Australia
Answer ... The Privacy Act applies to ‘APP entities’, which may be either agencies or organisations.
Agencies are Commonwealth public sector entities, including government ministers and government departments and other bodies. Certain national security and law enforcement agencies are exempt, including the Australian Security Intelligence Organisation and the Australian Signals Directorate, and some of these agencies are exempt in relation to particular types of acts or practices.
An ‘organisation’ is defined as an individual, a body corporate, a partnership, an unincorporated association or a trust – in other words, any form of private sector legal entity. This is subject to exemptions for:
- ‘small business operators’ (ie, operating businesses with an annual turnover, including of related entities, of A$3 million or less);
- registered political parties;
- state or territory authorities; and
- prescribed instrumentalities.
These exemptions are not absolute. The small business exemption will not apply in certain circumstances, including if the relevant business:
- is a health service provider;
- trades in personal information;
- is a contracted service provider for the Commonwealth; or
- is a credit reporting body.
Although the Privacy Act does not generally apply to state and territory authorities, it applies to specified New South Wales energy authorities and South Australia’s Department for Health and Wellbeing and HomeStart Finance, which are considered to be organisations.
Other privacy-related legislation applies to a more limited set of entities – for example, the My Health Records Act applies to specific healthcare providers and the Telecommunications Act privacy provisions apply only to carriers and carriage service providers (CSPs).
Answer ... Certain Commonwealth public sector entities are exempt in whole or part from the Privacy Act, as identified in question 2.1. Also, state and territory government agencies are generally exempt. Private sector businesses (including not-for-profits) are subject to the Privacy Act unless the small business exemption discussed in question 2.1 applies.
The Privacy Act does not apply in other cases, including to:
- acts or practices of a private sector employer where related to the employment relationship (or former relationship) and an ‘employee record’. An employee record is a record of an employee’s (or former employee’s) personal information relating to the employment relationship. This does not apply to agencies or where the employee record is used for non-employment related purposes;
- acts or practices of individuals that are not related to the business (if any) carried on by the individual. In other words, an individual is not subject to the Privacy Act in relation to the collection, use and so on of personal information only for purposes related to his or her personal, family or household affairs; and
- acts or practices of media organisations relating to journalism, provided that the organisation is publicly committed to published privacy standards.
Registered political parties are exempt from the Privacy Act, as are ‘political representatives’ (ie, members of Parliament and local government councillors) and their contractors and volunteers when undertaking specific political activities, including in relation to elections. However, ministers retain obligations under the Privacy Act in relation to personal information.
Answer ... The Privacy Act, and codes registered thereunder, have extraterritorial operation (section 5B), as follows:
- acts or practices of agencies, wherever performed; and
- acts or practices of organisations, where an Australian link exists. An ‘Australian link’ exists where an organisation is:
  - an Australian citizen or permanent resident;
  - a partnership or trust established in Australia;
  - a body corporate incorporated in Australia; or
  - an unincorporated entity with central management and control in Australia.
If this requirement is not satisfied, then an act or practice of an organisation done or engaged in outside Australia will have an Australian link if both:
- the organisation “carries on business” in Australia; and
- the relevant personal information was collected or held by the organisation in Australia, either before or at the time of the act or practice.
Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 considered the requirements for an Australian link in the context of the Information Commissioner’s case against Facebook Ireland and Facebook Inc arising from the Cambridge Analytica scandal. Although only a decision on an interlocutory application, where the commissioner needed only to establish a prima facie case, the Federal Court judge hearing the case found that Facebook Inc, even though it did not provide the Facebook app to Australian users, carried on business in Australia through services provided to Facebook Ireland in Australia and collected and held personal information in Australia, as it installed and operated cookies on Facebook and provided caching servers in Australia.