Grey areas in new privacy laws: Pilgrim

There are still some grey areas in the new data privacy laws, including how to determine if an online company is undertaking business in Australia and how to go about investigating a company with operations based overseas, says Privacy Commissioner Timothy Pilgrim.

Speaking at an Association for Data-driven Marketing Advertising event today, Pilgrim said these were two challenges around the legislation, which came into effect on March 1.

“It’s going to be a fairly grey area for us to try and determine whether we think they are undertaking a business in Australia,” he said.

“So we would have to look at a number of issues; there’s not going to be just one. We’ve gone some way to try and elaborate on that in our guidance. But we would first [look] into issues such as whether they have a physical presence in Australia or not.

“The next question [is] when you look at their advertising or their marketing, are they directly marketing a particular product to Australian citizens in terms of saying it’s a product that you can buy here, it’s applicable in Australia and it’s covered by some other laws in Australia? Or, it is just being marketed in Australian dollars?”

Read: New data privacy laws: What you need to do to comply Read: New privacy laws: Have you done enough?

Pilgrim said there are some challenges around jurisdictional reach of the law related to investigating and taking action against companies based overseas but virtually present in Australia.

“There will be cases where we will run into a situation where we may not be able to pursue an organisation,” he said. “But there are some mechanisms that we can use to pursue matters, and it’s only going to grow as the flow of data around the world grows,” he said.

“For example, through the APEC arrangements, we are a member of what’s called the Cross Border Privacy Enforcement Arrangement.

“If we do get an issue or a complaint is brought us about an online company that’s based in the US, for example, and we believe we don’t have necessarily the jurisdictional reach … I can formerly contact the Federal Trade Commission in the US and say ‘we believe that this company is not acting appropriately in how it is handling personal information’.

“We can seek their assistance to their see whether we can pursue them through the Federal Trade Commission undertaking some activity,” he said.

Pilgrim said he is involved the Global Privacy Enforcement Network through the OECD (Organisation for Economic Co-operation and Development) where there are similar cooperative arrangements between laws enforcers across borders to assist each other in pursuing investigations.

“Many of the large online companies operate out of Ireland. Through one investigation we did, there was a hack [through] LinkedIn some time ago. We found that the information of Australians who were on LinkedIn is stored on servers that are held in Ireland,” he said.

“We contacted the Irish Privacy Commissioner and asked whether he could assist us in doing our investigation. We were able to say ‘we have a series of questions on what we want to know about the data on Australians, could you pursue those for us?’

“We are actually going to enter into a more formal arrangement with the Irish Commissioner given the number of companies that are based in Ireland so that we can do that sort of work.”

Under the new privacy laws, overseas IT providers are required to abide by the local laws for any business they conduct in Australia.