OAIC Releases Guidelines on Cross Border Disclosure and Direct Marketing

The Office of the Australian Information Commissioner (OAIC) has released further draft Australian Privacy Principles (APP) Guidelines (draft Guidelines) for public consultation. The draft Guidelines outline how the OAIC will interpret and apply the APP. To access the draft Guidelines, click here.

On 20 September 2013, the OAIC released Parts 3 and 4 of the draft Guidelines which address APP 6 to APP 11. APP 1 to APP 5 were previously released on 23 August 2013 (click here for K&L Gates' Legal Insight).

In this Legal Insight, we will focus on the draft Guidelines on cross border disclosure (APP 8) and direct marketing (APP 7). Organisations are encouraged to review the draft Guidelines and provide feedback to the OAIC within the consultation period. This ends on 21 October 2013.

Cross Border Disclosure – APP 8

Reasonable Steps

APP 8.1 provides that before an organisation that is subject to the APP discloses personal information about an individual to an overseas recipient, that organisation must take reasonable steps to ensure the recipient does not breach the APP in relation to that information.

The draft Guidelines state that the appropriate steps an organisation should take to comply with APP 8.1 will depend on various circumstances. These include the nature of personal information disclosed to the overseas recipient and the risk of harm to an individual if the information is mishandled by the overseas recipient.

At paragraph 8.15, the draft Guidelines note that the OAIC generally expects an organisation to enter into an enforceable contract with the overseas recipient that includes:

  • a requirement for the recipient to handle the personal information in accordance with the APP
  • a complaints handling process for privacy complaints

  • a requirement that the recipient implement a data breach response plan. Under this plan, the overseas recipient should notify the organisation of any suspected privacy breaches and outline any appropriate remedial action.

If an organisation discloses information to an overseas recipient that is not itself bound by the APP under the Privacy Act 1988 (Cth), the organisation will be accountable for an act or practice of the overseas recipient that breaches the APP, unless it falls within the limited exceptions under APP 8.2. The key exceptions under APP 8.2 apply if:

  • the organisation reasonably believes that the overseas recipient is subject to laws in its country that protect the information in a substantially similar way to the APP, and that an individual affected by a breach is able to access that justice system, or
  • the organisation expressly informs the individual that their information will be disclosed to an overseas recipient and the individual consents to that disclosure with the knowledge that the organisation will not be held liable for any breaches by the overseas recipient.

Cloud Computing

Chapter 8 of the draft Guidelines provides some clarity about the applicability of the APP to offshore cloud service providers. Paragraph 8.12 of the draft Guidelines notes that an organisation will not be subject to the requirements under APP 8 where personal information is "not disclosed" to an overseas contractor. The example of "not disclosed" provided by the draft Guidelines is where personal information is provided by an organisation to a cloud service provider located overseas only for the limited purposes of storing and managing personal information.

In the above example, the draft Guidelines also differentiate between 'use' and 'disclosure'. Paragraph 8.8 of the draft Guidelines states that an organisation "will generally disclose personal information when it permits that information to be become known outside the organisation and releases it from its effective control." This would extend to circumstances where the overseas recipient has access to the personal information. However, 'use' of personal information is more limited to purposes such as 'storing and managing personal information' by the overseas recipient where the organisation continues to maintain effective control of the information. (So APP 8 does not apply to this 'use' as there is 'no disclosure'.)

It is important that the contract between an organisation and the cloud service provider reflects these limited purposes. Any permitted sub-contractors of the cloud service provider should also be subject to similar restrictions. Contracts are likely to need re-drafting and amending to fit within this APP Guidance.

Project PRISM

In July 2013, it was alleged in media reports that the US Government has been secretly collecting information about non-US citizens for nearly six years from multiple cloud service providers and other organisations – code name, project PRISM. Organisations regulated by the Privacy Act had been concerned about such disclosures by their service providers as this could potentially amount to a breach of the Privacy Act.

The draft Guidelines provide an organisation would not be responsible under APP 8.1 for the conduct of their offshore service providers if the offshore service provider discloses information due to a requirement of an applicable foreign law. That is, if a cloud service provider located in the US discloses personal information to the US Government due to a legal requirement, then this disclosure is not regulated by the APPs.

However, the above principle does not apply if the cloud service provider is located within Australia. Paragraph 8.60 of the draft Guidelines notes that "where a foreign law requires an APP entity in Australia to disclose personal information to an overseas recipient, the entity must comply with APPs 6 and 8."

On 26 September 2013, in response to the National Security Agency's (NSA) alleged activities, four senators announced a draft bill rolling back NSA's data collection powers. If passed, the proposed Intelligence Oversight and Surveillance Reform Act aims to reform the foreign intelligence surveillance court by making the quasi-judicial process more transparent and accountable. Progress of this bill should be monitored.

Direct Marketing – APP 7

Under the National Privacy Principles (NPPs), direct marketing is not specifically addressed in its own NPP. However, under the APPs, direct marketing is addressed separately.

Direct Marketing Communications

The APPs permit an organisation to use personal information for direct marketing purposes if (among other things) an easy opt-out mechanism is provided to the individual and the individual has not opted out.

Organisations have previously been required to include opt-out mechanisms for communications that were regulated by the Spam Act 2003 (Cth), for eg, emails and SMS. However, the requirements under the Privacy Act expand the application of opt-out mechanisms.

The draft Guidelines provide that examples of direct marketing include:

  • sending a catalogue in the mail addressed to an individual, or
  • displaying an advertisement on a social media site after the individual has logged in to the social media site. The advertisement would be classified as direct marketing if the organisation uses personal information which may include data stored on cookies relating to websites the individual has viewed.

Where the personal information was collected via a third party or the individual would not reasonably expect its use for direct marketing, an organisation is required to include a prominent statement in marketing communications drawing attention to the opt-out mechanism. The draft Guidelines provide that such statement should be:

  • positioned prominently, and not hidden among other text. Headings may be necessary to draw attention to the statement
  • be published in a font size and type which is easy to read, and at least the same font size as the main body of text in the communication.

Further, the draft Guidelines provide an example that an organisation could be required to tell the recipient of a direct marketing phone call that they can verbally opt out from any future calls.

Next Steps

Organisations should start to review their direct marketing communications and include the relevant unsubscribe mechanisms. This may be difficult for advertisements within the social media space or an app as the space for including an unsubscribe mechanism is rather limited.

Organisations may wish to further consult with the OAIC about the application of APP 7 and its effect, as interpreted by the OAIC, with respect to social media.

Privacy Review – Documents and Procedures

The changes to the Privacy Act commencing in March 2014 require organisations to not only update their policies and procedures before the start date but also impose additional ongoing commitments.