OAIC Releases Guidelines on Cross Border Disclosure and Direct Marketing

by K&L Gates LLP

The Office of the Australian Information Commissioner (OAIC) has released further draft Australian Privacy Principles (APP) Guidelines (draft Guidelines) for public consultation. The draft Guidelines outline how the OAIC will interpret and apply the APP. To access the draft Guidelines, click here.

On 20 September 2013, the OAIC released Parts 3 and 4 of the draft Guidelines which address APP 6 to APP 11. APP 1 to APP 5 were previously released on 23 August 2013 (click here for K&L Gates' Legal Insight).

In this Legal Insight, we will focus on the draft Guidelines on cross border disclosure (APP 8) and direct marketing (APP 7). Organisations are encouraged to review the draft Guidelines and provide feedback to the OAIC within the consultation period. This ends on 21 October 2013.

Cross Border Disclosure – APP 8

Reasonable Steps

APP 8.1 provides that before an organisation that is subject to the APP discloses personal information about an individual to an overseas recipient, that organisation must take reasonable steps to ensure the recipient does not breach the APP in relation to that information.

The draft Guidelines state that the appropriate steps an organisation should take to comply with APP 8.1 will depend on various circumstances. These include the nature of personal information disclosed to the overseas recipient and the risk of harm to an individual if the information is mishandled by the overseas recipient.

At paragraph 8.15, the draft Guidelines note that the OAIC generally expects an organisation to enter into an enforceable contract with the overseas recipient that includes:

  • a requirement for the recipient to handle the personal information in accordance with the APP
  • a complaints handling process for privacy complaints
  • a requirement that the recipient implement a data breach response plan. Under this plan, the overseas recipient should notify the organisation of any suspected privacy breaches and outline any appropriate remedial action.

If an organisation discloses information to an overseas recipient that is not itself bound by the APP under the Privacy Act 1988 (Cth), the organisation will be accountable for an act or practice of the overseas recipient that breaches the APP, unless it falls within the limited exceptions under APP 8.2. The key exceptions under APP 8.2 apply if:

  • the organisation reasonably believes that the overseas recipient is subject to laws in its country that protect the information in a substantially similar way to the APP, and that an individual affected by a breach is able to access that justice system, or
  • the organisation expressly informs the individual that their information will be disclosed to an overseas recipient and the individual consents to that disclosure with the knowledge that the organisation will not be held liable for any breaches by the overseas recipient.

Cloud Computing

Chapter 8 of the draft Guidelines provides some clarity about the applicability of the APP to offshore cloud service providers. Paragraph 8.12 of the draft Guidelines notes that an organisation will not be subject to the requirements under APP 8 where personal information is "not disclosed" to an overseas contractor. The example of "not disclosed" provided by the draft Guidelines is where personal information is provided by an organisation to a cloud service provider located overseas only for the limited purposes of storing and managing personal information.

In the above example, the draft Guidelines also differentiate between 'use' and 'disclosure'. Paragraph 8.8 of the draft Guidelines states that an organisation "will generally disclose personal information when it permits that information to become known outside the organisation and releases it from its effective control." This would extend to circumstances where the overseas recipient has access to the personal information. However, 'use' of personal information is more limited, covering purposes such as 'storing and managing personal information' by the overseas recipient where the organisation continues to maintain effective control of the information. (So APP 8 does not apply to this 'use' as there is 'no disclosure'.)

It is important that the contract between an organisation and the cloud service provider reflects these limited purposes. Any permitted sub-contractors of the cloud service provider should also be subject to similar restrictions. Contracts are likely to need re-drafting and amending to fit within this APP Guidance.

Project PRISM

In July 2013, it was alleged in media reports that the US Government had been secretly collecting information about non-US citizens for nearly six years from multiple cloud service providers and other organisations, under the code name project PRISM. Organisations regulated by the Privacy Act had been concerned about such disclosures by their service providers, as this could potentially amount to a breach of the Privacy Act.

The draft Guidelines provide that an organisation would not be responsible under APP 8.1 for the conduct of its offshore service providers if the offshore service provider discloses information due to a requirement of an applicable foreign law. That is, if a cloud service provider located in the US discloses personal information to the US Government due to a legal requirement, then this disclosure is not regulated by the APPs.

However, the above principle does not apply if the cloud service provider is located within Australia. Paragraph 8.60 of the draft Guidelines notes that "where a foreign law requires an APP entity in Australia to disclose personal information to an overseas recipient, the entity must comply with APPs 6 and 8."

On 26 September 2013, in response to the National Security Agency's (NSA) alleged activities, four senators announced a draft bill rolling back NSA's data collection powers. If passed, the proposed Intelligence Oversight and Surveillance Reform Act aims to reform the foreign intelligence surveillance court by making the quasi-judicial process more transparent and accountable. Progress of this bill should be monitored.

Direct Marketing – APP 7

Under the National Privacy Principles (NPPs), direct marketing is not specifically addressed in its own NPP. However, under the APPs, direct marketing is addressed separately.

Direct Marketing Communications

The APPs permit an organisation to use personal information for direct marketing purposes if (among other things) an easy opt-out mechanism is provided to the individual and the individual has not opted out.

Organisations have previously been required to include opt-out mechanisms for communications that were regulated by the Spam Act 2003 (Cth), for example, emails and SMS. However, the requirements under the Privacy Act expand the application of opt-out mechanisms.

The draft Guidelines provide that examples of direct marketing include:

  • sending a catalogue in the mail addressed to an individual, or
  • displaying an advertisement on a social media site after the individual has logged in to the social media site. The advertisement would be classified as direct marketing if the organisation uses personal information which may include data stored on cookies relating to websites the individual has viewed.

Where the personal information was collected via a third party or the individual would not reasonably expect its use for direct marketing, an organisation is required to include a prominent statement in marketing communications drawing attention to the opt-out mechanism. The draft Guidelines provide that such a statement should be:

  • positioned prominently, and not hidden among other text. Headings may be necessary to draw attention to the statement
  • published in a font size and type which is easy to read, and at least the same font size as the main body of text in the communication.

Further, the draft Guidelines provide an example that an organisation could be required to tell the recipient of a direct marketing phone call that they can verbally opt out from any future calls.

Next Steps

Organisations should start to review their direct marketing communications and include the relevant unsubscribe mechanisms. This may be difficult for advertisements within the social media space or an app as the space for including an unsubscribe mechanism is rather limited.

Organisations may wish to further consult with the OAIC about the application of APP 7 and its effect, as interpreted by the OAIC, with respect to social media.

Privacy Review – Documents and Procedures

The changes to the Privacy Act commencing in March 2014 require organisations to not only update their policies and procedures before the start date but also impose additional ongoing commitments.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
