
Appendix 2: Data export prohibitions in the Asia-Pacific

Until recently, the privacy laws of Asia-Pacific countries did not contain data export restrictions. At best, provisions in laws such as the Privacy Acts in Australia and New Zealand dealing with secondary use and disclosure of personal information could have the incidental effect of prohibiting disclosures outside the jurisdiction simply because there were no legitimate users of the information outside the jurisdiction, but never because of the inadequacy of the laws in the recipient's jurisdiction.

This has now changed, with the privacy laws of Québec, Hong Kong and Taiwan all imposing such restrictions, and Australia proposing similar restrictions as discussed above.

Québec's data export law

In Québec's Act respecting the protection of personal information in the private sector 1993, s17 provides that persons carrying on an enterprise in Québec who communicate outside Québec information relating to persons residing in Québec must take `all reasonable steps to ensure' (i) that information is not used for purposes not relevant to the object of the file, or communicated to third persons without the consent of the persons concerned (unless situations similar to exceptions in s18 apply); and (ii) in the case of lists of named persons (`nominative lists'), the persons concerned have a `valid opportunity' to refuse to allow their names to be used for commercial or philanthropic marketing, and can have their details deleted (with some exceptions in ss 22 and 23). These requirements also apply where a Québec enterprise entrusts a person outside Québec with holding, using or communicating the information on the enterprise's behalf (eg an off-shore processing bureau, or a regional headquarters).

The Québec restriction is therefore limited to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.

The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. It is therefore likely that the Québec law will increase the pressure on other Canadian provinces (or the Canadian federal government) to enact comprehensive privacy laws.

Hong Kong's data export law

Since July 1995, Hong Kong's Personal Data (Privacy) Ordinance 1995 prohibits the export of personal information from Hong Kong unless the information will receive similar protection in the importing country to that which it is given under Hong Kong law, or certain exceptions apply (s33). The approach taken in the Hong Kong law is to prohibit the data user from transferring personal data to a place outside Hong Kong (including to other parts of China) unless one of the following conditions applies:

(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.

Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).

The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[48].

The rest of the Ordinance came into force on 20 December 1996, but s33 and s30 (concerning data matching) have not been proclaimed. A spokesman for the Secretary for Home Affairs said this was because users considered that they needed more guidance from the Privacy Commissioner, and was in line with a recommendation by the Commissioner.

Will the Hong Kong law survive? The Preparatory Committee (the People's Republic of China's `shadow' government for Hong Kong) has recommended the scrapping or amendment of fifteen Hong Kong laws protecting human rights. The recommendations have been made preparatory to the PRC assuming control of Hong Kong in July. Neither the Personal Data (Privacy) Ordinance as a whole, nor the s33 restriction has (at least at this stage) been included. The Legal Subgroup of the Preparatory Committee has only recommended that s3(2) of the Ordinance (concerning inconsistency with other laws) be repealed.

Taiwan's data export law

In Taiwan's Computer-Processed Personal Data Protection Law 1995[49], international transmissions by public organisations must be `in accordance with relevant laws and ordinances' (A 9). In relation to private sector organisations, the government authority in charge of the particular sector in which a business falls may issue restrictions on particular transfers (A 24), for four reasons:

(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.

The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws. `Dirty data havens', beware!

Enforcement Rules (regulations) are required to implement the Act. Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws - in which list they suggest Australia and the USA, for reasons best known to themselves!

Closing the EU `loophole'

Otherwise comprehensive laws (such as the New Zealand law) could be seen from the EU perspective to have a `loophole' in that there is nothing specific in them to stop data which is imported from Europe being `re-exported' to some other jurisdiction where no adequate privacy protection applies. The only limitation in such laws is that any exports must comply with the `finality' principle (ie consistency with the purpose of collection), but this limit does not carry with it any of the other protective principles.

Section 33 of the Hong Kong Ordinance closes this loophole, intentionally[50]. In contrast, Québec's s17 does not apply to data which has been imported into Québec (say, from the EU) about persons residing outside Québec, so it does not `close the loophole'.

Export restrictions within the Asia-Pacific

Now that export restrictions are arising in the laws of other Asia-Pacific countries, there will be barriers to the free flow of personal information within the Asia-Pacific (ie within APII), not only between the EU and the Asia-Pacific. With the enactment of the laws discussed above, three such sets of barriers already exist, and another is proposed in Australia. If different personal data export restrictions arise in different Asia-Pacific countries, as is already occurring, there will be significant impediments to the development of electronic services and trade within the region. Such inconsistencies between European countries were one of the main factors leading to the EU privacy Directive.

Two models - `prohibition order' and `breach'

Two main approaches to data export restrictions are apparent from the European and recent Asia-Pacific laws. The first approach, exemplified by s12 of the UK Data Protection Act, and by the Taiwan Act, imposes no export restrictions on data users unless and until a data protection authority issues some type of export prohibition order, either in relation to a particular transfer, or in relation to a particular foreign country as a whole.

The second approach, exemplified by the Hong Kong and Québec laws, and the previous Australian proposals, imposes an obligation on any data user who proposes to export personal data to ensure that there is some form of adequate protection in the jurisdiction of the recipient, and makes it a breach of the law by the data user to fail to do so, for which the data subject can take proceedings to obtain compensation or other remedies.

The two approaches can be combined in effect, as they are in the Hong Kong Act and the previous Australian proposals, by provision of regulations which specify those countries which are deemed to have an adequate level of protection. Data exporters need enquire no further if they are exporting to such a listed country.

The EU Directive is silent as to which approach is implemented by each of its member states, but a state that took the first approach would have an obligation to be comprehensive in the prohibitions it issued, to be in accordance with the Directive.

The first approach is likely to be driven by data protection authorities, whereas the second is more under the control of the data subject. Reidenberg sees data export laws such as that of Québec as the key to a `re-conceptualised' `contract model' of providing adequate protection[51], in which the data subject's interests are directly protected by the data subject's rights under the law of the exporting country, whereas `the implementation of standards for foreign treatment of personal information becomes a private contractual matter between the exporter and the recipient'[52]. This is a useful analysis, but it overstates the centrality of an exporter-recipient contract, for the simple reason that in some cases industry codes of conduct, professional rules or other sources of law may be the basis on which the exporter concludes that the recipient's jurisdiction provides `adequate' protection.

[48] See M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR 164

[49] See 2 PLPR 160 for a summary

[50] Berthold, ibid

[51] J Reidenberg 'Setting standard for fair information practices in the US private sector', (1995) Iowa Law Review, 545-548

[52] Reidenberg (1995) op cit, 547
