The Privacy Act 1988 of Australia uses the concept of an "Australian link" to determine its extraterritorial applicability to organizations and small business operators.

Text of Relevant Provisions

Privacy Act 1988 Art.5B(1A):

"This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link."

Privacy Act 1988 Art.5B(2):

"An organisation or small business operator has an Australian link if the organisation or operator is:(a) an Australian citizen; or(b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or(c) a partnership formed in Australia or an external Territory; or(d) a trust created in Australia or an external Territory; or(e) a body corporate incorporated in Australia or an external Territory; or(f) an unincorporated association that has its central management and control in Australia or an external Territory."

Privacy Act 1988 Art.5B(3):

"An organisation or small business operator also has an Australian link if all of the following apply:(a) the organisation or operator is not described in subsection (2);(b) the organisation or operator carries on business in Australia or an external Territory."

Analysis of Provisions

The Privacy Act 1988 extends its applicability to entities with an "Australian link" even when they conduct activities outside of Australia and its external territories. This approach ensures that Australian data protection standards are maintained for entities closely connected to Australia, regardless of where the actual data processing occurs.The law defines an "Australian link" through two main criteria:

1. Inherent connection to Australia (Art.5B(2)):
   • Australian citizenship
   • Permanent residency
   • Formation or incorporation in Australia
   • Central management and control in Australia
2. Business presence in Australia (Art.5B(3)):
   • Carrying on business in Australia or an external Territory

This broad definition of "Australian link" captures a wide range of entities, ensuring comprehensive coverage of data protection obligations for organizations with significant ties to Australia.

Implications

The extraterritorial application of the Privacy Act 1988 has several important implications for businesses:

1. Global reach: Australian companies operating overseas must comply with the Act, even for their foreign operations.
2. Foreign companies in Australia: International organizations doing business in Australia are subject to the Act's requirements.
3. Online businesses: Companies offering goods or services to Australian customers online may be considered as "carrying on business in Australia," potentially falling under the Act's jurisdiction.
4. Data transfer considerations: Organizations with an Australian link must ensure that any cross-border data transfers comply with the Act's requirements.
5. Compliance challenges: Entities with complex international structures may need to carefully assess their Australian links to determine the Act's applicability to different parts of their operations.
6. Potential conflicts of law: The Act acknowledges potential conflicts with foreign laws, providing exceptions for practices required by applicable foreign laws (as noted in Art.5B(1A)).

This broad scope of applicability reflects the Australian legislature's intent to protect the privacy of Australian individuals and maintain control over data processing activities closely linked to Australia, regardless of the physical location where such activities occur.