International privacy protection

31.11 In order to ensure that Australian organisations are not disadvantaged in the international market, Australia must be able to meet the international community’s expectations of privacy protection while not impeding the free flow of information across borders. In this section, international models of data protection are outlined.

European Union Data Protection Directive

31.12 The EU Directive seeks to protect the privacy of individuals within the EU when information about them is transferred to countries outside the EU.[21] If the European Commission determines that a country does not provide ‘adequate’ data protection standards, this will lead to restrictions on the transfer of information to that jurisdiction.[22]

31.13 Article 25(1) of the EU Directive provides:

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

31.14 Article 25(4) provides:

Where the Commission finds … that a country does not ensure an adequate level of protection … Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

31.15 Article 26 provides an exception to art 25, permitting transfers in certain circumstances to a third country, even where the third country has not ensured an adequate level of protection. The art 26 exception applies where:

  • there is unambiguous consent from the data subject;

  • the transfer is necessary for the performance, implementation or conclusion of certain contractual transactions;

  • the transfer is in the public interest or the vital interests of the data subject; or

  • the transfer is made from a public register.

31.16 Under art 26(2), a member state may also authorise transfers of personal data where a contract contains adequate safeguards protecting the ‘privacy and fundamental rights and freedoms of individuals, and as regards the exercise of corresponding rights’.[23]

31.17 The decision about the adequacy of third party regimes is made by the Article 29 Data Protection Working Party of the European Commission (Working Party), which is comprised of representatives of supervisory authorities in EU member states and a representative of the European Commission. Those countries that have been declared ‘adequate’ are: Canada, Switzerland, Argentina, Guernsey and the Isle of Man. The US Department of Commerce’s Safe Harbour Privacy Principles and the ‘transfer of Air Passenger Name Records to the United States Bureau of Customs and Border Protection’ also have been given adequacy status.[24]

31.18 The Working Party has noted that adequate protection does not necessarily mean equivalent protection, and that it is not necessary for third countries to adopt a single model of privacy protection. It also has stated that there may be adequate protection despite certain weaknesses in a particular system ‘provided, of course, that such a system can be assessed as adequate overall—for example, because of compensating strengths in other areas’.[25]

31.19 If a third country is deemed not to have adequate protection, member states must take action to prevent any transfer of personal data to the country in question. This ‘mandated approach’ is stronger than that set out in the OECD Guidelines.[26]

31.20 Professors Colin Bennett and Charles Raab note that the implementation of arts 25 and 26 poses problems for businesses that rely on cross-border flows of personal data. This has major implications for credit-granting and financial institutions, hotel and airline reservations systems, the direct marketing sector, life and property insurance, the pharmaceutical industry, and for any online company that markets its products and services internationally.[27]

Adequacy of the Privacy Act

31.21 One of the main drivers behind the Privacy Amendment (Private Sector) Act 2000 (Cth) was to facilitate trade with European countries by having the Privacy Act deemed adequate for the purposes of the EU Directive.[28] In March 2001, however, the Working Party released an opinion expressing concern that some sectors and activities are excluded from the protection of the Privacy Act, including small businesses and employee records.[29] The Working Party found that, without further safeguards, the Australian standards could not be deemed equivalent to the EU Directive. The Working Party also expressed concern about Australia’s regulation of sensitive information within the Privacy Act and the lack of correction rights for EU citizens under the Act.[30]

31.22 Further amendments were made to the Privacy Act in April 2004 as part of the process of moving towards EU adequacy.[31] Those amendments:

  • clarified that the protection offered by NPP 9 applies equally to the personal information of Australians and non-Australians;

  • removed nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints regarding the correction of personal information; and

  • gave businesses and industries more flexibility in developing privacy codes that cover otherwise exempt acts.[32]

31.23 The OPC review of the private sector provisions of the Privacy Act (OPC Review) noted that there are ongoing discussions with the European Commission regarding the small business and employee records exemptions from the Privacy Act.[33] In evidence to the Senate Committee privacy inquiry, the Australian Government Attorney-General’s Department noted that the small business exemption was of concern to the European Commission and that it is probably the key outstanding issue between the EU and Australia.[34] There is no equivalent in the EU Directive to the Privacy Act exemption for small businesses. The Senate Committee privacy inquiry questioned the need to retain the small business exemption, in part because it is preventing recognition of Australian privacy laws under the EU Directive.[35]

31.24 In evidence to the Senate Committee privacy inquiry, the Law Institute of Victoria stated:

If we do not comply with the EU directive, Australian businesses are going to be impacted in terms of the extent to which they can work offshore and deal with other jurisdictions.[36]

31.25 This view was not shared by all stakeholders making submissions to the Senate Committee privacy inquiry. For example, the Australian Direct Marketing Association (ADMA) submitted that organisations had not been hindered in their ability to conduct business with EU business partners. Similarly, the OPC stated that, in practice, businesses simply included the relevant privacy standards in contracts.[37]

31.26 The OPC Review suggested that the fact that Australian privacy law has not been recognised as adequate by the EU has not inhibited trade. It stated that

only a very small proportion of the submissions received from stakeholders and few of the comments made in consultation meetings indicate that the failure to achieve EU adequacy has impaired business and trade with European organisations.[38]

31.27 Nevertheless, the Senate Committee privacy inquiry also considered it desirable for Australia’s privacy laws to gain formal recognition as being adequate. The Senate Committee recommended that:

the review by the Australian Law Reform Commission, as proposed at recommendations 1 and 2, examine measures that could be taken to assist recognition of Australia’s privacy laws under the European Union Data Protection Directive.[39]

31.28 The EU and Australia are engaged in ongoing negotiations on the issue of the adequacy of Australia’s privacy regime for the purpose of the EU Directive.

The use of contracts for compliance with the EU Directive

31.29 Alongside legislation and self-regulatory arrangements, contracts have been recognised as a mechanism for enhancing privacy protection.[40] Article 26(2) of the EU Directive explicitly recognises that contracts may be one method of ensuring that personal data transferred from one country to another receive ‘adequate protection’. A contract that would meet these criteria would have to bind the organisation receiving the data to meet the EU standards of information practices, such as the right to notice, consent, access and legal remedies.[41]

31.30 The OECD has identified the following as core elements of privacy protection that should be reflected in contractual provisions:

  • substantive rules based on the principles in the OECD Guidelines, either by inclusion of the substantive rules in the contract or by reference to relevant laws, principles or guidelines;

  • a means of ensuring accountability and verifying that the parties are complying with their privacy obligations;

  • a complaints and investigations process, in the event that there is a breach of the privacy obligations; and

  • a dispute resolution mechanism for affected parties.[42]

Is ‘adequacy’ necessary or desirable?

31.31 In the Issues Paper, Review of Privacy (IP 31), the ALRC asked whether adequacy of the Privacy Act under the EU Directive is necessary for the effective conduct of business with EU members, and desirable for the effective protection of personal information transferred into and out of Australia.[43] The consensus view of stakeholders was that, while a failure to achieve adequacy under the EU Directive was not preventing organisations from carrying out business internationally, an adequacy rating would help streamline trade between Australian businesses and Europe.[44] One stakeholder raised the important symbolic significance of achieving adequacy for the purposes of the EU Directive.[45] While adequacy is desirable, it was noted that, even in EU jurisdictions, privacy protection may not always be implemented satisfactorily.[46] In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC did not make a proposal in relation to the EU Directive specifically, but indicated that a number of its proposals in particular areas may assist in an EU adequacy finding.[47]

ALRC’s view

31.32 The ALRC has been advised that the EU Directive can create problems for organisations that conduct business in Europe. It has been noted that the registration system in Europe is expensive, and that adequacy under the EU Directive may still mean that organisations will be subject to additional requirements under the privacy laws of individual European countries. The ALRC also notes that the European Commission’s First Report on the Implementation of the Data Protection Directive found that the EU Directive has not guaranteed consistent privacy protection across Europe.[48] Different jurisdictions have implemented the EU Directive in different ways and, as a result, unauthorised and possibly illegal transfers are being made to destinations.[49]

31.33 The ALRC makes a number of recommendations which may assist an adequacy finding under the EU Directive, including: the removal of the small business and employee records exemptions;[50] requiring an organisation to provide an individual with a means of opting out of receiving direct marketing communications under the ‘Direct Marketing’ principle;[51] and, in the context of cross-border data flows, the development and publication of a list of laws and binding schemes that effectively uphold principles for the fair handling of personal information that are substantially similar to the model UPPs.[52]

Asia-Pacific Economic Cooperation Privacy Framework

31.34 The APEC Privacy Framework was endorsed by APEC Ministers in November 2004. The APEC Privacy Framework contains nine privacy principles recognising ‘the importance of the development of effective privacy protections that avoid barriers to information flows, ensure continued trade, and economic growth in the APEC region’.[53]

31.35 As with the EU Directive, the APEC Privacy Framework aims to promote electronic commerce by harmonising members’ data protection laws and facilitating information flow throughout the Asia-Pacific region.[54] Unlike the EU Directive, however, APEC members are not obliged to implement domestically the APEC Privacy Framework in any particular way.[55]

31.36 APEC commenced development of the APEC Privacy Framework in 2003. It is a principles-based framework, based largely on the OECD Principles. Australia played a key role in the development of the APEC Privacy Framework, leading the APEC working group in the drafting process.

31.37 The APEC principles are intended to apply to persons or organisations in both the public and private sectors who control the collection, holding, use, transfer or disclosure of personal information.[56] The principles cover: preventing harm; notice; collection limitation; use of personal information; choice; integrity of personal information; security safeguards; access and correction; and accountability.[57] The principles are intended to encourage the development of appropriate information privacy protections by members.[58]

31.38 One key area in which the APEC Privacy Framework takes a different approach to the EU Directive is in relation to cross-border data flows. Consultants to APEC, Malcolm Crompton and Peter Ford, have said:

It is no longer accurate to describe data as ‘flowing’ at all … instead of point to point transfers, information is now commonly distributed among a number of data centres and is accessible globally over the Internet or over private networks.[59]

31.39 Principle 9 of the APEC Privacy Framework states that a personal information controller

should be accountable for complying with measures that give effect to the Principles … When personal information is to be transferred to another person or organisation, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organisation will protect the information consistently with these Principles.[60]

31.40 Given the vast differences between the member economies of APEC, the APEC Privacy Framework does not aspire to uniformity but strives to recognise cultural and other diversities within its membership.[61] It is intended to be ‘implemented in a flexible manner that can accommodate various methods of implementation’.[62] The APEC Privacy Framework encourages cooperation between members on the regional enforcement of data protection norms and the development of agreements between nations for cooperative enforcement.[63] These cross-border arrangements may include mechanisms to:

  • notify public authorities in other member states of investigations and assistance in investigations; and

  • identify and prioritise cases for cooperation in severe cases of privacy infringement that may involve authorities in several countries.[64]

31.41 APEC members also have agreed to support the development and recognition of members’ cross-border privacy rules (CBPRs) across the APEC region.[65] The APEC Privacy Framework states that:

Member Economies should endeavour to ensure that such cross-border privacy rules and recognition or acceptance mechanisms facilitate responsible and accountable cross-border data transfers and effective privacy protections without creating unnecessary barriers to cross-border information flows, including unnecessary administrative and bureaucratic burdens for businesses and consumers.[66]

31.42 The First Technical Assistance Seminar on International Implementation of the APEC Privacy Framework was held on 22–23 January 2007 in Canberra. Its focus was the development and use of CBPRs by business, and the development of a model for implementing CBPRs. The seminar concluded that a ‘Choice of Approach’ model supported by trustmarks would be the most appropriate model. The key feature of this model is that each economy chooses the entities and procedures that will be used within the economy to assess the compliance of an organisation’s CBPRs with the APEC Privacy Framework.

31.43 Discussions at this meeting emphasised that trustmarks could play a significant role in a CBPR system to assist economies in reviewing and giving recognition to organisations’ CBPRs. A trustmark is a label or visual representation showing participation in a trustmark scheme in which a third party guarantees to consumers an organisation’s compliance with the requirements for participation in that scheme. Trustmarks can be used to demonstrate compliance with a host of different principles, including privacy principles.[67]

31.44 The Second Technical Assistance Seminar on International Implementation of the APEC Privacy Framework was held in Cairns on 25–26 June 2007. It looked at developing and refining aspects of the ‘Choice of Approach’ model by considering the cross-border cooperation arrangements between various stakeholders, which will be a necessary part of a CBPR system, and the steps economies can take to implement parts of the preferred implementation model. The development of a ‘Pathfinder’ (or pilot project), which would involve a number of economies participating in a trial of a CBPR system, was discussed at the seminar.

31.45 The OPC is currently leading three Data Privacy Pathfinder projects:[68]

  • Project Five—to establish and maintain a directory of data protection authorities;

  • Project Six—to develop template documentation (such as a Memorandum of Understanding (MOU) or letters of commitment) ‘which provides for cooperative arrangements between relevant enforcement authorities’;[69] and

  • Project Seven—to develop a template for a cross-border complaint-handling form.[70]

31.46 Senator the Hon John Faulkner, Cabinet Secretary and Minister with responsibility for the Privacy Act, has described the aim of the Pathfinder processes as the establishment of

a multi-lateral co-operative framework and rules, whereby a person in one country, such as Australia, can make a complaint to the privacy regulator in their own country about an alleged breach of their privacy, even though the breach affecting them may have occurred outside Australia.[71]

31.47 As noted above, Australia has been instrumental in the development of the APEC Privacy Framework. In the final report of the OPC Review, the OPC was supportive of the APEC Privacy Framework and expressed the view that:

The initiative has the potential to accelerate the development of information privacy schemes in the APEC region and to assist in the harmonisation of standards across national jurisdictions.[72]

31.48 Senator Faulkner also has indicated, however, that ‘Australia’s domestic privacy principles will not be compromised’ by Australia’s work in ‘developing an APEC-wide cross-border privacy rules system’.[73]

Analysis of the APEC framework

31.49 Crompton and Ford note that Principle 9 of the APEC Framework is the most important difference between it and the EU Directive. In effect, the APEC Principle is saying that ‘accountability should follow the data’. Once an organisation has collected personal information, it remains accountable for the data ‘even if it changes hands or moves from one jurisdiction’ to another. In contrast, the EU Directive focuses on border controls.[74]

31.50 There has been some criticism that the APEC Privacy Framework is too ‘light touch’ in its approach and does not provide sufficient privacy protection for individuals.[75] Professor Graham Greenleaf argues that the APEC Privacy Framework has a bias towards the free flow of personal information and does not recognise that there can be legitimate privacy reasons for restricting data exports.[76] The requirement of accountability, coupled with a requirement either of consent or that the discloser takes reasonable steps to protect the information, is said to be ‘a very soft substitute for a Data Export Limitation principle’ along the lines of that contained in the EU Directive.[77]

31.51 Greenleaf has acknowledged, however, that although the APEC Privacy Framework does not set any requirements of its own, it does not prevent its members having their own data export restriction rules. Such rules could be for domestic purposes or to meet the requirements of the EU Directive.[78]

31.52 One commentator has argued that the slow pace at which the EU’s Article 29 Committee has approved the adequacy of regulatory regimes ‘actually has helped reinforce the relevance of the APEC framework that increasingly is recognised as an important development’.[79]

Asia-Pacific Privacy Charter Initiative

31.53 The Asia-Pacific Privacy Charter Council, a regional non-government expert group, has developed independent privacy standards for privacy protection in the Asia-Pacific region.[80] The Council has drafted the Asia-Pacific Privacy Charter (APP Charter) with the aim of influencing the development of privacy laws in the region in accordance with the standards set out in the Charter.[81]

31.54 The APEC Privacy Framework and the APP Charter have a number of similarities, and both reflect many of the principles contained in other international and regional agreements, such as the OECD Guidelines and the EU Directive.[82] The APP Charter, as it stands, however, is intended to be a ‘maximalist’ or ‘high watermark’ draft, reflecting all the significant privacy principles from relevant international instruments.[83]

31.55 The APEC Privacy Framework does not have a principle that explicitly limits data flows to countries without similar privacy laws. In contrast, Principle 12 of the APP Charter contains a limitation similar to that under the EU Directive. Principle 12 states that an organisation must not transfer personal information to a place outside the jurisdiction in which it is located unless:

  • there is in force in that jurisdiction a law embodying principles substantially similar to the APP Charter Principles;

  • it is with the consent of the person concerned; or

  • the organisation has taken all reasonable steps to ensure that the personal information will be dealt with in accordance with the APP Charter Principles in that place and continues to be liable for any breaches of the Principles.

31.56 In IP 31, the ALRC asked whether the APEC Privacy Framework, or other standards, such as the APP Charter, provide an appropriate model for the protection of personal information transferred between countries.[84] A number of stakeholders supported the APEC Privacy Framework.[85] It was noted that the Framework may function as a starting point to assist member economies that currently do not have any privacy regime to develop privacy protections for individuals’ personal information.[86] Other stakeholders submitted that the APP Charter provides a more appropriate model for protecting privacy.[87]

Conclusion

31.57 The APEC Privacy Framework is a significant development in addressing regional consistency in the handling of personal information. In implementing the APEC Privacy Framework,

the means of giving effect to the Framework may differ between Member Economies, and it may be appropriate for individual economies to determine that different APEC Privacy Principles may call for different means of implementation. Whatever approach is adopted in a particular circumstance, the overall goal should be to develop compatibility of approaches in privacy protections in the APEC region that is respectful of requirements of individual economies.[88]

31.58 The involvement of Australia in the implementation of the APEC Privacy Framework is not intended to require the lowering of any privacy protection under the Privacy Act.[89] It may provide, however, new ways of encouraging compliance with local and international privacy standards. The ALRC notes that the Australian Government continues to play a key role in the implementation of the APEC Privacy Framework. The ALRC has borrowed elements from both the APEC Privacy Framework and the APP Charter, as well as the NPPs and the EU Directive, in developing the ‘Cross-border Data Flows’ principle discussed below.[90]

[21] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[22] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), 9.

[23] See discussion of the use of contracts for compliance with the EU Directive below. See also A Hughes, ‘A Question of Adequacy? The European Union’s Approach to Assessing the Privacy Amendment (Private Sector) Act 2000 (Cth)’ (2001) 24 University of New South Wales Law Journal 270.

[24] See European Commission, Commission Decisions on the Adequacy of the Protection of Personal Data in Third Countries (2008) <ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm> at 29 April 2008. See also Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security (DHS), 23 July 2007.

[25] Text on Non-Discrimination adopted by the Article 31 Committee (31 May 2000), cited in D Solove, M Rotenberg and P Schwartz, Information Privacy Law (2nd ed, 2006), 935.

[26] C Bennett and C Raab, The Governance of Privacy: Policy Instruments in Global Perspective (2006), 99.

[27] Ibid, 99.

[28] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 11–12.

[29] European Union Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000, 5095/00/EN WP40 Final (2001), 3.

[30] European Commission, Submission to the House of Representatives Committee on Legal and Constitutional Affairs Inquiry into the Privacy Amendment (Private Sector) Bill 2000 (2000), 7.

[31] Privacy Amendment Act 2004 (Cth).

[32] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 74.

[33] Ibid, 74.

[34] Commonwealth of Australia, Parliamentary Debates, Senate Legal and Constitutional References Committee, 19 May 2005, 63 (C Minihan). This was confirmed more recently in a consultation with the Chair of the Article 29 Working Party: P Schaar, Consultation OSC 1, London, 1 November 2006. The small business exemption is discussed further in Ch 39.

[35] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.32]–[7.34], rec 12.

[36] Ibid, [4.127].

[37] Ibid, [4.130]. See also A Beatty, A Smith and J Moore, Consultation PC 7, Sydney, 7 March 2006.

[38] The OPC concluded, however, that although there was no evidence of a push from business for the EU’s recognition of adequacy, there may be long term benefits for Australia to continue to work towards this aim. The OPC also supported continuing work within APEC to implement the APEC Privacy Framework (discussed below): Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 75.

[39] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 16.

[40] Organisation for Economic Co-operation and Development, Transborder Data Flow Contracts in the Wider Framework of Mechanisms for Privacy Protection on Global Networks (2000), 7.

[41] South African Law Reform Commission, Privacy and Data Protection, Discussion Paper 109 (2005), 361.

[42] Organisation for Economic Co-operation and Development, Transborder Data Flow Contracts in the Wider Framework of Mechanisms for Privacy Protection on Global Networks (2000), 13.

[43] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–5. See also [13.72].

[44] Stakeholder comments were canvassed in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.143]–[28.147].

[45] Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[46] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[47] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.150].

[48] Commission of the European Communities, Report from the Commission: First Report on the Implementation of the Data Protection Directive (2003) 95/46/EC, 19. For areas of concern noted by the Article 29 Working Party, see: European Union Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000, 5095/00/EN WP40 Final (2001); A Hughes, ‘A Question of Adequacy? The European Union’s Approach to Assessing the Privacy Amendment (Private Sector) Act 2000 (Cth)’ (2001) 24 University of New South Wales Law Journal 270, 272–275.

[49] Commission of the European Communities, Report from the Commission: First Report on the Implementation of the Data Protection Directive (2003).

[50] Recs 39–1, 40–1.

[51] Recs 26–3, 26–4, 26–5.

[52] Rec 31–6.

[53] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Foreword.

[54] Ibid, [4].

[55] M Crompton and P Ford, ‘Implementing the APEC Privacy Framework: A New Approach’ (2005) 5(15) IAPP Privacy Advisor 8, 8.

[56] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [10].

[57] See Ibid, [14]–[26].

[58] Ibid, Preamble.

[59] M Crompton and P Ford, ‘Implementing the APEC Privacy Framework: A New Approach’ (2005) 5(15) IAPP Privacy Advisor 8, 8.

[60] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Principle 9.

[61] Ibid, [5]–[6].

[62] Ibid, [31].

[63] M Crompton and P Ford, ‘Implementing the APEC Privacy Framework: A New Approach’ (2005) 5(15) IAPP Privacy Advisor 8, 8.

[64] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [45].

[65] Ibid, [46].

[66] Ibid, [48].

[67] Trustmarks are discussed further below.

[68] K Curtis, ‘Information Workshop for Australian Stakeholders’ (Paper presented at APEC Data Privacy Pathfinder Seminar, Sydney, 6 February 2008), 5.

[69] Ibid, 5–7.

[70] Ibid.

[71] J Faulkner, ‘Launch of Inaugural Australian Privacy Awards’ (Paper presented at Privacy Connections Breakfast, Sydney, 9 April 2008), 2.

[72] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 75.

[73] J Faulkner, ‘Launch of Inaugural Australian Privacy Awards’ (Paper presented at Privacy Connections Breakfast, Sydney, 9 April 2008), 2–3.

[74] M Crompton and P Ford, ‘Implementing the APEC Privacy Framework: A New Approach’ (2005) 5(15) IAPP Privacy Advisor 8, 8.

[75] See, eg, G Greenleaf, ‘APEC Privacy Framework Completed: No Threat to Privacy Standards’ (2006) 11 Privacy Law & Policy Reporter 220; S Robertson, ‘Offshore Business Processing in China Brings Privacy Concerns’ (2008) 10 Internet Law Bulletin 118, 119.

[76] G Greenleaf, ‘APEC’s Privacy Framework: A New Low Standard’ (2005) 11 Privacy Law & Policy Reporter 121, 122.

[77] Ibid, 125.

[78] G Greenleaf, ‘APEC Privacy Framework Completed: No Threat to Privacy Standards’ (2006) 11 Privacy Law & Policy Reporter 220.

[79] S Kenny, ‘Global Privacy Predictions for 2008’ (2008) 8(1) Privacy Advisor 11, 12.

[80] Cyberspace Law and Policy Centre, ‘Announcement: Asia-Pacific Privacy Charter Initiative’ (Press Release, 1 May 2003). As at 29 April 2008, a second draft of the Charter had not yet been released for public comment.

[81] See Ibid.

[82] G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008, 1.

[83] Ibid, 1.

[84] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–6.

[85] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; ANZ, Consultation PC 82, Melbourne, 7 February 2007; Australian Compliance Institute, Consultation PC 53, Sydney, 17 January 2007. Stakeholder submissions were canvassed in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.172]–[28.176].

[86] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[87] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.176]. See also G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[88] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [32].

[89] J Faulkner, ‘Launch of Inaugural Australian Privacy Awards’ (Paper presented at Privacy Connections Breakfast, Sydney, 9 April 2008), 2.

[90] See, eg, Rec 31–2.