Requirement of notice that personal information is being sent overseas

31.232 As noted above, a large number of respondents to the ALRC’s National Privacy Phone-In expressed concerns about Australian companies sending their personal information overseas.[351]

31.233 In IP 31, the ALRC asked whether organisations should be required to inform individuals that their personal information is to be transferred outside Australia, and if so, what form such notification should take.[352] Most stakeholders submitted that individuals should be informed that their personal information is to be transferred outside Australia.[353] The form in which the notice is given is relevant to the compliance burden placed on agencies and organisations. There is an enormous cost difference depending on whether notice has to be given to each individual or whether it could be posted, for example, on a company’s website. It was noted that, for large companies, the cost of complying with the requirement to give notice could run to millions of dollars.

31.234 In DP 72, the ALRC stated that, if personal information will or may be transferred outside Australia, agencies or organisations should be required to notify individuals, but that it would be too onerous to require notification with respect to each transfer. The ALRC proposed that the Privacy Policy of an agency or organisation, referred to in the proposed ‘Openness’ principle, should set out whether personal information may be transferred outside Australia.[354]

Submissions and consultations

31.235 Many stakeholders supported the ALRC’s proposal.[355] The OPC submitted that a Privacy Policy should set out whether the personal information is ‘likely’ to be transferred outside Australia.[356] PIAC expressed the view that the policy should also specify the countries to which personal information may be transferred.[357]

31.236 The Australian Privacy Foundation also expressed its support for the proposal, indicating that ‘a requirement to notify would be one of the most effective protections against inappropriate transfers’. It submitted that the requirement should include notification of which jurisdiction the information would be transferred to and the identity of the recipient in that jurisdiction, so as to assist individuals to make an ‘informed choice’ about their personal information or ‘bring pressure to bear for improvements in legislative protection’. In its view, specific notification should be made a condition of the consent exception in the ‘Cross-border Data Flows’ principle.[358]

31.237 ANZ was supportive of notifying customers, through a Privacy Policy, of the transfer of personal information overseas. The policy could outline the circumstances in which personal information is sent overseas and the types of information security controls that have been implemented to protect that information.[359]

31.238 GE Money opposed the ALRC’s proposal, on the basis that a Privacy Policy needs to be a ‘high level and relatively brief document’.

There may be many different divisions or businesses of an organisation that have different information-handling needs and practices. For some organisations privacy information is provided to customers and clients that is business or product specific. It should be open to an organisation to include this information in these sorts of privacy notices and consent forms (where they are provided) and not have to also include this information in a privacy policy where it may not be possible to be accurate about the specific situations where information will and will not be transferred outside of Australia.[360]

ALRC’s view

31.239 If personal information will, or may, be transferred outside Australia, agencies and organisations should be required to notify individuals. This would help individuals to exercise informed choice about how their personal information will be dealt with, and the level of privacy protection it will receive. Requiring notification or written consent each time an agency or organisation transfers an individual’s personal information overseas, however, would result in an unjustified compliance burden.

31.240 The ‘Notification’ principle will require an agency or organisation that collects personal information about an individual from the individual, to take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of a number of matters, including actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information.[361] The requirement would extend to notifying an individual if his or her personal information might be transferred outside Australia. The description of an agency or organisation provided as part of that notification may alert an individual to the country or countries to which his or her information is likely to be transferred.

31.241 Further, the ALRC recommends, in Chapter 24, that the ‘Openness’ principle should require agencies and organisations to create a Privacy Policy that sets out their policies on the management of personal information.[362] This Privacy Policy should set out whether personal information may be transferred outside Australia and the countries to which information is likely to be transferred. If the policy of an agency or organisation changes on transfer of personal information outside Australia, the Privacy Policy should be updated to reflect this.

Recommendation 31–8 The Privacy Policy of an agency or organisation, referred to in the ‘Openness’ principle, should set out whether personal information may be transferred outside Australia and the countries to which such information is likely to be transferred.

[351] National Privacy Phone-In, June 2006.

[352] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–4.

[353] Stakeholder views on this issue are set out in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.112]–[28.117].

[354] Ibid, Proposal 28–10.

[355] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; ANZ, Submission PR 467, 13 December 2007.

[356] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[357] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[358] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[359] ANZ, Submission PR 467, 13 December 2007.

[360] GE Money Australia, Submission PR 537, 21 December 2007.

[361] Rec 23–2. The ‘Notification’ principle, discussed in detail in Ch 23, was referred to as the ‘Specific Notification’ principle in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007).

[362] Rec 24–1.