31.232 As noted above, a large number of respondents to the ALRC’s National Privacy Phone-In expressed concerns about Australian companies sending their personal information overseas.
31.233 In IP 31, the ALRC asked whether organisations should be required to inform individuals that their personal information is to be transferred outside Australia, and if so, what form such notification should take. Most stakeholders submitted that individuals should be informed that their personal information is to be transferred outside Australia. The form in which the notice is given is relevant to the compliance burden placed on agencies and organisations. There is an enormous cost difference depending on whether notice has to be given to each individual or whether it could be posted, for example, on a company’s website. It was noted that, for large companies, the cost of complying with the requirement to give notice could run to millions of dollars.
Submissions and consultations
31.236 The Australian Privacy Foundation also expressed its support for the proposal, indicating that ‘a requirement to notify would be one of the most effective protections against inappropriate transfers’. It submitted that the requirement should include notification of which jurisdiction the information would be transferred to and the identity of the recipient in that jurisdiction, so as to assist individuals to make an ‘informed choice’ about their personal information or ‘bring pressure to bear for improvements in legislative protection’.In its view, specific notification should be made a condition of the consent exception in the ‘Cross-border Data Flows’ principle.
31.239 If personal information will, or may, be transferred outside Australia, agencies and organisations should be required to notify individuals. This would help individuals to exercise informed choice about how their personal information will be dealt with, and the level of privacy protection it will receive. Requiring notification or written consent each time an agency or organisation transfers an individual’s personal information overseas, however, would result in an unjustified compliance burden.
31.240 The ‘Notification’ principle will require an agency or organisation that collects personal information about an individual from the individual, to take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of a number of matters, including actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information. The requirement would extend to notifying an individual if his or her personal information might be transferred outside Australia. The description of an agency or organisation provided as part of that notification may alert an individual to the country or countries to which his or her information is likely to be transferred.
 National Privacy Phone-In, June 2006.
Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–4.
 Stakeholder views on this issue are set out in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.112]–[28.117].
Ibid, Proposal 28–10.
Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; ANZ, Submission PR 467, 13 December 2007.
Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
Australian Privacy Foundation, Submission PR 553, 2 January 2008.
ANZ, Submission PR 467, 13 December 2007.
GE Money Australia, Submission PR 537, 21 December 2007.
 Rec 23–2. The ‘Notification’ principle, discussed in detail in Ch 23, was referred to as the ‘Specific Notification’ principle in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007).
 Rec 24–1.