
Applicability of the Privacy Act 1988 in Australia

The Privacy Act 1988 ("the Act") is the main data protection legislation in Australia. It primarily outlines territorial rather than material applicability factors.

Territorial Applicability Factors

The Act identifies several territorial applicability factors, which include:

  • Doing Business in Jurisdiction
  • Entity's Link or Presence in Jurisdiction
  • Control and Central Management in Jurisdiction Criterion
  • Processing by Entity Registered or Incorporated in Jurisdiction
  • Physical Location/Residency of Data Subject in Jurisdiction

Each factor is analyzed in detail below.

Doing Business in Jurisdiction

The Act extends its applicability to entities that conduct business in Australia, even if their data processing activities occur elsewhere. This ensures that organizations with a commercial presence in Australia are subject to the privacy standards set by the Act.

Privacy Act 1988 Article 5B(3b):

"An organisation or small business operator also has an Australian link if all of the following apply: (b) the organisation or operator carries on business in Australia or an external Territory."

The term "carries on business" is used to describe ongoing commercial activities that establish a tangible presence within the jurisdiction. This factor applies to both Australian and foreign companies that engage in economic activities in Australia, regardless of the physical location of their data processing activities.

Entity's Link or Presence in Jurisdiction

The concept of an "Australian link" is central to the extraterritorial application of the Privacy Act. Whether an entity has an Australian link depends on a range of factors, including the entity's presence, its formation, or its place of business.

Privacy Act 1988 Article 5B(1A):

"This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link."

Privacy Act 1988 Article 5B(2):

"An organisation or small business operator has an Australian link if the organisation or operator is: (a) an Australian citizen; or (b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or (c) a partnership formed in Australia or an external Territory; or (d) a trust created in Australia or an external Territory; or (e) a body corporate incorporated in Australia or an external Territory; or (f) an unincorporated association that has its central management and control in Australia or an external Territory."

These provisions ensure that entities with a substantial connection to Australia are subject to the Act's requirements, regardless of where the data processing occurs.

Processing by Entity Registered or Incorporated in Jurisdiction

Entities registered or incorporated in Australia automatically have an Australian link, making them subject to the Privacy Act.

Privacy Act 1988 Article 5B(2c-e):

"An organisation or small business operator has an Australian link if the organisation or operator is: (c) a partnership formed in Australia or an external Territory; or (d) a trust created in Australia or an external Territory; or (e) a body corporate incorporated in Australia or an external Territory."

This provision establishes that entities formally registered or incorporated in Australia, including partnerships, trusts, and corporations, must comply with the Privacy Act regardless of where their data processing takes place.

Control and Central Management in Jurisdiction Criterion

The Privacy Act also applies to unincorporated associations that have their central management and control in Australia.

Privacy Act 1988 Article 5B(2f):

"An organisation or small business operator has an Australian link if the organisation or operator is: (f) an unincorporated association that has its central management and control in Australia or an external Territory."

This factor focuses on the practical location of decision-making, rather than the formal registration status of an entity. It ensures that entities managed and controlled from within Australia are subject to the Privacy Act.

Physical Location/Residency of Data Subject in Jurisdiction

The Act applies to data processing activities involving data subjects who are physically present in Australia.

Privacy Act 1988 Article 5B(2b):

"An organisation or small business operator has an Australian link if the organisation or operator is: (b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law."

This provision ensures that data processing activities involving individuals physically present in Australia, without limitations on their residency, are subject to the Privacy Act.

Conclusion

The Privacy Act 1988 is designed to have a broad territorial scope, applying not only to entities formally incorporated in Australia but also to foreign organizations with an Australian business presence, central management, or significant link to the jurisdiction. The Act ensures consistent data protection standards across a wide range of entities, irrespective of the physical location where data processing occurs.


