
Appendix 3 - Australia's abandoned data export restrictions


Until the Prime Minister's abandonment of his Attorney-General's Discussion Paper, Australia seemed headed toward becoming the next country to include personal data export restrictions (called `transborder data flows' in the Discussion Paper) in its privacy laws. If nothing else, the Discussion Paper shows that the justification for such restrictions was accepted by many at the highest levels of the Australian government, including by the Attorney-General.

The inclusion of such restrictions in the Discussion Paper was a desirable and justifiable part of a comprehensive privacy law[53]. However, the breadth of proposed exceptions could have been abused and resulted in inadequate protection, unless there was adequate flexibility to control this by Codes of Conduct[54]. For completeness, and in the expectation that such proposals will at some stage re-emerge on the Australian legislative agenda at either Commonwealth or State level, an analysis of the Discussion Paper proposals follows.

Exports to countries with `adequate' laws

In the absence of an international or regional convention to which Australia is a party[55] the specification by Australian regulations of `adequate' overseas privacy laws (those `substantially similar to, or serving the same purpose as' Australian laws[56]) is a reasonable approach. However, there are two improvements needed:

(i) such regulations should only be made after the advice of the Privacy Commissioner has been obtained, as the Commissioner is the main national source of expertise on these matters, such advice to be tabled with the regulation; and

(ii) provision should be made for sectoral laws to be declared `adequate' in relation to particular types of data, not only `countries'.

Exports to countries without `adequate' laws - exceptions too broad

The provisions for exports to countries without such `adequate' laws seem to try to strike a balance between consistency with the approach taken in A26 of the European Union's privacy Directive, and Australian public interests, and this is a reasonable approach. However, in my view these `exception' provisions are stated far too broadly, and with too little protection of the individual's interests. The underlying deficiency with all of the exceptions is that these data exports are to a third party against whom there is little or no remedy for misuse of the data, in contrast with the remedies that will be available for disclosures to anyone in Australia, or even in `adequate' overseas countries. It must also be remembered that the data export prohibitions will apply equally to the public sector. I will address each proposed exception in turn.

The individual consent exception is weaker than the EU's requirement of `unambiguous consent'. It needs to specify that `the individual specifically consents to the transfer of the information to a country which does not have adequate privacy laws by Australian standards' (optionally naming the country). Blanket consents to disclose the data without giving the individual any hint of the reason for the consent will otherwise be obtained.

Necessity for performance of contracts made after the Act comes into effect in relation to the private sector should not be able to be used as an excuse for not obtaining consent to export as part of the contract-creation process. Otherwise, contracts will just be used as an excuse for not obtaining consent. There should at least be a limit on this exception to the effect that `consent to export could not reasonably be obtained'. The EU Directive is too weak on this point.

The third exception (where the transfer is necessary for performance of a contract between the individual and a third party, and in the individual's interest) seems reasonable because the individual's interest is the paramount consideration. It is consistent with the EU Directive. It might also clarify the exception to state that either the record-keeper or a third party can obtain the necessary consent.

Exceptions 4-6 constitute a replacement of the EU's exceptions for protection of `important public interest grounds' and `the vital interests of the data subject' with a more specific Australian wording, copied from exceptions (c)-(e) of IPP 11. Leaving aside the fact that the domestic scope of these exceptions is contested by many commentators, the implications of disclosure to a country without adequate privacy laws are quite different. With the extension of Australian privacy laws to the private sector and to State and Territory agencies (as almost all Australian jurisdictions are now proposing), the Australian recipient of information disclosed under these exceptions to IPP 11 will itself be bound by the IPPs in its use of the information, and subject to the remedies that follow misuse. By definition, recipients in overseas countries without such laws are not subject to IPPs and do not provide remedies for misuse.

It seems anomalous that Australian organisations are being given a blank cheque to disclose, quite probably on a systematic basis (for example, to overseas police agencies or financial organisations), without there being any requirement that they even try to obtain `adequate contractual safeguards' (as in the next exception).

The dilemma of `adequate contractual safeguards'

The final exception, that the Australian record-keeper has in place `adequate contractual safeguards' with the overseas recipient, would be largely illusory if nothing more was required, because the individual would be unable to sue the recipient for breach of contract because of the doctrine of privity of contract[57]. However, the Discussion Paper proposes the effective solution that the Australian record-keeper would be liable for any relevant breaches of the IPPs (not just the contract!) by the overseas recipient, effectively creating a statutory tort in favour of the individual. The Australian record-keeper can then seek to indemnify itself through the contract which the overseas recipient has now breached. This solution fills a gaping hole in the EU proposals, and is a highly desirable provision.

The contrast between the first six exceptions and the last is stark - no remedies vs full remedies, so far as the individual is concerned. The problem this raises is that, for any Australian record-keeper that can possibly rely on any of exceptions (1)-(6), there is a strong disincentive for them to seek any contractual safeguards from the overseas recipients, because only if they do so are they themselves liable under the IPPs for overseas misuse. The answer to this dilemma is not obvious: disclosers under exceptions (1)-(6) are not necessarily disclosing to protect their own interests, and may be doing so under compulsion, so it would be unfair to make them liable for breaches by overseas parties over whom they have no control. On the other hand, disclosers who are acting in their own interests (including under systematic reciprocal `data swapping' arrangements with overseas organisations) should be required to seek `adequate contractual safeguards' and then provide the statutory remedy.

The Commissioner's role in export exemptions - essential safeguard

The only answer to this dilemma lies in the Discussion Paper proposal that the Commissioner be able to modify the data export requirements by Codes of Practice. This proposal is extremely important and greatly reduces concerns about the possible excessive breadth of the exceptions.

The Commissioner could require, via a Code or Codes, that systematic data exports be subject to `adequate contractual safeguards', and I recommend that she should be specifically so empowered so that there is no question of her acting ultra vires in so doing. There would also need to be some policy direction in the legislation in favour of `adequate contractual safeguards' where it was possible and reasonable for them to be obtained.

If there is any opposition to this proposal on the grounds that this gives the Commissioner excessive powers, and may create uncertainties in what exports are permissible, the answers to these objections are: (i) the alternative is to have far more tightly worded exemptions (with no flexibility), to avoid the possible abuses mentioned above; (ii) the Code power here creates no more uncertainty than the availability of Codes in relation to the IPPs; and (iii) the Commissioner is only likely to use the power to deal with systematic data exports where there is evidence of abuse, and only then after consultation (as required by any Code).

[53] Reasons for supporting such restrictions are set out in my paper [Greenleaf, 1995] `International privacy standards - Implications for Australia and Asia-Pacific' IIR's Recent Developments in Information Privacy Conference (Sydney, December 1995). For earlier versions, see 2 PLPR 105, 2 PLPR 127.

[54] This part of the paper is derived from my submission to the Commonwealth Attorney-General on the Discussion Paper, and will be published in Privacy Law and Policy Reporter, Vol 3 No 10.

[55] See later in this paper for discussion of the possibility of such a Convention.

[56] Adopting the approach taken in s33(a) of the Hong Kong legislation - see below.

[57] See [Greenleaf, 1995] 4.4 for details.

