We have previously explored a business’s privacy obligations when it collects personal information in Australia and discloses that information to an overseas third party or a related body corporate. Subject to some exceptions, the general position is that the Australian business can be held accountable for any privacy breaches by the overseas entity.
In this article, we turn our attention to the obligations of Australian businesses that have set up a related body corporate in the US and collect personal information. In these circumstances, US law will apply as the company is collecting personal information outside of Australia and the company is doing business in the US. A related body corporate can include a US-based subsidiary or affiliate company.
At LegalVision, our clients with overseas operations, particularly in the US, are increasingly asking us about their privacy obligations. While we recommend seeking specific legal advice on your circumstances, this article provides a helpful introduction to the US federal privacy laws and your key obligations when collecting personal information in the course of your business.
The US Privacy Law Framework
Unlike Australia, the US does not have a single comprehensive piece of federal legislation regulating businesses that collect personal information. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) forms Australia’s privacy framework, particularly the Australian Privacy Principles contained in Schedule 1 of the Act.
However, the US has a range of federal and state laws and regulations that set out the obligations of businesses when it comes to the privacy of their clients and customers. The following three US federal laws regulate the collection, use and disclosure of personal information by US-based businesses.
The Federal Trade Commission Act 15 U.S.C. §§ 41-58 (Federal Trade Commission Act)
The Federal Trade Commission Act is the consumer protection law in the US. Although its application is not limited to privacy, the Act prohibits unfair and deceptive business practices. The courts have also applied it to data security policies and offline and online privacy.
The Federal Trade Commission (FTC) is the US independent law enforcement agency that enforces the Federal Trade Commission Act (similar to our Australian Competition and Consumer Commission). They have brought several actions against reputable businesses (including Google, Oracle and Facebook) that have failed to comply with their privacy obligations and which have engaged in unauthorised disclosure of personal information.
For example, the FTC brought an action against the dating site Ashley Madison as a result of the massive data breach of its network in July 2015. Ashley Madison had failed to protect 36 million users’ accounts and profile information. At the time of the data breach, it had:
- no written information security policy;
- inadequate employee training on security;
- no knowledge on whether their third party service providers were using reasonable security measures; and
- no measures to help monitor their security system and its effectiveness.
As part of the settlement with the FTC, Ashley Madison was required to implement a comprehensive data security program and pay $1.6 million in fines.
The Financial Services Modernization Act (Gramm-Leach-Bliley Act) (15 U.S.C. §§ 6801-6827) (GLB Act)
The GLB Act requires businesses that are ‘financial institutions’ to ensure the security of any financial information which they collect. Financial institutions include:
- insurance companies;
- securities firms; and
- other businesses that provide financial products or services.
It is important to note that a business will be regarded as a financial institution if it has ‘significantly engaged’ in providing financial products or services, regardless of whether it identifies itself as one.
The GLB Act regulates the use, disclosure and collection of personal financial information. As part of its implementation of the GLB Act, the FTC has developed the ‘Safeguards Rule’ which requires that all businesses covered by the GLB Act have measures in place to keep their customer information secure. The business must develop a written ‘information security plan’ that describes how they will keep their customer information secure. As part of their plan, each business must:
- design and implement an information security plan;
- allocate one or more employees to oversee and coordinate their information security plan;
- select service providers that can maintain appropriate safeguards, require them by contract to maintain those safeguards, and oversee their handling of customer information; and
- adjust the information security plan in light of changing circumstances to ensure its continued effectiveness.
The Safeguards Rule also requires businesses to assess and address privacy risks in all areas of their operations, particularly:
- employee management and training;
- information systems; and
- detecting and managing system failures.
The FTC encourages businesses to:
- conduct background checks and check the references of prospective employees who will have access to personal information;
- control access to sensitive information (e.g. by requiring employees to change their passwords regularly);
- impose disciplinary measures for any data security breach in the organisation; and
- dispose of customer information in a secure way.
The GLB Act also applies to third parties that are not financial institutions but receive personal information from non-affiliated financial institutions.
The Health Insurance Portability and Accountability Act (42 U.S.C. §1301 et seq.) (The HIPA Act)
The HIPA Act regulates the collection and use of protected health information of individuals. It applies to a ‘covered entity’ that comes into contact with medical information, including:
- health care providers;
- pharmacies; and
- data processors.
It also applies to ‘business associates’, defined as a person or entity that performs functions involving the use or disclosure of protected health information on behalf of, or to service, a covered entity. These activities can include:
- benefit management; and
- claims processing or administration.
To implement the requirements of the HIPA Act, the US Department of Health and Human Services issued the Standards of Privacy of Individually Identifiable Health Information (HIPA Privacy Rule). The HIPA Privacy Rule sets out national standards for protecting ‘identifiable medical information’, which the HIPA Privacy Rule defines as information relating to any of the following:
- an individual’s past, present or future physical health or mental health;
- the provision of health care to the individual; and
- past, present or future payment for the provision of health care information to the individual.
The HIPA Privacy Rule provides that a business is not permitted to use or disclose personal health information except as allowed under the HIPA Privacy Rule or with the individual’s written authorisation. However, a business covered by the HIPA Privacy Rule must disclose protected health information in the following two circumstances:
- to individuals when they request access to their information; and
- to the Department of Health and Human Services when they are undertaking a compliance investigation, enforcement action or a review.
Furthermore, a business is permitted (but not obligated) to use and disclose personal health information without the individual’s consent in the following circumstances:
- to the individual who is subject to the information;
- for treatment, payment and health care operations;
- for public interest or benefit activities. For example, in certain circumstances, businesses can disclose protected health information to government authorities regarding abuse, domestic violence or neglect;
- during judicial and administrative proceedings; and
- to comply with workers’ compensation laws.
If you have set up a related body corporate in the US, it is important to understand that you will be subject to US laws if you collect personal information in this jurisdiction. There are significant differences between US privacy laws and the privacy laws of Australia. It is best to confirm which laws apply to your business (including the relevant federal and state laws) and understand your obligations to ensure your business is compliant. If you have any questions, get in touch on 1300 544 755.