Your business will have several privacy obligations when it collects personal information in Australia and shares it with an overseas third party or related body corporate. The general position under Australian Privacy Principle 8 is that the Australian business remains accountable for the overseas recipient's handling of that information and can be responsible for the recipient's privacy breaches. This article explores your obligations as an Australian business with a related body corporate in the United States, and the considerations that arise when collecting personal information.
Collecting Personal Information
If your Australian business collects personal information in Australia and discloses it to a related body corporate in the United States, US federal and state law will apply to how that information is handled in the United States, in addition to your obligations under Australian law. A related body corporate can include a US-based subsidiary or affiliate company.
Unlike Australia, the US does not have a single comprehensive federal statute regulating businesses that collect personal information. Australia's framework is the Privacy Act 1988 (Cth), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and in particular the Australian Privacy Principles (APPs) in Schedule 1 of that Act.
Instead, the US has a patchwork of federal and state laws and regulations that set out the privacy obligations businesses owe to their clients and customers. The following three US federal laws regulate the collection, use and disclosure of personal information by US-based businesses.
The US Privacy Law Framework
The Federal Trade Commission Act (15 U.S.C. §§ 41-58) (Federal Trade Commission Act)
The Federal Trade Commission Act is the principal federal consumer protection law in the US. Although it is not a privacy statute as such, section 5 of the Act prohibits 'unfair or deceptive acts or practices' in or affecting commerce, and the FTC (with the support of the courts) has applied that prohibition to inadequate data security practices and to online and offline privacy, for example where a business fails to honour its own published privacy policy.
The Federal Trade Commission (FTC) is the independent US agency that enforces the Federal Trade Commission Act (broadly similar to the Australian Competition and Consumer Commission). It has brought actions against well-known businesses (including Google, Oracle and Facebook) for breaching their privacy commitments and for unauthorised disclosure of personal information.
For example, the FTC took action against the operators of the dating site Ashley Madison following the July 2015 breach of its network, in which the account and profile information of some 36 million users was exposed. At the time of the breach, the company had:
- no written information security policy;
- inadequate employee training on security;
- no knowledge of whether its third-party service providers were using reasonable security measures; and
- no measures to monitor its security systems or test their effectiveness.
As part of its settlement with the FTC, Ashley Madison was required to implement a comprehensive data security program, submit to independent third-party assessments of that program, and pay US$1.6 million.
The Financial Services Modernization Act (Gramm-Leach-Bliley Act) (15 U.S.C. §§ 6801-6827) (GLB Act)
The GLB Act requires businesses that are 'financial institutions' to protect the security and confidentiality of the customer financial information they collect. Financial institutions include:
- banks;
- insurance companies;
- securities firms; and
- other businesses that provide financial products or services.
The GLB Act's Privacy Rule regulates the collection, use and disclosure of nonpublic personal financial information. In addition, the FTC's 'Safeguards Rule' (16 C.F.R. Part 314) requires financial institutions within the FTC's jurisdiction to have measures in place to keep customer information secure. The business must develop a written 'information security program' that describes how it will protect that information. As part of the program, each business must:
- identify and assess the risks to customer information, and design, implement and regularly test safeguards that control those risks;
- designate one or more employees to oversee and coordinate the program;
- select service providers that can maintain appropriate safeguards, require them by contract to do so, and oversee their handling of customer information; and
- evaluate and adjust the program in light of changing circumstances to ensure its continued effectiveness.
The Safeguards Rule was substantially amended in 2021, with most of the new requirements in effect from June 2023. The amended Rule adds specific controls, including multi-factor authentication for anyone accessing customer information, encryption of customer information in transit and at rest, and the designation of a single 'qualified individual' responsible for the program.
The Safeguards Rule also requires businesses to assess and address risks to customer information in all areas of their operations, and the FTC highlights three areas in particular:
- employee management and training;
- information systems; and
- detecting and managing system failures.
The FTC encourages businesses to:
- conduct background checks and check the references of prospective employees who will have access to customer information;
- control access to sensitive information, limiting it to employees with a business need to see it and requiring strong passwords (the FTC guidance also suggests regular password changes, although current NIST guidance in SP 800-63B no longer recommends forced periodic rotation unless there is evidence of compromise);
- impose disciplinary measures for security policy violations; and
- dispose of customer information securely.
The GLB Act's limits on reuse and redisclosure also bind third parties that are not themselves financial institutions but receive nonpublic personal information from a non-affiliated financial institution.
The Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.) (HIPAA)
HIPAA regulates the collection, use and disclosure of individuals' protected health information. It applies to 'covered entities', which are:
- health care providers (including pharmacies) that transmit health information electronically;
- health plans; and
- health care clearinghouses.
It also applies to 'business associates': any person or entity that creates, receives, maintains or transmits protected health information on behalf of, or in providing services to, a covered entity. These activities can include:
- re-pricing;
- billing;
- benefit management; and
- claims processing or administration.
Additionally, the Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule) set national standards for protecting 'protected health information' (PHI): individually identifiable health information that relates to:
- an individual's past, present or future physical or mental health or condition;
- the provision of health care to the individual; or
- past, present or future payment for the provision of health care to the individual.
A covered entity is permitted (but not required) to use and disclose PHI without the individual's written authorisation in the following circumstances:
- to the individual who is the subject of the information;
- for treatment, payment and health care operations;
- for public interest and benefit activities. For example, in certain circumstances a covered entity can disclose PHI to government authorities about abuse, neglect or domestic violence;
- in judicial and administrative proceedings (for example, in response to a court order); and
- to comply with workers' compensation laws.
New US State Data Privacy Laws
Depending on the state in which your US related body corporate operates, and the states whose residents' personal information it handles, different state privacy laws will apply. Recent state privacy laws and proposed bills include:
- California Privacy Rights Act (CPRA) – amends and extends the California Consumer Privacy Act. The CPRA gives Californians additional rights, such as the right to know what personal information a business collects about them, whether the business sells or shares it and with whom, the right to correct inaccurate information and the right to limit the use of sensitive personal information.
- Colorado Privacy Act – businesses that meet the Act's thresholds must disclose their data collection and sharing practices to consumers and give Colorado residents the right to opt out of the sale of their personal data, targeted advertising and certain profiling. The Act is enforced by the state attorney general and district attorneys, and breaches attract civil penalties.
- Connecticut Personal Data Privacy and Online Monitoring Act – covers businesses that collect personal data from Connecticut residents. The Act sets obligations for data controllers and processors, including a duty to take reasonable security measures to protect personal data. Consumers have the right to confirm whether their data is being processed and to opt out of its processing for certain purposes, such as targeted advertising and sale.
- Maryland Online Consumer Protection Act – a proposed bill that has not been enacted, aimed at protecting consumers from cybersecurity threats, including data breaches, theft, phishing and spyware. It would apply to all businesses that collect, use or disclose personal data about Maryland residents, including out-of-state companies that sell goods or services in Maryland. Compared with other state laws, it is more comprehensive in requiring:
  - businesses to take reasonable steps to protect consumers' personal information from unauthorised access, use or disclosure; and
  - entities to provide consumers with a way to opt out of having their personal information collected, used or sold.
- New York Privacy Act – a proposed bill that has not been enacted, which would set strict rules about how businesses handle consumers' personal information, with the aim of giving residents control over it. Key provisions include:
  - entities must disclose what categories of consumer data they collect, use or sell, and the purposes for which they will use the data; and
  - consumers have a private right of action for violations.
Key Takeaways
If you have set up a related body corporate in the US, it is important to understand that it will be subject to US federal and state laws when it collects or receives personal information, while your Australian business remains accountable under the Australian Privacy Principles for the information it discloses overseas. There are significant differences between US privacy laws and the privacy laws of Australia. It is best to confirm which laws apply to your business (including the relevant federal and state laws) and understand your obligations to ensure your business is compliant.
For assistance understanding your privacy obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.