Content of the model ‘Cross-border Data Flows’ principle

Accountability

31.93 Professor Greenleaf, Nigel Waters and Associate Professor Lee Bygrave submitted that the six conditions under NPP 9 will generally be sufficient to allow any legitimate transfer overseas of personal information, even when those transfers may harm the interests of the data subjects concerned. They argued that data exporters should remain liable for breaches of privacy by data importers under most circumstances.[140]

31.94 Unisys submitted that:

As a leading provider of outsourced services in Australia and internationally, it is our experience that there is a gap between public perception and operational reality in the way that business and government treat personal information. Organisations are investing heavily to ensure that data is secure, whether handled directly or by third parties, whether onshore or offshore—including in physical and enterprise security, as well as HR/Hiring policies. Stipulating liability for information sent overseas would also encourage greater transparency on the measures that are planned and in place. Governments and commercial enterprises have an imperative to build confidence amongst the citizens and customers with whom they interact.[141]

31.95 One option is to amend the Privacy Act to introduce an ‘accountability’ concept in the proposed ‘Cross-border Data Flows’ principle. In DP 72, the ALRC suggested that this could be achieved by providing that agencies and organisations will continue to be liable for any breaches of the proposed UPPs when an individual’s personal information is transferred outside Australia.

Accountability under APEC

31.96 The APEC Privacy Framework provides that, when transferring personal information, a ‘personal information controller’ should be accountable for the protection of that personal information consistently with the APEC Privacy Principles, even if the information moves from one jurisdiction to another.[142] The Commentary on Principle 9 states:

When transferring information, personal information controllers should be accountable for ensuring that the recipient will protect the information consistently with these Principles when not obtaining consent. Thus, information controllers should take reasonable steps to ensure the information is protected, in accordance with these Principles, after it is transferred. However, there are certain situations where such due diligence may be impractical or impossible, for example, when there is no on-going relationship between the personal information controller and the third party to whom the information is disclosed. In these types of circumstances, personal information controllers may choose to use other means, such as obtaining consent, to ensure that the information is being protected consistently with these Principles. However, in cases where disclosures are required by domestic law, the personal information controller would be relieved of any due diligence or consent obligations.[143]

31.97 Margaret Eisenhauer stated that ‘APEC approach-based laws will recognise that global data flows are facilitated if the laws focus on ensuring that local companies are accountable for data processing activities’.[144] Gehan Gunasekara discusses the ‘hiatus’ in current privacy regulation and argues:

The principles as to onward transfer are, of necessity, open-ended. They point to the imperative for proactive measures to be adopted in future to close any privacy loopholes and lead inexorably to cross-jurisdictional paradigms. Far from being a solution, the existing jurisdictional approaches are therefore merely a pointer to future developments.[145]

31.98 While the APEC Privacy Framework introduces the principle of accountability, as discussed above, its approach to cross-border implementation is flexible. The Framework states that ‘the means of giving effect to the Framework may differ between Member Economies’.[146] Member Economies are encouraged to ‘share experiences on various techniques in investigating violations of privacy protections and regulatory strategies’.[147] Emphasis also is placed on cross-border cooperation in investigation and enforcement.[148] Australia is taking a lead role in APEC Data Pathfinder Projects to develop co-mechanisms for such cooperation, as discussed above.[149]

Accountability under the model ‘Cross-border Data Flows’ principle

31.99 To what extent should agencies and organisations remain liable when transferring personal information outside Australia? The approach to accountability under the APEC Privacy Framework is innovative in that it is based on the idea that ‘accountability should follow the data’.[150] The flexibility in its approach to cross-border implementation may mean that currently, in practice, the framework cannot deliver a sufficient level of protection for Australians in relation to cross-border data flows. Of particular relevance is Greenleaf’s objection to the ‘non-prescriptive’ approach to the implementation aspects of Part IV of the Framework which, he says, ‘exhort[s] APEC members to implement the Framework without requiring any particular means of doing so, or any means of assessing whether they have done so’.[151]

31.100 As discussed above, there are currently no data protection laws in key economies such as India and China.[152] Further, India is not a member economy of APEC.[153] Robertson states, in relation to China, that:

China’s response to the APEC Privacy Framework has not been positive, and China is not participating in the APEC Data Privacy Pathfinder program, although the reasons for this are not clear.[154]

31.101 It is important that the personal information of Australians is protected adequately when it is subject to cross-border transfer. Svantesson argues for a model of strict liability for data exporters.[155] He argues that ‘by imposing this liability, it can be anticipated that data exporters will take greater care in selecting to whom they will export personal information’.[156] Similarly, Professor Fred Cate notes that:

Users of personal information—whether in the public or private sectors—frankly are not very interested in meaningful, third-party accountability …

The absence of rational, effective accountability systems undermines privacy and consumer confidence.[157]

31.102 It has been suggested that the conception of privacy as a ‘key reputational risk’ is an important consideration for organisations.[158] Commentators on business ethics have noted that ‘somehow we need to determine who is responsible for business practices, both commendable and questionable ones’.[159]

31.103 Also relevant is Blair Stewart’s observation about the way in which individuals typically make complaints and the factors which may impact on the progress of such complaints.

Instinctively, the individual may complain to the local institution with which he or she is most familiar. That enforcement authority may consider the complaint to be outside its jurisdiction. In such a case, does it consult an overseas authority on the complaint and transfer it? Or does it simply notify the complainant that it is beyond its jurisdiction and suggest that the individual take the matter up elsewhere?

The scenario might also be complicated if either jurisdiction has no enforcement authority or if the authority in the other jurisdiction is of a different kind (such as a web seal programme or self regulatory body). These problems are by no means insurmountable but there is a considerable likelihood that the complications and difficulties will discourage either the local authority from taking any steps at all or leave the individual unable to obtain meaningful redress.[160]

Discussion paper proposal

31.104 In DP 72, the ALRC proposed the introduction of the concept of accountability into the ‘Cross-border Data Flows’ principle, linking it to clauses (c)–(f) of NPP 9. In developing the blended proposal, the ALRC modified existing clauses (c) and (f) of NPP 9 to address concerns raised by stakeholders.[161]

31.105 The ALRC proposed that NPP 9(c) be amended to provide that the transfer of personal information overseas, where necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request, should be within the ‘reasonable expectations’ of the individual. The ALRC also proposed that NPP 9(f) be amended to require that before a transfer takes place, an agency or organisation must take reasonable steps to ensure that the information will not be handled by the recipient of the information inconsistently with the proposed UPPs. The ALRC did not propose any changes to clauses NPP 9(d) and (e).[162]

31.106 In DP 72, the accountability limb of the ‘Cross-border Data Flows’ principle proposed by the ALRC provided that an agency or organisation in Australia or an external territory may transfer personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia if:

(c) the agency or organisation continues to be liable for any breach of the proposed UPPs; and

(i) the individual would reasonably expect the transfer, and the transfer is necessary for the performance of a contract between the individual and the agency or organisation;

(ii) the individual would reasonably expect the transfer, and the transfer is necessary for the implementation of pre-contractual measures taken in response to the individual’s request;

(iii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the agency or organisation and a third party;

(iv) all of the following apply: the transfer is for the benefit of the individual; it is impracticable to obtain the consent of the individual to that transfer; and if it were practicable to obtain such consent, the individual would be likely to give it; or

(v) before the transfer has taken place, the agency or organisation has taken reasonable steps to ensure that the information will not be dealt with by the recipient of the information inconsistently with the proposed UPPs.[163]

Submissions and consultations

31.107 A number of stakeholders supported the introduction of the concept of accountability into the ‘Cross-border Data Flows’ principle.[164] The Department of Broadband, Communications and the Digital Economy noted that the proposed accountability concept ‘would go some way to addressing the issue’ it had raised previously; namely, the ‘inherent difficulties in imposing legal responsibility upon an overseas recipient of personal information to use or disclose that personal information in a manner that is consistent with NPPs’. It noted that the onus would be on the agency or organisation to mitigate their liability in contractual arrangements with the recipient of personal information.[165]

31.108 The Cyberspace Law and Policy Centre expressed its support for the concept of data exporters remaining liable, which in its view was a ‘significant’ change.[166] Another stakeholder noted the difficulty for individuals of pursuing their privacy rights in foreign countries, in particular, that there is often no way to verify compliance.[167] The Australasian Compliance Institute pointed out that, currently, the Privacy Act maynot allow for situations where a third party is appointed to undertake services and outsources to another third party, who may be an overseas service provider.[168]

31.109 There was also a significant amount of opposition to the proposed introduction of accountability, particularly from organisations.[169] A number of stakeholders argued that the protection afforded by NPP 9 was adequate.[170]

31.110 The ABA raised questions about the potential operation of an accountability concept under the Privacy Act.

It is unclear how the organisation can remain liable for breaches of the UPPs by a third party when that third party is not bound by UPPs and therefore incapable of breaching them. It is unclear whether the organisation is to continue to be liable for any breaches of the UPPs pursuant to its contract with the data subject or if the legislation is to impose this liability. The ABA assumes that the former is the case so that the voluntary assumption of liability by the transferor organisation by contract with the individual concerned would trigger the exceptions in sub-paragraphs (i) to (iv) that appear to be written disjunctively…

Further, if the legislation imposed liability on an organisation for a transborder third party’s breach of the UPPs independently of contract, it is unclear why any of the circumstances as set out in sub-paragraphs (i) to (v) are necessary because the organisation would be liable in any event.[171]

31.111 In the ABA’s view, a transferor organisation should be able to ‘resist liability if it can show it did not act irresponsibly in initiating the transfer’. The ABA noted that the proposal did not provide any scope for the transferor to advance any defence to liability.[172]

31.112 GE Money also disagreed with the proposal, stating that it should be ‘sufficient that an organisation has taken reasonable steps to ensure that the information will not be dealt with by the recipient of the information inconsistently with the proposed UPPs’.[173] One stakeholder strongly objected to the proposal that an organisation be liable for ‘downstream breaches’ on the basis that ‘such a condition would be unfair, inappropriate and impractical and would have arbitrary effects’.[174]

31.113 In ANZ’s view, while the proposal would preserve its ability to send personal information about an individual offshore, it would be unreasonable for an organisation to continue to be liable for breaches of the UPPs by a third party. ANZ submitted that, where third party breaches occur, ‘flexibility should be retained (determined by the relevant contract)’ as to whether the organisation, or third party, should be responsible for ‘determining whether the breach is capable of causing serious harm’ and ‘completing notification procedures’.[175]

31.114 Microsoft submitted that the proposed UPP was less conducive to the free flow of information than NPP 9, because it required regulated entities to satisfy the APEC notion of accountability, in addition to some of the existing conditions in NPP 9. It submitted, however, that:

Microsoft’s view is that the APEC notion of accountability alone is sufficient to regulate transborder data flows. Put another way, there is no need to include conditions of transfer such as those set out in … (i) to (v) … if the organisation transferring the personal information remains accountable for the data. In Microsoft’s opinion, the APEC notion of accountability helps to assuage individuals’ concerns regarding offshore transfers of their personal information without imposing unnecessary burdens on transborder data flows. Such an approach also provides organisations with the flexibility to decide how they comply with this requirement, while still providing the individual with an appropriate level of privacy protection.

Microsoft therefore urges the ALRC to reconsider its proposed approach to the regulation of transborder data flows having regard to the crucial goal of harmonisation with international instruments such as the APEC Privacy Framework.[176]

31.115 Some agencies raised particular concerns. The Department of Foreign Affairs and Trade (DFAT) suggested that an exception similar to that in the proposed ‘Use and Disclosure’ principle be included in the ‘Cross-border Data Flows’ principle, namely where: use or disclosure is reasonably necessary to prevent a threat to life or health or safety; or public health or public safety. DFAT stated that it often ‘encounters cases where the disclosure of personal information would benefit a third party rather than the individual concerned’.[177] An example of this is where DFAT is asked to provide information to foreign authorities in relation to an Australian national if there are concerns regarding that person’s capacity to care for his or her children. The Department of Defence noted that Australia is committed to operational deployments and joint military exercises with a number of foreign governments. It submitted that disclosure of information to foreign forces is required in order to support these engagements, but that the proposal did not seem to have application in this context.[178]

31.116 Some stakeholders addressed the drafting of particular limbs of the accountability clause. The Cyberspace Law and Policy Centre noted that the conditions in proposed clause (c)(i)–(iv) were not contentious because they were similar to those in art 26(1) of the EU Directive. It supported the use of the term ‘reasonable expectations’ of the individual in proposed clause (c)(i) and (ii), on the basis that it would make it more likely that agencies and organisations will make the likelihood of overseas transfers subject to explicit notice.[179] Another stakeholder, however, objected to the addition of the ‘reasonable expectations’ test in relation to the performance of contracts.[180]

31.117 Regarding the requirement in proposed clause (c)(iv) that ‘consent would be likely to be provided’, one stakeholder submitted that often others interpreted that phrase ‘in their favour and against my own wishes known and unknown’.[181] PIAC also opposed proposed clause (c)(iv), on the basis that an agency or organisation should not be able to presume that a cross-border transfer is for the benefit of an individual or that an individual would be likely to consent.[182] One stakeholder argued that the requirements relating to the ‘interests of’ or ‘benefits of’ individuals should not be retained. The stakeholder argued that this is a judgment that is extremely difficult for an organisation to make and called for clearer criteria.[183] Privacy NSW supported the ALRC’s proposal, but submitted that an objective test regarding the ‘benefit of the individual’ should be included in the model UPP or, alternatively, that the OPC should provide guidance as to when a transfer would benefit the individual.[184]

31.118 PIAC and the Cyberspace Law and Policy Centre expressed support for the requirement in proposed clause (c)(v), that an agency or organisation must take steps before a transfer takes place.[185] The Cyberspace Law and Policy Centre argued, however, that proposed clause (c)(v) should not be seen as alternative basis for transfer—instead, it should apply to all transfers, other than those covered by proposed clause (a), relating to substantially similar privacy protections.[186] The ABA submitted that there was an ‘uncertain relationship’ between proposed clause (a) and clause (c)(v) which needed to be clarified. In the ABA’s view, it should be clear that the transferor’s knowledge of the existence of an overseas regime similar to the Privacy Act should be sufficient to satisfy clause (c)(v).[187]

ALRC’s view

31.119 In line with principles-based regulation, and to ensure consistency with the other model UPPs, the ALRC recommends the introduction of a general principle of accountability in the ‘Cross-border Data Flows’ principle. In DP 72, the proposal linked accountability to a range of elements which currently form part of NPP 9. In the ALRC’s view, if organisations are to remain liable, these elements are superfluous and do not provide a greater level of privacy protection. The principle recommended by the ALRC has been streamlined to strip away these elements. It also responds to stakeholder views that accountability should operate more simply under the ‘Cross-border Data Flows’ principle.

31.120 Accountability should operate as the default position in relation to cross-border transfers of personal information. This policy position is warranted both by the high level of community concern attaching to cross-border transfers of personal information and the nature of the risks associated with such transfers. The benefit of this approach is that it does not prevent information from being transferred. Instead, it requires agencies and organisations to remain responsible for personal information when transferred. There are three circumstances, however, when an agency or organisation should not remain accountable. These are when the:

  • information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to the UPPs;

  • individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or

  • agency or organisation is required or authorised to transfer the personal information by or under law.

31.121 This will allow, for example, agencies and organisations to mitigate their liability through contractual arrangements with the recipient of the personal information. These exceptions also will address the concerns of agencies discussed above.

31.122 The ALRC’s recommended approach to accountability under the ‘Cross-border Data Flows’ principle draws on the APEC concept of accountability, but takes it further. As Greenleaf argues, the APEC Privacy Framework is ‘a floor not a ceiling’.[188] The ALRC’s recommended approach provides for an agency or organisation to remain responsible under Australian privacy law in respect of the actions taken by a recipient of personal information outside Australia. Placing responsibility on the agency or organisation transferring the personal information ensures that an individual has the ability to seek redress from someone in Australia if the recipient breaches the individual’s privacy. Further, the individual will be able to approach a local regulator, rather than have to seek protection under a foreign law, which may not provide the same level of protection as a local law.[189]

31.123 The general principle of accountability should mean that an agency or organisation will be responsible under the Privacy Act for the acts and practices of a recipient of personal information the subject of a cross-border transfer. That is, where an agency or organisation transfers information to a recipient outside Australia, if the acts or practices of that recipient in respect of the personal information would have amounted to an interference with the privacy of an individual if done in Australia, they should constitute an interference with the privacy of individual for the purposes of the Privacy Act. Further, the acts or practices of the recipient should be taken to be the acts or practices of the relevant agency or organisation for the purposes of the Privacy Act.

31.124 This approach gives substance to the general principle of accountability. It will trigger the complaint and investigation mechanisms under Part V of the Privacy Act and so provide access to remedies such as a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by a complainant, or a declaration that a complainant is entitled to a specified amount of compensation.[190] Consequential amendments to Division 1 of Part III of the Privacy Act also may be required.

31.125 The ALRC’s recommended approach to accountability is consistent with the APEC preamble[191] and the success criteria for the APEC Privacy Framework.[192] Also, the recommended exceptions to the general principle of accountability are in line with the commentary on Principle 9 of the APEC Privacy Framework.[193] Similarly, APEC’s mechanisms for investigation[194] are consistent with the ALRC’s model of accountability. They are conducive to the effective operation of the general principle of accountability, in that cross-border cooperation will be required to facilitate the investigation of incidents occurring outside Australia.

31.126 The limbs of the ‘Cross-border Data Flows’ principle recommended by the ALRC are now addressed in turn.

Substantially similar privacy protections

‘Reasonably believes’

31.127 NPP 9(a) states that an organisation may transfer personal information to someone overseas where it ‘reasonably believes’ the recipient is subject to a law, binding scheme or contract that effectively upholds principles substantially similar to the NPPs. In contrast, art 25 of the EU Directive provides that the country in question must have an adequate level of protection. Greenleaf has noted that NPP 9 only requires that an organisation reasonably believes that the foreign country has an arrangement that ‘effectively upholds’ privacy principles, not that there are enforcement mechanisms that are substantially similar to the Privacy Act.[195]

31.128 The OPC Guidelines to the NPPs state, in relation to NPP 9:

Given that transferring personal information overseas may remove it from the protection of Australian law, an organisation relying on NPP 9(a) … may need to be in a position to give evidence about the basis on which it decided that it has met the requirement of ‘reasonable belief’ …

Getting a legal opinion would be a good way for an organisation to get such evidence.[196]

31.129 The ALRC did not propose amendment of the ‘reasonable belief’ test in DP 72. Instead, it proposed that the Australian Government publish a list of laws and binding schemes for the fair handling of personal information that are substantially similar to the proposed UPPs.[197] The ALRC also proposed that the OPC should publish guidance on what constitutes a ‘reasonable belief’.[198]

Submissions and consultations

31.130 There was some stakeholder support for the retention of the current condition in NPP 9(a).[199] For example, the Australian Collectors Association stated that it provides the consumer protection necessary to ensure appropriate handling of personal information.[200] The National Australia Bank submitted that, for the purposes of the ALRC’s proposed clause (a), reliance on the list detailed in DP 72[201] should constitute a ‘reasonable belief’.[202]

31.131 Some stakeholders expressed reservations.[203] The Australasian Compliance Institute, for example, submitted that because the terminology ‘reasonably believes’ in clause (a) is open to interpretation, robust guidance on what constitutes ‘reasonably believes’ should be available.[204] PIAC submitted that the test is ambiguous, and is unlikely to be explained by OPC guidance. PIAC preferred the formulation adopted in the EU Directive, namely that the country to which information is to be transferred must have an adequate level of protection. Alternatively, there should be an explanation in the Act or regulations of what constitutes ‘reasonably believes’. PIAC also submitted that the term ‘effectively upholds’ needs clarification—it should not include self-regulatory schemes.[205]

31.132 One stakeholder disagreed with the ALRC’s proposed clause (a) on the basis that ‘believing is not quite the same thing as knowing’. The stakeholder claimed that clause (a) was

not good enough … Also other countries interpret some basic standards differently. What would be considered entrepreneurial competitiveness in some parts of the world would be considered unethical, cheating or bribing behaviour in Australia.[206]

31.133 DFAT stated that it is often required to disclose personal information to persons or bodies located overseas.

In many situations the Department would be unable to state with assurance that the information disclosed would be handled in accordance with a law or scheme which would uphold principles similar to those in the Privacy Act. In such situations, where the transfer of information is beneficial to the individual (where he or she may be detained or receiving medical treatment overseas and it is not possible to obtain his or her consent), the Department should not have to remain liable for breaches of any of the UPPs.[207]

31.134 The Australian Communications and Media Authority (ACMA) was concerned about the ‘practicality and reasonableness’ of the term ‘reasonable belief’, in the context of its international anti-spam information-sharing activities. Also, the ‘speed with which spammers can relocate operations often means that enforcement agencies and regulators have limited time for effective information-sharing’. ACMA submitted:

If the proposed conditions were introduced, ACMA may be placed in a position of having to undertake extensive analysis of the law of those countries before it could share information. The practical outcome of these conditions would be that such information-sharing would rarely occur, as the extended timeframe in which the conditions could be met would mean that the utility of the information would have expired by the time the conditions had been fulfilled.[208]

31.135 On the other hand, the Department of Families, Housing, Community Services and Indigenous Affairs submitted that proposed clause (a) was reasonable and, for this reason, did not expect that it would present any substantive issues for it, or for management of programs and data by their business partners in Centrelink.[209]

ALRC’s view

31.136 It should be an exception to the default position of accountability if the agency or organisation transferring the personal information outside Australia reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to the model UPPs.

31.137 The ALRC does not recommend that any change be made to the ‘reasonable belief’ test. It does recommend, however, that the Australian Government should develop and publish a list of laws and binding schemes that effectively uphold principles for fair handling of personal information that are substantially similar to the model UPPs.[210] This will go a long way to creating certainty about when the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles substantially similar to the NPPs. It will address the resource implications for agencies and organisations who currently must undertake such inquiries independently.

31.138 The question of whether the test of ‘reasonable belief’ is satisfied, however, may involve considerations relating to the level of enforcement of a relevant law, binding scheme or contract, which may not be answered solely by their inclusion on the proposed list. This is implicit in the term ‘effectively upholds’. For example, if a country is included on the relevant list as having laws with a substantially similar level of privacy protection, but an organisation is aware that there is no mechanism for enforcement of those laws, it may be that the organisation could not demonstrate a ‘reasonable belief’ for the purposes of the ‘Cross-border Data Flows’ principle. This is not to say that an agency or organisation always needs to make inquiries about the mechanisms for enforcement of privacy laws in other jurisdictions, but rather that the question of whether an agency or organisation has a ‘reasonable belief’ may involve considerations other than whether the relevant law, binding scheme or contract is on the proposed list. This question will need to be resolved on a case-by-case basis.

31.139 The OPC’s guidance on the recommended ‘Cross-border Data Flows’ principle should include guidance on what constitutes a ‘reasonable belief’.[211] Obtaining legal advice is one way this requirement could be satisfied.

31.140 The ALRC acknowledges the concerns raised by some stakeholders, in relation to this aspect of the principle, that they may be required to transfer personal information to jurisdictions outside Australia, but are unable to state with assurance that such jurisdictions offer substantially similar privacy protection. The ‘required or authorised by or under law’ exception, discussed below, will allow agencies and organisations to transfer personal information where required or authorised by or under law to do so, thereby removing the need for them to rely on proposed clause (a) in many instances. In any case, the ‘Cross-border Data Flows’ principle recommended by the ALRC would not prevent the information being transferred by agencies. Rather, its effect would be that such agencies would remain responsible under the Privacy Act for the handling of that personal information after transfer.

Consent

31.141 A number of commentators have raised concerns about the operation of consent in the context of cross-border data flows.[212] Professor Peter Blume argued that, ‘in connection with a particular transfer it will often be doubtful whether the data subject can be sufficiently informed and thereby able to fully understand the consequences of consent’.[213] Gunasekara states:

In any event, it is trite to say that informed consent is necessary. However, consent cannot be truly informed unless the data subject is aware, at the outset, of all the downstream uses to which the information will be put, making it difficult at least to use this as the basis for allowing the transfer of data overseas.[214]

31.142 Svantesson argues that the greatest weakness of NPP 9 arises out of the approach to consent in the Privacy Act—‘to put it bluntly, consent is the miracle cure that cures virtually any abuse possible under the NPPs’.[215] While he notes that this approach has ‘logical appeal’ and is probably based in the ‘law seeking to provide for party autonomy’, he argues it is ‘fundamentally flawed’.[216] In Svantesson’s view, consent to cross-border data flows is ‘rarely sufficiently informed’.[217] He argues that an individual needs to know the country to which their personal information is to be transferred in order to provide informed consent.

31.143 Svantesson refers to the case of E v Money Transfer Services as an illustration of the ‘weakness of the consent requirement’, noting that it is the only reported decision of the OPC that deals with this aspect of NPP 9.[218] In that case, the complainant sought to send Australian currency to their family using a money transfer service. That money transfer service was incorporated in a foreign country and was subject to a subpoena issued by a regulatory body in that country. Under the subpoena, the service was required to provide customer information to the regulatory body, if an individual’s name matched a list of ‘persons of interest’. The complainant’s name matched a name on that list. The money transfer service contacted its Australian subsidiary and asked for further personal information (such as the complainant’s driver’s licence and passport details) for the purposes of identity verification. The complainant was advised both that the transaction had been halted and of the purpose for which he or she needed to provide the further information before the transaction could proceed. The Privacy Commissioner determined that, as the complainant provided the necessary documentation on an informed basis—that is, the complainant was aware that the information would be disclosed to the foreign money service—the complainant’s consent to the transfer could be implied from the complainant’s actions and the transfer did not breach NPP 9.[219]

31.144 In DP 72, the ALRC did not propose a change to the consent requirement in relation to cross-border data flows specifically. It did address consent as it operates generally under the Privacy Act, however, and proposed that the OPC provide guidance about what is required of agencies and organisations to obtain an individual’s consent.[220]

Submissions and consultations

31.145 Stakeholders who commented on this issue generally called for tighter requirements with respect to consent. PIAC noted, in this context, the high level of concern among Australians about their personal information being transferred outside Australia.[221] A number of stakeholders submitted that the reference to ‘consent’ should include only express consent, not implied or bundled consent, particularly as consent absolves the relevant agency or organisation from liability.[222] The OVPC submitted that consent should be express in relation to the ‘specific possibility’ of cross-border data flows.[223]

31.146 In addition, a number of stakeholders called for informed consent[224] and submitted that in order for consent to be fully informed, an individual should be advised of the countries to which information is to be transferred and the fact that the transferor is disclaiming liability by using the ‘consent’ exemption.[225] The Cyberspace Law and Policy Centre submitted:

Another major flaw in the proposed consent exception is that the ALRC anticipates that it would relieve the agency or organisation from any liability for how the information is handled overseas. This approach completely overlooks the fact that individuals will typically have absolutely no capacity to sensibly assess the risks associated with transborder data flows. [226]

31.147 The Australian Privacy Foundation and the Cyberspace Law and Policy Centre also argued that the consent exemption should be conditional upon the obligation in clause (c)(v), discussed above in relation to accountability, that, before transfer, reasonable steps be taken to ensure that data will be protected.[227]

31.148 Some stakeholders expressed an alternative view. For example, the ABA submitted that the ability to infer consent should be built into the ‘Cross-border Data Flows’ principle.[228] Another stakeholder noted that, if a general principle of accountability was implemented, it would ‘where possible, seek to rely on the consent exception in relation to the transfer of personal information outside Australia so as to minimise its liability for any breaches of the UPPs outside Australia’. The stakeholder noted, however, that it is not always practical to obtain consent, nor is it always clear whether a person has consented to a particular transfer of personal information to someone outside Australia. It submitted that, to ensure compliance with the consent exemption, extensive disclosure may be required.[229]

ALRC’s view

31.149 In Chapter 19, the concept of consent is discussed in detail, including the necessary elements of consent and the issues associated with ‘bundled consent’. The ALRC recommends that the OPC develop and publish guidance about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act in specific contexts.[230] The cross-border transfer of personal information provides one such context. Any bundled consent obtained should allow the individual to decide whether to consent to the cross-border transfer of their personal information. OPC Guidance relating to bundled consent should specifically address the mechanism of ‘bundled consent’ in relation to cross-border data flows.[231]

31.150 As noted in Chapter 19, the requisite elements of consent are that it be voluntary and informed. Under the recommended ‘Cross-border Data Flows’ principle, consent not only permits personal information to be transferred, it takes the individual’s personal information outside the default position of accountability under the recommended principle. For this reason, more detailed consent requirements may be justified. For consent to be informed in this context, an individual should be made aware of the legal consequences of providing consent. In order for an agency or organisation to be able to demonstrate that informed consent was obtained, it may be advisable, where practicable, for the agency or organisation to seek a written acknowledgement from the individual in this regard.

31.151 Informed consent also requires that an individual be advised of the countries to which their information may be sent. The ALRC recommends that an organisation’s Privacy Policy include this information.[232] The requirements under the ‘Notification’ principle in the model UPPs, discussed in Chapter 23, would extend to notifying an individual if his or her personal information might be transferred outside Australia.

Application of the ‘Cross-border Data Flows’ principle to agencies

31.152 The Privacy Act does not regulate the transfer of personal information outside Australia by agencies. Some state and territory privacy legislation contains a cross-border data flows principle that regulates the public sector in those jurisdictions,[233] and a number of overseas jurisdictions impose obligations concerning cross-border flows on both public and private sector bodies.[234]

31.153 The ALRC proposed, in DP 72, that the ‘Cross-border Data Flows’ principle should apply to agencies and organisations.[235] The vast majority of stakeholders supported this proposal.[236] For example, Medicare Australia submitted that individuals should be entitled to expect the same level of protection from agencies as from organisations.[237]

31.154 In the ALRC’s view, the ‘Cross Border Data Flows’ principle should apply expressly to acts done, or practices engaged in, by agencies.

Recommendation 31–1 (a) The Privacy Act should be amended to clarify that it applies to acts done, or practices engaged in, outside Australia by an agency.

(b) The model Unified Privacy Principles should contain a principle called ‘Cross-border Data Flows’ that applies to agencies and organisations.

Transfers ‘required or authorised by or under law’

31.155 A cross-border data flow principle that applies to agencies will need to provide for offshore transfers in certain circumstances.[238] The Personal Information Protection Act 2004 (Tas), Information Act 2002 (NT) and the Information Privacy Bill 2007 (WA)[239] provide that a state or territory agency may transfer information outside that jurisdiction if the transfer is ‘required or authorised by or under law’.[240] The Privacy Act 1985 (Canada) provides that Canadian governmental bodies may not disclose the personal data of individuals without their consent, subject to a number of exceptions, including disclosures made

under an agreement or arrangement between the Government of Canada or an institution thereof and … the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation.[241]

Cross-border transfers of personal information required or authorised by federal Acts

Required by or under law

31.156 Some federal legislation imposes requirements on agencies and organisations to transfer personal information outside Australia in certain circumstances, for example, the:

  • National Health Security Act 2007 (Cth);[242] and

  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).[243]

Authorised by or under law

31.157 A number of federal Acts authorise cross-border transfers of personal information, for example, the:

  • National Health Security Act 2007 (Cth);[244]

  • Communications Legislation Amendment (Information Sharing and Datacasting) Act 2007 (Cth);[245]

  • Trade Practices Act 1974 (Cth);[246]

  • Australian Federal Police Act 1979 (Cth);[247] and

  • AML/CTF Act.[248]

31.158 In addition, some legislation authorises disclosure for the purposes of international agreements or treaties, for example, the:

  • International Tax Agreements Act 1953 (Cth); [249] and

  • Social Security (Administration) Act 1999 (Cth).[250]

Discussion Paper proposal

31.159 In DP 72, the ALRC indicated that, should the ‘Cross-border Data Flows’ principle apply to agencies, an agency should not be liable for the transfer of personal information if it is necessary for law enforcement purposes. It noted that, in many cases, an agency will have no choice but to transfer information overseas, for example, for the purpose of a police investigation. The ALRC expressed the preliminary view that the law enforcement exception should not be worded as broadly as ‘required or authorised by or under law’. The ALRC was concerned that such an exception might be too permissive in the context of transfer to overseas jurisdictions that may not have a similar level of privacy protection to Australia. It proposed, therefore, that the ‘Cross-border Data Flows’ principle should include a provision mirroring the law enforcement exception under the ‘Use and Disclosure’ principle (the ‘law enforcement exception’).[251]

Submissions and consultations

31.160 The general consensus of stakeholders was that the proposed ‘law enforcement exception’ was too narrow and that a ‘required or authorised by or under’ law exception was both appropriate and warranted.[252] For example, the OPC submitted that ‘legitimate agency transfers would be more appropriately dealt with by a “required or specifically authorised by or under law” provision’. In the OPC’s view, such a condition would bring clarity and certainty to agencies whose enabling acts allow for disclosures and transfers overseas of personal information for particular purposes.[253] A large number of other agencies called for a ‘required or authorised by or under law’ exception. These included the following:

  • the AFP, which called for an exception that allowed it to perform all of its functions under the Australian Federal Police Act—for example, disaster victim identification, the location of missing persons and provision of assistance to foreign law enforcement agencies for the purposes of enforcing foreign law—and expressed concern that such functions would not be caught by the proposed ‘law enforcement exception’;[254]

  • ACMA, which expressed the view that the proposed ‘law enforcement exception’ may have the ‘unintended consequence of impeding ACMA’s statutory authority to disclose information relating to anti-spam activity to overseas agencies and organisations’ under Part 7A of the Broadcasting Services Act 1992 (Cth);[255]

  • the Australian Taxation Office (ATO), which noted that it is obliged under various international treaties (made part of Australian domestic law under the International Tax Agreements Act) to provide information to overseas taxing authorities, if requested to do so by these agencies and submitted that its ability to honour those obligations should not be inhibited;[256]

  • Centrelink, which indicated conditional support for the proposal on the basis that the ‘Cross-border Data Flows’ principle allowed the transfer of personal information outside Australia under obligations in the Social Security (Administration) Act that relate to international agreements;[257] and

  • theDepartment of Human Services, which called for an exception which would allow it to make disclosures necessary for compliance with an international treaty or other international agreement relating to maintenance obligations arising from family relationship, parentage or marriage, for example, under s 121B of the Child Support (Registration and Collection) Act 1988 (Cth).[258]

31.161 The point also was made in a number of confidential submissions.[259] One stated:

An exception for transfers by agencies where this is required or authorised by law should be included in the UPP to avoid any uncertainty where another law requires or authorises the transfer of information.… A broad authorised or required by law exception is preferable as there may also be other circumstances in which information is required to be transferred where not doing so may breach international obligations or requiring additional restrictions to be met may have real consequences in a timely response to a risk situation.[260]

31.162 In a similar vein, the ABA submitted that provision should be made in the UPPs for unconditional transborder data flows that are required by law.[261] This would cover the requirements on organisations to send personal information overseas in connection with international money transfers under the AML/CTF Act.

31.163 Some stakeholders supported the proposed ‘law enforcement exception’.[262] There also was some qualified support.[263] For example, some submissions called for further elements to be added to the ‘law enforcement exception’. One stakeholder argued that the exception needed to provide for the transfer of personal information in instances where there is a serious threat to life, health or safety.[264] The ACT Department of Disability, Housing and Community submitted that it may be useful to permit transfers where necessary to ‘ensure the wellbeing and safety of the individual’, noting that some children are placed overseas with their kin and their information is required to be transferred with them.[265] The Attorney-General’s Department argued for the explicit inclusion of mutual assistance and extradition in the ‘law enforcement exception’.[266] The OPC disagreed, however, stating that ‘disclosure and transfer overseas of information for extradition or mutual assistance purposes should be based on clear legislative authorisations’. [267]

31.164 Other stakeholders expressed the view that the proposed ‘law enforcement exception’ was too broad. Civil Liberties Australia argued that the proposal was inappropriately worded and would allow for broadbrush transmission of information. It proposed instead that an agency or organisation should be permitted to transfer data across borders ‘if empowered to do so under legislation or regulations applying to them’, but submitted that where such transfers took place, Australian privacy principles, requirements and penalties should attach to the transferred data and its use by the transferee. It argued that this was no different from the transfer of guarantees or warranties in the manufacturing and retail sector.[268]

31.165 Some stakeholders called for a requirement that agencies and organisations seek assurances about privacy protection in relation to such transfers. The Australian Privacy Foundation and the Cyberspace Law and Policy Centre were reluctant to support the proposed ‘law enforcement exception’, unless it was more tightly worded. They expressed concern that the proposal would allow for the transfer of personal information to a wide range of bodies in jurisdictions ‘not only lacking in privacy protection rules, but also lacking in basic standards of legitimacy, human rights or natural justice’. They argued that, at the very least, agencies and organisations transferring under the proposed law enforcement exception should be required to seek assurances about privacy protection.[269]

31.166 The OPC submitted that where an agency proposed to transfer personal information for law enforcement, extradition and mutual assistance purposes to a country without privacy protections similar to the UPPs, agencies should establish administrative arrangements or MOUs or protocols regarding appropriate handling practices for such information.[270] ACMA noted that it has MOUs in place with various overseas regulatory organisations, which broadly set out mutually agreed arrangements for the reciprocal exchange of information. Signatories to these MOUs include government regulators and law enforcement agencies.[271]

31.167 Some stakeholders addressed the relationship between the proposed law enforcement exception and the ‘Use and Disclosure’ principle. The Australian Privacy Foundation and the Cyberspace Law and Policy Centre noted that the exceptions to the ‘Cross-border Data Flows’ principle are an additional hurdle than must be crossed where an overseas transfer is involved. That is, the transfer also will need to comply with the ‘Use and Disclosure’ principle. Given this relationship, they questioned why the law enforcement exception needed to replicate some of the law enforcement exceptions in the ‘Use and Disclosure’ principle.[272]

31.168 Some stakeholders argued that the proposed ‘law enforcement exception’ should be limited to Australian agencies or Australian laws. The OPC’s proposal was predicated on ‘law’ being limited to Australian laws, consistent with the approach taken in the Acts Interpretation Act 1901 (Cth). The OPC also expressed the view that overseas law enforcement requests for personal information should be mediated by Australian law enforcement agencies. Its view was that overseas law or other matter should not be relied upon to authorise the disclosure of personal information.[273] PIAC agreed that there should be an exception, but argued it should apply only to Australian enforcement bodies.[274]

31.169 ACMA expressed concern that the proposed ‘law enforcement exception’ was too narrow in its application—that is, it needed to apply to bodies other than law enforcement bodies. It submitted that the use of the words

‘by or on behalf of an enforcement body’ may have the effect, for some overseas jurisdictions, of restricting ACMA’s ability to share information with the appropriate overseas government organisation charged with anti-spam minimisation or enforcement …

A broader exception should be adopted to ensure that ‘Australian’ law enforcement and regulatory authorities are not prevented from making disclosures to coregulators and enforcement bodies which may not fall within the meaning of ‘enforcement body’.[275]

ALRC’s view

31.170 Under the ‘Cross-border Data Flows’ principle, one of the circumstances in which the default position of accountability will not apply is where an agency or organisation is ‘required or authorised by or under law’ to transfer the personal information to a recipient outside of Australia. In making this recommendation, the ALRC acknowledges the view expressed by many stakeholders that such an exception would facilitate more appropriately legitimate agency transfers than one limited to ‘law enforcement’ purposes. Strong concerns were expressed by agencies that the ‘law enforcement exception’ in DP 72 may have had the unintended consequence of impeding their ability to make disclosures necessary to the fulfilment of their statutory functions.

31.171 International transfer of personal information by agencies should be based on legislative requirements or authorisations, although such authorisations may be implied. As discussed in Chapter 16, the ALRC recommends that the term ‘law’, for the purposes of the ‘required or authorised by or under law’ exception, be defined to include federal, state and territory Acts and delegated legislation.[276] It should not include the legislation of a foreign country.

31.172 To confine the application of the exception to law enforcement bodies is too narrow in that it may not allow, for example, cross-border transfers required to manage risks to public health[277] or to address the problem of spam.[278] There are situations in which an organisation may be required by law to execute a cross-border transfer of personal information.[279] The ‘required or authorised by or under law’ exception should apply both to agencies and organisations.

31.173 The ALRC encourages the establishment, by agencies, of administrative arrangements, MOUs or protocols regarding appropriate personal information-handling practices with countries without privacy protection similar to the UPPs in place. The OPC should provide guidance in relation to the establishment of those arrangements.

Terminology

31.174 NPP 9 currently regulates when an organisation may transfer personal information about an individual to ‘someone’ who is in a ‘foreign country’.

31.175 In DP 72, the ALRC proposed that the ‘Cross-border Data Flows’ principle should refer to the transfer of personal information to a ‘recipient’ rather than ‘someone’, in order to make it clear that the principle applies to the overseas transfer of personal information to agencies, organisations and individuals.[280] Also, the ALRC proposed that NPP 9 be amended to refer to ‘outside Australia’ rather than to a ‘foreign country’, as it suggested a broader reading of what an overseas jurisdiction may be. Further, it was consistent with language in overseas and state and territory cross-border data principles.[281] The ABA and the Cyberspace Law and Policy Centre supported the suggested change in terminology.[282] The ALRC’s proposed terminology is confirmed in the recommendation below.

31.176 In DP 72, UPP 11 was called the ‘Transborder Data Flow’ principle, picking up on the terminology used currently in NPP 9. The ALRC recommends that the principle be called the ‘Cross-border Data Flows’ principle, in order to ensure consistency with the terminology commonly used, such as in the APEC Privacy Framework.[283]

Recommendation 31–2 The ‘Cross-border Data Flows’ principle should provide that, if an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia or an external territory, the agency or organisation remains accountable for that personal information, unless the:

(a) agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to the model Unified Privacy Principles;

(b) individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or

(c) agency or organisation is required or authorised by or under law to transfer the personal information.

Recommendation 31–3 The Privacy Act should be amended to provide that ‘accountable’, for the purposes of the ‘Cross-border Data Flows’ principle, means that where an agency or organisation transfers personal information to a recipient (other than the agency, organisation or the individual) that is outside Australia or an external territory:

(a) the recipient does an act or engages in a practice outside Australia or an external territory that would have been an interference with the privacy of the individual if done or engaged in within Australia or an external territory; and

(b) the act or practice is an interference with the privacy of the individual, and will be taken to have been an act or practice of the agency or organisation.

[140] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[141]Unisys, Submission PR 569, 12 February 2008.

[142]Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Principle 9.

[143]Ibid, Principle 9 (commentary).

[144] M Eisenhauer, Privacy and Security Law Issues in Off-Shore Outsourcing Transactions (2005) Hunton & Williams, 5.

[145] G Gunasekara, ‘The “Final” Privacy Frontier? Regulating Trans-border Data Flows’ (2006) 15 International Journal of Law and Information Technology 362, 382.

[146]Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [32].

[147]Ibid, [42].

[148] Ibid, [44]–[45].

[149] K Curtis, ‘Information Workshop for Australian Stakeholders’ (Paper presented at APEC Data Privacy Pathfinder Seminar, Sydney, 6 February 2008), 5–9.

[150] M Crompton and P Ford, ‘Implementing the APEC Privacy Framework: A New Approach’ (2005) 5(15) IAPP Privacy Advisor 8.

[151] G Greenleaf, ‘APEC’s Privacy Framework: A New Low Standard’ (2005) 11 Privacy Law & Policy Reporter 121, 122.

[152]B Cruchfield George and D Roach Gaut, ‘Offshore Outsourcing to India by EU and US Companies: Legal and Cross-Cultural Issues that Affect Data Privacy Regulation in Business Process Outsourcing’ (2006) 6 University of California Business Law Journal 13, 13; S Robertson, ‘Offshore Business Processing in China Brings Privacy Concerns’ (2008) 10 Internet Law Bulletin 118, 118.

[153] Asia-Pacific Economic Cooperation, Member Economies (2008) <www.apec.org/content/apec/member_
economies.html> at 22 April 2008.

[154] S Robertson, ‘Offshore Business Processing in China Brings Privacy Concerns’ (2008) 10 Internet Law Bulletin 118, 119. See also G Greenleaf, ‘A Tentative Start for Implementation of APEC’s Privacy Framework’ (2005) Privacy Law and Practice Reporter 16, 16.

[155] D Svantesson, ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow’ (2007) 19(1) Bond Law Review 168, 183–184.

[156] Ibid, 184.

[157]F Cate, ‘Security and Privacy Challenges in the Decade Ahead’ (2006) 6(12) IAPP 1, 20.

[158]S Kenny, ‘Global Privacy Predictions for 2008’ (2008) 8(1) Privacy Advisor 11, 11.

[159] R Buchholz and S Rosenthal, ‘Integrating Ethics All the Way Through: The Issue of Moral Agency Reconsidered’ (2006) 66 Journal of Business Ethics 233, 233.

[160] B Stewart, ‘Cross-Border Cooperation on Enforcement Matters’ (2005) Privacy Law & Policy Reporter 2, 5.

[161] NPP 9.1(a) and (b) are discussed below under the headings ‘Substantially similar privacy protections’ and ‘Consent’.

[162] Stakeholder views on clauses NPP 9 (c)–(f), and the reasons for the ALRC’s proposals, were canvassed in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.51]–[28.62].

[163] Ibid, Proposal 28–4.

[164]Unisys, Submission PR 569, 12 February 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 535, 21 December 2007; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[165]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[166]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[167]Confidential, Submission PR 535, 21 December 2007.

[168]Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[169] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; ANZ, Submission PR 467, 13 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[170]GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[171]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008. See also: GE Money Australia, Submission PR 537, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[172]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[173]GE Money Australia, Submission PR 537, 21 December 2007. Also: Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[174]Confidential, Submission PR 536, 21 December 2007.

[175]ANZ, Submission PR 467, 13 December 2007.

[176]Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[177] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[178]Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[179]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[180]Confidential, Submission PR 536, 21 December 2007.

[181]Confidential, Submission PR 535, 21 December 2007.

[182]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[183]Confidential, Submission PR 536, 21 December 2007.

[184]Privacy NSW, Submission PR 468, 14 December 2007.

[185]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[186] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. Note: clause (a) reproduces NPP 9(a).

[187]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[188]G Greenleaf, ‘A Tentative Start for Implementation of APEC’s Privacy Framework’ (2005) Privacy Law and Practice Reporter 16, 19.

[189] See D Svantesson, ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow’ (2007) 19(1) Bond Law Review 168, 183–184.

[190]Privacy Act 1988 (Cth) s 52(1).

[191]Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Preamble.

[192]Report of Second Technical Seminar on International Implementation of the APEC Privacy Framework, Cairns, Australia, 25–26 June 2007, APEC Paper 2007/SOM3/ECSG/011 (2007), 2.

[193]Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Principle 9 (commentary).

[194]Ibid, [42], [44]–[45].

[195] G Greenleaf, ‘Exporting and Importing Personal Data: The Effects of the Privacy Amendment (Private Sector) Bill 2000’ (Paper presented at National Privacy and Data Protection Summit, Sydney, 17 May 2000), 8.

[196] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 58. See also J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2–5795].

[197]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–8.

[198]Ibid, [28.50].

[199] Australian Collectors Association, Submission PR 505, 20 December 2007; Confidential, Submission PR 536, 21 December 2007.

[200] Australian Collectors Association, Submission PR 505, 20 December 2007.

[201]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–8.

[202]National Australia Bank, Submission PR 408, 7 December 2007.

[203]Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Confidential, Submission PR 535, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[204]Australasian Compliance Institute, Submission PR 419, 7 December 2007. See also Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[205]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[206]Confidential, Submission PR 535, 21 December 2007.

[207]Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[208]Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[209]Australian Government Department of Families‚ Housing‚ Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008.

[210] Rec 31–6.

[211] Rec 31–7.

[212] D Svantesson, ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow’ (2007) 19(1) Bond Law Review 168, 182–3; G Gunasekara, ‘The “Final” Privacy Frontier? Regulating Trans-border Data Flows’ (2006) 15 International Journal of Law and Information Technology 362, 381; P Blume, ‘Transborder Data Flow: Is There a Solution in Sight?’ (2000) 8(1) International Journal of Law and Information Technology 65, 71.

[213] P Blume, ‘Transborder Data Flow: Is There a Solution in Sight?’ (2000) 8(1) International Journal of Law and Information Technology 65, 71.

[214] G Gunasekara, ‘The “Final” Privacy Frontier? Regulating Trans-border Data Flows’ (2006) 15 International Journal of Law and Information Technology 362, 381.

[215] D Svantesson, ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow’ (2007) 19(1) Bond Law Review 168, 182.

[216] Ibid, 182.

[217] Ibid, 183.

[218] Ibid.

[219]E v Money Transfer Service [2006] PrivCmrA 5.

[220]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 16–1.

[221] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[222]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[223]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[224]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Confidential, Submission PR 535, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[225]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[226]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[227]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[228] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[229]Confidential, Submission PR 536, 21 December 2007.

[230] Rec 19–1.

[231] Rec 19–1.

[232] Rec 31–9.

[233] See, eg, Information Privacy Act 2000 (Vic) sch 1, IPP 9; Personal Information Protection Act 2004 (Tas) sch 1, PIPP 9; Information Act 2002 (NT) sch 2, IPP 9.

[234] See, eg, Data Protection Act 1998 (UK) s 63 andFederal Data Protection Act 1990 (Germany) ss 1, 2.

[235]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–2.

[236] Unisys, Submission PR 569, 12 February 2008; Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[237] Medicare Australia, Submission PR 534, 21 December 2007.

[238] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[239] As at 5 May 2008, the Bill was before the Legislative Council.

[240] See, eg, Information Privacy Act 2000 (Vic) sch 1, IPP 9; Personal Information Protection Act 2004 (Tas) sch 1, PIPP 9; Information Act 2002 (NT) sch 2, IPP 9.

[241]Privacy Act RS 1985, c P-21 (Canada) s 8(2)(f).

[242]National Health Security Act 2007 (Cth) ss 17, 27.

[243]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 64(5).

[244]National Health Security Act 2007 (Cth) ss 19(4), 27.

[245]Communications Legislation Amendment (Information Sharing and Datacasting) Act 2007 (Cth) s 59D.

[246]Trade Practices Act 1974 (Cth) s 155AAA(12).

[247]Australian Federal Police Act 1979 (Cth) s 60A.

[248]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 132.

[249]International Tax Agreements Act 1953 (Cth) s 23.

[250]Social Security (Administration) Act 1999 (Cth) s 208(1)(b)(iii).

[251] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–3. Note: in Proposal 28–3, the ‘law enforcement exception’ operated, in fact, as a condition on transfer under the ‘Transborder Data Flows’ principle proposed by the ALRC.

[252] Confidential, Submission PR 570, 13 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Federal Police, Submission PR 545, 24 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[253]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[254] Australian Federal Police, Submission PR 545, 24 December 2007.

[255]Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[256]Australian Taxation Office, Submission PR 515, 21 December 2007.

[257] For example, s 208(1)(b)(iii) of the Social Security (Administration) Act 1999 (Cth) allows for the disclosure of protected information to a competent authority or a competent institution of a foreign country that is party to a scheduled international social security agreement: Australian Government Centrelink, Submission PR 555, 21 December 2007.

[258] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[259] Confidential, Submission PR 570, 13 February 2008; Confidential, Submission PR 448, 11 December 2007.

[260] Confidential, Submission PR 570, 13 February 2008.

[261] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[262] Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[263]Confidential, Submission PR 570, 13 February 2008; Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Federal Police, Submission PR 545, 24 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[264] Confidential, Submission PR 570, 13 February 2008.

[265]ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007.

[266] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[267] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[268]Civil Liberties Australia, Submission PR 469, 14 December 2007.

[269]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[270] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[271] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[272] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[273] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[274] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[275]Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[276] Rec 16–1.

[277] For example, the National Health Security Act 2007 (Cth) s 19 provides for the sharing of information with the World Health Organisation and countries affected by an event relating to public health or an overseas mass casualty.

[278] See Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[279]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 64(5).

[280] Stakeholder views on these issues were discussed in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.42]–[28.44].

[281]Personal Data (Privacy) Ordinance (Hong Kong) s 33(1); Privacy and Personal Information Protection Act 1998 (NSW) s 19(2); Information Privacy Act 2000 (Vic) sch 1, IPP 9; Personal Information Protection Act 2004 (Tas) sch 2, PIPP 9; Information Act 2002 (NT) sch 2, IPP 9.

[282] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[283]Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [44]–[46].