Definition of ‘transfer’

31.182 The ALRC also examined whether it would be useful to distinguish the term ‘transfer’ from the terms ‘use’ and ‘disclosure’. One option for dealing with this issue is to define ‘transfer’ in the Privacy Act to include the situation where personal information is stored in Australia in such a way that allows it to be accessed and viewed outside Australia. This definition clearly would capture the transfer of personal information on intranets and password-protected sections of websites. It also would include uploading personal information on the internet.

31.183 Another issue arises when an agency or organisation sends an email containing personal information by or to email systems that are hosted overseas.

Imagine, for example, a situation where an Australian doctor emails some test results to an Australian patient. Imagine further that the patient is using Microsoft’s Hotmail system. While the e-mail is sent from one Australian party to another, the e-mail, including the sensitive personal information it contains, may be stored on a server overseas. Has the Australian doctor in this situation transferred personal information to someone in a foreign country? The answer would seem to be yes, as the information is placed on a server located in a foreign country.[289]

31.184 In DP 72, the ALRC asked whether the Privacy Act should provide that, for the purposes of the proposed ‘Cross-border Data Flows’ principle, a ‘transfer’:

  • includes where personal information is stored in Australia in such a way that allows it to be accessed or viewed outside Australia; and

  • excludes the temporary transfer of personal information, such as when information is emailed from one person located in Australia to another person also located in Australia, but, because of internet routing, the email travels (without being viewed) outside Australia on the way to its recipient in Australia?[290]

Submissions and consultations

31.185 A wide range of views were received on this question. Some stakeholders agreed with the ALRC’s proposed definition of the term ‘transfer’.[291]

31.186 Others expressed more qualified agreement. In the OPC’s view, the term ‘transfer’ should be defined, but it ‘should not exclude information transferred overseas accidentally because the sending entity has not taken reasonable steps to protect the personal information’.[292]

31.187 Other stakeholders disagreed. Microsoft noted that the difficulties associated with defining the concept of ‘transfer’ provided another justification for adopting the APEC accountability model, which does not turn on this concept. It argued that such concepts would become only more ‘difficult to define as emerging technologies further blur the question of where records are stored and the distinction between permanent and temporary copies of electronic records’.[293]

Personal information stored in Australia but accessed or viewed outside Australia

31.188 There was no consensus from stakeholders as to whether the term ‘transfer’ should include circumstances in which personal information is stored in Australia in such a way that allows it to be accessed or viewed outside Australia. A number of stakeholders supported its inclusion.[294] Others, such as GE Money, argued that a ‘transfer would not occur merely because it was possible for the information to be accessed or viewed outside of Australia, but only if this actually occurs’.[295] This point also was made by another stakeholder, who submitted:

This is appropriate because many organisations which operate internationally have servers which can be accessed from multiple jurisdictions. It is not appropriate to require that consent be obtained from an individual (or that another exception be triggered) merely to include an individual on a database with such a facility. The point at which any consent should be required is the point at which access is actually given to a particular record.[296]

31.189 There also were stakeholders who opposed the inclusion of this in the definition.[297] In the ABA’s view, the way in which it would operate in practice, and its effect on a bank’s operations, were uncertain.[298]

Excluding temporary transfer of information

31.190 Again, there was a lack of consensus about whether a definition of transfer should exclude the temporary transfer of personal information, such as when information is emailed from one person located in Australia to another person also located in Australia, but, because of internet routing, the email travels (without being viewed) outside Australia on the way to its recipient in Australia. Some stakeholders supported its exclusion.[299] In Microsoft’s view, such transfers ‘should fall outside the scope of regulation, because the compliance costs associated with regulating these types of transfers would far outweigh the privacy gain to the individual’.[300] Google submitted that the definition needed to be broader, covering situations where the sender is in Australia and the recipient is outside Australia, and where reliance is placed upon, for example, consent.[301]

31.191 The OVPC submitted that there should be some provision for online transactions, which also often involve extensive and instantaneous transborder transfers of data.[302] In the view of the Cyberspace Law and Policy Centre, the communication of data by routes which enable it to be intercepted by parties outside Australia should constitute a transfer. It submitted:

A ‘transfer’ should only occur if there is a recipient outside Australia who uses or stores the information for purposes other than communicating it to final recipient. Communications may involve temporary storage, but if the information is subject to set retention periods whether required by law or otherwise, there will be a transfer.[303]

ALRC’s view

31.192 There is a high level of complexity attaching to the way in which personal information is transferred. Also, as noted above, a wide range of views was received from stakeholders on this question. Generally, if personal information is stored in Australia, but is accessed or viewed outside Australia, it should be considered to have been transferred. If personal information is routed and temporarily stored outside Australia, but is not accessed, it should not fall within the purview of the ‘Cross-border Data Flows’ principle. If it is accessed, however, it should be subject to the principle.

31.193 That said, providing a definition of ‘transfer’ in the Privacy Act is unlikely to clarify the situation, given rapid advances in technology and the difficulty of the distinction between the temporary and permanent storage of information. The term ‘transfer’ should not be defined for the purposes of the Privacy Act. It is preferable to resolve the question on a case-by-case basis, with the assistance of OPC Guidance.

31.194 The OPC Guidance relating to cross-border data flows should provide examples of circumstances in which a transfer would, or would not, be taken to have occurred for the purposes of the ‘Cross-border Data Flows’ principle.[304] Such guidance can more readily be amended to accommodate changes to the ways in which personal information is transferred than a definition of ‘transfer’ under the Privacy Act.

[289] D Svantesson, ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow’ (2007) 19(1) Bond Law Review 168, 184.

[290] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 28–1. The impact of the internet on privacy is discussed in Chs 9 and 11.

[291] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[292] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[293] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[294] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[295] GE Money Australia, Submission PR 537, 21 December 2007.

[296] Confidential, Submission PR 536, 21 December 2007.

[297] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[298] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[299] Ibid; GE Money Australia, Submission PR 537, 21 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[300] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[301] Google Australia, Submission PR 539, 21 December 2007.

[302] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[303] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[304] Rec 31–7.