US President Donald Trump has impacted on the privacy rights of non-US citizens under an executive order signed on 25 January 2017, the purported purpose of which is to ensure the safety of US citizens. The executive order is directed towards immigration but touches on privacy rights. Its full impact is still being understood.
Section 14 of the executive order, which refers to the US Privacy Act, states:
"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information." 1
The US Privacy Act, on its terms, provides protection only for US citizens and lawful US permanent residents.
However, the executive order is likely to affect, among other things, the US-EU Privacy Shield (Shield), which was established in August 2016 following years of negotiations. The Shield allows companies to transfer personal information in relation to EU citizens to the US whilst preserving the rights of EU citizens under the more stringent EU privacy laws, rather than dropping to the less stringent US standards. The Shield applies to over 1,500 companies, including Google, Apple and Microsoft.
The executive order is a reminder that non-US citizens may have limited protection under US agencies’ privacy polices.
The executive order is also a reminder that individuals and organisations need to understand where their data is stored and disclosed, as the levels of protection are not uniform.
The executive order is in clear contrast to recent events in Australia where the Australian Parliament is currently considering strengthening our privacy laws.
The Australian Privacy Principles (APPs) are guidelines issued by the Australian Information Commissioner addressing the handling, use and management of personal information. They apply to most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers, and some small businesses (Australian Entities).
The APPs provide that Australian Entities cannot disclose personal information to an overseas recipient without first taking reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.2
A Bill providing for more stringent reporting requirements of potential data breaches to the Australian Information Commissioner and affected individuals received Royal Assent on 23 February 2017, and will come into force by 23 February 2018 at the latest’.3
Under the current privacy legislation,4 there is no obligation to report a suspected breach of personal information relating to an individual. This will soon change.
By the proposed Act, a failure to report even a suspected breach in relation to personal information will be classed as an interference with the privacy of an individual and attract penalties,5 which are likely to be significant.
The penalties under the current Privacy Act 1988 (Cth) for serious or repeated interferences with the privacy of an individual can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
Many Australian individuals engage in some form of commercial transaction with the US which involves disclosing personal information – from retailers, to media streaming services, to search engines. In the digital age, the privacy laws of different countries are relevant to Australians.
A significant number of Australian Entities are engaged in providing personal information to US entities. To remain compliant with Australian law, Australian Entities generally need to ensure that information held offshore is protected to no lesser standard than in the Australian legislation (APP8). The executive order is a relevant consideration.
Where a foreign government’s laws may require disclosure by one of its nationals, there will not necessarily be a breach of the Privacy Act. However, particularly in light of the executive order, Australian Entities may want to amend their privacy policies to alert individuals of the potential for disclosure of information held offshore under foreign law.
Further, when the Bill comes into force, Australian Entities will be at risk of breaching the APPs by failing to comply with the more stringent reporting requirements introduced by the Bill.
At this stage, it is too early to ascertain what effect the combination of the clear change in approach to protection of the personal information of non US citizens by the US will impact on Australian’s and Australian Entities, particularly when the Bill to amend the Australian Privacy Act comes into force early next year.
What is however, clear is that, going forward it is important to understand if information is stored in the US as there is a risk it may not receive the same protection it may receive in Australia.
If you have any queries or comments about this publication please contact Iain Freeman.
[1] Rich text editor, editor1, Press ALT 0 for helpPrivacy Act of 1974, 5 USC s 14.
[2] Rich text editor, editor2, Press ALT 0 for helpPrivacy Act 1988 (Cth) Schedule 1 Australian Privacy Principles, 8.1.
[3] Rich text editor, editor3, Press ALT 0 for helpPrivacy Amendment (Notifiable Data Breaches) Act 2016 (Cth).
[4] Rich text editor, editor4, Press ALT 0 for helpPrivacy Act 1988 (Cth) (incorporating Schedule 1 Australian Privacy Principles); Privacy Regulations 2013 (Cth).
[5] Commonwealth, Parliamentary Debates, House of Representatives, 2016, 66 (Senator the Hon George Brandis, QC Attorney-General).
