1. Advances in information technology have allowed information to be sent across the world with speed and efficiency. With the advent of inexpensive high-speed internet connections and the growth of the global economy, Australian agencies and organisations are increasingly operating across national borders.
2. The Privacy Act regulates the transfer of personal information outside Australia via NPP 9. NPP 9 provides important protections to individuals by preventing organisations from disclosing personal information to someone in a foreign country unless: the person in the foreign country is subject to an information privacy scheme comparable to the NPPs; or the individual has consented to the disclosure; or certain other circumstances apply.
3. In general, the Office believes that NPP 9 contains appropriate provisions to regulate transborder data flows and is generally operating well. However, in this chapter the Office suggests that NPP 9 could be enhanced to simplify the prescribed preconditions for sending personal information overseas. The Office also recommends that the Privacy Act should make clear that the transfer of personal information outside Australia to a related body corporate will be subject to NPP 9.
4. This chapter also discusses the issue of EU adequacy. The Office has found that, while Australian business does not appear to have been adversely affected by lack of EU 'adequacy', the Government should continue to work with the EU on the adequacy of the Privacy Act.612
5. NPP 9 provides important protections for the transfer of personal information overseas. In particular, NPP 9(a) states that personal information may only be transferred outside Australia if:
6. The Office considers that NPP 9(a) contains important protections for personal information being sent overseas. It would be reasonable to expect that organisations routinely transferring information to overseas jurisdictions without equivalent NPP privacy protections would establish appropriate privacy protections, such as contractual agreements with the overseas recipient.
7. Following a recommendation made in the Office's Private Sector Review, the Office intends to develop information sheets outlining issues that should be addressed in contractual agreements and how to more easily assess whether a privacy regime is substantially similar.613
8. The transfer of personal information overseas with the consent of the individual is permitted under NPP 9(b).
9. NPP 9(b) is an important provision regulating transborder data flows as, amongst other things, it would provide a mechanism by which data could be transferred outside of more routine transfers.
10. The Office believes that NPP 9(c) could be enhanced by an added specification that the transfer of personal information overseas should be within the reasonable expectations of the individual. The Office submits that this could ensure that contracts or pre-contractual arrangements are adequately clear about whether they may involve transfer of personal information overseas.
11. NPP 9(d) and (e) contain clauses that may be difficult to apply in practice.
12. NPP 9(d) and (e) require organisations to judge whether the transfer of personal information is 'for the benefit' or 'in the interests of' the individual concerned. Given that the reason for off-shoring the information might be based on organisational efficiency, judgements regarding the benefit to or interests of an individual may be difficult for an organisation to make. The Office suggests that the ALRC consider how these clauses may be clarified to give organisations greater direction when applying NPP 9(d) and (e).
13. As it stands, NPP 9(f) states that personal information may only be transferred outside Australia if
14. The Office notes that this clause assumes the information has already been transferred whereas the preceding clauses outline obligations to be complied with before information is sent overseas. This may create confusion for organisations applying the principle. The Office submits that NPP 9(f) may therefore benefit from an amendment that makes this clause a precondition of transfer and thus consistent with the other subsections of NPP 9.
15. The Office also notes that organisations may require further guidance on what constitutes 'reasonable steps' in this clause. The Office considers that when an organisation does not have an understanding of the privacy regime operating in the recipient's jurisdiction, a 'reasonable step' for the organisation is to ensure that privacy protections equivalent to the NPPs are in place through contracts. The Office suggests that it work with business to develop guidance material that explains what 'reasonable steps' might include.
16. The Office suggests that consideration should be given to replacing the term 'a foreign country' with 'outside Australia'. This would allow for a broader reading of what an overseas jurisdiction may be, taking in, for example, states and provinces and not only countries or nations.
17. The Office submits that NPP 2 and NPP 9 should contain consistent terminology. For example, note 3 under NPP 2 refers to transferring personal information to a 'person' in a foreign country, while NPP 9 makes reference to transferring personal information to 'someone' in a foreign country. A single consistent term such as 'recipient' would be preferable.
18. The Office also considers that it would be useful to define the term 'transfer' as being distinct from 'use' and/or 'disclosure' of personal information. The ordinary meaning given to the term 'transfer' is associated with information being sent somewhere. However, this may not be sufficient to cover situations where personal information that is stored on a single server in one jurisdiction is available to be viewed and accessed in other jurisdictions.614
19. The Office recommends that the issue of what constitutes a 'transfer' of personal information be considered and determined in order to give certainty to organisations and individuals about when NPP 9 will apply.
20. As noted in the Office's response to question 4-31, national governments around the world increasingly interact and cooperate in a vast array of areas such as health, immigration, law enforcement, and business. It is desirable that personal information handled by government agencies is subject to the same level of protection when transferred overseas as that provided by organisations. For that reason the Office believes that agencies should also be regulated by a trans-border data flow principle. Ideally this would be part of a single set of principles that applied to both the public and private sectors (as recommended by the Office in Chapter 4, in response to question 4-34).
21. As noted in the Office's Private Sector Review, there is a distinction between disclosures of personal information between related bodies corporate within Australia and transfer of personal information from an Australian body corporate to a related body corporate overseas. While s 13B(1)(b) enables disclosure of information, compliance with NPP 9 for transfers of information to a foreign country is still required.
22. However, during the Office's Private Sector Review, a number of organisations called for clarification in the way NPP 9 and s 13B(1) operated together as they believed it was not clear whether s 13B(1) enables a body corporate in Australia to transfer personal information to a related body corporate located outside Australia without reference to NPP 9.615
23. Further, as also noted in the Office's Private Sector Review, extra-territorial provisions of the Privacy Act under s 5B do not appear to apply to related entities outside Australia. As such, if information is sent to a related body corporate, it may not be protected by the Privacy Act.616
24. The Office would therefore suggest that the Privacy Act could be amended to clarify that if an organisation transfers personal information to a related body corporate in an overseas jurisdiction, that transfer will be subject to NPP 9 trans-border requirements.
25. During consultations for the Office's Private Sector Review, a suggestion was made that the Office of the Privacy Commissioner should publish a list of countries found to have adequate privacy regimes.617
26. While publishing a list of countries with substantially similar privacy laws may provide some certainty to organisations that transfer information overseas, the Office submits that this may not be an appropriate role for the Office of the Privacy Commissioner. Establishing whether laws are substantially similar would be a complex task in that it would require the Office to keep abreast of a potentially large number of different privacy laws and legal systems. This could have considerable resource implications for the Office.
27. Further, publishing a list of countries with substantially similar privacy laws could have implications for the Office's relationships with other countries and their privacy regulators as it would put the Office in the position of making a judgement about the suitability or otherwise of their privacy regime.
28. The Office considers that a more appropriate role for the Office of the Privacy Commissioner would be to provide further and detailed guidance to assist organisations in assessing whether a privacy regime is substantially similar.
29. Under NPP 1.3 organisations are currently required to take reasonable steps to ensure that an individual is aware of the organisations or types of organisations to which personal information might be disclosed. This could include overseas organisations.
30. However, in light of the potential privacy risks, the Office believes that it would be clearer for individuals and organisations if notification of overseas transfers was an explicit requirement within the NPPs. This could be done as part of the usual notice procedures. As outlined in Chapter 4, the Office advocates the use of the short form privacy notice.
31. A requirement to provide notice to individuals should apply irrespective of whether the overseas organisation is a related body corporate of their Australian parent or an agent / contractor of the Australian organisation (see 13.2 below).
32. In addition to providing notice of the transfer, organisations could also provide further information about transfers of personal information outside Australia in their privacy policy or at the request of the individual. This information might include:
33. The Office notes that there will be other times when notice will be important. For example, if an organisation has not previously needed to transfer personal information outside Australia but circumstances have changed since the information was collected, then the organisation should notify affected customers.
34. Although Australia's privacy regime has not been recognised as 'adequate' for the purpose of the European Data Protection Directive, submissions to the Private Sector Review indicated that generally this has not hindered Australian companies from conducting business with European counterparts under contractual arrangements.618
35. While adequacy is desirable in order to streamline trade, the Office notes that even in EU jurisdictions privacy protections may not always be implemented satisfactorily. The EU's First report on the implementation of the Data Protection Directive indicates that different jurisdictions have implemented the Directive in different ways and, as a result, unauthorised and possibly illegal transfers are being made to destinations where recipients are not being guaranteed adequate protection.619 Australia currently has an effective privacy regime in place to protect personal information transferred into and out of Australia. As noted above in response to question 13-1, there are some ways in which NPP 9 can be enhanced.
36. As regards the measures necessary to ensure the adequacy of Australia's privacy regime under the European Union Data Protection Directive, the Office has previously discussed this in the Private Sector Review.620 In its response to the Office's Private Sector Review, the Australian Government agreed with the Office's recommendation that the Government should continue to work with the EU on the 'adequacy' of the Privacy Act.621
37. As the role of electronic business increases and the interaction between individuals, business and government continues to necessitate the flow of personal information between countries, it is important that Australia continues to participate both regionally and internationally to ensure appropriate privacy protections exist when personal information is transferred between countries.
38. The Office is of the opinion that the APEC Privacy Framework (the Framework) provides a positive step forward in addressing regional consistency regarding the handling of personal information and may be considered a useful tool to encourage the development of personal information handling practices.622 Specifically, the Framework may function as a starting point to assist economies that currently do not have a privacy regime in place to develop privacy protections for individuals' personal information.
39. Part iv of the Framework provides guidance on implementation and states that '...the overall goal should be to develop compatibility of approaches in privacy protections...'623. Furthermore, the Framework calls for the cooperative development of 'cross-border privacy rules' for organisations, yet acknowledges that 'organisations would still be responsible for complying with the local data protection requirements....'624. As such, whilst the Framework does not include a trans-border data principle specifically, the Office believes that it is a valuable tool for the encouragement of compatible privacy laws and a consistent level of general privacy protection in the Asia-Pacific region.
612 Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (Cth) (Office's Private Sector Review), 2005, Recommendation 17.
613 Office's Private Sector Review, Recommendation 18.
614 C Kuner, European Data Privacy Law and Online Business, 2003, pp 79-82.
615 Office's Private Sector Review, p 77.
616 Unless the related entity overseas has an organisational link with Australia.
617 Office's Private Sector Review, p 78.
618 Office's Private Sector Review, p 75.
619 Commission of the European Communities, Brussels, 15 May 2003, COM(2003) 265 final, Report from the Commission: First report on the implementation of the Data Protection Directive (95/46/EC), p 19, http://eur-lex.europa.eu/LexUriServ/site/en/com/2003/com2003_0265en01.pdf
620 Office's Private Sector Review, Recommendation 17, p 76.
621 Government response to the Privacy Commissioner's Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (Government response to the Office's Private Sector Review), 30 November 2006, available at http://www.ag.gov.au/www/agd/agd.nsf/Page/Privacy_GovernmentresponsestoPrivacyActreports
622 See APEC Privacy Framework, generally Part i.
623 Ibid, paragraph 32.
624 Ibid, Part B, Part III, paragraph 46 of Part iv 'Implementation'.