Exemptions under international instruments

OECD Guidelines

33.15 The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD Guidelines) do not refer to exemptions.[25] They do provide expressly, however, for the possibility of excluding personal data from the application of the Guidelines that ‘obviously do not contain any risk to privacy and individual liberties’.[26]

33.16 In addition, the OECD Guidelines recognise that there may be exceptions to the privacy principles. OECD Guideline 4 provides two general criteria to guide national policies in limiting the application of the Guidelines: exceptions should be as few as possible; and they should be made known to the public.[27] Acceptable bases for exceptions set out in the OECD Guidelines include national sovereignty, national security, public policy and the financial interests of the state.[28] Importantly, the OECD Guidelines state that exceptions should be limited to those that are necessary in a democratic society.[29]

33.17 The Memorandum to the OECD Guidelines acknowledges that opinions may vary on the question of exceptions. It recognises that member countries may apply the Guidelines differently to particular kinds of personal data or in particular contexts, for example, credit reporting, criminal investigation and banking.[30]

33.18 The OECD Guidelines also recognise that the application of the Guidelines is subject to various constitutional limitations in countries with a federal system and therefore there are no requirements to apply the Guidelines beyond the limits of constitutional competence.[31] The Australian Parliament’s power under the Australian Constitution to enact federal privacy laws is discussed in Chapter 3.

EU Directive

33.19 The Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) issued by the European Parliament contains a number of specific exemptions and exceptions.[32] Exemptions in the EU Directive include the processing of data by: natural persons in the course of a purely personal or household activity;[33] and political parties in compiling data on individuals’ political opinions in the course of electoral activities.[34]

33.20 Examples of exceptions to the privacy principles in the EU Directive include processing of data: necessary for the prevention, investigation, detection and prosecution of criminal offences;[35] concerning public security, defence, state security (including the economic well-being of the state when the processing operation relates to state security matters) and the activities of the state in areas of criminal law;[36] and for journalistic purposes or the purpose of artistic or literary expression if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.[37]

APEC Privacy Framework

33.21 Under the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, exceptions to privacy principles are to be: ‘limited and proportional to meeting the objectives to which the exceptions relate’; made known to the public; or in accordance with law.[38]

33.22 The APEC Privacy Framework defines ‘personal information controller’ to exclude an individual who deals with personal information in connection with his or her personal, family or household affairs.[39] Like the EU Directive, the APEC Privacy Framework is not intended to impede governmental activities authorised by law to protect national security, public safety, national sovereignty and other public policy interests.[40] Unlike the EU Directive, the APEC Privacy Framework does not contain exceptions for journalistic, literary or artistic expression, or an exemption for political parties in respect of their political or electoral activities.

[25] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

[26] Ibid, Guideline 3(b).

[27] Ibid, Guideline 4.

[28] Ibid; European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), Guideline 4; Memorandum, [46].

[29] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Memorandum, [47].

[30] Ibid, Memorandum, [19(g)], [47].

[31] Ibid, Guideline 5; Memorandum, [48].

[32] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[33] Ibid, art 3(2).

[34] Ibid, recital 36.

[35] Ibid, art 13(1)(d).

[36] Ibid, art 3(2).

[37] Ibid, art 9. See also European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), recitals 17, 37.

[38] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [13].

[39] Ibid, [10].

[40] Ibid, [13].