16.08.2010
31.195 NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned.[305] As noted above, the Privacy Act operates extraterritorially in these circumstances by virtue of s 5B.
31.196 A company transferring personal information overseas to another related company, however, must comply with NPP 9. Section 13B(1) states that an act or practice is not an interference with the privacy of an individual if it involves a body corporate collecting or disclosing personal information (that is not sensitive information) from or to a related body corporate. A ‘related body corporate’ is a body corporate that is: a holding company of another body corporate; a subsidiary of another body corporate; or a subsidiary of a holding company of another body corporate; and the first mentioned body and the other body are related to each other.[306]
31.197 In submissions to the OPC Review, a number of stakeholders called for clarification of the interaction between NPP 9 and s 13B(1). They argued that it was unclear whether s 13B(1) made it possible for a body corporate in Australia to transfer personal information to a related body corporate located outside Australia without reference to NPP 9.[307]
31.198 The OPC Review concluded that, where information is transferred outside of Australia and the extraterritorial provisions do not apply, it is in the public interest for NPP 9 to apply. The OPC, therefore, did not recommend excluding related corporations from having to comply with NPP 9.[308]
31.199 In DP 72, the ALRC proposed that s 13B of the Privacy Act be amended to clarify that, if an organisation transferred personal information to a related body corporate outside Australia, that transfer would be subject to the proposed ‘Cross-border Data Flows’ principle.[309]
Submissions and consultations
31.200 Many stakeholders supported the proposal.[310] There also were some stakeholders who disagreed. For example, one stakeholder submitted:
In practice, the main effect of imposition of the cross-border data flows rules within company groups is likely to impose an unnecessary layer of red tape and bureaucracy. For example, many company groups would be likely to respond simply by having all companies in the group sign a contract agreeing to comply with the UPPs.[311]
31.201 Microsoft submitted that the ALRC should consider the introduction of an exemption for related bodies corporate that operate under a common set of internal policies, which would provide for at least the same level of protection as the Privacy Act. In Microsoft’s view, such an approach would be consistent with the commitment of APEC members to support the development and recognition of CBPRs across APEC.[312]
31.202 Similarly, GE Money was concerned that the proposal did not ‘consider the issues presented for organisations that form part of a large multinational company’. It argued that the proposal, when combined with the impact of proposals relating to the removal of the employee records exemption, had the potential to impede the collection and recording of employee information in an accurate and efficient way.[313]
ALRC’s view
31.203 If personal information is sent overseas to the same company, it will continue to be protected by the Privacy Act because the extraterritorial provisions apply. Section 5B, however, does not apply to related bodies corporate outside of Australia. As such, if personal information is sent to a related company, it may not be protected by the Privacy Act.
31.204 Although many related companies are governed by a common set of internal policies, this may not always be the case. Further, the internal policies of a related company may not always provide the same level of protection as the Privacy Act.
31.205 Where information is transferred outside of Australia by an organisation to a related body corporate, it is in the public interest for the ‘Cross-border Data Flows’ principle to apply.
Recommendation 31–5 Section 13B of the Privacy Act should be amended to clarify that, if an organisation transfers personal information to a related body corporate outside Australia or an external territory, the transfer will be subject to the ‘Cross-border Data Flows’ principle.
[305] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 58.
[306] This definition is from the Corporations Act 2001 (Cth) s 50, as referred to in s 6(8) of the Privacy Act 1988 (Cth). For a general discussion of the exemption, see Ch 43.
[307] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 77.
[308] Ibid, 79.
[309] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–7.
[310] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007.
[311] Confidential, Submission PR 536, 21 December 2007. See also ANZ, Submission PR 467, 13 December 2007.
[312] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.
[313] GE Money Australia, Submission PR 537, 21 December 2007.