Introduction

31.1 Cross-border data flow refers to the movement of personal information (or data) across national borders.[1] While the focus of the Privacy Act 1988 (Cth) was originally on personal information collected and handled within Australia, the increasing ease with which information can be transferred between countries has forced jurisdictions to recognise that efforts to protect personal information should be harmonised.[2]

Modern business is increasingly borderless. The communications revolution and the reduction in international trade barriers have allowed business to globalise and regions to specialise. The call centre answers the phone in India, the product is designed in Europe, made in China and it is all managed from the US. But these business units must share their information: information about employees, customers and suppliers.[3]

31.2 Overseas business processing centres are increasingly handling customer data in such sensitive areas as processing credit card applications and bills, mortgage applications, insurance claims and help desk services.[4] One of the current leaders in this sphere is India, which controls, according to some estimates, ‘44% of the global outsourcing market of software and back-office services’.[5] India’s total revenue from IT and business process outsourcing is expected to grow to $60 billion by 2010.[6] Steven Robertson notes that China’s outsourcing industry is beginning to ‘rival the outsourcing powerhouse, India’.[7] Some commentators have pointed out that ‘currently no data privacy protection legislation of any kind exists in India’.[8] Similarly, at present, China has ‘no consolidated national data protection legislation’.[9]

31.3 A number of incidents have highlighted how personal information may be at risk from cross-border data flows.[10] For example, in 2005, undercover reporters from the Australian Broadcasting Corporation ‘were allegedly offered for sale personal data of 1,000 Australians for around US$10 per person’. The data included names, birth certificate details, driver’s licence details and ATM card numbers.[11] It is important for Australians to feel confident that, if their personal information is transferred outside Australia, it will be protected to the same standard that they enjoy in Australia.

31.4 Cross-border transfers of personal information have been, and continue to be, the source of significant community concern. For example, in a survey commissioned by the Office of the Privacy Commissioner (OPC), the majority of respondent Australians (90%) were ‘concerned’ about businesses sending their personal information overseas—of those, 63% were ‘very concerned’.[12] Such concerns were also reflected in the National Privacy Phone-In conducted by the ALRC, in which a number of respondents expressed concern about Australian companies sending their personal information offshore, particularly to overseas call centres.

If I deal with a company in Australia, I most certainly do not want that company passing my details overseas, where laws about privacy are even weaker. I also have a right to know when paying online whether my payment details are being sent overseas, as I view this as a huge security risk.[13]

31.5 Another stakeholder stated:

In today’s truly globalised world, cross-border data flows are an everyday fact of commercial public and private life. The challenge therefore becomes how to maintain a consistent security and privacy framework around the treatment of that information across legal and jurisdictional borders and geographies.[14]

31.6 One commentator, Associate Professor Dan Svantesson, noted that without adequate protection against cross-border data flows, ‘privacy regulation would arguably be pointless as personal information simply would be transferred to other jurisdictions without privacy protection’.[15]

31.7 Economic development is dependent on globalisation of information and electronic commerce. In the 1970s and 1980s, international bodies developed the first instruments to harmonise laws within economic communities and improve trade relationships. The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines) was one of the first international instruments that attempted to address this issue.

31.8 The OECD Guidelines provide that, in developing laws and policies to protect privacy and individual liberties, member countries should not enact laws that unnecessarily create obstacles to cross-border flows of personal data.[16] The privacy principles in the OECD Guidelines are the foundation for the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) set out in the Privacy Act. NPP 9 governs cross-border data flow out of Australia.[17]

31.9 More recent examples of these instruments are the privacy principles adopted by the European Union (EU) under the 1995 Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data[18] (EU Directive) and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.[19] The Asia-Pacific Privacy Charter Council, a regional non-government expert group, is also developing independent privacy standards for privacy protection in the Asia-Pacific region.[20] Australia’s ability to meet the expectations of privacy protection demanded by the international community is important to ensure that Australian businesses are not disadvantaged in an international market.

31.10 In this chapter, the ALRC examines international frameworks for privacy protection, in particular, the EU Directive, the APEC Privacy Framework and the Asia-Pacific Privacy Charter. It then considers the regulation of cross-border data flows under the Privacy Act via the extraterritorial operation of the Act, and the restrictions in NPP 9 on the transfer of personal information to countries with differing privacy regimes. The content of the ‘Cross-border Data Flows’ principle in the model Unified Privacy Principles (UPPs) is then considered, and its application to agencies is discussed. Finally, the application of the ‘Cross-border Data Flows’ principle to related bodies corporate, the role of the Privacy Commissioner, notification requirements and the need for OPC guidance are addressed.

[1] See Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Part IV, Section B. See also Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 1 (the OECD uses the terminology ‘transborder data flow’). In Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), the ‘Cross-border Data Flows’ principle was referred to as the ‘Transborder Data Flows’ principle, picking up on the terminology used currently in NPP 9. The ALRC has changed the name of this principle, however, to make it consistent with terminology more commonly used, such as in the APEC Privacy Framework: Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [44]–[46].

[2] South African Law Reform Commission, Privacy and Data Protection, Discussion Paper 109 (2005), vii.

[3] K Sainty and A Ailwood, ‘Implications of Transborder Data Flow for Global Business’ (2004–2005) 1 Privacy Law Bulletin 101, 101. See also N Saravade and P Kumaraguru, ‘Data Security Council of India—A Self-Regulatory Initiative in Data Security and Privacy Protection’ (2007) 7(11) IAPP 1, 1.

[4] B Cruchfield George and D Roach Gaut, ‘Offshore Outsourcing to India by EU and US Companies: Legal and Cross-Cultural Issues that Affect Data Privacy Regulation in Business Process Outsourcing’ (2006) 6 University of California Business Law Journal 13, 13.

[5] Ibid.

[6] N Saravade and P Kumaraguru, ‘Data Security Council of India—A Self-Regulatory Initiative in Data Security and Privacy Protection’ (2007) 7(11) IAPP 1, 1.

[7] S Robertson, ‘Offshore Business Processing in China Brings Privacy Concerns’ (2008) 10 Internet Law Bulletin 118, 118.

[8] B Cruchfield George and D Roach Gaut, ‘Offshore Outsourcing to India by EU and US Companies: Legal and Cross-Cultural Issues that Affect Data Privacy Regulation in Business Process Outsourcing’ (2006) 6 University of California Business Law Journal 13, 13.

[9] S Robertson, ‘Offshore Business Processing in China Brings Privacy Concerns’ (2008) 10 Internet Law Bulletin 118, 118.

[10] D Giles and A Chotar, ‘Offshoring Personal Information—The Devil in the Detail’ (2006) 3(6&7) Privacy Law Bulletin 73, 73.

[11] Ibid, 73–74.

[12] Wallis Consulting Group, Community Attitudes Towards Privacy 2007 [prepared for the Office of the Privacy Commissioner] (2007), 36.

[13] National Privacy Phone-In June 2006, Comment No 433. See also Unisys, Submission PR 569, 12 February 2008; B Laing, Submission PR 339, 12 November 2007; and D Giles and A Chotar, ‘Offshoring Personal Information—The Devil in the Detail’ (2006) 3(6&7) Privacy Law Bulletin 73, 74, citing research conducted by Blair Ingenuity.

[14] Unisys, Submission PR 569, 12 February 2008.

[15] D Svantesson, ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow’ (2007) 19(1) Bond Law Review 168, 179.

[16] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 18.

[17] The IPPs and OECD Guidelines do not contain a comparable cross-border data principle to NPP 9. The transfer of personal information outside Australia by agencies is discussed below.

[18] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[19] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005).

[20] G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008. These instruments are discussed later in the chapter.