Last week, Apple released its first ever report detailing
requests from government agencies worldwide in respect of its
customers' personal information. Interestingly, the report ends
with the following note:
'Apple has never received an order under Section 215 of the
USA Patriot Act. We would expect to challenge such an order if
served on us.'
Oh yes, intrigue.
The exceptionally well named Uniting and Strengthening America
by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (Patriot Act) provides that the FBI can order
the production of any tangible things (records, papers, documents
etc) for an investigation to protect against terrorism and
intelligence activities. If it's your information they're
after, you don't have the right to know they're after it,
let alone object. They don't even need to demonstrate
reasonable grounds to believe that you're engaged in criminal
activity. It also puts a gag on anyone receiving such an order, so
you're never going to know about it anyway.
Apple's unhappy with the gag so has published the note (now
referred to as a Warrant Canary) that it hasn't received an
order. If the Canary's not there next report, we'll know
there's been an order. Thanks Apple.
What does this mean for Australian businesses? Here's an
Company A collects personal information in Australia and
discloses it to its partner company in the US, Company B.
Amendments to the Privacy Act 1988 (the Act) that take effect March
2014 will require Company A, in relation to that personal
information, to either:
a) take reasonable steps to ensure that Company B doesn't
breach Australian privacy law; or
b) reasonably believe that Company B is subject to a law or
binding scheme (which has enforcement mechanisms available) that
protects the information in a manner that is at least substantially
similar to the way Australian law protects the information; or
c) get the informed consent of the individual to whom the
personal information relates to the effect that points a) and b)
won't apply to the disclosure.
So what can you do?
Point a) is hard to do and probably requires some express
cross-border agreements between all those entities you're
trying to disclose to (even if you're just using their overseas
Point b) is problematic in the US because of the Patriot Act.
The US is an otherwise privacy friendly jurisdiction, but so long
as the FBI can sort through personal information and no one is
allowed to know about it, we're thinking red flags to
So our tip for US disclosure is to seek consent from individuals
when collecting their personal information to the effect that
Australian privacy law won't apply to that information when it
is disclosed cross-border. Terms to that effect can be included in
privacy policies which will need to comply with new requirements
under the Act once amended in March.
We do not disclaim anything about this article. We're
quite proud of it really.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Those types of personal disclosure may still be permitted under the Privacy Act as long as your house is in order.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).