The intersection of privacy law and insolvency practice presents a complex landscape for liquidators in Australia. As part of the liquidation process, a liquidator will need to handle personal information about a range of the people involved in the distressed company, including customers and creditors. Beyond that though, as agents of insolvent companies, liquidators are tasked with realising assets to address creditor entitlements, often encountering customer databases and mailing lists which can be very valuable, but consist of highly regulated personal information. Liquidators must therefore balance obligations to creditors whilst responsibly handling the data of customers or risk contravening the Privacy Act 1988 (Cth) (Privacy Act).
Regulatory framework and liquidator’s role
Liquidators operate within the regulatory environment governed by the Corporations Act 2001 (Cth) and the Privacy Act, including the Australian Privacy Principles (APPs). As officers of the distressed company, liquidators assume the statutory duties that apply to directors, including the responsibility for handling personal information. This obligation is further reinforced by the Australian Restructuring Insolvency & Turnaround Association (ARITA) Code of Ethics, which requires the appropriate use of information obtained during professional services.
One of the primary challenges liquidators face is the identification and assessment of personal information contained in data assets. This process requires an understanding of the types of personal information held by the company, ranging from customer databases to employee records. Each category of information may carry different obligations under the APPs, necessitating a nuanced approach to handling and disclosing personal information.
The Privacy Act’s application to liquidators is particularly significant when dealing with data assets containing personal information. Regardless of the size of the business in liquidation, the exchange of personal information for benefit, service, or advantage is considered trading in personal information, thereby engaging the full scope of the APPs. This means that liquidators seeking to extract value from a customer database must remain compliant with the APPs, even when dealing with small businesses that might otherwise be exempt from certain privacy obligations.
Use of personal information by liquidators
Any use or disclosure of personal information by liquidators in the course of carrying out their duties will need to be permissible under APP 6.
APP 6 provides that personal information can only be used or disclosed with consent from the relevant individual, or otherwise without consent:
- for the primary purpose for which it was collected;
- for a related secondary purpose, provided that it would be reasonably expected by the individual; or
- in a manner specifically required or authorised by another Australian law or court order,
unless an exception applies.
Where a liquidator is carrying out a statutorily required duty, such as providing certain notices to creditors, then APP 6 will not stand in the way of those steps.
The Office of the Australian Information Commissioner (OAIC) advises that ‘normal internal business practice, such as auditing’ will typically be permissible as reasonably expected secondary uses of personal information, so there will potentially also be scope for use of personal information in a liquidator’s internal investigations.
If there are instances where a liquidator believes that the disclosure of personal information is necessary, but may not be permitted under APP 6, then there is scope to seek court authorisation to do so, as demonstrated in the case of Re OT MARKETS PTY LTD (in liq) Et al.1
In this case, the separate liquidators for OT Markets, AGM Markets and Ozifin Tech, applied for court directions to share information between themselves, including personal information of individuals who were investors or related to investors in these companies, which might otherwise be restricted by the Privacy Act.
The court granted the orders sought by the liquidators, recognising the complexity and interconnected nature of the affairs of the parties. The court acknowledged that the sharing of personal information was essential to ensure the efficient and effective resolution of creditor claims and to avoid significant delays and additional costs. Importantly, the case is a reminder that court approved disclosure can provide a robust legal basis for sharing personal information.
However, such approval per the courts order was limited to facilitating the administration of the liquidation and did not extend to a grant of permission for the sale of customer personal information. The authority suggests that it is unlikely the court would approve an order allowing for the explicit sale of personal information.
In circumstances where disclosure of data needs to occur, liquidators should also consider whether there is scope to reduce the amount or sensitivity of any personal information involved, so as to limit or avoid the application of the Privacy Act. Any appropriately aggregated or de-identified information is outside the scope of the APPs entirely as it is no longer about an identifiable individual. If this is a viable option, then it removes considerable complexity. If this is not a viable option, then limiting the details involved (especially any particularly sensitive information) may help to make a proposed use or disclosure of personal information easier to justify under APP 6.
Other steps to limit and control the further use or disclosure of personal information may also be useful, such as providing controlled access to (rather than copies) of data, and/or providing information subject to express confidentiality obligations and restrictions on how it is to be used.
Selling personal information assets
If seeking to realise value in a customer database, or other collection of personal information, by selling it to a third party, a liquidator will need to consider whether this disclosure is permissible (which will involve an assessment of the circumstances in which that information was collected) and also whether the purchaser will actually be in a position to use that information.
Collection of personal information
When assessing a company’s data assets containing personal information, liquidators must first consider the circumstances in which that personal information was originally collected.
APP 3 sets out the rules for collection of personal information, and a liquidator is likely to be highly limited in its ability to sell any personal information collected other than in accordance with those requirements.
The strictest requirements apply to the collection of sensitive information about topics such as health, genetics, biometrics, sexuality, race and religion. Collection of sensitive information typically requires consent. Even if the distressed company had that consent, a potential purchaser also needs similar consents before it is able to collect the sensitive information from the liquidator.
The circumstances in which personal information was collected are also relevant to determining the scope for that information to be later used or disclosed. Those limits are defined by reference to the primary purpose for which the information was collected, as discussed below.
Any undertakings or other statements made to individuals at the time of collection might also impact upon the ability to later deal with their personal information. For example, if a company has promised its customers that it will not give their information to any third parties, this might prevent a liquidator from later dealing with that data.
Disclosure of personal information
Transfer of a dataset by a liquidator to a purchaser will involve the disclosure of the personal information therein.
As noted above APP 6 allows for the disclosure of personal information without consent if consistent with the primary purpose for which it was collected, or a reasonably expected related secondary purpose.
There may be circumstances in which the liquidator’s disclosure of personal information is sufficiently related to the primary purpose of collection. These are most likely to involve instances where the liquidator is selling the dataset as part of a broader transaction, such that the incoming purchaser will be operating a business that resembles (in whole or in part) the business previously conducted by the distressed company, and the purposes for which information will ultimately be used will not materially change. This would still need to be considered on a case-by-case basis against the circumstances, including any promises made by the distressed company about how personal information would be handled.
However, this APP may pose a significant challenge for liquidators seeking to sell a dataset divorced from the context of the associated business. Such a transaction may be hard to justify as being related to the original purpose of collection, or reasonably expected by individuals.
A distressed company is also unlikely to hold the exceedingly broad consents that would be required to permit unfettered sale of personal information. However, there may be instances where a liquidator can seek to obtain consent to disclosure, though such efforts will ordinarily result in narrowing the dataset able to be sold, if consent is withheld by some individuals.
The Dick Smith Electronics liquidation in 2016 serves as a pertinent example of these challenges. The liquidators in this instance had to navigate the task of valuing and potentially selling a customer database containing millions of records. Dick Smith’s then privacy policy contemplated certain disclosures of personal information to third party service providers, but did not incorporate disclosure to a prospective purchaser of the business. In addition, Dick Smith’s website said that ‘Dick Smith will never sell or share your information.’ To overcome this issue, customers were contacted by the receivers through an email providing an opt in or opt out choice for the sale of their personal information.
Direct marketing
Much of the potential value in a dataset could be as a source of possible new customers, with the purchaser of a customer list likely to want to market to those individuals.
In those scenarios, it could be a case of ‘buyer beware’, with the restrictions of the APPs and the Spam Act 2003 (Cth) (Spam Act) potentially limiting the ability for customer databases to be used for direct marketing.
Under APP 7, direct marketing will typically be permissible:
- without consent, where the organisation conducting the marketing has obtained the relevant personal information directly from the individual involved, and the individual would reasonably expect it to be used for direct marketing; or
- otherwise, with consent.
Similarly, the Spam Act requires that an organisation obtain consent from individuals before sending them commercial electronic messages, although it does allow consent to be inferred from any business or other relationship between the organisation and the individual.
Together, these obligations make it far easier for organisations to send electronic marketing materials to their own customers than to a database of people obtained from another source. Even if the distressed company was permitted to conduct direct marketing to individuals, the purchaser of that database may not be in the same position to do so.
It is possible that appropriate consents have been obtained from individuals by the distressed company prior to its administration, but these would need to be exceedingly broad to permit absolutely any purchaser of the customer list to use it for their own purposes. A liquidator could also take steps to try to obtain fresh consents, as in the Dick Smith example above, to increase the value of the dataset being sold.
Upcoming reforms
The Privacy Act has been the subject of a long-running reform process, the first concrete step in which is the Privacy and Other Legislation Amendment Bill 2024 (Bill) currently before Commonwealth Parliament.
This legislation proposes to update the Privacy Act in a range of ways, discussed in our recent article series.
While some of these are quite major reforms, including a new statutory tort for serious invasions of privacy, they do not include any changes that fundamentally change the key APPs discussed above around collect, use and disclosure of personal information and direct marketing.
Perhaps the most interesting change arising from the Bill in this context might be new penalty options for the OAIC, including ‘speeding ticket’ style infringement notices, where the OAIC can issue modest penalties without needing to take formal court action. These new options may increase regulatory scrutiny and enforcement.
A second tranche of legislation is expected to introduce more substantive changes to the APPs, but this is not anticipated during the term of the current Parliament.
The reforms do highlight the increasing importance placed on appropriate handling of personal information.
Next steps
As the value of personal information continues to grow, and community expectations in this area lift, liquidators must be increasingly vigilant in their management of customer data during the liquidation process. By understanding the obligations under privacy law, implementing best practices, and seeking legal advice when needed, liquidators can navigate the intersection of insolvency and privacy law. This approach not only ensures compliance with the privacy regime but also protects the interests of creditors, customers, and contributes to the stability of corporate governance in times of financial distress.
Written by Luke Dale, Partner, Daniel Kiley, Partner, Max Soulsby, Solicitor and Christopher Power, Graduate.
1 Re OT MARKETS PTY LTD (in liq), AGM MARKETS PTY LTD (in liq) AND OZIFIN TECH PTY LTD (in liq) [2020] FCA 207
