The Privacy Act 1988 of Australia uses the "central management and control" criterion to extend its applicability to certain entities not formally incorporated or registered within Australia.

Text of Relevant Provisions

Privacy Act 1988 Art.5B(2f):

"Australian link

(2) An organisation or small business operator has an Australian link if the organisation or operator is:

(f) an unincorporated association that has its central management and control in Australia or an external Territory."

Analysis of Provisions

The Privacy Act 1988 extends its applicability to unincorporated associations based on the location of their "central management and control." This provision is part of the broader definition of an "Australian link" in Article 5B, which determines the Act's extra-territorial operation.The key elements of this provision are:

1. It applies to "unincorporated associations" - entities that are not formally incorporated or registered as companies.
2. The criterion is having "central management and control" in Australia or an external Territory.
3. The geographical scope includes both Australia proper and its external Territories.

This factor ensures that the Privacy Act covers entities that may not have a formal legal presence in Australia but effectively operate from within the country. It focuses on the practical reality of where an organization is managed and controlled, rather than its legal structure or place of incorporation.

Implications

The inclusion of this factor has several important implications:

1. Broad coverage: It allows the Privacy Act to apply to a wider range of entities, including those that might otherwise attempt to avoid regulation by not formally incorporating in Australia.
2. Substance over form: The law prioritizes the actual location of decision-making and control over legal formalities, making it harder for organizations to circumvent the Act's requirements.
3. Territorial extension: The provision extends the Act's reach to external Territories, ensuring consistent privacy protection across all areas under Australian jurisdiction.
4. Compliance obligations: Unincorporated associations with central management and control in Australia must comply with the Privacy Act, including its Australian Privacy Principles, even if they are not formally registered in the country.
5. International organizations: Multinational entities operating in Australia through unincorporated structures need to be aware that they may fall under the Act's purview if their central management and control are located within Australian territory.
6. Enforcement: The Australian Information Commissioner can potentially take action against unincorporated associations based outside Australia if their central management and control are within Australian jurisdiction.

This approach aligns with global trends in data protection legislation, where lawmakers seek to ensure that entities significantly connected to a jurisdiction are subject to its privacy laws, regardless of their formal legal structure or place of incorporation.