There are still some grey areas in the new data privacy laws, including how to determine if an online company is undertaking business in Australia and how to go about investigating a company with operations based overseas, says Privacy Commissioner Timothy Pilgrim.

Speaking at an Association for Data-driven Marketing and Advertising event today, Pilgrim said these were two challenges around the legislation, which came into effect on March 1.

“It’s going to be a fairly grey area for us to try and determine whether we think they are undertaking a business in Australia,” he said.

“So we would have to look at a number of issues; there’s not going to be just one. We’ve gone some way to try and elaborate on that in our guidance. But we would first [look] into issues such as whether they have a physical presence in Australia or not.

“The next question [is] when you look at their advertising or their marketing, are they directly marketing a particular product to Australian citizens in terms of saying it’s a product that you can buy here, it’s applicable in Australia and it’s covered by some other laws in Australia? Or, it is just being marketed in Australian dollars?”

Pilgrim said there are some challenges around the jurisdictional reach of the law related to investigating and taking action against companies based overseas but virtually present in Australia.

“There will be cases where we will run into a situation where we may not be able to pursue an organisation,” he said. “But there are some mechanisms that we can use to pursue matters, and it’s only going to grow as the flow of data around the world grows,” he said.

“For example, through the APEC arrangements, we are a member of what’s called the Cross Border Privacy Enforcement Arrangement.

“If we do get an issue or a complaint is brought to us about an online company that’s based in the US, for example, and we believe we don’t have necessarily the jurisdictional reach … I can formally contact the Federal Trade Commission in the US and say ‘we believe that this company is not acting appropriately in how it is handling personal information’.

“We can seek their assistance to see whether we can pursue them through the Federal Trade Commission undertaking some activity,” he said.

Pilgrim said he is involved in the Global Privacy Enforcement Network through the OECD (Organisation for Economic Co-operation and Development), where there are similar cooperative arrangements between law enforcers across borders to assist each other in pursuing investigations.

“Many of the large online companies operate out of Ireland. Through one investigation we did, there was a hack [through] LinkedIn some time ago. We found that the information of Australians who were on LinkedIn is stored on servers that are held in Ireland,” he said.

“We contacted the Irish Privacy Commissioner and asked whether he could assist us in doing our investigation. We were able to say ‘we have a series of questions on what we want to know about the data on Australians, could you pursue those for us?’

“We are actually going to enter into a more formal arrangement with the Irish Commissioner given the number of companies that are based in Ireland so that we can do that sort of work.”

Under the new privacy laws, overseas IT providers are required to abide by the local laws for any business they conduct in Australia.