OAIC Releases Guidelines on Cross Border Disclosure and Direct Marketing

30 September 2013
Practice Group(s): Privacy, Data Protection and Information Management; Consumer Financial Services; Commercial Transactions and Outsourcing
By Andrea Beatty, Cameron Abbott, Jim Bulling and Abhishek Bansal
The Office of the Australian Information Commissioner (OAIC) has released further draft Australian
Privacy Principles (APP) Guidelines (draft Guidelines) for public consultation. The draft Guidelines
set out how the OAIC will interpret and apply the APPs.
On 20 September 2013, the OAIC released Parts 3 and 4 of the draft Guidelines, which address APP 6
to APP 11. Parts covering APP 1 to APP 5 were released on 23 August 2013 (see K&L Gates' earlier
Legal Insight).
In this Legal Insight we will focus on cross border disclosure (APP 8) and direct marketing (APP 7).
Organisations are encouraged to review the draft Guidelines and provide feedback to the OAIC within
the consultation period. This ends on 21 October 2013.
Cross Border Disclosure – APP 8
Reasonable Steps
APP 8.1 provides that before an organisation that is subject to the APP discloses personal information
about an individual to an overseas recipient, that organisation must take reasonable steps to ensure
the recipient does not breach the APP in relation to that information.
The draft Guidelines state that the appropriate steps an organisation should take to comply with APP
8.1 will depend on various circumstances. These include the nature of personal information disclosed
to the overseas recipient and the risk of harm to an individual if the information is mishandled by the
overseas recipient.
At paragraph 8.15, the draft Guidelines note that the OAIC generally expects an organisation to enter
into an enforceable contract with the overseas recipient that includes:
• a requirement for the recipient to handle the personal information in accordance with the APPs
• a complaints handling process for privacy complaints
• a requirement that the recipient implement a data breach response plan, under which the
overseas recipient notifies the organisation of any suspected privacy breaches and sets out any
appropriate remedial action.
If an organisation discloses information to an overseas recipient that is not itself bound by the APP
under the Privacy Act 1988 (Cth), the organisation will be accountable for an act or practice of the
overseas recipient that breaches the APP, unless it falls within the limited exceptions under APP 8.2.
The key exceptions under APP 8.2 apply if:
• the organisation reasonably believes that the overseas recipient is subject to laws in its country that
protect the information in a substantially similar way to the APPs, and that an individual affected by
a breach is able to access that justice system, or
• the organisation expressly informs the individual that their information will be disclosed to an
overseas recipient, and the individual consents to that disclosure knowing that the
organisation will not be held liable for any breaches by the overseas recipient.
Cloud Computing
Chapter 8 of the draft Guidelines provides some clarity about how the APPs apply to offshore
cloud service providers. Paragraph 8.12 of the draft Guidelines notes that an organisation will not be
subject to the requirements of APP 8 where personal information is "not disclosed" to an overseas
contractor. The example of "not disclosed" given in the draft Guidelines is where an organisation
provides personal information to a cloud service provider located overseas only for the
limited purposes of storing and managing that personal information.
In the above example, the draft Guidelines also differentiate between 'use' and 'disclosure'. Paragraph
8.8 of the draft Guidelines states that an organisation "will generally disclose personal information
when it permits that information to become known outside the organisation and releases it from its
effective control." This would extend to circumstances where the overseas recipient has access to the
personal information. By contrast, 'use' of personal information is limited to purposes such as
'storing and managing personal information' on behalf of the organisation, where the organisation
continues to maintain effective control of the information. APP 8 therefore does not apply to this 'use',
as there is no 'disclosure'.
It is important that the contract between an organisation and the cloud service provider reflects these
limited purposes. Any permitted sub-contractors of the cloud service provider should also be subject
to similar restrictions. Contracts are likely to need re-drafting and amending to fit within this APP
Guidance.
Project PRISM
In June 2013, media reports alleged that the US Government had been secretly collecting
information about non-US citizens for nearly six years from multiple cloud service providers and
other organisations under a programme code-named PRISM. Organisations regulated by the Privacy Act had been
concerned about such disclosures by their service providers, as these could potentially amount to a
breach of the Privacy Act.
The draft Guidelines provide that an organisation would not be responsible under APP 8.1 for the conduct
of its offshore service provider if the offshore service provider discloses information because it is
required to do so by an applicable foreign law. That is, if a cloud service provider located in the US
discloses personal information to the US Government to satisfy a legal requirement, that disclosure
is not regulated by the APPs.
However, the above principle does not apply if the cloud service provider is located within Australia.
Paragraph 8.60 of the draft Guidelines notes that "where a foreign law requires an APP entity in
Australia to disclose personal information to an overseas recipient, the entity must comply with APPs
6 and 8."
On 26 September 2013, in response to the National Security Agency's (NSA) alleged activities, four
US senators announced a draft bill rolling back the NSA's data collection powers. If passed, the proposed
Intelligence Oversight and Surveillance Reform Act would reform the foreign intelligence
surveillance court by making its quasi-judicial process more transparent and accountable. Progress of
this bill should be monitored.
Direct Marketing – APP 7
Under the National Privacy Principles (NPPs), direct marketing is not addressed in a standalone
principle. Under the APPs, direct marketing has its own principle, APP 7.
Direct Marketing Communications
The APPs permit an organisation to use personal information for direct marketing purposes if (among
other things) an easy opt-out mechanism is provided to the individual and the individual has not opted
out.
Organisations have previously been required to include opt-out mechanisms for communications
regulated by the Spam Act 2003 (Cth), for example emails and SMS. The requirements
under the Privacy Act extend opt-out mechanisms to a wider range of communications.
The draft Guidelines provide that examples of direct marketing include:
• sending a catalogue in the mail addressed to an individual, or
• displaying an advertisement on a social media site after the individual has logged in to the social
media site. The advertisement would be classified as direct marketing if the organisation uses
personal information, which may include data stored in cookies relating to websites the individual
has viewed.
Where the personal information was collected from a third party, or the individual would not reasonably
expect it to be used for direct marketing, an organisation is required to include a prominent statement in
its marketing communications drawing attention to the opt-out mechanism. The draft Guidelines provide
that such a statement should be:
• positioned prominently, and not hidden among other text (headings may be necessary to draw
attention to the statement), and
• published in a font size and type that is easy to read, and at least the same font size as the
main body of text in the communication.
Further, the draft Guidelines provide an example that an organisation could be required to tell the
recipient of a direct marketing phone call that they can verbally opt out from any future calls.
Next Steps
Organisations should start to review their direct marketing communications and include the relevant
unsubscribe mechanisms. This may be difficult for advertisements within the social media space or an
app as the space for including an unsubscribe mechanism is rather limited.
Organisations may wish to further consult with the OAIC about the application of APP 7 and its
effect, as interpreted by the OAIC, with respect to social media.
Privacy Review – Documents and Procedures
The changes to the Privacy Act commencing in March 2014 require organisations to not only update
their policies and procedures before the start date but also impose additional ongoing commitments.
K&L Gates has developed a number of privacy implementation and compliance tools. These include a
privacy project plan, an information handling survey and privacy compliance checklists which
organisations can use on an ongoing basis to assess and review their own and their service providers'
information handling practices and general compliance with the APPs. If you would like us to assist
with your organisation's privacy compliance project, or to obtain copies of our Privacy Compliance
Checklist, please contact us. These documents and various other privacy tools are available on a fixed
fee basis.
Authors:
Andrea Beatty
andrea.beatty@klgates.com
+61.2 9513 2333
Cameron Abbott
cameron.abbott@klgates.com
+61.3 9640 4261
Jim Bulling
jim.bulling@klgates.com
+61.3 9640 4338
Abhishek Bansal
abhishek.bansal@klgates.com
+61.2 9513 2368
Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt
Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris Perth
Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane Sydney
Taipei Tokyo Warsaw Washington, D.C. Wilmington
K&L Gates practices out of 48 fully integrated offices located in the United States, Asia, Australia, Europe, the
Middle East and South America and represents leading global corporations, growth and middle-market companies,
capital markets participants and entrepreneurs in every major industry group as well as public sector entities,
educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its
locations, practices and registrations, visit www.klgates.com.
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in
regard to any particular facts or circumstances without first consulting a lawyer.
©2013 K&L Gates LLP. All Rights Reserved.