11. UPP 11: Cross-border data flows

INTRODUCTION
11.1 The term “cross-border data flows”, sometimes also expressed as cross-border data transfers or transborder data flows, refers to the movement of personal information across national borders or State borders, as the case may be.
11.2 With the communication revolution and the current trend of outsourcing back office services resulting in the globalisation of modern business more than ever before, personal information is now transferred across State borders, and further afield between nations, with incredible ease. In addition, the current economic climate of globalisation of information and electronic commerce demands such cross-border data flows to ensure economic growth.
11.3 However, the unregulated or under-regulated transfer of personal information can result in widespread intrusion into the privacy of affected individuals, whether they be consumers or citizens, thereby undermining or weakening all other privacy protection. Indeed, the Community Attitudes to Privacy 2007 survey conducted by the Office of the Federal Privacy Commissioner (“OPC”) revealed that “the majority of Australians (90%) are concerned about businesses sending their personal information overseas, with 63% being very concerned”.1 Similar concerns were expressed in the National Privacy Phone-In conducted by the ALRC in June 2006 as well as in submissions to the ALRC.2
11.4 Individuals need to be confident that their personal information is protected by the agency or organisation that has access to, or control of, such information and that they have avenues of redress, if their privacy is breached. While the protection of privacy must not be compromised, there should also be a free flow of information without the creation of unnecessary obstacles and barriers. It is therefore imperative that the regulation of cross-border data flows by various international frameworks and federal and State legislation be appropriate and adequate to ensure a healthy balance is struck between cross-border flow of information and the protection of privacy.
11.5 The aim of this chapter is to ascertain if this balance has been appropriately struck in UPP 11. In making this evaluation, the Commission examines the content and likely impact of UPP 11 against the background of existing approaches adopted in international frameworks and Commonwealth and NSW legislation, to assess the effectiveness of the principle and its suitability for adoption in NSW.
CURRENT APPROACHES TO REGULATION OF CROSS-BORDER DATA FLOWS
11.6 Internationally, cross-border data flow is regulated by various frameworks. Of particular relevance are the European Union Data Protection Directive (“EU Directive”)3 and the Asia-Pacific Economic Cooperation (“APEC”) Privacy Framework. The Asia-Pacific Privacy Charter (“the Charter”), a regional non-government expert group, is also developing independent privacy standards for use in the region.
11.7 The frameworks adopted internationally have resulted in the emergence of two approaches to the regulation of cross-border data transfers. They are:
- the “adequacy” approach taken by the EU Directive; and
- the “accountability” approach taken by APEC.
11.8 These two approaches have been adopted to a greater or lesser extent either in combination or singly by privacy legislation in Australia and overseas.
The adequacy approach
11.9 Article 25(1) of the EU Directive prohibits the transfer of personal data to any country or territory outside the EU (a third country) unless the third country “ensures an adequate level of protection” (emphasis added) for the rights and freedoms of those individuals whose personal data is being transferred, hence referred to as the adequacy approach.
11.10 Where there is inadequate protection, the transfer of personal data can still be legitimised if, as provided in Article 26:
- there is unambiguous consent from the data subject;
- the transfer is necessary for the performance, implementation or conclusion of certain contractual transactions;
- the transfer is in the public interest or the vital interests of the data subject; or
- the transfer is made from a public register.
11.11 The most notable characteristic of this approach is that it establishes comprehensive privacy regulation that covers both the public and private sectors. The general approach is to allow the transfer of data to countries only if they provide adequate protection4 or if the transfer falls within an exceptional circumstance.
11.12 Article 25(2) sets out the criteria against which adequate protection is assessed as follows:
The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
11.13 The Data Protection Working Party of the European Commission, comprising representatives of supervisory authorities in EU member states, a representative of the authority or authorities established for the Community institutions and bodies and a representative of the European Commission, makes the decision about the adequacy of the protection afforded by a third country.5 However, there appears to be some uncertainty as to who exactly should make the assessment decision: “the data controller, the supervisory authority or some other body established by Member State procedure”.6
11.14 The European Commission is also of the view that there are wide divergences in implementation.7 The strong emphasis in the EU Directive on registration requirements such as notification8 and publication9 has been considered to be “burdensome and expensive”10 and not required for the EU test of adequacy.
11.15 Most importantly, the EU Directive does not cover law enforcement and security activities in an integrated way, resulting in a trend towards far-reaching exemptions for law enforcement purposes without detailed justification.11 It has been suggested that providing the consumer with a number of accountability bodies to which they can complain makes it hard for the consumer and the regulator.12
The accountability approach
11.16 The APEC Privacy Framework was published in 2004 and is “principles based” with nine privacy principles largely based on the 1980 Organisation for Economic Co-operation and Development (“OECD”) Guidelines on the Protection of Privacy and the Transborder Flow of Personal Data. One of the APEC principles applies specifically to the issue of accountability in the transfer of information whether domestically or internationally and provides as follows:
A personal information controller should be accountable for complying with measures that give effect to the principles stated above. When personal information is to be transferred to another person or organisation, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organisation will protect the information consistently with these principles.
11.17 As an alternative to the EU Directive, the accountability approach involves greater reliance on self-regulation, self-certification, trust marks and the registration of corporate rules. Rather than focussing on border controls as does the adequacy approach, the accountability approach emphasises that “accountability should follow the data”.13 It has been argued that, properly applied, the accountability approach can address “country risk” very simply because the original collector of the information will be accountable for the transfer of the personal information, which will in turn offer a better chance of enforcement.14
11.18 On the other hand, it has been argued that the accountability approach is too “light touch” with a bias towards the free flow of information, rather than limiting the export of information to stringently crafted exceptional circumstances.15 Noticeably, there is no explicit limitation of data flows to countries that do not have similar privacy laws or protections.16
The Australian approach
Federal approach
11.19 Federally, cross-border data flow is regulated by privacy principles in the Privacy Act 1988 (Cth), which applies to acts done, or practices engaged in, outside Australia by an organisation, if the acts or practices relate to personal information about an Australian citizen or permanent resident, and provided the organisation either:
(a) is linked to Australia by being a citizen or a permanent resident, or an unincorporated association, trust, partnership or body corporate formed in Australia; or
(b) carried on a business in Australia and held or collected information in Australia either before or at the time of the act done or practice engaged in.17
11.20 Section 5B further provides for extra-territorial operation by empowering the Privacy Commissioner to take action overseas to investigate and deal with complaints about overseas acts and practices. Notably though, it applies only to organisations and not to agencies. Section 13D provides that where an act or practice is required by the law of a foreign country, it will not be overridden by the Privacy Act.
11.21 The circumstances in which an organisation may transfer personal information are dealt with in NPP 9, set out below, which is largely modelled on the adequacy approach as spelled out in Articles 25 and 26 of the EU Directive. NPP 9 prohibits the transfer of personal information unless one of the conditions in (a)–(f) is satisfied.
NPP 9: Transborder data flows
An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
NSW approach
11.22 In NSW, s 19(2) of PPIPA prohibits disclosure of information outside NSW or to a Commonwealth agency unless:
(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction or applies to that Commonwealth agency; or
(b) the disclosure is permitted under a privacy code of practice.
11.23 Section 19(4) indicates that the “Privacy Commissioner is to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales and to Commonwealth agencies” and s 19(5) states that 19(2) does not apply unless a code referred to in 19(4) is made. Given that no privacy codes of practice have, to date, been made, there are, in effect, currently no limitations on the disclosure of personal information outside NSW.18
11.24 However, HRIPA regulates disclosure of health information to Commonwealth agencies by virtue of HPP 14, subject to eight conditions.
HPP 14: Transborder data flows and data flow to Commonwealth agencies
An organisation must not transfer health information about an individual to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles, or
(b) the individual consents to the transfer, or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request, or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party, or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that transfer,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the transfer is reasonably believed by the organisation to be necessary to lessen or prevent:
(i) a serious and imminent threat to the life, health or safety of the individual or another person, or
(ii) a serious threat to public health or public safety, or
(g) the organisation has taken reasonable steps to ensure that the information that it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles, or
(h) the transfer is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
ALRC REPORT 108
11.25 The issue of cross-border data flows was dealt with at length by the ALRC in DP 72 as well as in Report 108 with a view to improving the regulation of cross-border data flows currently contained in NPP 9. The result was the formulation of UPP 11, set out below, which adopts the new accountability approach while incorporating aspects of the existing adequacy approach.
UPP 11: Cross-border Data Flows
11.1 If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia and an external territory, the agency or organisation remains accountable for that personal information, unless the:
(a) agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to these principles;
(b) individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or
(c) agency or organisation is required or authorised by or under law to transfer the personal information.
Note: Agencies and organisations are also subject to the requirements of the ‘Use and Disclosure’ principle when transferring personal information about an individual to a recipient who is outside Australia.
CONTENT AND DISTINGUISHING FEATURES OF UPP 11
11.26 The following section addresses the content of UPP 11 and its approach to regulating cross-border data flows, while distinguishing it from NPP 9 and HPP 14. It evaluates the rationale for change and assesses UPP 11’s overall potential for effectiveness. It also makes recommendations for change, where appropriate.
Coverage
11.27 As stated above, the Privacy Act applies to acts done, or practices engaged in, outside Australia by an organisation, but does not extend to agencies.19 The ALRC proposed in DP 72 and Report 108 that the Privacy Act be amended to clarify that agencies that operate outside Australia should be subject to the Privacy Act.20 This represents a departure from HPP 14 which only applies to organisations, and s 19(2) of PPIPA which only applies to agencies and is currently inoperative.21
11.28 This lack of regulation of cross-border flows by agencies was discussed at length in the ALRC’s DP 72 and Report 108. There appears to be no rational justification for this exclusion, and the majority of submissions supported extending coverage to agencies. Accordingly, UPP 11 applies to agencies and organisations. This is a significant improvement on the current provisions. The Commission supports it.
Terminology
11.29 Whereas NPP 9 referred to the transfer of personal information to “someone … who is in a foreign country”, UPP 11 refers to a “recipient … who is outside Australia and an external territory”. The ALRC’s rationale for this change in terminology is that it clarifies that “the principle applies to the overseas transfer of personal information to agencies, organisations and individuals” and that it suggests “a broader reading of what an overseas jurisdiction may be” consistent with the language used in other cross-border regulatory principles. This is also why the principle is now referred to as “Cross-border data flows” rather than “Transborder data flows”.22
“Transfer”
11.30 The ALRC Report considered whether the term “transfer” ought to be defined to distinguish it from “use” and “disclosure”, and generally to clarify what a “transfer” of personal information would include. Of particular concern was whether the focus ought to be on the opportunity to access the information or actual access.
11.31 The OPC submitted that the term “transfer” should be defined but “should not exclude information transferred overseas accidentally because the sending entity has not taken reasonable steps to protect the personal information”.23 Microsoft, on the other hand, submitted that emerging technologies make it hard to formulate a definition.24 Overall, there was a lack of consensus on the ambit of a definition.25
11.32 The ALRC’s view was that the ambit of “transfer” was unclear and, therefore, the principle really turned on whether the personal information was accessed or not. If accessed it would be subject to the principle.26 Ultimately however, the ALRC preferred to rely on OPC guidance rather than on legislative definition to accommodate the potentially frequent changes and consequent amendments that would be required as a result of the rapid advances in technology.27
11.33 Another relevant issue in the context of transfers is whether the cross-border principles should apply equally to transfers by an organisation to another part of the same organisation overseas and another related company. Currently, transfers to another part of the same organisation are not prevented by NPP 9 but transfers to a related company must comply with NPP 9. However, s 13B(1) of the Privacy Act states that “the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate” is not an interference with privacy. While there may be justification for related bodies corporate to transfer information between each other, there is an apparent discrepancy between s 13B and NPP 9. Despite a few submissions that argued to the contrary,28 the ALRC recommended that s 13B be amended to make it consistent with the approach adopted in NPP 9 and followed in UPP 11: that if an organisation transfers personal information to a related body corporate outside Australia or an external territory, the transfer will be subject to the Cross-border Data Flows principle.29
Approach
11.34 The most notable difference between NPP 9 and UPP 11 is the shift in approach from a focus on adequacy to one of accountability. Rather than prevent the transfer of information unless particular conditions are met, as is the case with NPP 9, in UPP 11 the default is based on the accountability concept, whereby transfers are allowed if there is accountability. The adequacy (of laws, contracts and binding schemes) concept is presented as an exception to the accountability approach.
11.35 In DP 72, the ALRC linked the accountability approach to a number of conditions that are found in NPP 9, particularly clauses (c) to (f), with some modifications.30 Many stakeholders31 submitted that this would be a positive step towards ensuring that agencies and organisations are responsible about how they transfer personal information, enabling the consumers to identify the agency or organisation when breaches occur.32
11.36 However, this approach also met with significant opposition on the basis that the protection afforded by NPP 9 was sufficient and because of operational concerns.33 Some submissions objected to the conditions of transfer and were of the view that “the APEC notion of accountability alone is sufficient to regulate transborder data flows”.34 Others objected to the limited scope for a transferor to provide a defence to liability35 and argued that it should be “sufficient that an organisation has taken reasonable steps to ensure that the information will not be dealt with by the recipient of the information inconsistently with the proposed UPPs”.36
11.37 Having considered the submissions, the ALRC decided to strip away the conditions proposed in the DP and to introduce a general accountability principle in UPP 11 as a default position. Thus, UPP 11 does not prevent information from being transferred, but requires that agencies and organisations remain accountable. They will be responsible under the Privacy Act for the acts and practices of a recipient of personal information that is the subject of a cross-border transfer, and will be subject to the complaints and investigation mechanisms of Part V of the Privacy Act.
11.38 The Commission considers the shift from the adequacy approach to the accountability approach a significant and workable development. However, its true effectiveness will depend on:
- the definition of “accountability”;
- the scope of application; and
- the adequacy of remedial action.
DEFINING ACCOUNTABILITY
11.39 In Report 108, the ALRC discussed how the accountability approach should operate as a default position in relation to cross-border transfers. It explained that the benefit of the approach is that while it does not prevent information from being transferred, it will require agencies and organisations to remain accountable for the information when transferred (except in the exceptional circumstances listed).37
11.40 The ALRC also explained what accountability means in this context:
The general principle of accountability should mean that an agency or organisation will be responsible under the Privacy Act for the acts and practices of a recipient of personal information the subject of a cross-border transfer. That is, where an agency or organisation transfers information to a recipient outside Australia, if the acts or practices of that recipient in respect of the personal information would have amounted to an interference with the privacy of an individual if done in Australia, they should constitute an interference with the privacy of the individual for the purposes of the Privacy Act. Further, the acts or practices of the recipient should be taken to be acts or practices of the relevant agency or organisation for the purposes of the Privacy Act.38
11.41 However, UPP 11 itself provides no definition of “accountability”. Commenting on UPP 11, the Cyberspace Law and Policy Centre was of the view that “a definition of ‘accountability’ must be added – accountability is meaningless in the current proposals”.39 The Cyberspace Law and Policy Centre also suggested that:
The evidentiary burden should shift to the party that exports the personal information to a country that has no data protection laws equivalent to Australian laws. It should be up to them to prove, on the balance of probabilities, that any damage suffered by the person which might reasonably be assumed to be as a result of the breach of the UPPs by some overseas party has in fact arisen from some other cause.40
11.42 This is consistent with the ALRC’s view on what accountability should mean.
11.43 The Commission agrees that, given the change of approach, a definition of “accountability” should be included. Identifying in clear terms what exactly is meant by “accountability” would also help to establish proof of whether UPP 11 has been breached. While the Commission supports the inclusion of a definition of “accountability” in the privacy principles, we do not believe that it is appropriate to articulate the incidence of the burden of proof in high level principles of this nature.
RECOMMENDATION 13
An agency or organisation being “accountable” for personal information should be defined in UPP 11 to mean:
(a) being responsible for the acts and practices of a recipient of personal information, the subject of a cross-border transfer; and
(b) being liable for a breach of UPP 11 if the acts and practices of the recipient would have amounted to an interference with the privacy of an individual, if done in Australia.
THE SCOPE OF APPLICATION OF UPP 11
11.44 UPP 11.1 does not apply to all transfers of personal information as it is subject to three exceptions. The exceptions are listed in UPP 11.1(a) to (c). They can be paraphrased as follows:
(a) the “reasonable belief” exception;
(b) the “consent” exception; and
(c) the “required or authorised by or under law” exception.
11.45 In contrast, NPP 9 is subject to six exceptions and HPP 14 is subject to eight. Though fewer in number, the question for consideration is whether the exceptions are still so wide that they render UPP 11 ineffective, or less effective than it should be.
Reasonable belief
11.46 UPP 11.1(a) provides for accountability of cross-border data flows unless the:
agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to these principles;
11.47 What precisely constitutes a “reasonable belief” or what constitutes a “substantially similar” set of principles is not explicit.
11.48 Commenting on the term “reasonable belief” in submissions to DP 72, many stakeholders observed that the test “is ambiguous”,41 and that “believing is not quite the same thing as knowing”,42 and expressed concern “about the practicality and reasonableness”43 of the terms. It is possible that even a reasonable belief in error may invoke the exception, making it a very weak test. It has been suggested that such a test is “doomed to become a wide loop hole for transfers that weaken privacy, either through error or deliberate action”.44
11.49 Similarly, the term “substantially similar to these principles” is undefined and no guidance has been offered on how such laws are to be identified. There may be instances where legislation in another jurisdiction is not “substantially similar” but provides adequate protection by taking an alternate approach and may even be more favourable.45
11.50 It has also been observed that protection is restricted to being “substantially similar to ‘these principles’ [UPPs]”, being “a fraction of the potential breaches of privacy contained in the broader Privacy Act”.46 This would exclude protections offered by the rest of the Privacy Act, such as data breach rules, as well as health and credit reporting regulations and other similar protections contained in the Act. As an example, it has been suggested that consumers are likely to be seriously concerned about a data breach, whether the breach occurs at a local data centre or an offshore data centre.47 It would be preferable to cover all protection offered by the Privacy Act and regulations. This would apply to laws, binding schemes and contracts.
11.51 Despite objections in the submissions, and although the ALRC acknowledged the concerns raised, the ALRC did not recommend any changes to the reasonable belief test nor the test that protections must be substantially similar. Instead, it recommended that “the Australian Government should develop and publish a list of laws and binding schemes in force that effectively uphold principles for the fair handling of personal information that are substantially similar to the UPPs”48 and that the OPC’s guidance on the Cross-border Data Flows principle should include guidance on what constitutes a reasonable belief.49
11.52 The Commission agrees with the view expressed by Chris Connolly that if a list of countries that provide privacy protection substantially similar to the UPPs is published, then there would be no further need for the weaker reasonable belief test. On the other hand, if a country is not on the published list, the reasonable belief test can still be met, which creates a dangerous situation50 because there will be no accountability and no protection in those circumstances. Either way, the reasonable belief test appears unnecessary and problematic, whether applied to laws, contracts or binding schemes.
Laws
11.53 The fact that a country has privacy laws does not necessarily mean that those privacy laws provide actual protection. For instance, Japan’s Act on the Protection of Personal Information 2003 does not provide exhaustive coverage because many notable exceptions are not contained in the Act, but in other documentation such as Cabinet orders.51 There are many other examples of countries that do have privacy legislation, but which do not necessarily provide the requisite level of protection.52 A mistaken “reasonable belief” can therefore quite easily be maintained, even justified, at great risk to the person whose personal information has been transferred.
11.54 The ambiguities created by the presence of privacy legislation and the absence of evidence-based, objective knowledge (rather than a belief) of the requisite level of protection suggest that it would be preferable to substitute the “reasonable belief” test with a test that requires actual protection. Such a test could be implemented by reference to an official list of jurisdictions that have adequate and effective privacy protections. Most submissions to the ALRC supported the development of such a list.53 Its formulation would, no doubt, be a difficult and resource-intensive process. Moreover, the list would need to be updated and maintained on an ongoing basis. Its existence would, however, provide certainty about whether a particular country does, or does not, provide effective privacy protection, a judgment that would normally be almost impossible for an agency or organisation to make with any degree of confidence. The Commission agrees with the ALRC that the compilation of the list should be the responsibility of the Australian Government, and may be a suitable task for the Department of Prime Minister and Cabinet, in consultation with such agencies as the Department of Foreign Affairs and Trade and the OPC.54 In our view, any such list in NSW legislation should replicate the list developed by the Australian Government and should be contained in the regulations to the Act.
11.55 Attempting to minimise the effect of the “reasonable belief” test in the light of the concerns raised by stakeholders, the ALRC was of the view that “the ‘required or authorised by or under law’ exception, … will allow agencies and organisations to transfer personal information where required or authorised by or under law to do so, thereby removing the need for them to rely on [UPP 11.1(a)] in many instances”. In the Commission’s view, this is all the more reason why the “reasonable belief” test is not justified and should be removed.55
RECOMMENDATION 14
If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient who is outside of Australia and an external territory, the agency or organisation should remain accountable for that personal information unless the recipient of the information is subject to a law that effectively upholds privacy protections that are substantially similar to, or more favourable than, the protections afforded by privacy legislation in Australia and that applies in a “listed jurisdiction”. A “listed jurisdiction” is one that is specifically identified in a legislative instrument for the purposes of UPP 11.
Binding schemes
11.56 In addition to laws and contracts, UPP 11.1(a) also makes reference to a “binding scheme … which effectively upholds privacy protections that are substantially similar to these principles [UPPs]”. NPP 9 also makes reference to “binding schemes”. Such schemes could include, for example, inter-governmental agreements or effective self-regulatory schemes. As is the case with “laws”, the Commission is of the view that such schemes should be identified in an official list.
RECOMMENDATION 15
In UPP 11 binding schemes should be dealt with in the same way as laws.
Contracts
11.57 Contracts are commonly used, and used effectively, to protect privacy in cross-border data transfers.56 In the Commission’s view, an agency or organisation in Australia should remain accountable for the transfer of personal information to a recipient outside Australia unless the contract in question contains terms that are substantially similar to, or more favourable than, the protections afforded by Australian privacy legislation. As in the case of laws,57 it ought not to suffice, in order to avoid such accountability, that the agency or organisation “reasonably believes” that the contract in issue provides such privacy protection.
11.58 To assist parties in determining whether or not contractual terms reach the requisite standard of privacy protection, the ALRC has recommended that the federal Privacy Commissioner should develop and provide guidance on the ‘Cross-border Data Flows’ principle (UPP 11) that, among other matters, focuses on “the issues that should be addressed as part of a contractual agreement with an overseas recipient of personal information”.58 The Office of the Victorian Privacy Commissioner has already published Model Terms for Cross-border Data Flows of Personal Information that includes model clauses, with commentary, for the transfer of personal information outside Victoria.59 In the Commission’s view, these guidelines provide the basis for the development, on a national basis, of model contractual terms dealing with the transfer of personal information to recipients outside Australia.
RECOMMENDATION 16
The “reasonable belief” test in relation to contracts should be replaced with a test that requires the contract to contain mandatory terms which incorporate privacy protections that are substantially similar to, or more favourable than, the protections afforded by privacy legislation in Australia.
Consent
11.59 The consent exception in NPP 9 merely requires that the individual consents to the transfer of information, as is the case under HPP 14. NPP 9 also permits the transfer of information where it is for the benefit of the individual and it is impracticable to gain the consent of the individual, but where the individual would consent if it were practicable.
11.60 The consent exception under UPP 11.1(b) is more restrictive in that it requires that the individual must be expressly advised of the consequences of providing consent:
[the] individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred.
11.61 In the Commission’s view, this narrowing of the consent exception effectively avoids the problem of consent being given in circumstances where the individual is unaware of the consequence that the agency or organisation will no longer be accountable.
11.62 However, the general problems associated with consent as it relates to other UPPs, as discussed in the ALRC Report,60 are imported here. Of particular relevance is the issue of whether the individual has provided “informed consent”, that is, whether the individual has been sufficiently informed of the uses to which the information will be put if consent is given. In the Commission’s view, if an individual is to provide consent that would prevent the accountability principle from operating, it should be necessary that the individual be informed of all the intended uses, the destination/s to which the information will be transferred and the protections available in the destination jurisdiction/s. No doubt detailed information about the uses will not always be available, but full disclosure must be made of what is known. The requirements under the openness principle extend to notifying an individual if his or her personal information may be transferred outside Australia.61
11.63 A number of submissions also suggested that consent ought to be express, not implied or “bundled”. Consent is “bundled” when consent for one use, obtained without the consumer’s knowledge or approval (such as the transfer of information to a foreign jurisdiction), is packaged together with consent for other uses of the information given with the consumer’s knowledge (such as the processing of an application). The Commission agrees with the view that such bundled consent would make it difficult “for a consumer to approve local use and oppose foreign use”.62
11.64 In the Commission’s view, in addition to the current restrictions in UPP 11.1(b), the consent exception should require that an individual be advised of the uses to which the information will be put and destination jurisdictions to which the information will be transferred, before providing express consent to the specific possibility of cross-border data flows.
RECOMMENDATION 17
UPP 11.1(b) should be amended to read as follows:
(b) the individual expressly consents to the transfer, after being expressly notified of the following:
(i) the destination jurisdiction/s of the transfer and the likelihood of further transfers;
(ii) the intended recipient/s;
(iii) the intended uses (if known); and
(iv) the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred.
“Required or authorised by or under law”
11.65 UPP 11(c) permits information to be transferred, without the accountability principle applying, if the “agency or organisation is required or authorised by or under law to transfer the personal information”. HPP 14(h) provides a similar exception when “the transfer is permitted or required by an Act (including an Act of the Commonwealth) or any other law”. There is no specific reference to such an exception in NPP 9.
11.66 In DP 72, the ALRC proposed that if the ‘Cross-border Data Flows’ principle was extended to apply to agencies, then it should be subject to a law enforcement exception similar to the law enforcement exception proposed for the use and disclosure principle.
11.67 While some submissions to DP 72 supported the law enforcement exception,63 there were others that argued it was too broad64 or needed further elements added to it.65 Still others argued for a “required or authorised by law” exception instead of a law enforcement exception66 for various reasons including that it may have unintended consequences.67 The Commission agrees with the view expressed by still other stakeholders that mirroring the use and disclosure exception is unnecessary since the exceptions to the ‘Cross-border Data Flows’ principle are “an additional hurdle that must be crossed where an overseas transfer is involved”.68
11.68 While there is no difficulty with this exception where an agency or organisation is “required by or under law” to transfer such information, there has been concern over the “authorised by or under law” limb of this exception.69 The concern is that it may widen the ambit of the exception unnecessarily.
11.69 The distinction between being “required by law” and being “authorised by law”70 is that in the former case the law in question “demands” or “necessitates” that something be done,71 whereas in the latter, the law in question permits it to be done but the person concerned has a discretion whether or not to do it. The Commission sees no reason why the exception should not apply to the latter situation. “Authorised” does not mean, of course, that something can be done simply because there is no law prohibiting it.72
ADEQUACY OF REMEDIAL ACTION
11.70 One of the main advantages of the accountability approach, and indeed one of the reasons it was canvassed in DP 72, is that it places liability on the agency or organisation transferring the personal information. This “ensures that an individual has the ability to seek redress from someone in Australia if the recipient breaches the individual’s privacy”, making it possible for the individual to approach the local regulator, “rather than have to seek protection under a foreign law, which may not provide the same level of protection as a local law”.73
11.71 Although the accountability approach allows consumers to identify the regulator more easily, the damage that occurs in a foreign country is still difficult to rectify. In privacy law, remedial action, such as the removal, correction or destruction of information is crucial, and often more important than providing compensation.74 However, as the ALRC has observed, “the ability to investigate breaches of local privacy laws in foreign countries poses particular challenges for privacy regulators”.75
11.72 A solution to this problem is to improve and enhance Australia’s involvement in co-operative arrangements with regulators in other jurisdictions. The ALRC referred to various ongoing arrangements such as the OPC’s membership of the Asia Pacific Privacy Authorities Forum, the APEC Privacy Framework and the agreement with the New Zealand Privacy Commissioner by virtue of a Memorandum of Understanding that includes sharing of information and co-operative complaint handling as well as possibly undertaking joint investigations.76 The Commission agrees with the ALRC that seeking further opportunities for such co-operation with foreign privacy regulators would help to achieve more effective implementation of UPP 11.
INTERACTION WITH OTHER UPPs
11.73 UPP 11 is fundamentally about disclosure of personal information to other countries. Thus, as a first step, an agency or organisation that transfers information overseas must also comply with the other UPPs. In effect, UPP 11 should be consistent with, and its operation should satisfy the requirements of, all other UPPs.
11.74 Thus, it is appropriate that UPP 4 includes cross-border transfers in the list of matters that must be included in a Privacy Policy. When an organisation or agency wants to transfer information overseas, it must first determine whether it complies with UPP 5, the use and disclosure principle. UPP 7, which deals with data quality, and UPP 8, which deals with data security, are also particularly relevant to the offshore transfer of data.
11.75 In practice, therefore, the UPPs apply to all personal information at all times. Just as every disclosure of personal information is governed in the first instance by the “Use and Disclosure” principle, since the ‘Cross-border’ principle applies only to the cross-border transfer of that information, so too a cross-border transfer must be considered in the light of all other UPPs.
11.76 Given the general interaction of the principles with each other, the Note to UPP 11 cross-referencing UPP 11 and the use and disclosure principle (UPP 5) to each other would seem to be unnecessary and could potentially be open to the misinterpretation that the only interaction required is between those two principles. On the contrary, all of the principles should be considered and should apply to all personal information.
11.77 The Commission is therefore of the view that Note 3 to UPP 5 and the Note to UPP 11 should be removed and replaced with a Note stating that agencies and organisations are subject to the requirements of all other UPPs when transferring personal information about an individual to a recipient who is outside Australia.
RECOMMENDATION 18
Note 3 to UPP 5 should be deleted and the Note to UPP 11 should be replaced with a note stating that agencies and organisations are subject to the requirements of all other principles when transferring personal information about an individual to a recipient who is outside Australia.
THE COMMISSION’S OVERALL VIEWS
11.78 On the one hand, the shift to adopting the accountability approach and limiting the exceptions to three circumstances would seem to provide greater protection to cross-border transfers. However, the above discussion raises some significant issues that limit the scope of the current UPP 11.1 and weaken its efficacy. Indeed, one view is that “UPP 11 fails to provide even a basic level of privacy protection, and undermines all of the other UPPs as a result”.77
11.79 The Commission’s recommended modification to UPP 11 addresses the problems it has identified and the concerns raised by limiting the scope of the exceptions and clarifying the meaning of accountability. The Commission is of the view that UPP 11, as redrafted below, has the potential to provide adequate protection to individuals whose personal information is subject to the cross-border data flows principle.
11.80 In keeping with the Commission’s evaluation of the UPPs as drafted by the ALRC, the form of UPP 11 set out below is a revised model UPP. Obviously, at the time when a State or Territory adopts the UPPs into its own legislation, the UPPs will be adapted to make sense in that State or Territory context, while preserving uniformity. For example, when UPP 11 is adopted in NSW legislation the principle will deal with the transfer of information outside NSW and will reference NSW legislative instruments.
RE-DRAFTED UPP 11
11. If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia and an external territory, the agency or organisation remains accountable for that personal information, unless:
(a) the recipient of the information is subject to:
(i) a law or binding scheme that effectively upholds privacy protections that are substantially similar to, or more favourable than, the protections afforded by privacy legislation in Australia, and that applies in a listed jurisdiction; or
(ii) a contract containing mandatory contract terms which incorporate privacy protections that are substantially similar to, or more favourable than, the protections afforded by privacy legislation in Australia; or
(b) the individual expressly consents to the transfer, after being expressly notified of the following:
(i) the destination jurisdiction/s of the transfer and the likelihood of further transfers;
(ii) the intended recipient/s;
(iii) the intended uses (if known); and
(iv) the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or
(c) the agency or organisation is required by or under law to transfer the personal information.
An agency or organisation being “accountable” for personal information means:
(a) being responsible for the acts and practices of a recipient of personal information, the subject of a cross-border transfer; and
(b) being liable for a breach of UPP 11 if the acts and practices of the recipient would have amounted to an interference with the privacy of an individual, if done in Australia.
A “listed jurisdiction” is one that is specifically identified in a legislative instrument for the purposes of UPP 11.
Note: Agencies and organisations are also subject to the requirements of all other principles when transferring personal information about an individual to a recipient who is outside Australia.
FOOTNOTES
1. Wallis Consulting Group, Community Attitudes Towards Privacy 2007 (2007), 36, Office of the Privacy Commissioner website «www.privacy.gov.au/materials/types/download/8820/6616» at 10 August 2009.
2. National Privacy Phone-In June 2006. See also Unisys, Submission PR 569, 12 February 2008; B Laing, Submission PR 339, 12 November 2007, cited in Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) vol 2 [31.4]-[31.5].
3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23/11/95, 31-50.
4. Countries that have been assessed as ‘adequate’ for this purpose are: Canada, Switzerland, Argentina, Guernsey and the Isle of Man. The US Department of Commerce’s Safe Harbour Privacy Principles and the ‘transfer of Air Passenger Name Records to the United States Bureau of Customs and Border Protection’ have also been given adequacy status: ALRC Report 108 vol 2 [31.17]. Australian privacy law has not yet gained formal recognition by the EU as being adequate: ALRC Report 108 vol 2 [31.21]-[31.28].
5. EU Directive, Article 29 and ALRC Report 108 vol 2 [31.17].
6. European Commission, Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12), Adopted by the Working Party 24 July 1998, 26.
7. Commission of the European Communities, Report from the Commission: First Report on the implementation of the data protection Directive (2003) 95/46/EC, 19.
8. EU Directive, Articles 18 and 19.
9. EU Directive, Article 21.
10. G Sutton, Z Xinbao and T Hart, Personal Data Protection in Europe and China: What lessons to be learned? EU-China Information Society Project, November 2007, China Information Society News «http://www.information-society.de/files/DP_EU-China2007.pdf» at 14 September 2009.
11. C Connolly, Asia-Pacific Region at the Privacy Crossroads (2008), 3. The EU approach, Galexia Pty Ltd «http://www.galexia.com/public/research/articles/research_articles-pa06.html» at 10 August 2009.
12. Meeting Privacy Challenges: ALRC and NSWLRC Privacy Reviews Seminar, Panel Session 4, Faculty of Law, UNSW, Sydney, 2 October 2008.
13. ALRC Report 108 vol 2 [31.49].
14. Meeting Privacy Challenges: ALRC and NSWLRC Privacy Reviews Seminar, Panel Session 4, Faculty of Law, UNSW, Sydney, 2 October 2008.
15. See G Greenleaf, “APEC’s Privacy Framework: A New Low Standard” (2005) 11 Privacy Law & Policy Reporter 121, 122.
16. The lack of this principle in the APEC Privacy framework distinguishes it from the Asia-Pacific Privacy Charter which otherwise shares many similarities with the APEC Framework.
17. Privacy Act 1988 (Cth) section 5B, as paraphrased by the ALRC at ALRC Report 108 vol 2 [31.71].
18. This was the Commission’s view in CP 3 [6.61]-[6.62] consistent with the advice of the Crown Solicitor and the Privacy Commissioner. This view has been further confirmed in GQ v NSW Department of Education and Training (No 2) [2008] NSWADT 319.
19. Privacy Act 1988 (Cth) s 5B.
20. ALRC Report 108 vol 2 [31.79].
21. See para 11.22-11.24.
22. ALRC Report 108 vol 2 [31.175].
23. Office of the Privacy Commissioner, Submission PR 499, 20 December 2007, quoted at ALRC Report 108 vol 2 [31.186].
24. Microsoft Asia Pacific, Submission PR 463, 12 December 2007, quoted in ALRC Report 108 vol 2 [31.187].
25. ALRC Report 108 vol 2 [31.182]-[31.191].
26. ALRC Report 108 vol 2 [31.192].
27. ALRC Report 108 vol 2 [31.194].
28. Microsoft Asia Pacific, Submission PR 463, 12 December 2007; GE Money Australia, Submission PR 537, 21 December 2007, referred to in ALRC Report 108 vol 2 [31.201]-[31.202].
29. ALRC Report 108 vol 2 Recommendation 31.5.
30. ALRC DP 72 Proposal 28-4.
31. ALRC Report 108 vol 2 [31.107]-[31.108].
32. See C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 43.
33. ALRC Report 108 vol 2 [31.109]-[31.118].
34. Microsoft Asia Pacific, Submission PR 463, 12 December 2007, quoted in ALRC Report 108 vol 2 [31.114].
35. Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008, cited in ALRC Report 108 vol 2 [31.111].
36. GE Money Australia Submission PR 537, 21 December 2007, quoted in ALRC Report 108 vol 2 [31.112].
37. ALRC Report 108 [31.119]-[31.126].
38. ALRC Report 108 vol 2 [31.123].
39. Cyberspace Law and Policy Centre, Best Practice Privacy Principles: suggested improvements to the ALRC’s model unified privacy principles (UPPs), Submission to the Australian Government (2008), 38.
40. Cyberspace Law and Policy Centre, Best Practice Privacy Principles: suggested improvements to the ALRC’s model unified privacy principles (UPPs), Submission to the Australian Government (2008), 38.
41. Public Interest Advocacy Centre, Submission PR 548, 26 December 2007, cited in ALRC Report 108 vol 2 [31.131].
42. Confidential, Submission PR 535, 21 December 2007, quoted in ALRC Report 108 vol 2 [31.132].
43. Australian Communication and Media Authority, Submission PR 522, 21 December 2007, cited in ALRC Report 108 vol 2 [31.134].
44. C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 44.
45. Cyberspace Law and Policy Centre, Best Practice Privacy Principles: suggested improvements to the ALRC’s model unified privacy principles (UPPs), Submission to the Australian Government (2008), 36.
46. C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 44.
47. C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 44.
48. ALRC Report 108 Recommendation 31-6.
49. ALRC Report 108 Recommendation 31-7.
50. C Connolly, “Commentary on the ALRC Recommendations for Cross Border Transfers” (2008), 2, paper presented at Meeting Privacy Challenges: ALRC and NSWLRC Privacy Reviews Seminar, Faculty of Law, UNSW, Sydney, 2 October 2008, «http://www.cyberlawcentre.org/ipp/events/symposium08/materials/4_Connolly_Paper2.pdf» at 14 September 2009.
51. Cabinet Order for the enforcement of the Act on the Protection of Personal Information, 10 December 2003: referred to in C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 43.
52. For example, Korea and Taiwan have privacy legislation that does not apply to certain industries and categories of data. Similarly, Hong Kong and New Zealand have weak or non-existent protection for onward transfer of data: referred to in C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 43.
53. ALRC Report 108 vol 2 [31.210]-[31.215].
54. ALRC Report 108 vol 2 [31.217].
55. ALRC Report 108 vol 2 [31.140].
56. ALRC Report 108 vol 2 [31.224]-[31.225].
57. See para 11.53-11.55.
58. ALRC Report 108 vol 2 [31.230], Recommendation 31-7(c).
59. Office of the Victorian Privacy Commissioner, Model Terms for Cross-Border Data Flows of Personal Information, June 2006, Privacy Victoria «www.privacy.vic.gov.au» (publications – guidelines) at 28 June 2009.
60. ALRC Report 108 vol 1 Chapter 18.
61. See para 4.24.
62. C Connolly, “Commentary on the ALRC Recommendations for Cross Border Transfers” (2008), 4, paper presented at Meeting Privacy Challenges: ALRC and NSWLRC Privacy Reviews Seminar, Faculty of Law, UNSW, Sydney, 2 October 2008, «http://www.cyberlawcentre.org/ipp/events/symposium08/materials/4_Connolly_Paper2.pdf» at 14 September 2009.
63. Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007 offered qualified support; Office of the Victorian Privacy Commissioner, Submission PR 567, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007, cited in ALRC Report 108 vol 2 [31.163].
64. Civil Liberties Australia, Submission PR 469, 14 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007, cited in ALRC Report 108 vol 2 [31.164].
65. ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Australian Government Attorney General’s Department, Submission PR 546, 24 December 2007, cited in ALRC Report 108 vol 2 [31.163].
66. Australian Federal Police, Submission PR 545, 24 December 2007 called for an exception that allowed it to perform all its functions under the Australian Federal Police Act 1979; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Centrelink, Submission PR 555, 21 December 2007, cited in ALRC Report 108 vol 2 [31.160].
67. Australian Communications and Media Authority, Submission PR 522, 21 December 2007, cited in ALRC Report 108 vol 2 [31.160].
68. Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007, cited in ALRC Report 108 vol 2 [31.167].
69. C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 45.
70. See NSW Law Reform Commission, Invasion of Privacy, Report 120 (2009) para 6.4.
71. See, eg, Rahman v Ashpole [2007] FCA 1067.
72. See, eg, Caratti v Commissioner of Taxation (1999) 99 ATC 5044, [27] (French J).
73. ALRC DP 72 vol 2 [28.68].
74. C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 43.
75. ALRC Report 108 vol 2 [31.219].
76. ALRC Report 108 vol 2 [31.219]-[31.222].
77. C Connolly, “Weak protection for offshore data – the ALRC recommendations for Cross-border Transfers” (2008) 5 (3-4) Privacy Law Bulletin 42, 45.