Current coverage of cross-border data flows

Extraterritorial operation of the Privacy Act

31.71 Section 5B of the Privacy Act applies the Act (and approved privacy codes) to acts done, or practices engaged in, outside Australia by an organisation, if the act or practice relates to personal information about an Australian citizen or permanent resident and either the organisation:

  • is linked to Australia by being a citizen; or a permanent resident; or an unincorporated association, trust, partnership or body corporate formed in Australia; or

  • carried on a business in Australia and held or collected information in Australia either before or at the time of the act done or practice engaged in.

31.72 Section 5B(4) extends the enforcement powers of the Privacy Commissioner to overseas complaints that fall within the criteria in s 5B(1).[108] The purpose of s 5B is to stop organisations avoiding their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards.[109] The privacy laws of another country, however, will not be overridden by the Privacy Act. Where an act or practice is required by an applicable law of a foreign country, it will not be considered a breach of the Privacy Act.[110]

Agencies

31.73 Section 5B applies to organisations, but not to agencies. It is unclear whether, in the absence of an express statement, the Privacy Act operates extraterritorially in relation to the acts and practices of agencies. It could be argued that the IPPs apply to the records of Australian Government agencies wherever they may be.

31.74 The High Court has held, however, that in the absence of unambiguous language to the contrary, there is a common law presumption that courts do not read extraterritorial jurisdiction into legislation.[111] This presumption has been held to apply in the case of legislation that applies to agencies.[112] There are a number of examples of federal legislation that regulates the Australian Government public sector and expressly provides that the legislation is to have extraterritorial application.[113]

31.75 The ALRC proposed in DP 72 that the Privacy Act be amended to clarify that it applies to acts done, or practices engaged in, outside Australia by an agency.[114]

Submissions and consultations

31.76 The overwhelming majority of stakeholders supported the ALRC’s proposal.[115] In the OPC’s view, the Privacy Act currently applies to Australian agencies operating outside Australia, however, it submitted that there was merit in amending the Privacy Act to clarify this point.[116] The OVPC submitted that, ‘in the interests of uniformity, each piece of state or territory legislation should contain a similar provision indicating that it applies to acts done/practices engaged in outside the relevant jurisdiction by a state or territory agency’.[117]

31.77 A number of stakeholders emphasised the need for equivalence between the public and private sectors. For example, the Government of South Australia submitted that ‘the privacy protection offered to the public by Governments should be at least equal to the privacy protection required of the private sector’.[118] The Australasian Compliance Institute fully supported the consistent treatment of privacy principles between public and private sector organisations.[119] Also, PIAC’s view was that the proposal was important because agencies are frequently able to compel the collection of personal information.[120]

31.78 Some agencies expressed reservations. The Australian Federal Police (AFP) submitted that any extension of the Privacy Act to acts or practices by agencies outside Australia may present compliance and enforcement difficulties.[121]

ALRC’s view

31.79 Agencies that operate outside Australia should be subject to the Privacy Act. Agencies often compel the collection of personal information and should therefore remain accountable for the handling of that information under the Privacy Act, whether they are located in Australia or offshore. Further, agencies should not be able to avoid their obligations under the Act by transferring the handling of personal information to entities operating in countries with lower privacy protection standards. The ALRC recommends below that the Privacy Act be amended to clarify that it applies to the acts and practices of agencies that operate outside Australia. A similar provision should be included in state and territory legislation.

Information held under the law of a foreign country

31.80 The Privacy Act provides that, where overseas acts and practices are required by an applicable foreign law, they are generally not considered interferences with the privacy of an individual.[122] The purpose of s 13D was to ensure that ‘the extraterritorial operation of the Act does not require organisations to act in contravention of laws operating in the country in which the act or practice occurs’.[123]

31.81 These acts and practices may be interferences with privacy, however, if they: breach the Tax File Number (TFN) guidelines, or involve an unauthorised requirement or request for disclosure of an individual’s TFN; breach Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 (Cth) or the data-matching guidelines issued under that Act; constitute a breach of the guidelines under s 135AA of the National Health Act 1953 (Cth); or constitute a credit reporting infringement by a credit reporting agency or a credit provider.[124] One issue raised in this context[125] arose from the debate in Canada about whether information held in the United States might be subject to secret demands under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (US) (US Patriot Act).[126]

31.82 In 2004, concerns were raised in Canada about whether organisations outside Canada, which were contracted to provide services to the federal and provincial governments, could be required to provide personal information about Canadian citizens to the US authorities.[127] In response to these concerns, the Government of British Columbia amended the Freedom of Information and Protection of Privacy Act 1996 (British Columbia) to provide that a government agency must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, except in certain circumstances.[128] The Canadian Government, by contrast, did not adopt a legislative approach to this issue. It developed a strategy that involved raising awareness and providing guidance about privacy risks associated with contracting with organisations outside Canada.[129]

31.83 Should the Privacy Act limit the circumstances when personal information transferred outside Australia will become subject to a foreign law? One option would be to amend s 13D to provide for certain limits. Another option is that reflected in the Privacy Protection for Off-shoring Bill 2007 (Cth).[130] The Bill sought to amend the Financial Management and Accountability Act 1997 (Cth) by introducing a new s 43A which would have required an agency entering into a Commonwealth contract for the provision of services in Australia to take contractual measures to ensure that a contracted service provider cannot undertake work in relation to the contract in a country other than Australia that would involve use of ‘personally identifiable information’.[131] The Bill reflects one method of protecting personal information from being collected and held under the law of a foreign country.

31.84 The Department of Finance and Deregulation raised concerns about the US Patriot Act. It noted that while Australian government agencies may impose contractual restrictions on service providers transferring confidential or personal information, they may not know that such transfers are or may be taking place under the US Patriot Act and hence will have no knowledge that a possible breach of contract may have occurred.[132]

31.85 The ALRC does not recommend that s 13D of the Privacy Act be amended to limit the circumstances in which personal information transferred outside Australia will become subject to foreign law. In the ALRC’s view, the policy justification for s 13D is sound—acts and practices that take place in a foreign country, and are required by the laws of that country, generally should not be considered a breach of the Act. It would not be workable to prevent the transfer by agencies and organisations of personal information to countries such as the US. Also, it would be unfair to render an agency or organisation transferring personal information under s 13D responsible for an act or practice of the recipient which is required by a foreign law, when neither they, nor the recipient, can control or prevent the acts or practices required under such a foreign law.

31.86 The OPC’s guidance on the recommended ‘Cross-border Data Flows’ principle should set out the steps to be taken when personal information transferred outside Australia may become subject to a foreign law, including laws such as the US Patriot Act. The guidance also should provide advice to agencies when contracting government services to organisations outside Australia.

National Privacy Principle 9

31.87 NPP 9 dictates the circumstances in which an organisation may transfer personal information it holds in Australia to someone in a foreign country. As with the other private sector provisions, it was introduced in 2000 as part of the extension of privacy principles to the private sector.[133]

31.88 NPP 9 prohibits the transfer by an organisation of an individual’s personal information to someone in a foreign country (other than that individual or organisation) unless a number of conditions are satisfied.[134]

31.89 The principle is largely modelled on arts 25 and 26 of the EU Directive, which aim to ensure continued protection of personal information when data are sent from their originating country.[135] Where one of the conditions in (a)–(f) is satisfied, the Australian organisation transferring the data is not liable for subsequent privacy breaches.

31.90 NPP 9 is limited to ‘foreign countries’ rather than ‘other jurisdictions’. It does not protect personal information that is transferred to a state or territory government that is not subject to privacy law, or a private sector organisation that is exempt from the Privacy Act.[136] Where the transfer of personal information overseas is to the same organisation, not a third party, NPP 9 does not apply.

31.91 The Privacy Act was amended in 2004 to make it clear that the protection provided by NPP 9 applies equally to the personal information of Australian and non-Australian individuals.[137] This amendment was made by excluding NPP 9 from the citizenship and residency requirements of s 5B(1).

31.92 In IP 31, the ALRC asked whether NPP 9 provides adequate and appropriate protection for personal information transferred from Australia to a foreign country.[138] While some stakeholders submitted that the protection afforded by NPP 9 was sufficient, others noted that NPP 9 is deficient in a number of respects, including: that organisations transferring data are not liable for any subsequent breaches; the perceived weakness of the tests for a ‘reasonable belief’ (NPP 9(a)); the operation of consent in the context of cross-border data flows; the failure to address the transfer of personal information offshore by agencies; a lack of clarity as to how NPP 9 relates to other parts of the Privacy Act; and a lack of guidance for organisations as to what steps they must take to comply with NPP 9.[139] Each of these criticisms, along with the ALRC’s recommended approach, is dealt with in detail below.

[108] The enforcement powers of the Privacy Commissioner are considered in Ch 50.

[109] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [1-460].

[110] Privacy Act 1988 (Cth) s 13D.

[111] Jumbunna Coal Mine NL v Victorian Coal Miners Association (1908) 6 CLR 309.

[112] Brannigan v Commonwealth (2000) 110 FCR 566. In this case, the appellant worked for the Australian High Commission in London. She complained of breaches of the Racial Discrimination Act 1975 (Cth), Sex Discrimination Act 1984 (Cth) and the Disability Discrimination Act 1992 (Cth) while she was working at the High Commission. The Federal Court of Australia held that it lacked jurisdiction to determine the matter because the Acts did not state expressly that they operated extraterritorially.

[113] See Public Service Act 1999 (Cth) s 5; Occupational Health and Safety Act 1991 (Cth) s 13(2); Ombudsman Act 1976 (Cth) s 3C; Crimes Act 1914 (Cth) s 3A. See McDonald v Bojkovic [1987] VR 287.

[114] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–1.

[115] Unisys, Submission PR 569, 12 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[116] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[117] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[118] Government of South Australia, Submission PR 565, 29 January 2008.

[119] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[120] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[121] Australian Federal Police, Submission PR 545, 24 December 2007.

[122] See Privacy Act 1988 (Cth) ss 6A(4), 6B(4), 13D(1).

[123] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), notes on clauses [65], [70].

[124] Privacy Act 1988 (Cth) s 13E.

[125] Other concerns raised by stakeholders in relation to information held under the law of a foreign country are discussed in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.14]–[28.20].

[126]Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007. Other examples include the handing over by Yahoo of a dissident journalist’s email account details to the Chinese police in a matter that was the subject of investigation by the Hong Kong Privacy Commissioner; and the US Government mandating the transfer of passenger name records (PNRs) on all incoming international flight passengers. Issues were raised in relation to whether the release of PNRs was permitted under the EU Directive. The US and the EU have recently entered an agreement in relation to processing and transfer of PNRs. See Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security (DHS), 23 July 2007.

[127] See Treasury Board of Canada, Privacy Matters: The Federal Strategy to Address Concerns About the US PATRIOT Act and Transborder Data Flows (2006); Information and Privacy Commissioner for British Columbia, Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing (2004).

[128] Freedom of Information and Protection of Privacy Act 1996 RSBC c165 (British Columbia) s 30.1. The Act also provides that the relevant government minister is to be informed when a government agency or contracted service provider receives a foreign demand for disclosure: Freedom of Information and Protection of Privacy Act 1996 RSBC c165 (British Columbia) s 30.2.

[129] Treasury Board of Canada, Privacy Matters: The Federal Strategy to Address Concerns About the US PATRIOT Act and Transborder Data Flows (2006), Ch 3.

[130] The Privacy Protection for Off-shoring Bill 2007 was introduced by the Hon Anna Burke MP into the Australian Parliament House of Representatives on 18 June 2007. The Bill also sought to amend the Trade Practices Act 1974 (Cth).

[131] The Privacy Protection for Off-shoring Bill 2007 proposed to introduce a new 65AAAB of the Trade Practices Act, which defines ‘personally identifiable information’ as information including: name, postal address, financial information, medical records, date of birth, phone number, email address, Medicare number, mother’s maiden name, driver’s licence number and tax file number. Most of this ‘information’ would be ‘personal information’ under the Privacy Act.

[132] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008.

[133] N Waters, ‘Australian Privacy Laws Compared: “Adequacy” under the EU Data Protection Directive? Pt 2—Telecommunications and Private Sector’ (2001) 8 Privacy Law & Policy Reporter 39, 42.

[134] G Greenleaf, ‘Exporting and Importing Personal Data: The Effects of the Privacy Amendment (Private Sector) Bill 2000’ (Paper presented at National Privacy and Data Protection Summit, Sydney, 17 May 2000), 7.

[135] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 58; N Waters, ‘Australian Privacy Laws Compared: “Adequacy” under the EU Data Protection Directive? Pt 2—Telecommunications and Private Sector’ (2001) 8 Privacy Law & Policy Reporter 39.

[136] N Waters, ‘Australian Privacy Laws Compared: “Adequacy” under the EU Data Protection Directive? Pt 2—Telecommunications and Private Sector’ (2001) 8 Privacy Law & Policy Reporter 39.

[137] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [1-460].

[138] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–1.

[139] Stakeholder views on this issue were canvassed in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.28]–[28.31], [28.48], [28.52], [28.55], [28.60], [28.63]–[28.64].