Chapter 11
Australian Privacy Principle 8–cross-border disclosure of personal
information and sections 19 and 20
Introduction
11.1
Australian Privacy Principle 8 (APP 8) outlines measures to ensure
that entities cannot avoid obligations to protect personal information by
disclosing the information to a recipient outside Australia.[1]
Section 19 provides for the extra-territorial operation of the new Privacy Act.[2]
Section 20 provides that an entity remains accountable for the acts and
practices of overseas recipients to which it discloses personal information.[3]
11.2
The Companion Guide notes that APP 8 uses the term 'disclosure',
rather than 'transfer', which was used in National Privacy Principle 9
(NPP 9) as 'transfer' implies that there is a cross-border movement of
personal information rather than the accessing of personal information by an
overseas recipient, regardless of whether the information is stored in
Australia or elsewhere through 'disclosure'. The Companion Guide notes that the
routing of personal information through servers which are located outside of
Australia is not intended to constitute a disclosure.[4]
11.3
APP 8 has been extended to apply to agencies as well as organisations.[5]
In addition, APP 8 provides conditions for the disclosure of personal
information outside Australia to ensure that entities remain accountable for
any disclosures they make, rather than prohibiting cross-border disclosures all
together as is the case under NPP 9. However, a series of exceptions provide
for an entity not to be held accountable for the disclosure of personal
information to an overseas recipient.[6]
11.4
The principle provides that before disclosing any personal information
outside of Australia, an entity has to take 'reasonable steps' to ensure that
the overseas recipient will not breach the APPs, by making sure that personal
information has sufficient protection. The Companion Guide notes it is expected
that the obligations of the overseas recipient would be set out in a contract
to establish effective information management arrangements.[7]
11.5
Section 19 provides for the extraterritorial operation of the Act. In
addition, unlike the Privacy Act 1988 (Privacy Act) which only
extended to the acts or practices undertaken by an organisation outside of
Australia in relation to the personal information of Australian citizens or
permanent residents, the new Privacy Act will extend to protect every person,
operating in relation to acts done or practices engaged in outside of
Australia, by agencies and organisations with an Australian link.[8]
The definition of an 'Australian link' is similar to that provided under
subsection 5B(2) of the current Privacy Act.[9]
11.6
The Companion Guide also states that arrangements under the existing
Privacy Act which ensure that an act or practice that is done or engaged in
outside Australia is not an interference with privacy if the act or practice is
required by an applicable law of a foreign country, will be replicated in the
new Privacy Act. These provisions will extend to cover agencies as well as
organisations.[10]
11.7
Under proposed section 20, an entity is held accountable for the acts
and practices of overseas recipients.[11]
The Companion Guide notes that while the term 'accountability' is not used in
this section, the provisions of the section hold an entity as liable for the
acts and practices of an overseas recipient which breach the APPs. However, if
one of the exceptions under APP 8 applies to the entity, then section 20
will not apply to the entity.[12]
Background
11.8
The transfer of personal information across national borders has been
identified as an issue of significant community concern. However, technological
advancements, among other developments, have contributed to a change in the way
business is conducted, and how personal information is collected and managed.[13]
A submitter to the Australian Law Reform Commission (ALRC) review commented:
In today's truly globalised world, cross-border data flows
are an everyday fact of commercial public and private life. The challenge
therefore becomes how to maintain a consistent security and privacy framework
around the treatment of that information across legal and jurisdictional
borders and geographies.[14]
11.9
International frameworks for privacy protection have also been developed
in response to the global developments 'to harmonise laws within economic
communities and improve trade relationships.' These include the Organisation
for Economic Co-operation and Development (OECD) Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data (OECD
Guidelines); European Union (EU) Directive on the Protection of Individuals
with Regard to the Processing of Personal Data and on the Free Movement of Such
Data (EU Directive); and the Asia-Pacific Economic Cooperation (APEC)
Privacy Framework.[15]
11.10
Currently, NPP 9 provides the specific circumstances in which an
organisation can transfer information to a recipient in a foreign country, and
is largely modelled on articles 25 and 26 of the EU Directive. There are no
requisite arrangements in the Information Privacy Principles (IPPs) which apply
to agencies.[16]
11.11
Notably, NPP 9 does not apply where the information is transferred
to the same organisation, rather it only applies if the transfer is to a third
party. Further, NPP 9 only regulates the transfer of information to
'foreign countries' as opposed to 'other jurisdictions', and therefore:
It does not protect personal information that is transferred
to a state or territory government that is not subject to privacy law, or a
private sector organisation that is exempt from the Privacy Act.[17]
11.12
Section 5B of the current Privacy Act ensures that organisations do not
avoid their obligations in relation to the management of personal information
under the Act by transferring information overseas. The Privacy Act applies to
an act or practice relating to personal information about an Australian citizen
or permanent resident, and the organisation undertaking the act or practice
either has an Australian link or carried on a business in Australia and held or
collected information in Australia either before or at the time of the act done
or practice engaged in.[18]
To implement this, Privacy Commissioner's enforcement powers are extended to overseas
complaints which fit specified criteria.[19]
11.13
Subsection 6A(4) and section 13D of the existing Privacy Act provide
that an act or practice undertaken overseas which is required by an applicable
foreign law will generally not be taken as a breach of the Act or an interference
with the privacy of an individual.[20]
11.14
The ALRC review looked at the following matters, among others:
-
international frameworks for privacy protection, in particular,
the EU Directive, the APEC Privacy Framework and the Asia-Pacific Privacy
Charter;
-
regulation of cross-border data flows under the Privacy Act
1988 via the extraterritorial operation of the Act;
-
the restrictions in NPP 9 on the transfer of personal
information to countries with differing privacy regimes;
-
the content of the 'Cross-border Data Flows' principle in the
model Unified Privacy Principles (UPPs) and its application to agencies and related
bodies corporate;
-
notification requirements; and
-
the role of the Privacy Commissioner and the need for Office of
the Privacy Commissioner (OPC) guidance.[21]
11.15
The ALRC examined the application of section 5B of the Privacy Act to
agencies and formed the view that while section 5B applies only to
organisations:
Agencies often compel the collection of personal information
and should therefore remain accountable for the handling of that information
under the Privacy Act, whether they are located in Australia or offshore.
Further, agencies should not be able to avoid their obligations under the Act
by transferring the handling of personal information to entities operating in
countries with lower privacy protection standards.[22]
The ALRC therefore recommended that agencies that operate
outside Australia should be subject to the Privacy Act.
11.16
One of the criticisms of NPP 9 is that organisations, which transfer
personal information to recipients in foreign countries, are not held
accountable for subsequent breaches of privacy. Given the risks associated with
cross-border transfers, and the significant community concern around the issue,
the ALRC suggested it was pertinent that agencies and organisations which
transfer information to a recipient outside of Australia be held accountable
for the acts and practices of the recipient in respect of the transferred
personal information.[23]
The ALRC specified three circumstances in which an agency or organisation
should not be held liable namely, where the:
- information is subject to a law, binding scheme or contract which
effectively upholds privacy protections that are substantially similar to the
UPPs;
-
individual consents to the transfer, after being expressly advised that
the consequence of providing consent is that the agency or organisation will no
longer be accountable for the individual's personal information once
transferred; or
- agency or organisation is required or authorised to transfer the
personal information by or under law.[24]
11.17
The ALRC noted the concerns of stakeholders with respect to the
'reasonably believes' test currently used in NPP 9(a). However, the ALRC
recommended that the test be retained, and that the Government issue a list of
'laws and binding schemes that effectively uphold principles for fair handling
of personal information that are substantially similar' to those in Australian
legislation, to assist agencies and organisations with compliance. The factors
to be considered in determining whether an entity has a 'reasonable belief' may
include 'the level of enforcement of a relevant law, binding scheme or
contract, which may not be answered solely by their inclusion on the proposed
list'. Therefore, the ALRC also suggested that the OPC issue guidance on what
constitutes a 'reasonable belief'.[25]
11.18
Noting that provision of consent under this principle has significant
implications, the ALRC suggested that the application of more detailed consent
requirements than the usual 'voluntary and informed', may be required. For
example, an agency or organisation may need to be able to demonstrate that
informed consent was obtained, possibly through a written acknowledgement.
Further, in order to provide informed consent, an individual would need to be
notified of the countries to which their information may be sent. Such
information could be included in a privacy policy, and the notification
requirements under the principles would apply in this circumstance. The ALRC
recommended that the OPC provide guidance on what is required of agencies and
organisations in obtaining an individual's consent in particular contexts under
the Privacy Act.[26]
11.19
The views of submitters to the ALRC review were widely varied on the
definition of the term 'transfer' and whether a definition should be provided
in the legislation. Given the disparity in views, the ALRC recommended that the
OPC issue guidance on the circumstances in which a cross-border transfer would
occur, as such guidance 'can more readily be amended to accommodate changes to
the ways in which personal information is transferred than a definition of
"transfer" under the Privacy Act'.[27]
11.20
Stakeholders noted that under the current legislation it is not clear
whether the transfer of personal information outside of Australia to a related
body corporate is subject to NPP 9, due to the interaction between this
principle and subsection 13B(1). Subsection 13B(1) states that the collection
or disclosure of non-sensitive personal information between two related bodies
corporate is not an interference with the privacy of an individual. The ALRC
formed the view that it is in the public interest for the principle relating to
the cross-border transfer of information to apply to transfers of information
by organisations to related bodies corporate outside of Australia, as:
Although many related companies are governed by a common set
of internal policies, this may not always be the case. Further, the internal
policies of a related company may not always provide the same level of
protection as the Privacy Act.[28]
11.21
The ALRC noted that while the 'ability to investigate breaches of local
privacy laws in foreign countries poses particular challenges for privacy
regulators', the OPC and the Australian Government are already cooperating with
privacy regulators in other jurisdictions in various forums.[29]
11.22
Most submitters to the ALRC review stated that an individual should be
notified if their personal information will be transferred outside of
Australia. However, the ALRC formed the view that a notification each time an
individual's information is transferred overseas would be an onerous and
unjustified compliance burden on agencies and organisations. The ALRC suggested
that it would suffice if:
-
the entity's privacy policy set out whether the entity may
transfer personal information outside of Australia, and list those countries to
which the information may be transferred; and
-
under the 'notification' principle, an individual would be
notified if their personal information may be transferred overseas.[30]
Government response
11.23
The Government accepted seven of the eight ALRC recommendations in
relation to cross-border data flows and accepted with amendment the recommendation
relating to exceptions.[31]
11.24
In relation to exceptions, the Government accepted that, as a general
principle, an agency or organisation should remain accountable for the
information which they transfer outside of Australia. The Government was also
of the view that there should be certain exceptions to this general principle,
agreeing with two of the exceptions proposed by the ALRC, namely the consent
exception and the required or authorised by or under law exception. However,
the Government considered the exception under which an agency or organisation reasonably
believes the recipient is subject to substantially similar privacy protections
should be amended to ensure that there are also enforceable mechanisms to
enable individuals to take action if there is a breach of their privacy. The
Government suggested that these enforcement mechanisms:
...may be expressly included in the law or binding scheme or
may take effect through the operation of cross-border enforcement arrangements
between the Office of the Privacy Commissioner and an appropriate regulatory authority
in the foreign jurisdiction.[32]
11.25
The Government also considered that there should be further exceptions
to the general principle of accountability, as follows:
-
there is a reasonably belief that the disclosure is necessary to
lessen or prevent a serious threat to an individual's life, health or safety;
or public health or public safety and in the circumstances, it is unreasonable
or impracticable to seek the individual's consent;
-
there is reason to suspect that unlawful activity or serious
misconduct has been, is being, or may be engaged in, and the disclosure of the
personal information is a necessary part of the entity's own investigation of
the matter or in reporting its concerns to relevant persons or authorities; or
-
there is a reasonably belief that the disclosure is necessary for
the prevention, detection, investigation, prosecution or punishment of criminal
offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed
law.[33]
11.26
The Government response further stated that individuals should be
notified if their personal information is reasonably likely to be transferred
overseas, and if so, to which locations it might be transferred. The Government
envisaged this requirement would be provided for under the 'notification'
principle, and would be qualified by the 'reasonable steps' test (see chapter 8).[34]
Issues
11.27
The Australian Institute of Credit Management welcomed APP 8 as it
believed it will 'significantly ameliorate concerns regarding the management of
personal information in the international context'.[35]
However, Professor Greenleaf and Mr Waters called APP 8 'the most
controversial new principle' as it abandons a 'border protection' approach in
favour of an 'approach mis-described as "accountability"'.[36]
Privacy NSW considered that the principle should be more stringent than the use
or disclosure principle (APP 6) and disclosure should only take place
outside Australia where the same level of protection as the APPs is afforded or
if there is express consent.[37]
11.28
Other submitters stated that APP 8
increased the compliance burden on organisations, while the Australian Hotels Association commented that this
was a further regulatory requirement on an essential business process.[38]
Yahoo!7 on the other hand, preferred that accountability for the handling of
cross-border data disclosure be through self regulatory codes and cooperative
instruments and commented 'whilst we appreciate the need to provide information
and reassurance to users in relation to cross-border transfers, we consider any
reliance on distinction between borders to be unrealistic'.[39]
11.29
The following discussion addresses concerns in relation to the accountability
for personal information transferred overseas, the structure of APP 8, the
exceptions to the principle and interaction between APP 8 and section 20.
Accountability for personal
information transferred overseas
11.30
The NSW Department of Justice and Attorney General commented that APP 8
itself does not embody the principle of entities remaining accountable for
personal information transferred to an overseas recipient. Rather, the
principle only provides for a 'reasonable steps' test and the 'accountability'
principle is contained in proposed section 20.[40]
The NSW Department of Justice and Attorney General submitted that, for clarity,
the accountability principle could be embodied in the APP and not in a separate
section of the Act. It was suggested that, at the very least, a note could be
included following APP 8 to indicate that the accountability principle
applies and stating its location. This would avoid the risk that entities or
individuals assuming that APP 8 is exhaustive in relation to cross-border transfers
and that the only obligation on entities is to take reasonable steps to ensure
that the overseas recipient does not breach the APPs. The NSW Department of Justice
and Attorney General went on to submit that compliance only with APP 8 would
provide a far more limited safeguard than the accountability principle that appears
in section 20.[41]
The OPC also supported the inclusion of a note referring to section 20.[42]
11.31
In relation to the change to an 'accountability model', the Australian
Bankers Association (ABA) supported APP 8 using such a model as 'it is commercially
and socially realistic'.[43]
While Google supported the approach in the principle, it voiced concern with
the strict liability imposed by section 20.[44]
Other submitters also expressed concern about the shift in liability. The Australian
Finance Conference (AFC) commented that the principle shifts the risk balance
heavily to the entity and queried 'the individual interest justification to
support that'. It commented that APP 8 departs from the ALRC
recommendations and from the current NPP 9. The AFC also questioned the
approach taken in APP 8 given Australia's recent commitment to the APEC
Cross-border Privacy Enforcement Arrangement (CPEA). The APEC CPEA is aimed at
assisting in the removal of country boundaries in the enforcement of privacy
protections.[45]
11.32
Microsoft also raised the CPEA and commented that the combination of
APP 8 and section 20 'appears to go further than both the APEC
accountability principle and the government's own response to the ALRC
recommendations' as the entity will be liable if the recipient outside
Australia acts inconsistently with the APPs. Microsoft commented that
'liability will be imposed even where the Australian entity exercised due
diligence and took reasonable steps to ensure that the recipient would abide by
the principles'.[46]
11.33
Deloitte Australia commented on the point raised by Microsoft and
suggested that the interaction between section 20 and APP 8 was unclear.
Although it supported the accountability principle, Deloitte suggested that the
disclosing entity should only be liable under section 20 if it did not take
reasonable steps as required under APP 8(1). It also noted the comments of
the ALRC in relation to information that is the subject of a contract that
effectively upholds privacy protections substantially similar to the UPPs and
the provisions of the CPEA.[47]
11.34
The Law Council of Australia (LCA) also commented that the onus placed on
entities is stricter than that under the CPEA. The LCA suggested that section
20 is unnecessary if the provisions of APP 8 have been complied with.[48]
11.35
In response to comments in submissions about the intention of the
principle, and the shift to an accountability framework, the Department of the
Prime Minister and Cabinet (the department) stated that the Government had
accepted the general principle that an agency or organisation should remain
accountable for personal information that is transferred outside Australia. The
Government also accepted that there should be a limited number of exceptions to
the principle and that the term 'accountable' should be defined so that the
scope of the principle is clear to agencies and organisations.[49]
11.36
The department went on to note that the key instrument considered in
developing the principle was the CPEA, which in turn is derived from the OECD
principles. The key element of accountability is that an agency or organisation
transferring personal information should exercise due diligence and take
reasonable steps to ensure the recipient will protect the personal information.
11.37
In addition, one way to meet a requirement that a foreign recipient
protect personal information would be to use a contract. The department noted
that while contracts will remain useful as important mechanisms for agencies
and organisations to impose obligations upon recipients, they should not
provide a specific exception on their own from the accountability obligations. It
is expected that entities will ordinarily have a contractual relationship with
overseas recipients, and that contract would set out the obligations of the
overseas recipient. This may not be reasonable in all circumstances but it is
the general expectation.[50]
11.38
Matters specific to section 20 are discussed below, see paragraphs 11.121–134.
Conclusion
11.39
The committee acknowledges that APP 8 and section 20 address the growing
community concerns that technology allows information to be shared freely
across borders. While the committee notes concerns about the liability imposed
by section 20, even when reasonable steps have been taken by the entity, the
department and the Companion Guide explained that this will be managed through
contractual relationships with the overseas recipients including privacy
obligations. Therefore the committee does not consider that the obligations
imposed by APP 8 and section 20 are overly onerous.
11.40
In line with the committee's previous comments in relation to clarity,
the committee considers that a note referring to section 20 should be included
in APP 8 to ensure that the interaction between both provisions is clear.
Recommendation 14
11.41
The committee recommends that a note be added to the end of APP 8
making reference to section 20 of the new Privacy Act.
Notification
11.42
Professor Graham Greenleaf and Mr Nigel Waters commented that as
currently drafted, APP 8 does not appear to require notification of
individuals at the time that their data is being transferred to an overseas
jurisdiction. They considered that this compounded their concerns raised in
relation to APP 1 and APP 5 relating to notification of an individual
of the countries to which their personal information may be disclosed.[51]
11.43
The committee notes, that in its review, the ALRC recognised that
individuals should be notified if their personal information is to be
transferred outside of Australia. However, it was noted that requiring a
notification each time an individual's information is transferred overseas
would be an onerous compliance requirement for agencies and organisations.[52]
The Government agreed with the ALRC's recommendation that an agency or
organisation's privacy policy should state whether personal information is
likely to be transferred overseas, and where it may be transferred to. The
Government also stated in its response that a requirement to notify individuals
of the possible transfer of their personal information overseas would be
expressly provided for in the 'notification' principle, but would be qualified
by a 'reasonable steps' test:
For example, an agency or organisation would not need to
include this information in a collection notice if it did not reasonably know
at the time of collection whether information would be transferred overseas.
Further, it would not be reasonable to provide specific
information if the organisation or agency does not reasonably know to which
specific jurisdiction personal information may be transferred.[53]
Structure and terminology
11.44
In relation to structure and terminology used in APP 8, the Office
of the Victorian Privacy Commissioner (Privacy Victoria), suggested that
including exceptions which relate solely to Commonwealth agencies in privacy
principles which are supposed to be 'high-level' is problematic, as it
increases complexity and makes the principles less readily transferable to
states and territories.[54]
The AFC also submitted that, as a matter of policy and drafting, APP 8
fails to achieve the key objectives of the privacy reforms of high-level,
simple, clear and easy to understand principles.[55]
11.45
Privacy Law Consulting Australia raised various concerns regarding the
terminology used in the exposure draft of APP 8. In relation to
APP 8(1), it was noted that the APPs do not apply to overseas recipients,
therefore phrasing similar to section 20(1)(d) should be included in the
provision, such as 'if those Australian Privacy Principles applied to it'.[56]
11.46
The committee has commented on general matters in relation to clarity
and agency specific provisions in chapter 3.
To 'transfer' or to 'disclose'
11.47
APP 8 uses the term 'disclosure' rather than 'transfer' as is
currently used in NPP 9. The Companion Guide states that the term
'transfer' complicates the understanding of the information flow. Rather, the
ordinary meaning of disclosure is to allow information to be seen rather than
the implication of 'transfer' of a cross-border movement of information. This
means that a disclosure will occur when an overseas recipient accesses
information, whether or not the personal information that is accessed is stored
in Australia or elsewhere. The APP will not apply if the information is routed
through servers outside Australia.[57]
11.48
Telstra raised concern about the meaning of 'accessed' by an overseas
recipient. While agreeing that the principle should apply in the case where an
overseas recipient is able to have possession of personal information, Telstra
argued that the principle should not be extended to cover situations in which
the information is temporarily 'viewed' by an overseas recipient who cannot
print, copy or save the information. In Telstra's opinion, the entity which
possesses the information should remain responsible for the management of that
information.[58]
11.49
The Financial Services Council (FSC) noted the explanation provided in
the Companion Guide, which outlines that information will not be taken to be
'disclosed' if it is routed through servers which are outside of Australia or
stored offshore. However, it was submitted that these intentions should be
clarified in APP 8 and the provisions of the Privacy Act itself, and
explanatory material should also clearly state that entities will need to
ensure that information routed or stored offshore is not accessed by third
parties, and thereby 'disclosed'.[59]
11.50
The OPC suggested concerns about the use of the term 'disclosure' could
be addressed by including explanatory material to note that APP 8 and
related provisions only apply to disclosures and not to an entity's internal
'uses'.[60]
The OPC also suggested that explanatory material clarifying that APP 8
will apply to disclosures to a 'related body corporate' be included, consistent
with recommendations in the ALRC report, and as accepted in the Government's response.[61]
11.51
In relation to the intention that the principle will not apply to
information routed through servers outside Australia, the OPC commented that it
agreed with this view 'provided the personal information is not accessed by a
third party during this process'. The OPC concluded:
The Companion Guide or other explanatory material could note
that entities will need to take a risk management approach to ensure that
personal information routed overseas is not accessed by third parties. If the
information is accessed by third parties, this will be a disclosure subject to
APP 8 (among other principles).[62]
Conclusion
11.52
In light of the comments received by the committee in relation to the
'disclosure' of personal information, the committee considers that greater
clarity is required around the use of this term. The committee is of the view
that explanatory material should be prepared that clearly outlines when
information is taken to be 'disclosed' through cross-border activities. The
committee also considers that explanatory material regarding the application of
APP 8 to disclosures to a 'related body corporate' should be provided.
Recommendation 15
11.53
The committee recommends that the Department of the Prime Minister and
Cabinet develop explanatory material to clarify the application of the term
'disclosure' in Australian Privacy Principle 8.
Ensuring an overseas recipient does
not breach the APPs–APP 8(1)
11.54
APP 8(1) requires an entity, which is disclosing personal
information to an overseas recipient, to 'take such steps as are reasonable in
the circumstances' to ensure that the overseas recipient does not breach the
APPs in relation to the information before the disclosure takes place.
11.55
The LCA submitted that this is an onerous requirement as in order to
achieve the aim of APP 8(1) an Australian entity would have to require the
overseas entity to bind itself to observe the APPs and the affected overseas
entity may resist. The LCA suggested an amendment to the provision so that the
Australian entity must take reasonable steps to ensure that the foreign
recipient does not hold, use or disclose personal information 'in a manner
inconsistent with the Australian Privacy Principles'.[63]
11.56
Qantas expressed concern that the requirement to 'ensure that the
overseas recipient does not breach the Australian Privacy Principles' is too
broad, suggesting that the approach taken in NPP 9(f), which requires the
overseas recipient to hold, use and disclose the personal information in a
manner consistent with the APPs, is more appropriate.[64]
11.57
Some submitters commented that APP 8 is complex and confusing, as there
is no explanation of what might constitute 'reasonable steps'.[65]
Professor Graham Greenleaf and Mr Nigel Waters noted that in the absence of a
definition of what might constitute reasonable steps, guidelines from the
Australian Information Commissioner are essential. It was further noted that
guidance on model contract clauses will make it easier to determine whether a
contract meets the 'reasonable steps' compliance test in APP 8(1).[66]
11.58
Dr Colin Bennett argued APP 8 does not explicitly state the
intention of the principle, which, as explained in the Companion Guide is that,
'if the overseas recipient does an act or practice that would be a breach, then
the entity would be liable'. Dr Bennett suggests that Canadian privacy
legislation states the entity's responsibility more clearly, and encourages an
organisation to use contractual arrangements to ensure the adequate level of
privacy protection is complied with by the third party.[67]
11.59
Coles Supermarkets Australia Pty Ltd (Coles) supported this argument and
explained that when outsourcing services, Coles puts contracts in place which
oblige the overseas recipient to manage personal information in accordance with
the requirements of Australian privacy laws, and provide that the service
provider's compliance with the contract may be audited. Coles suggested that
similar requirements could be applied under the principles to any third party
recipients of personal information, regardless of their location.[68]
11.60
However, in its submission the ABA recognised that it is stated in the
Companion Guide that it is generally expected that entities will use
contractual arrangements to ensure that an overseas recipient manages
information in a manner which is consistent with the APPs, and that the
existence of such contractual arrangements indicates that an entity has taken
reasonable steps as required.[69]
11.61
Guidance on the term 'reasonable steps', is provided in the Guidelines
to the National Privacy Principles produced by the OPC, and it is expected
that similar guidance will be issued for the APPs. Professor Rosalind Croucher,
President of the ALRC, explained that the Office of the Australian Information
Commissioner:
...might assist in the process of determining what is
reasonable, in conjunction with the kinds of other steps that we have suggested
before. There are other sources of best practice. The advantage of an
information commissioner’s office is that it is a central repository and a
high-level federal government agency that can assist in the process of making
these high-level principles more operationally effective in the interests
underpinned by the principles.[70]
11.62
Further, the Government response supported the ALRC's suggestion that
the OPC provide guidance on what should be contained in a contractual agreement
with an overseas recipient of personal information.[71]
Conclusion
11.63
The committee considers that, as the Government envisages that most Australian
entities and overseas recipients will have contractual arrangements in place
which will be used to ensure information is managed in accordance with Australian
privacy law, guidance should be provided to assist entities in this regard. In
addition, compliance with APP 8(1) contains a 'reasonable steps' test.
Therefore the committee considers that, as a matter of priority, the Office of
the Australian Information Commissioner should provide guidance in relation to
the type of contractual agreements required to comply with APP 8.
Recommendation 16
11.64
The committee recommends that the Office of the Australian Information
Commissioner develop guidance on the types of contractual arrangements required
to comply with APP 8 and that guidance be available concurrently with the
new Privacy Act.
Exceptions
11.65
APP 8(2) sets out a number of exceptions under which an entity will
not be accountable for the cross-border disclosure of personal information to
an overseas recipient. As the cross-border disclosure of personal information
has been extended to agencies, a number of agency specific exceptions have been
included to 'ensure that current information sharing activities of agencies is
still permitted'.[72]
Comments on the inclusion of agency specific exceptions are contained in
chapter 3.
11.66
Professor Greenleaf and Dr Waters argued that the 'attempt at regulation
of overseas transfers' through APP 8(1) is 'fatally undermined by
APP 8(2) which provides nine separate means by which a data exporter can
be exempt from even the theoretical liability/"accountability" of
APP 8(1)'.[73]
The following canvasses the issues raised in relation to specific exceptions.
Similar overseas laws and
enforcement mechanism exception–APP 8(2)(a)
11.67
APP 8(2)(a) provides that if the entity transferring personal
information overseas 'reasonably believes' that the recipient of that
information is subject to laws which protect the information in a way that is
at least substantially similar to the APPs and there are accessible mechanisms
available to enforce those protections, an exception to the provisions of
APP 8(1) is available.
11.68
Microsoft noted the Government's response to the ALRC's recommendations
extended the exception to include the accessible enforcement mechanisms for
individuals to be able to take effective action to have the privacy protections
enforced. The Government response stated that any such enforcement mechanism
may be expressly provided for in a law or binding scheme, or be given effect
through cross-border enforcement arrangements between the OPC and an
appropriate foreign regulator. Microsoft submitted that it did not consider
that proposed APP 8(2)(a) reflects the position stated in the Government response.
Microsoft suggested that the exception be redrafted to ensure
that:
-
the foreign recipient is in a jurisdiction with an adequate level
of protection;
-
the foreign recipient is in a jurisdiction that has entered into
a cross-border enforcement arrangement with the OPC that will enable an
individual to pursue a claim against the foreign recipient in respect of
conduct that would constitute an interference of privacy if it had occurred in
Australia.[74]
11.69
A number of other issues were raised in relation to this exception. On
the one hand, privacy commentators considered that the exception was flawed
while data exporters pointed to the compliance burden.
11.70
Professor Greenleaf and Mr Waters argued that APP 8(2) was weakened
by the inclusion of the term 'reasonably believes' and submitted that:
Some organisations will inevitably make self‐serving judgements
about the level of protection in other jurisdictions and/or pay for advice that
supports their desire to transfer. Similar protection should be an exception to
any prohibition on transfer, but it must be based on objective criteria.[75]
11.71
As a consequence, they recommended that the term 'the entity reasonably
believes that' be deleted, 'so that the question of the effectiveness of the
overseas privacy protections becomes a question of fact, to be determined
initially by the Privacy Commissioner on the basis of a complaint, and
ultimately by a court on appeal'. Professor Greenleaf and Mr Waters concluded
that 'such ex post facto determinations may discourage exports of Australians'
personal information to countries where privacy protection is questionable, but
that would be a good result'.[76]
11.72
Dr Colin Bennet was of a similar view: either the overseas recipient is
subject to a law or binding scheme similar to the Australian legislation, or it
isn't, and noted that entities could use this to avoid liability in cases where
they have not exercised due diligence.[77]
11.73
Submitters raised concerns in relation to the compliance burden and
access to a comprehensive list of destinations which have regimes so that an
entity could comply with APP 8(2)(a). Qantas, for example, submitted that
the requirements of APP 8(2)(a) relating to the availability of
enforcement mechanisms is 'too onerous for an Australian entity to comply with
and should be removed'.[78]
In addition, it was argued that if entities were required to make their own
determination, a situation could arise whereby different entities make
different determinations about the level of privacy protection available in
various jurisdictions.[79]
11.74
Submitters called for the provision of a list which identifies countries
with similar privacy laws to Australia and which have accessible protection
mechanisms. Submitters suggested that the OPC should compile and publish a list
while Microsoft suggested that this should be a 'positive obligation' on the
OPC.[80]
Such as list would ensure consistent treatment of privacy protection between
entities and would assist entities in complying with their obligations,
particularly under APP 8(2)(a) when disclosing information offshore.[81]
It was noted that some international jurisdictions have adopted this approach
in relation to Anti-Money Laundering legislation, and that the compilation of
such a list may be facilitated by the new APEC Cross-border Privacy Enforcement
Arrangement.[82]
11.75
The NSW Department of Justice and Attorney General also commented that
the NSW Law Reform Commission's view was that, if such a list is published,
there is no need for the reasonable belief test. Further, such a list could
include not only laws but also 'binding schemes' such as inter-governmental
agreements or effective self-regulatory schemes. The NSW Department of Justice
and Attorney General stated:
There is a question about the circumstances in which an
entity could hold the necessary "reasonable belief" in relation to an
entity in a jurisdiction not on the list. It is conceivable that a jurisdiction
with adequate protection might not be on the list due to delays in maintaining
the list. In such circumstances, the reasonable belief test could provide a
safety net for entities. However, provided the list is effectively created and
maintained, in the vast majority of cases a belief is unlikely to be
'reasonable' in relation to an entity in a non-listed jurisdiction.[83]
11.76
The NSW Department of Justice and Attorney General further commented
that a belief may be reasonable, based on the information available to an
entity, but it may be ill informed and incorrect. It concluded that removal of
the 'reasonable belief' exception in favour of the 'listed jurisdiction'
approach, as recommended by the NSW Law Reform Commission may be worth further
consideration.[84]
11.77
The ALRC review recognised concerns regarding the 'reasonably believes'
test which is used in existing NPP 9(a), but recommended that the test be
retained. To assist agencies and organisations with compliance, the ALRC
suggested the Government issue a list of laws and binding schemes which are
substantially similar to the protections provided under Australian legislation.
However, the ALRC noted that the level of enforcement of a relevant law or binding
scheme would not be reflected by inclusion on a list. For example, entities may
know that there is no mechanism for enforcement of privacy protection laws and
thus could not demonstrate 'reasonable belief' for the purposes of the
principle. The ALRC suggested that the OPC issue guidance on the 'cross-border
data flows' principle which should include what constitutes a 'reasonable
belief'.[85]
11.78
In its response to issues raised in relation to this exception, the
department noted that 'the ALRC made it clear that the mere fact that a
recipient is subject to a listed binding law or scheme is not determinative in
itself, as the entity must still form its own reasonable belief based on the
information available to it'. Further, the Government response stated that
agencies and organisations will be able to use the list to assist them in
forming a reasonable belief that, in the circumstances of their particular
cross-border transfer of personal information, the recipient of the information
will be accountable. The department commented:
Once armed with the initial information, entities would be in
the best position to find out about the specific laws that apply to the
overseas recipient, including whether the recipient is bound by existing
privacy laws in the overseas jurisdiction that are substantially similar (we
understand that some privacy laws, for example in Korea, only apply to certain
industry sectors).[86]
11.79
The department noted that the list would be prepared by the Government
rather than the Office of the Australian Information Commissioner.[87]
11.80
The enforcement mechanism requirement was also examined by the LIV from
the perspective of access by affected individuals. While mechanisms may exist,
the LIV commented that if it is time consuming, costly, or not applied in a
practical sense 'then it does not provide any meaningful protection to
individuals' and 'it is unrealistic to expect Australian citizens to avail
themselves of such mechanisms'.[88]
PIAC and the Health Services Commissioner similarly argued that the affected
individual should not have to take action in another jurisdiction against a
third party in order to protect the rights afforded by Australian privacy law.
Rather, the individual should always be able to take action in Australia and
against the entity with which he or she had direct dealings.[89]
Consent to cross-border disclosure–APP 8(2)(b)
11.81
APP 8(2)(b) provides that APP 8(1) does not apply if the
entity obtains the consent of the individual to overseas disclosure, after the
individual has been given information to that effect. Submitters raised two
matters: the practicality of the consent requirement in relation to commonplace
international transactions; and the lack of the need to gain 'express' consent.
11.82
The ABA noted that there are a wide range of quite common international
transactions, such as international payments and international credit card
transactions, in which it is clear that information will cross international
borders. The ABA stated that it is not practicable to impose controls on
recipients in such transactions, and consequently, its members will find it
difficult to meet the requirements under APP 8(2)(b). To address this
issue, the ABA suggested an additional exception be provided under
APP 8(2) for circumstances in which the:
...overseas transfer of information is a necessary step in providing
a service which would be obvious to a reasonable person turning their mind to
the circumstances.[90]
11.83
The ABA submitted that if a bank is required to expressly inform each
individual customer separately that their information will be disclosed to an
overseas recipient, 'the consent exception will, in all practicality, be
illusory'. Consequently, the ABA suggested that an individual can be expressly
informed by an entity through the provision of information in the entity's
privacy policy, so that the customer is aware that in continuing to deal with
the entity, they consent to the potential for their information to be sent to
an overseas recipient.[91]
11.84
However, the possibility that entities would use privacy statements to
meet the consent requirement was of concern to other submitters. Professor
Greenleaf and Mr Waters commented that there was no requirement to explain
the 'risk' either generally or in relation to a specific destination. As
consent can be implied, entities may rely on 'small print' notices in standard
terms and conditions statements which were 'completely ineffective'.[92]
11.85
The issue of 'implied' consent through a notice being included in a
privacy statement was raised by other submitters.[93]
The Health Services Commissioner, Victoria, argued that a detailed privacy
notice at the end of a document which includes information about disclosures
overseas 'is not likely to be read by many individuals'. In addition, more
stringent requirements are needed in relation to sending health information
overseas.[94]
The LIV suggested that if this provision is retained, it should incorporate a
requirement that such consent be 'free, express and fully informed' to ensure
that any such consent is not implied.[95]
Professor Greenleaf and Mr Waters suggested that the provision be amended so
that individuals, who consent, be provided with a written notice that contains
the information provided to the individual when the consent was given.[96]
11.86
In its review, the ALRC considered that the application of more detailed
consent requirements than the usual 'voluntary and informed', may be required
under this principle as provision of consent in these circumstances has
significant implications. Consequently, the ALRC recommended that the OPC
provide guidance on what is required of agencies and organisations in obtaining
an individual's consent to the transfer of their information overseas. This recommendation was accepted by the Government.[97]
11.87
The ALRC's position on the concept of consent was explained more fully
by Professor Rosalind Croucher, President of the ALRC at the committee's public
hearing:
In our report we recommended that the Office of the Privacy
Commissioner should develop and publish guidance about what is required of
agencies and organisations to obtain an individual's consent. This guidance should,
for instance, address a number of the things that I am grabbing at—the factors
to be taken into account by agencies and organisations in assessing whether it
has been obtained, which is kind of what you are asking about in asking how. It
should cover express and implied consent as it applies in various contexts and
include advice on when it is and is not appropriate to use the mechanism of
bundled consent—in other words, a consent to general use. So we do consider
that in the report. I suppose the simple answer is that it depends on the
context, but we have suggested that the Office of the Privacy Commissioner,
which now sits under the Information Commissioner's office, might be the
appropriate agency through which such guidance could be developed.[98]
Required or authorised by or under
and Australian law–APP 8(2)(c)
11.88
Google Australia Pty Limited (Google) suggested that APP 8(2)(c)
only covers disclosures to an overseas recipient, not any subsequent disclosure
by that recipient which may be required by law in the overseas jurisdiction. It
was argued that the provision should recognise requirements of foreign law to
ensure that Australian entities are not put at risk of being in breach of the
Act under section 20, due to a disclosure of personal information by an
overseas recipient required by a foreign law.[99]
11.89
However, the committee notes that the Companion Guide indicates that subsection
6A(4) and section 13D of the current Privacy Act, provide that if an act or
practice which is done or engaged in outside Australia is required by an
applicable law of a foreign jurisdiction, then that act or practice is not
deemed to be an interference with privacy. The Companion Guide states that
these provisions are to be replicated in the new Act and will cover agencies.[100]
In addition, the department responded to Google's concerns and reiterated that the
existing policy achieved by subsection 6A(4) and section 13D of the Privacy Act
will be retained in the amended Act. In the example provided by Google, an
Australian entity would not breach the APPs if an applicable foreign law
required disclosure of personal information by an entity to which that
information had been disclosed.[101]
Required or authorised by or under
an international agreement–APP 8(2)(d)
11.90
APP 8(2)(d) provides an exception if an entity is an agency and the
disclosure of the information is required by or authorised by or under an
international agreement related to information sharing, and Australia is a
party to that agreement. Concerns were raised by the LIV that compliance with
the APPs may be avoided by government by entering international agreements. The
LIV stated 'we note that there is no regulation or requirement that
international agreements about information sharing comply with the APP' and
provided the example of the ease with which governments can circumvent the APPs
through international agreements by pointing to the Department of Immigration
and Citizenship's agreement with five countries to exchange biometric
information in relation to protection visa applicants.[102]
Professor Greenleaf and Mr Nigel Waters went further and called this 'policy
laundering', that is 'hiding behind often spurious claims of
"international obligations" to justify actions which would not
otherwise be lawful'.[103]
11.91
The OPC expressed similar concerns that the scope of the exception was
unclear and could be quite widely interpreted, thereby limiting the
circumstances in which an agency can be held accountable for the disclosure of personal
information overseas. The OPC explained that wherever practicable 'specific
domestic legislative authority should be the basis for an agency to disclose
personal information under an international agreement relating to information
sharing' thereby providing clarity and certainty to agencies and ensuring that
information sharing practices by agencies are subject to appropriate
parliamentary scrutiny. If no such legislative authority exists, the OPC
suggested the disclosure of information should be subject to other forms of
scrutiny, 'such as through a public interest determination (a legislative
instrument) issued by the Privacy Commissioner'.[104]
11.92
With regard to this exception, OPC suggested the committee:
-
seek further advice on the range of international agreements that
may be encompassed by the exception; and
-
consider whether those agreements are subject to sufficient
parliamentary scrutiny, such that it is appropriate for APP 8 to permit
disclosures that are authorised by those agreements (rather than relying on the
'required or authorised by law' exception in APP 8(2)(c)).[105]
11.93
The Companion Guide states that the exception allowing cross-border
disclosure of information pursuant to information sharing under an
international agreement, was necessary to include as the cross-border
disclosure principle has been extended to cover agencies. This exception will
facilitate the current information sharing activities of agencies.[106]
Law enforcement
activities–APP 8(2)(g)
11.94
An exception is available to agencies for the disclosure of information,
to overseas bodies 'similar' to Australian enforcement bodies, where it is
necessary for law enforcement activities by, or on behalf of, an Australian
enforcement body. The OPC commented that the requirement that the overseas body
performs functions, or exercises powers similar to those performed or exercised
by the Australian body could be broadly interpreted. The OPC suggested that the
term 'substantially similar' be used instead, as the definition of an
enforcement body is strictly defined in section 15 of the exposure draft.[107]
Diplomatic, consular and defence
activities–APP 8(2)(h) and APP 8(2)(i)
11.95
As noted in chapter 3, the OPC recommended that the diplomatic, consular
and Defence Force activities exceptions be addressed in portfolio legislation
rather than the Privacy Act, ensuring that these exceptions are only invoked
where appropriate. Consequently the APPs would remain a broad high-level framework,
applicable to all entities.[108]
Exceptions no longer included in
the cross-border principle
11.96
The Law Council of Australia and Qantas noted that two exceptions which
are currently provided for under the NPPs have not been included in APP 8.
These relate to when the transfer of information is necessary under a contract
(NPP 9(c) and (d)). In effect, the absence of these provisions means that:
...if an entity needs to disclose personal information which
is necessary for the conclusion of the contract with an overseas entity which
is not subject to a scheme which is similar to the APPs the entity will need to
obtain consent or to enter into a contract which will ensure the overseas
recipient does not breach the APPs.[109]
11.97
It was noted that this would be impracticable in a number of
circumstances, particularly in sectors such as the travel industry. In such
industries, entities commonly deal with overseas organisations with whom it is
impracticable to enter into a contract, and situations in which it would not be
possible to obtain an individual's consent at short notice. For these reasons, the
Law Council and Qantas recommended that the NPP exceptions relating to the
transfer of information required under a contract be included in the APPs.[110]
11.98
The department stated that in partially adopting ALRC recommendation
31-2, the Government accepted that it was not necessary to include an exception
relating to fulfilling contractual obligations. In recommendation 31-2, the
ALRC stated that, under the 'Cross-border Data Flows' principle, an exception
to the concept of accountability should include where an agency or organisation
reasonably believes that the recipient of the information is subject to a law,
binding scheme or contract which effectively upholds privacy protections that
are substantially similar to the model Unified Privacy Principles. The department
went on to state:
The Government response to ALRC recommendation 31-2 stated
that the application of contractual obligations on the recipient of the
information does not provide an individual with any rights to take action under
the contract. It went on to comment that, while contracts are important
mechanisms for agencies and organisations to impose obligations upon
recipients, they should not provide an exception from the general
accountability obligations.
Further, it is clear that in the case of existing NPP 9(c)
and (d), which involves a contract between the individual and the organisation,
or a contract concluded in the interest of the individual between the
organisation and a third party, that the individual would consent to the
transfer of the information. Under the new APP 8(2)(b), consent of the
individual is an exception to the general prohibition under APP 8(1).[111]
Conclusions
11.99
The committee considers that it is reasonable to include exceptions to
APP 8 in particular circumstances. The first exception, APP 8(2)(a),
provides for an exception where similar law and enforcement mechanisms apply to
the overseas recipients. The ALRC recognised that one of the more significant
challenges faced by privacy regulators, is the ability to investigate breaches
of local privacy laws in foreign countries. In light of this, the Government
considered it appropriate that any law or binding scheme deemed to be
substantially similar to the APPs must have effective enforcement mechanisms in
order to be subject to the exception to the general accountability obligation.
The Government suggested that such enforcement mechanisms could be specifically
included in the law or binding scheme, or 'may take effect through the
operation of cross-border enforcement arrangements between the Office of the
Privacy Commissioner and an appropriate regulatory authority in the foreign
jurisdiction.' The committee notes that the OPC and the Australian Government
are already working to improve cooperative arrangements between privacy regulators
across jurisdictions in a variety of forums including the CPEA.[112]
11.100 In relation to
recommendations that a list of jurisdictions with similar privacy schemes be
provided, the committee notes the department's comments that the list will be
provided by the Government. However, the Government's expectation is that this
will be 'initial information' and that entities will 'be in the best position'
to find out about specific laws that apply to the overseas recipients they are
dealing with. While the committee acknowledges that as it is the entity that is
transferring the personal information overseas, it must be of a reasonable
belief that the overseas jurisdiction provides for similar privacy protections,
it may not always be possible for an entity to make such a judgment. The
committee therefore considers that the Office of the Australian Information
Commissioner should be available to assist entities in the interpretation of
overseas privacy laws.
11.101 The committee
considers that the 'consent' to cross-border transfers of personal information
provides entities with a significant exception. As such, the committee
considers that guidance on what constitutes consent particularly important and
the Office of the Australian Information Commissioner should address this issue
as a matter of priority. This matter is further discussed in chapter 3.
11.102 The committee
has some concerns with the exception provided to agencies under
APP 8(2)(d)–required or authorised by or under an international agreement.
The committee considers that the scope of this exception is unclear and in
addition, notes comments about its potential to undermine accountability and
scrutiny. While the Parliament has formal mechanism to refer treaties to the
Treaties Joint Standing Committee, this committee does not review sub treaty
level agreements. The committee therefore considers that use of this exception
by agencies should be subject to accountability mechanisms and parliamentary
scrutiny.
Recommendation 17
11.103 The committee
recommends that, when the Australian Government enters into an international
agreement relating to information sharing which will constitute an exception
under APP 8(2)(d), the agency or the relevant minister table in the
Parliament, as soon as practicable following the commencement of that
agreement, a statement indicating:
-
the terms under which personal information will be disclosed
pursuant to the agreement; and
-
the effect of the agreement on the privacy rights of individuals.
11.104 In relation to the
exception for law enforcement activities, the committee notes the OPC's
concerns that APP 8(2)(g) could be interpreted broadly and suggests that
the wording of this provision be revisited.
Recommendation 18
11.105 The committee
recommends that further consideration be given to the wording of the law
enforcement exception in APP 8(2)(g) to ensure that the intention of the
provision is clear.
Extra-territorial application of
the Privacy Act –section 19
11.106 Section 19
provides for the extra-territorial operation of the Act, that is the APPs will
apply if the agency or organisation has an Australian link.
11.107 Google Australia
Pty Limited (Google) agreed with the concept of 'Australian link' provided for
in the exposure draft, and Professor Greenleaf and Mr Waters expressed support
for the provision enabling the Privacy Commissioner to investigate acts and
practices which occur outside of Australia.[113]
The Australian Direct Marketing Association (ADMA) and Professor Greenleaf and
Mr Waters supported the extension of the protection under the
extra-territoriality provision to cover the personal information of those who
are not Australian citizens or permanent residents.[114]
11.108 Some submitters
noted that paragraph 19(3)(g), does not clearly state where collection is
deemed to have taken place.[115]
The OPC provided comments in relation to the collection of information in the
online context. The OPC pointed to the case where a person in Australia
provided information to an overseas-based organisation. The OPC suggested that
subsection 19(3) could clarify that:
...the Privacy Act applies to overseas acts or practices
where the personal information is collected from or held in Australia. This may
help to clarify that the Act applies where personal information is collected
via the internet from an individual who is physically in Australia. There may
also be alternative ways to clarify that personal information 'collected or
held in Australia' includes such information collected over the internet.[116]
11.109 The OPC concluded
that clarifying the scope of extra-territorial operation of the Privacy Act
would enhance the Office's ability to apply the Act in these circumstances.[117]
11.110 Alternatively,
two submitters suggested that, given that it is often difficult to ascertain the
location of the user, the place of collection should be 'the place at which the
information is collated and processed', therefore the provision should make it
clear that:
...information is "collected" at the place (that
is, in the jurisdiction) of the service provider collecting the information,
not the place where the user is or may be presumed to be at the time that the information
is collected.[118]
11.111 In its answers
to questions on notice, the department commented that international internet
services, such as entities engaged in online retail that sell to Australians,
would be required to comply with the APPs so long as they fulfilled both
branches of paragraph 19(3)(g). The department went on to state:
It is likely that sub-paragraph 19(3)(g)(i) would capture
businesses operating in Australia, but not businesses operating in foreign
jurisdictions that happen to engage in commerce incidental to their primary
purposes with customers in Australia.
Collection takes place for the purpose of the Act when data
is entered in Australia, regardless of the point of collation or processing. As
such, the place of collection affects whether the Act applies, and once
collection takes place s20, which sets out rules and responsibilities relating
to the disclosure of personal information to an overseas recipient would apply
with regard to acts or practices concerning the data collected.[119]
'Australian link'
11.112 Three submitters
expressed concerns with the extension of the extra-territoriality provisions
under section 19, as in practice this would mean that organisations with an
Australian link, and every subsidiary or related body corporate of such
organisations, will be subject to the APPs regardless of whether the information
they are processing 'does not touch Australia and does not relate to the
personal information of an individual in Australia.'[120]
Each submitter suggested different options for limiting the application of the
extra-territoriality provisions:
-
the Law Council recommended that the Act should only extend to
the acts and practices of an organisation under paragraph 19(3)(g) which relate
to 'personal information that was collected or held in Australia by the
organisation, or personal information about an Australian citizen or a
permanent resident';[121]
-
ADMA recommended that the extra-territoriality provisions be
limited to apply only to companies with a presence in Australia;[122]
and
-
the FSC suggested that the APPs should not apply to 'information
collected overseas by an entity that operates in Australia.'[123]
11.113 Further, the OPC
raised concerns that the definition of 'Australian link' in the exposure draft
differs slightly to the existing definition under the current legislation. The
OPC noted that:
As it refers to 'personal information' generally, it does not
appear to require that 'the' specific item of personal information that is
involved in a particular overseas act or practice was collected or held in
Australia. This may unintentionally imply that, once an organisation collects
or holds any personal information in Australia, an individual located overseas
could complain under the Privacy Act about the organisation’s acts or practices
outside Australia, in relation to any personal information the organisation
holds about the individual (even if that information was never collected or
held in Australia).[124]
11.114 The LIV noted
that, under section 19 of the exposure draft, the APPs will apply to an
organisation with an Australian link, however, under the current Privacy Act,
the NPPs apply to an organisation if the act or practice relates to the
personal information of an Australian citizen or permanent resident. The LIV
expressed concern that the change of emphasis in the exposure draft may result
in a reduction of protection for Australian citizens and permanent residents,
particularly if they provide information to an agency which does not have an
Australian link.[125]
11.115 The LCA also
noted that while the current provisions stating that an act or practice
required by an applicable law of a foreign country will not be taken as an
interference with privacy will be replicated in the new Act, the existing
provision, 'only applies to acts or practices required by foreign law (i.e.
response to subpoena or other legal compulsion), not acts permitted in that
jurisdiction.'[126]
11.116 The LCA expressed
concern that:
Disclosure under compulsion of Australian law is permitted,
but not disclosure under compulsion of foreign law. This compounds the problem
noted above, as (for example) a US office of an Australian corporation
responding to US court process could find itself in jeopardy under Australian
law (again, even if the data subject was not an Australian person or a person
living in Australia). The Committee recommends that disclosures required under
any law or legal process applicable to the organisation should be expressly
permitted.[127]
11.117 The department
responded to the LCA's concerns and stated:
The exposure draft APPs is just one part of the process of
amending the Privacy Act. As noted above, the Government intends for disclosure
by organisations with an Australian link (as per s 19(3)) under foreign law to
be a valid exemption from the operation of s 9(1).
Provisions for the operation of foreign law in this way are
currently enacted in section 13D of the Privacy Act. Since the policy intent
behind these provisions has not changed, they have been replicated in the new
APPs. Some minor issues relating to the definition of the law of a foreign
country need to be resolved before this takes place, but these will be further
revised in the reforms before they are brought before the Parliament.[128]
Conclusion
11.118 In relation to
the concerns raised by the LCA, the committee notes that as stated in the
Companion Guide, the policy achieved by subsection 6A(4) and section 13D of the
Privacy Act 1988, will be replicated in the new Act ensuring that if an
act or practice is required by an applicable law of a foreign country, it will
not be taken as an interference with privacy.
11.119 The committee
supports the concept of 'Australian link' as provided for in section 19. The
committee notes that the policy intent that for a person to complain about the
management about their personal information, that information must be held in
Australia or collected in Australia. However, the committee has noted that
there are concerns that this policy intent is not adequately expressed in
proposed section 19. The committee therefore considers that further
clarification on this matter is required.
Recommendation 19
11.120 The committee
recommends that section 19, relating to the extraterritorial application
of the Act, be reconsidered to provide clarity as to the policy intent of the
provision.
Acts and practices of overseas
recipients of personal information–section 20
11.121 Concerns were
raised about the liability imposed on an Australian entity for the actions of
an overseas entity, particularly, as under section 20 an entity is subject
to strict liability even if it has taken all reasonable steps to ensure the
overseas recipient complies with the APPs.[129]
The AFC noted that section 20 only applies if information is disclosed to an
overseas recipient under APP 8(1), but doesn't apply if the information is
disclosed under APP 8(2). As a result, if information is disclosed to an
overseas recipient under APP 8(2), it is the overseas recipient that
remains liable, not the disclosing entity.[130]
11.122 The ABA
considered this provision to be 'unreasonable' while Telstra noted that even if
the entity takes all reasonable steps, there is still the possibility that the
entity will not comply, which the Australian entity cannot prevent.[131]
The Australian Association of National Advertisers noted that in some cases
entities may have recourse through a contract but pointed to instances where,
for example, an overseas recipient's computers are hacked. The AANA suggested
that the provision is unfair if provision is not made for mitigating factors
for example, personal information was obtained through hacking.[132]
11.123 The committee
was provided with a range of suggestions to address the concerns raised:
-
the LCA recommended where the disclosure complies with
APP 8, the entity should not be liable for any acts done, or practices
engaged in, by the overseas recipient in relation to that information;[133]
-
the ABA suggested subsection 20(2) be qualified to limit
application of the phrase 'for the purposes of this Act' to refer to the
purposes of the compensation provisions of the Act, rather than the penalty provisions of the Act;[134]
-
Telstra suggested that section 20 impose an obligation on an
entity to 'use reasonable endeavours to ensure that the overseas recipient
remedies any act or omission that would otherwise constitute a breach of the
APPs';[135]
and
-
the AANA suggested that section 20 be amended to include
exemptions to deal with mitigating factors.[136]
11.124 The department
responded specifically to the AANA's comments and noted that unauthorised
disclosure of personal information that has been lawfully transferred to a
foreign entity via a breach of that foreign entity's data security would not,
under the new Privacy Act, be a breach of section 20 as the breach and
disclosure would not be an 'act or practice' of the foreign entity. The
department added:
The accountability of organisations which choose to transfer
data across borders as provided for in s 20 is a necessary condition for the
security of that data. Contracts in place between two entities involved in a
cross-border transfer of data do not provide adequate protections for the
individuals to whom the information pertains. As such, contracts are not an
acceptable mitigating factor for the purposes of s 20.[137]
11.125 The LCA raised
further concerns that the exposure draft does not specify a time period after
which an entity is no longer liable for the acts or practices of an overseas
recipient. In light of this, the LCA suggested that the liability imposed by
section 20 be limited in time and aligned with other statutory limitation
periods.[138]
11.126 Further, the ABA
voiced concern that an overseas data custodian, which has breached the APPs,
may be able to limit its liability to the Australian data collector under
Australia's proportionate liability laws.[139]
The department commented on this point and noted that there is not currently
any statutory limitation relating to the 'interference of privacy' that may
occur under section 20. As the Act has not previously envisaged judicial
enforcement (consistent with the principles-based nature of the Privacy Act),
limitation periods have not been a relevant factor.
11.127 The department
added that the ALRC has made a number of recommendations that the Australian Information
Commissioner be given stronger enforcement powers, for example, the power to
commence proceedings in the Federal Court or Federal Magistrates Court for
enforcement orders and civil penalties. The department concluded:
The Government has either accepted, or accepted in-principle,
these recommendations, and will be developing draft amendments to address these
issues. Relevant civil litigation rules that underpin this system, including
statutory limitation periods, will be considered as part of the development of
these amendments.[140]
11.128 Professor
Greenleaf and Mr Waters questioned the ability of individuals to prove that a
breach of the APPs has occurred in an overseas jurisdiction. They submitted
that section 20 should be amended to provide that:
...a breach by an overseas recipient should be a rebuttable
presumption if damage to the individual can reasonably be assumed to have
resulted from the export.[141]
11.129 Telstra
requested clarification regarding the possible application of APP 8 and
section 20 to personal information which has been lawfully published.
Telstra noted concern that if an overseas recipient accessed publicly available
personal information, the entity which lawfully published the information might
be held liable under section 20 for any inappropriate use of the
information by an overseas recipient.[142]
11.130 The National
Australia Bank (NAB), noted that it is unclear from the exposure draft how
APP 8 and section 20 interact if the APPs apply to the overseas
recipient, for example, if the overseas recipient is an entity with an
Australian link. According to NAB, it appears that section 20 would not
apply in these circumstances, however under APP 8(1) the entity would
still have to undertake reasonable steps to ensure that the overseas recipient
doesn't breach the APPs. Consequently NAB submitted that section 20(1) and
APP 8(1) should be made consistent to avoid confusion.[143]
11.131 The LIV raised a
similar issue with regards to the interaction between APP 8 and
section 19:
APP 8(2)(a)(i) states that an entity is not bound to take
reasonable steps to ensure that an overseas recipient of personal information collected
in Australia does not breach the APPs if the entity reasonably believes that
the overseas recipient is subject to a law or binding scheme that protects
privacy in a 'substantially similar way'. Clause 19, however, intends to extend
the application of the Privacy Act 1988 (Cth) to an act done, or
practice engaged in, outside Australia by an organisation that has an
'Australian link'. The LIV queries which provision prevails in circumstances
where an overseas entity is captured by both APP 8 and cl 19.[144]
Conclusion
11.132 The committee
received a range of comments in relation to section 20 in particular the
application of the section in practice. The committee considers that further
clarification is required, for example, through explanatory material to
accompany the legislation.
Recommendation 20
11.133 The committee
recommends that the Department of the Prime Minister and Cabinet develop
explanatory material in relation to the application of the accountability
provisions of section 20.
11.134 The committee
also notes that the department has indicated that the Government has accepted
the ALRC's recommendations in relation to stronger enforcement powers for the
Australian Information Commissioner. The committee awaits with interest the
exposure draft relating to the powers and function of the Information
Commissioner.
Navigation: Previous Page | Contents | Next Page