Allens Arthur Robinson


International data flow

The privacy regime aims to reduce barriers to international trade that may arise in the absence of compliance with international standards.

Introduction

Many overseas companies are bound by strict privacy rules in their own countries. They must ensure these rules will also be followed by other companies they deal with. So they may be reluctant to send information to - and deal with companies from - a country without equivalent protection. This is particularly important given globalisation and the proliferation of new technologies, such as the Internet, that have made it easy to transfer personal information about an individual around the world. 

The Australian private sector privacy regime aims to:

  • recognise that many organisations now operate across national boundaries;
  • ensure that organisations don't avoid their obligations by simply moving personal information overseas; 
  • remove potential barriers to international trade. 

Overseas activities

The Act applies to the overseas activities of Australian and foreign organisations that have a link with Australia, where those activities involve the personal information of an Australian citizen or resident. The organisation has a link with Australia if:

  • there's an organisational link - for example, the organisation is a company incorporated in Australia, or a trust created in Australia; or
  • the organisation carries on business in Australia or an external Territory and the organisation collects or holds personal information in Australia or an external Territory.

Overseas activity required by law

If an organisation's overseas activity is required by the law of a foreign country, then it doesn't interfere with the privacy of an individual.


Sending personal information out of Australia

Since 21 December 2001, organisations have had to comply with NPP 9, which relates to the transborder flow of data. It prohibits the transfer of personal information to other countries unless certain criteria are met. It's based on the restrictions on international transfers of personal information set out in the European Directive 95/46.

NPP 9 does not prevent the transfer of personal information out of Australia by an organisation to another part of that organisation, or to the individual concerned.

An organisation may transfer personal information overseas provided that one of the following conditions is satisfied:

  • the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs;
  • the individual consents to the transfer;
  • the transfer is for the benefit of the individual and it's impracticable to obtain consent, but it's likely consent would be given;
  • the transfer is required by a contract between the individual and the organisation, or a contract between the organisation and a third party in the interests of the individual; or
  • the organisation has taken reasonable steps to ensure the information won't be held, used or disclosed by its recipient inconsistently with the NPPs. 

It is important to note that NPP 9 applies to information collected before 21 December 2001, as well as information collected after that date. This means that an organisation must not transfer personal information out of Australia unless one of the criteria in NPP 9 is met, regardless of when it was collected.


Sending personal information into Australia

The European Union has imposed a minimum standard for data handling practices on its members (EU Directive on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such data 95/46). It requires data transferred outside the EU to be handled in a specific manner.

While the Australian privacy regime aims - among other things - to bring Australia into line with the EU's minimum standard, in 2001 the EU working party released its opinion that Australia's current regime does not meet the EU's minimum standard and more work needs to be done.

Working party concerns

At the top of the EU Data Protection Working Party's ("the Working Party") list of concerns are exemptions from the privacy regime for:

  • small businesses (too broad); and
  • employee information (often sensitive).

It also criticised the privacy regime because:

  • NPP 2.1(g) allows use or disclosure where required by law.
  • NPP 1 allows collection through a third party.
  • NPPs 1 and 2 allow collection for secondary purposes in some circumstances.
  • NPP 10 regulates collection but not use or disclosure of sensitive information (except for health information).
  • NPP 9 allows the transfer of information from Australia to countries without adequate privacy laws.
  • The definition of generally available publication is inappropriate.

What did the Working Party recommend?

The Working Party suggested that the regime would be regarded as adequate if these concerns were addressed. This could be done by using the voluntary codes of conduct provided for in the legislation. The Working Party took into account the enforcement of these codes by the Privacy Commissioner or an independent adjudicator.

Australia's reaction

The Attorney General, in a media release, has rejected the Working Party's findings on the basis that they "display an ignorance about Australia's law and practice". The Attorney General also argued that the Act is world-leading legislation and that, in many ways, it goes significantly further than the US Safe Harbor Agreement, which the EU judged to be adequate.

Latest developments

In 2003, the Working Party released a Working Document addressing international data transfers - the Working Document on Binding Corporate Rules for International Data Transfers. It suggests that procedures could be simplified to enable more efficient international data transfers within multinational corporate groups. The paper suggests that in addition to the ability to transfer personal data internationally from an EU Member State because of:

  1. a Safe Harbour agreement with the recipient country;
  2. an exception, such as consent of the individual about whom the transfer is being made; or
  3. an alternate safeguard, such as a binding contract with the recipient,

it would be beneficial to allow the data transfers to take place between separate parts of a corporate group where certain binding and enforceable corporate rules are in place. These corporate rules would include general data protection principles as well as procedures for audits and complaints. The Working Party has released recommended standard contractual clauses which would satisfy such a corporate rules requirement for international data transfers.

The EU has received contributions from a number of organisations on these issues which have indicated that it will be necessary to clarify and complete some issues before binding corporate rules can be effectively used by operators. In November 2004 the Working Party released a checklist that companies should consider before submitting binding corporate rules for approval by their relevant data protection authorities.



© 2008 Allens Arthur Robinson, Australia | contactus@aar.com.au
