES NORTH Partner Tel Mob +61 (0) james.north@corrs.com.au Ravi de Fonseka Senior Associate Tel ravi.defonseka@corrs.com.au JOHANNA O ROURKE Daniel Thompson Special Counsel Tel johanna.orourke@corrs.com.au Associate Tel daniel.thompson@corrs.com.au Barbara Keane Kieran Donovan Senior Associate Tel barbara.keane@corrs.com.au Lawyer Tel kieran.donovan@corrs.com.au Disclaimer The content of this leaflet is intended to provide general information regarding the Australian Privacy Principles and other related legislation, and is not intended to be advice as to the application of the referenced legislation and regulations to the recipient s business. page 7

8 SYDNEY 8 Chifley 8-12 Chifley Square Sydney NSW 2000 Tel Fax MELBOURNE Bourke Place 600 Bourke Street Melbourne VIC 3000 Tel Fax BRISBANE Waterfront Place 1 Eagle Street Brisbane QLD 4000 Tel Fax PERTH Woodside Plaza 240 St George s Terrace Perth WA 6000 Tel Fax KH120314