Part 2 – Lessons from the Ashley Madison privacy investigation

In Part 1 of this series we explored the Privacy Act 1988 (Cth) (Privacy Act) breaches that were identified by the Acting Australian Information Commissioner (Commissioner) and Privacy Commissioner of Canada during their joint investigation of Ashley Madison. Readers may recall that the Ashley Madison website operated by Avid Life Media Inc (ALM) made headlines last year after its dating website was hacked.

This week’s update focuses on the extra-territorial application of the Privacy Act.

Extra-territorial operation of the Privacy Act

Intuitively, many may assume that only organisations which are based within Australian borders are required to comply with the Privacy Act. The Privacy Act is intended to provide the basis for nationally consistent regulation of privacy and the handling of personal information (see Objects of the Act, section 2A(e)).  In addition, the Commissioner’s investigations of Privacy Act breaches and complaints have typically focused on the conduct and regulation of organisations within Australian borders.

The Commissioner’s investigation of Ashley Madison provides a useful reminder that the Privacy Act does in fact have extra-territorial operation and can extend to acts or practices performed by organisations physically located outside of Australian borders.

In particular, section 5B(1A) provides that the Privacy Act extents to an act done, or practice engaged in, outside of Australian borders by an organisation or small business operator that has an Australian link. An organisation or small business operator will have an ‘Australian link’ in a number of circumstances, including where it:

• carries on business in Australia or an external Territory; and
• collected or held personal information in Australia or an external Territory either before or at the time of the act or practice.

While ALM did not have a physical presence in Australia and was headquartered in Canada, the Commissioner determined that ALM still had an ‘Australian link’ as it carried on business in Australia and collected personal information in Australia. This was evidenced by the fact it conducted marketing in Australia, targeted its services at Australian residents, its website had pages specifically targeted at Australian users and it collected information from people in Australia. Due to these business activities, the Commissioner concluded that ALM carried on a business in Australia.

The Commissioner noted in the investigation report that personal information is collected ‘in Australia’, if it is collected from an individual who is physically present in Australia. The Commissioner found ALM collected personal information in Australia by collecting information about Australian users.

The Commissioner was satisfied that ALM was an organisation with an Australian link and thus, under the Privacy Act, was prohibited from doing an act, or engaging in a practice, that breached the Australian Privacy Principles.

Useful reminder

The Commissioner’s investigation into the privacy practices of an overseas company, such as ALM, is a useful reminder that:

• overseas organisations may be required to comply with the Privacy Act in certain circumstances
• the Commissioner has jurisdiction to investigate overseas organisations with an ‘Australian link’ and which may have engaged in an act or practice that may be an interference with the privacy of an individual or a breach of APP 1.

If you are an overseas business that:

• targets its services (or goods) at Australian residents and conducts marketing activities in Australia
• collects personal information from individuals located in Australia as part of the supply of goods or services to Australian residents,

you will have an ‘Australian link’ and be required to comply with the Privacy Act when conducting business activities directed at Australian based customers.

If you are an overseas business with an ‘Australian link’, we recommend you review your privacy and information security policies, procedures and practices to assess your organisations level of compliance with the Privacy Act. If the assessment reveals that your organisation is not complying with the Privacy Act, we recommend you take appropriate steps to become Privacy Act compliant.

Next week in Part 3, our final update, we will look at the issue of misleading or deceptive conduct in the context of Ashley Madison’s data security claims.