A clear link – extra territorial application of Australian Privacy Act explained

Those of you who have watched the recent episode ‘Joan is Awful’ in the latest season of Black Mirror would likely have googled what rights a large streaming platform would have to an individual’s private information (including rights to use a person’s facial image).  What would have been even more concerning for Australian individuals is that in the majority of the cases (at least as depicted in Hollywood movies), the organisations responsible for these indiscretions are typically based outside of Australia.  How far then, does the extra territorial application of the Privacy Act 1988 (Cth) (Privacy Act) extend?   

Well, the case of Clearview AI[1] confirms that the Privacy Act extends to organisations ‘carrying on business’ in Australia even if an organisation does not have a physical presence in Australia.

Background

On 14 October 2021, the Office of the Australian Information Commissioner (OAIC) found that Clearview AI (Clearview), a business which provides facial recognition technology services to law enforcement agencies, had breached the Privacy Act through the collection of images of individuals from the internet (including of individuals in Australia) for use in its facial recognition technology.  It was found that, among other things, Australian’s sensitive information was collected without consent and was collected by unfair means.  Sound oddly familiar?

Clearview sought a review of this decision in the Administrative Appeals Tribunal (AAT) on the basis that, as a foreign corporation, it did not have an ‘Australian link’ and therefore was not caught under the Privacy Act.

The AAT decision – ‘Australian link’

Under the version of the Privacy Act in force at the time of Clearview’s operations, the Privacy Act applied to foreign organisations that had an ‘Australian link’. At the time, an ‘Australian link’ was defined in section 5B of the Privacy Act as, amongst other things, an organisation that:

• carries on business in Australia; and
• collected or held personal information in Australia, either before or at the time of the Act or practice.

The second limb of this test was removed in the December 2022 amendments to the Privacy Act introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.  The rationale behind this amendment was to ensure that multinational corporations which collected information online about Australians would still have obligations under the Privacy Act despite not directly collecting or holding personal information in Australia.

At the time of the OAIC’s decision, Clearview’s Australian operations was limited to offering Australian law enforcement agencies free trial use of their facial recognition technology product, providing Australian residents with an opt-out facility that would prevent results being returned by its facial recognition system if a law enforcement agency searched for their face and allowing ‘web crawlers’ to draw images from servers which held images of Australians, including from servers based in Australia.

The AAT agreed with the OAIC’s position that Clearview did in fact have an ‘Australian link’ for reasons including:

• Clearview had carried on a business in Australia as its web crawlers collected images from servers located in Australia. Further, the collection of images was a crucial part of Clearview’s business, which was to acquire and provide information about people.
• Additionally, the AAT found that the collection of images from Australian servers amounted to the collection of personal information in Australia, satisfying the second limb of the test.

Consequently, Clearview was required to comply with the Privacy Act and its actions contravened the Privacy Act.

Interesting, the AAT found that collecting images from servers hosted overseas did not constitute carrying on a business in Australia, even if the original images were created by Australians. The AAT considered that this transaction involved two offshore servers, and therefore did not contain a geographical link that would bring the transaction within the scope of the Privacy Act.

Changes to the ‘Australian link’ requirement

The Attorney-General’s Privacy Act Review Report (Report) released earlier this year indicated that section 5B of the Privacy Act may be subject to further reform. The Report suggests that the current iteration of section 5B (which only requires that a foreign organisation ‘carries on business in Australia’ to establish an ‘Australian link’) is too broad. The Report proposes to add an additional requirement in subsection 5B(3) to demonstrate an ‘Australian link’ that is focused on personal information being connected with Australia.  The intention of this is to prevent foreign organisations from using loopholes due to advances in technology and to not be dependent on the means or method of collection or storage of personal information. These proposals are still being considered by the Attorney General.

Next steps

Use of personal information in AI has been a hot topic recently but the fact remains that the protection of personal and sensitive information belonging to Australian individuals remains a priority for those operating across a range of industries. Businesses should be conscious that in the current online environment, they may be ‘carrying on a business’ in Australia despite not having physical presence in the country, and will therefore be required to comply with the Privacy Act obligations in Australia. Maximum penalties for breaches of the Privacy Act increased significantly in 2022, which we previously covered in this article.

For more information or assistance about your organisation’s privacy obligations, please contact our team.