11 August 2008
The ALRC’s national consultation exercise clearly indicates that Australians are concerned about their personal information being sent or held overseas without their knowledge and consent. ALRC President, Professor David Weisbrot, said “This unease appears to reflect a general feeling by people that they are losing control over something deeply personal, with little ability to do anything about it, and few remedies if anything goes wrong overseas.”
It is now commonplace for major companies that deal with personal information, such as banks and credit card companies, to conduct their ‘back office’ processing of data overseas. Similarly, individuals increasingly purchase goods and services over the internet on sites based overseas, paying with a credit card.
“A seemingly simple purchase of a book or DVD from a popular website, such as Amazon.com, actually may involve personal information flowing across many jurisdictions, with identity and credit verification, data processing, stock checking and shipping all handled in different countries,” Professor Weisbrot said.
Professor Les McCrimmon, Commissioner in charge of the Privacy Inquiry, said that “While the Privacy Act provides some protection for personal information transferred to another country by businesses, it does not apply to government agencies—and there are general concerns about whether the law currently provides an adequate level of protection.”
For their part, business organisations told the ALRC they want to continue to be able to choose the most effective and efficient means of storing and processing customer data—and suggest this often means doing so overseas. Businesses wish to develop these practices further, without the time, trouble and cost of seeking regular customer consent to what they regard as routine cross-border data flows.
“Businesses and governments promoting the economic benefits of efficient information handling and increasing access to global markets for trade and labour need a framework that can facilitate cross-border data flows, while providing individuals with a level of assurance that this will not compromise the security or privacy of their personal information,” Professor McCrimmon said.
In For Your Information: Australian Privacy Law and Practice the ALRC recommends a new approach to cross-border data flows aimed at creating greater certainty for Australian businesses and individuals, and which balances the need to transfer information with the protection of an individual’s privacy.
The ALRC recommends that privacy laws should provide that an agency or organisation that transfers personal information about an individual outside Australia will remain responsible for the protection of that information. This will ensure that an individual has the ability to approach a local privacy regulator and seek redress from someone in Australia if the overseas recipient breaches the individual’s privacy.
There are three specific circumstances, however, when an agency or organisation should not remain responsible. These are when:
- the agency or organisation reasonably believes that the recipient of the information is subject to privacy protections that are of a similar standard to Australia’s;
- the individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be responsible; or
- the agency or organisation is ‘required or authorised by law’ to transfer the personal information.
These qualifications will allow, for example, agencies and organisations to deal with any liability through contracts with the recipient of the personal information. Similarly, agencies and organisations will be allowed to transfer information overseas when they are required to do so by law—for example, during extradition proceedings or public health emergencies.
For more information about cross-border data flow see Chapter 31 of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008).