Last week, Apple released its first-ever report detailing requests from government agencies worldwide in respect of its customers' personal information. Interestingly, the report ends with the following note:

'Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.'

Oh yes, intrigue.

The exceptionally well-named Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act) provides that the FBI can order the production of any tangible things (records, papers, documents, etc.) for an investigation to protect against terrorism and intelligence activities. If it's your information they're after, you don't have the right to know they're after it, let alone object. They don't even need to demonstrate reasonable grounds to believe that you're engaged in criminal activity. It also puts a gag on anyone receiving such an order, so you're never going to know about it anyway.

Apple's unhappy with the gag, so it has published the note (now referred to as a Warrant Canary) that it hasn't received an order. If the Canary's not there in the next report, we'll know there's been an order. Thanks Apple.

What does this mean for Australian businesses? Here's an example.

Company A collects personal information in Australia and discloses it to its partner company in the US, Company B. Amendments to the Privacy Act 1988 (the Act) that take effect in March 2014 will require Company A, in relation to that personal information, to either:

a) take reasonable steps to ensure that Company B doesn't breach Australian privacy law; or

b) reasonably believe that Company B is subject to a law or binding scheme (which has enforcement mechanisms available) that protects the information in a manner that is at least substantially similar to the way Australian law protects the information; or

c) get the informed consent of the individual to whom the personal information relates to the effect that points a) and b) won't apply to the disclosure.

So what can you do?

Point a) is hard to do and probably requires some express cross-border agreements between all those entities you're trying to disclose to (even if you're just using their overseas server).

Point b) is problematic in the US because of the Patriot Act. The US is an otherwise privacy-friendly jurisdiction, but so long as the FBI can sort through personal information and no one is allowed to know about it, we're seeing red flags for information protection.

So our tip for US disclosure is to seek consent from individuals when collecting their personal information to the effect that Australian privacy law won't apply to that information when it is disclosed cross-border. Terms to that effect can be included in privacy policies, which will need to comply with new requirements under the Act once amended in March.

We do not disclaim anything about this article. We're quite proud of it really.