List of overseas jurisdictions

31.206 The Privacy Act does not provide a definition of what constitutes a ‘substantially similar’ set of principles for the purposes of NPP 9(a).[314] The OPC Review noted that stakeholders had expressed frustration at the lack of guidance regarding the countries whose laws provide adequate protection equivalent to the NPPs.

In this situation the onus is on the organisation to assess the regime of the country in which their trading partner resides. Many stakeholders, especially small businesses, have criticised the efficiency of this system arguing that they neither have the expertise nor the resources to assess a foreign country’s privacy laws.[315]

31.207 In the context of the OPC Review, it was suggested that the OPC could publish a list of countries with substantially similar privacy laws. The OPC rejected this proposal on the basis that it was a complex task that would require considerable resources. The OPC also suggested that such a task could affect its relationships with other countries and may be an inappropriate task for it to undertake.[316]

31.208 In its submission to the House of Representatives Committee on Legal and Constitutional Affairs inquiry into the Privacy Amendment (Private Sector) Bill 2000 (Cth), the European Commission argued that ‘it is our experience that it is difficult for the average operator to have substantial knowledge of the level of protection of personal data in third countries’.[317]

31.209 In IP 31, the ALRC asked what role, if any, the OPC should play in identifying countries that have protection for personal information equivalent to the Privacy Act.[318] In DP 72, the ALRC acknowledged that such a role would have considerable resource implications. The ALRC proposed, therefore, that the Australian Government develop and publish a list of laws and binding schemes that effectively uphold principles for fair handling of personal information that are substantially similar to the UPPs.[319]

Submissions and consultations

31.210 Most stakeholders who commented on this proposal expressed their support.[320] Submissions noted that the list would assist individuals to make choices about the handling of personal information, and businesses to make decisions about when alternative arrangements are needed to protect personal information.[321] The Association of Market and Social Research Organisations and the Australian Market and Social Research Society submitted that the difficulty in determining the equivalence of other countries’ privacy regimes with Australia’s has created additional unnecessary barriers for Australian organisations wishing to trade overseas. In their view, knowing which countries guarantee substantially similar privacy rights for individuals is essential, but can be difficult for organisations to ascertain. They submitted that the OPC should be involved.[322]

31.211 In the OPC’s view, however, the task of interpreting and assessing a large number of different privacy laws and legal systems would not be an appropriate role for the OPC. The OPC submitted that these types of decisions were best left to governments, acting with the advice of privacy commissioners.[323] PIAC agreed that the OPC should not have responsibility for developing the list, but submitted that, along with privacy advocates and consumer groups, it should have input.[324]

31.212 Some support for the proposal was qualified. IBM Australia Ltd, while welcoming the proposal, submitted that ‘the proposed list should not be the definitive requirement for determining whether an organisation is complying’ with the relevant privacy principle when transferring information overseas.[325]

31.213 The Australasian Compliance Institute supported the proposal as an initial mechanism to determine ‘jurisdictional compatibility’ and submitted that the list should be updated and maintained on an ongoing basis.[326] The National Australia Bank submitted that reliance on the list should constitute ‘reasonable belief’ for the purposes of the ‘Cross-border Data Flows’ principle.[327]

31.214 The Australian Privacy Foundation and the Cyberspace Law and Policy Centre submitted that there should be a ‘whitelist’ of countries with equivalent laws, promulgated as a regulation or other legislative instrument made by the government, after receipt of published advice by the Privacy Commissioner.[328] The Australian Privacy Foundation submitted that it is unrealistic to assume that, where an overseas scheme upholds privacy protections effectively, an individual can seek redress overseas. To address this concern, it suggested:

In order to qualify for the ‘whitelist’ for the purposes of UPP11(a), a foreign jurisdiction must have in place an agreement on cross border enforcement with the OPC.

Except where a transfer is to a jurisdiction included in a ‘whitelist’ legislative instrument, the agency or organisation should continue to be liable for any breaches of the UPPs …[329]

31.215 The Cyberspace Law and Policy Centre submitted that there was little point in ‘pretending’ that such a whitelist would not automatically qualify as a basis for ‘reasonable belief’ under the ‘Cross-border Data Flows’ principle, so this should be made explicit in the relevant regulations.[330]

ALRC’s view

31.216 The benefits of developing a list of laws and binding schemes that have equivalent Privacy Act protection for personal information far outweigh any disadvantages. Stakeholders have identified clearly the need for a list on a number of occasions, including in submissions to this Inquiry.[331] Such a list would assist agencies and organisations to comply with the proposed ‘Cross-border Data Flows’ principle. Further, it would assist individuals to make choices based on where their personal information may be transferred, and how it will be handled.

31.217 The ALRC accepts that this task would have considerable resource implications for the OPC. The ALRC therefore recommends that the Australian Government should develop and publish a list of laws and binding schemes that effectively uphold principles for fair handling of personal information that are substantially similar to the model UPPs. This may be a suitable task for the Department of Prime Minister and Cabinet,[332] in consultation with other Australian Government agencies, such as DFAT and the OPC.[333]

31.218 While inclusion on the list is a good basis for ‘reasonable belief’ for the purposes of the ‘Cross-border Data Flows’ principle, the list should not be enacted as a legislative instrument. If the list is maintained more informally, it is able to be updated easily and frequently. The list will be more useful if current. Also, as discussed above, the question of whether the test in (a) of the ‘Cross-border Data Flows’ principle is satisfied should be resolved on a case-by-case basis.

Recommendation 31–6 The Australian Government should develop and publish a list of laws and binding schemes in force outside Australia that effectively uphold principles for the fair handling of personal information that are substantially similar to the model Unified Privacy Principles.

[314] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2-5800].

[315] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 78.

[316] Ibid, 79.

[317] European Commission, Submission to the House of Representatives Committee on Legal and Constitutional Affairs Inquiry into the Privacy Amendment (Private Sector) Bill 2000 (2000), 7.

[318] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–3. The submissions on this issue are canvassed in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.89]–[28.91].

[319] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–8.

[320] Unisys, Submission PR 569, 12 February 2008; Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[321] Unisys, Submission PR 569, 12 February 2008; Australian Collectors Association, Submission PR 505, 20 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[322] Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007.

[323] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. In expressing this view, the OPC was agreeing with the view expressed by the OVPC in its submission to IP 31: Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[324] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[325] IBM Australia, Submission PR 405, 7 December 2007. See also Australian Information Industry Association, Submission PR 410, 7 December 2007.

[326] Australasian Compliance Institute, Submission PR 419, 7 December 2007. See also National Australia Bank, Submission PR 408, 7 December 2007.

[327] National Australia Bank, Submission PR 408, 7 December 2007.

[328] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[329] Australian Privacy Foundation, Submission PR 553, 2 January 2008. See also Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[330] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[331] See also European Commission, Submission to the House of Representatives Committee on Legal and Constitutional Affairs Inquiry into the Privacy Amendment (Private Sector) Bill 2000 (2000); Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 78.

[332] Responsibility for the Privacy Act falls under the Department of the Prime Minister and Cabinet: Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008 [as amended 1 May 2008].

[333] The ALRC notes that Ernst & Young has compiled such a list: Ernst & Young, Data Protection in the European Union and Other Selected Countries: A New Comparative Study (2006).