
5. Implications of data export restrictions for the Asia-Pacific


5.1. Existing national data export restrictions in Europe - examples

Since the Swedish Data Act (1973), national data protection legislation has now been enacted in twenty European countries. All European data protection Acts contain provisions by which their national data protection agency has authority to restrict `exports' of personal data[60].

For example, s12 of the United Kingdom Data Protection Act 1984 provides that where data is to be transferred to a State which is not a party to the European Convention, the Data Protection Registrar may issue a Transfer Prohibition Notice if he is satisfied that the transfer is likely to lead to a contravention of the data protection principles in the United Kingdom Act because the other country does not have adequate data protection laws. The Registrar cannot prevent the transfer of personal data to any State which is bound by the Council of Europe Convention unless he is satisfied that it is intended to be transferred to another country where there is likely to be a contravention of the data protection principles. The Registrar issued the first Transfer Prohibition Notice in 1990 (see below).

Some countries go further, specifying that an `export licence' must be obtained for the exporting of any personal data coming within the legislation (Iceland, Portugal), or that this must occur for specified categories of personal data (Austria, Belgium, Denmark, Finland, Norway, Spain and Sweden)[61]. A few countries also require licences for the import of personal data, not merely compliance with national laws.

A survey by Vassilaki[62] of the enforcement of data export restrictions by European data protection agencies summarises over 30 cases where proposed transfers have been prohibited or only allowed if conditions were observed. The authorities who have imposed the bulk of the restrictions are those of France, Germany, Austria, and Sweden, but restrictions imposed by the UK and Norway are also noted. However, the cases summarised are only a sample, as in Austria alone there were 40 cases where restrictions were imposed from 1987-89, and the Swedish authority considered over 100 transfer applications from 1982-1992.

Examples of enforcement

A few examples follow, illustrative of the range of contexts in which restrictions have been imposed[63]. References to countries imposing prohibitions are to their national data protection authorities. Unless noted otherwise, the reason for the prohibition was that the recipient country did not have a data protection law covering the sector in question.


* Employees - France required Fiat France to obtain contractual guarantees of privacy protection (based on observance of the French legislation and the Council of Europe Convention) from Fiat Italy before employee data could be transferred to Italy (1989). Similar restrictions were imposed on another company's transfers to Switzerland (1990). France imposed greater restrictions on a North American cosmetics multinational, only allowing it to transfer coded forms of employee names to Belgium to effect salary processing (1990). Germany has blocked transfers of `sensitive' staff data unless there is employee consent (1989). A US-based multinational was prevented from transferring all its German data processing to the USA, and had to set up a subsidiary company in Germany to process German employee data (1989).


* Medical treatment - France prohibited French doctors from transferring patient names to a European centre for cancer research and treatment, located in Belgium, so as to obtain results of medical tests, until strict software security measures were implemented and transfers were only by coded versions of names (1989).


* Product research - Data on clinical testing of pharmaceutical products could only be transferred from Sweden to Belgium and the USA on the basis of the informed consent of the individuals concerned, and subject to conditions on the security and anonymity of reports (1989).


* Direct marketing - The UK prohibited the export of personal data to a mail order company which operated from the USA. There was evidence that the company had breached UK consumer protection laws, and had been prosecuted under similar US laws (1990). Germany prohibited mailing lists being transferred to the former East Germany (1991). Sweden has refused all but one application for transfers to other countries for direct marketing purposes.


* Telecommunications - French telecommunications operators are not allowed to tell operators in another state the identity of a calling party, in case it is wrongly disclosed (1990).


* Airlines - An airline under Swedish law was not allowed to deliver personal data to US Customs without first warning passengers of the inadequacies of US data protection laws, and therefore obtaining informed consent (1991).


* Financial services - Norway refused to allow a credit bureau's files to be relocated to its head office in Sweden, as Swedish credit reporting law was not as strong as that in Norway (1990). Austria prohibited a transfer of credit information from an Austrian finance company to a German credit bureau because a vague contractual clause did not comprise the necessary `express' consent for data export (1990). SWIFT in Belgium has been required to give contractual guarantees that transfers of data from Austria will observe Austrian data protection law (1992). Plans to transfer details of German clients to a French financial company were stopped after German objections.


* Data processing bureaus - A German data processing bureau was prevented from carrying out its processing in the UK, due to inadequacies in UK law (under negotiation 1993).


* Religion - France required contractual guarantees of adherence to French law before Mormon genealogical records could be transferred to Utah.


* Gambling `blacklists' - Germany prohibited transfers of data on persons excluded from gambling by German casino corporations to an Austrian casino corporation because Austrian law did not apply to manual data. The corporations subsequently signed a data protection contract (1991).


* Social Security - Germany would not allow Italian Social Security authorities online access to German registers of migrant workers, even though German Social Security authorities had such access to Italian files.


* Immigration - Sweden refused to allow transfer to Italian authorities of a list of Italian permanent residents of Sweden, for purposes of issuing passports (1990).


* Archives - France refused to allow files concerning Spanish civil war refugees to be provided to Spanish archives authorities (1986). It was necessary to extract anonymous data in France and only transfer that to Spain.

The implications of European enforcement

Whatever view is taken of the reasonableness of these restrictions, there is no doubt that European countries are already taking a serious approach to the enforcement of data export restrictions in national laws, even though (in most countries) the imposition of such restrictions is not mandatory but at the discretion of the national authority.

The EU data protection Directive will make such enforcement mandatory, and can be expected to increase the number of enforced restrictions against Asia-Pacific countries.

5.2. Which Asia-Pacific laws provide 'adequate protection' for the EU Directive?

Comprehensive `adequacy'

There are only four jurisdictions in the Asia-Pacific region which could mount a convincing argument that they have existing privacy laws covering the whole of their private and public sectors which provide 'adequate' privacy protection in terms of the EU Directive, so that no EU country could justifiably prohibit transfers of personal data to them. These are:


* New Zealand[64] - Privacy Act 1993;


* Québec - Act respecting the protection of personal information in the private sector, 1993 and Act respecting access to documents held by public bodies and the protection of personal information, 1993;


* Hong Kong[65] - Personal Data (Privacy) Ordinance, 1995; and


* Taiwan[66] - Computer-Processed Personal Data Protection Law, 1995.

Each of these laws provides a set of rights which (at the very least) are equivalent to the Principles in the OECD Guidelines, and are enforceable against the public and private sectors.

The Australian Cabinet decided on 1 December 1995 to extend the Privacy Act 1988 (Cth) to the private sector, and to take an approach to codes of conduct influenced by the New Zealand Act[67]. With a Federal election pending in Australia, the future of such legislation is unlikely to be known until after the election[68].

The only other possible source of comprehensive `adequate' data protection would be the general law of each country. In the case of Australia, New Zealand, Canada and the USA, this is a differing mix of common law (including in some cases a limited privacy tort), equity (including the law of breach of confidence), administrative law, criminal law, constitutional rights, and legislative bills of rights. While these rights can be substantial[69], it is difficult to see the cumulative effect of such rights in any of these jurisdictions even approaching the specific set of rights set out in the EU Directive.

Sectoral `adequacy'

Otherwise, such privacy legislation as does exist in the Asia-Pacific could only constitute 'adequate protection' for specific sectors, if at all. For example, Australia's Privacy Act 1988 would provide adequate protection in relation to any information held by Federal Government agencies, and in relation to credit reporting (Part IIIA), but there is no other legislation which would provide adequate protection in relation to information held by State government agencies, or the rest of the private sector. Similarly, in Canada, some Acts such as British Columbia's Freedom of Information and Protection of Privacy Act would constitute adequate protection in relation to that Province's public sector records, but there is no legislation providing adequate protection for the whole of the private sector. It is likely that Japan's Personal Data Protection Act 1988 would provide adequate protection for its public sector, and the 1994 Korean law may also do so. Other legislation covers only specific parts of the private sector, such as Singapore's Banking Act s47 and Malaysia's Banking and Financial Institutions Act 1989, Pt XIII, which cover the banking sector.

In relation to the United States, a draft report under preparation by two US academics for the EU Commission is reported[70] to argue that US laws as a whole do not provide 'adequate protection', not even on a sectoral basis (in most cases), so that any transfers of personal data to the USA will have to be considered in relation to the specific organisations involved (ie as authorisations under A26(2)). One of the authors of the report, in a study of the inadequacy of `targeted' (sub-sectoral) US laws in the private sector, indicates his pessimistic conclusions[71]:

Because key standards of transparency, finality and enforcement are often ignored by targeted standards in the United States, the scrutiny on a micro-level of international data processing increases the prospect that European regulators will restrict more data flows if the US private sector does not augment existing standards.

The overall picture in the Asia-Pacific

The effectiveness of codes of conduct in providing adequate protection is still contentious; they are unlikely to be a panacea.

While the argument sketched above requires more analysis than is possible here, it suggests that all but four jurisdictions in the Asia-Pacific are vulnerable to restrictions on transfers of personal data from countries in the European Union, at least insofar as the majority of their private sector organisations are concerned.

As we will now see, there is also likely to be an increase in restrictions of transfers of personal data within the Asia-Pacific.

5.3. Data export prohibitions in the Asia-Pacific

Until recently, the privacy laws of Asia-Pacific countries did not contain data export restrictions. At best, provisions in laws such as the Privacy Acts in Australia and New Zealand dealing with secondary use and disclosure of personal information could have the incidental effect of prohibiting disclosures outside the jurisdiction, simply because there were no legitimate users of the information outside the jurisdiction, but never because of the inadequacy of the laws in the recipient's jurisdiction.

This has now changed, with the privacy laws of Québec, Hong Kong and Taiwan all imposing such restrictions.

Québec's data export law

In Québec's Act respecting the protection of personal information in the private sector, 1993, s17 provides that persons carrying on an enterprise in Québec who communicate outside Québec information relating to persons residing in Québec must take `all reasonable steps to ensure' (i) that the information is not used for purposes not relevant to the object of the file, or communicated to third persons without the consent of the persons concerned (unless situations similar to the exceptions in s18 apply); and (ii) in the case of lists of named persons (`nominative lists'), that the persons concerned have a `valid opportunity' to refuse to allow their names to be used for commercial or philanthropic marketing, and can have their details deleted (with some exceptions in ss 22 and 23). These requirements also apply where a Québec enterprise entrusts a person outside Québec with holding, using or communicating the information on the enterprise's behalf (eg an off-shore processing bureau, or a regional headquarters).

The Québec limitation is therefore limited to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.

The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. It is therefore likely that the Québec law will increase the pressure on other Canadian provinces (or the Canadian federal government) to enact comprehensive privacy laws.

Hong Kong's data export law

Since July 1995, Hong Kong's Personal Data (Privacy) Ordinance 1995 prohibits the export of personal information from Hong Kong unless the information will receive similar protection in the importing country to that which it is given under Hong Kong law, or certain exceptions apply (s33). The approach taken in the Hong Kong law is to prohibit the data user from transferring personal data to a place outside Hong Kong (including to other parts of China) unless one of the following conditions apply:

(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.

Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).

The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[72].

Taiwan's data export law

International transmissions by public organisations must be `in accordance with relevant laws and ordinances' (A 9). In relation to private sector organisations, the government authority in charge of the particular sector in which a business falls may issue restrictions on particular transfers (A 24), for four reasons:

(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.

The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws. `Dirty data havens', beware!

Enforcement Rules (regulations) under the Act are yet to be promulgated. Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws - in which list they suggest Australia and the USA, for reasons best known to themselves!

Closing the EU `loophole'

Otherwise comprehensive laws (such as the New Zealand law) could be seen from the EU perspective to have a `loophole' in that there is nothing specific in them to stop data which is imported from Europe being `re-exported' to some other jurisdiction where no adequate privacy protection applies. Section 33 of the Hong Kong Ordinance closes this loophole, intentionally[73]. In contrast, Québec's s17 does not apply to data which has been imported into Québec (say, from the EU) about persons residing outside Québec, so it does not `close the loophole'.

Export restrictions within the Asia-Pacific

Now that export restrictions are arising in the laws of other Asia-Pacific countries, there will be barriers to the free flow of personal information within the Asia-Pacific (ie within APII), not only between the EU and the Asia-Pacific. With the enactment of the Hong Kong law, one such set of barriers already exists. If different personal data export restrictions arise in different Asia-Pacific countries, as is already occurring, there will be significant impediments to the development of electronic services and trade within the region. Such inconsistencies between European countries were one of the main factors leading to the EU privacy Directive.

Two models for data export restrictions - `prohibition order' and `breach'

Two main approaches to data export restrictions are apparent from the European and recent Asia-Pacific laws. The first approach, exemplified by s12 of the UK Data Protection Act, and by the Taiwan Act, and also embodied in the EU Directive, imposes no export restrictions on data users unless and until a data protection authority issues some type of export prohibition order, either in relation to a particular transfer, or in relation to a particular foreign country as a whole.

The second approach, exemplified by the Hong Kong and Québec laws, imposes an obligation on any data user who proposes to export personal data to ensure that there is some form of adequate protection in the jurisdiction of the recipient, and makes it a breach of the law by the data user to fail to do so, for which the data subject can take proceedings to obtain compensation or other remedies. The two approaches can be combined, as they are in the Hong Kong Act.

The first approach is likely to be driven by data protection authorities, whereas the second is more under the control of the data subject. Reidenberg sees data export laws such as that of Québec as the key to a `reconceptualised' `contract model' of providing adequate protection[74], in which the data subject's interests are directly protected by the data subject's rights under the law of the exporting country, whereas `the implementation of standards for foreign treatment of personal information becomes a private contractual matter between the exporter and the recipient'[75]. This is a useful analysis, but it overstates the centrality of an exporter-recipient contract, for the simple reason that in some cases industry codes of conduct, professional rules or other sources of law may be the basis on which the exporter concludes that the recipient's jurisdiction provides `adequate' protection.

5.4. Do the OECD Guidelines protect against export prohibitions?

The OECD's Guidelines contain four principles concerning freedom of, and legitimate restrictions on, `transborder flows of personal data' (Principles 15-18). In 1985 the Ministers of the OECD Member countries adopted a Declaration on Transborder Data Flows agreeing to undertake further joint work on EXPORT issues.

The OECD's 4 Principles concerning trans-border data flows

15. Member countries shall take into consideration the implications for other Member countries of domestic processing and re-export of personal data.

16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.

17. A member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection.

18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.

The main thrust of these OECD Principles is that member countries should avoid restrictions on the free flow of personal data between themselves, with three exceptions in Guideline 17.

The first exception in Guideline 17 is where the other member country (such as Australia) `does not yet substantially observe these Guidelines' (including the Principles of domestic application). The OECD Guidelines apply to both the public and private sectors.

The position in relation to Australia's compliance with the OECD Guidelines is much the same as with the discussion above concerning the `adequacy' of Australian laws and the EU Directive. The Privacy Act 1988 (Cth) substantially implements the Guidelines in respect of the Commonwealth public sector. State and Territory Freedom of Information Acts implement the subject access and correction Guidelines in relation to their public sectors. However, Australia's current lack of privacy laws in the private sector makes it difficult to argue that it complies with the Guidelines in any private sector area except that of credit reporting. The proposed extension of the Privacy Act will change this.

Therefore, the Guidelines do not at present provide protection against the imposition of data export restrictions by other OECD countries against Australia.

Once Australia does implement private sector privacy legislation to the level required by the OECD Guidelines, it could argue that any data export restrictions imposed by EU countries (virtually all of which are OECD members) must not exceed the requirements of Guidelines 17 and 18. The OECD Guidelines could then help to protect Australia against implementation of any European data export restrictions, whether flowing from the EU Directive or otherwise, if such restrictions required a level of `adequacy' of Australian laws exceeding that required by OECD Guidelines 7-14 (`Basic Principles of National Application'). In other words, Australia could argue that OECD Guidelines 7-14 define the maximum content of `adequacy' that European OECD members may impose without breaching OECD Guideline 18. It is also important to note that the OECD Guidelines provide the only guarantee of free flow of personal data, as the EU Directive imposes no obligation on EU countries to allow exports to non-EU countries which have `adequate' laws, it only protects them from restrictions by other EU countries if they do so, and prohibits them from allowing exports to countries without `adequate' laws.

The second exception to OECD Guideline 17 is `where the re-export of such data would circumvent its domestic privacy legislation'. This exception appears to envisage restrictions on exports to countries which do not prevent further re-export to third countries which do not have laws which comply with the OECD Guidelines. Neither the Privacy Act nor other Australian legislation imposes any special restrictions on the export of personal data from Australia (or its import into Australia). The implications of this exception are that (i) any EU country could require Australia to have data export limitations in Australian law before permitting exports to Australia, without breaching the OECD Guidelines; and (ii) Australia would not breach the OECD Guidelines by refusing data exports to other countries which did not have a reciprocal provision.

The third exception in Guideline 17 allows additional restrictions to be imposed in relation to `sensitive' data.

The requirement in Guideline 16 that trans-border data flows, `including transit through a Member country, are uninterrupted and secure', may be addressed in part by such legislation as the Telecommunications (Interception) Act 1979.

[60] C Millard `European Data Protection Laws' (Table) in Privacy Laws & Business No 30, June 1993, p29. For a detailed explanation of the laws as at 1989, see Nugter (1990).

[61] Millard, ibid.

[62] I Vassilaki `An empirical survey of cases concerning the transborder flow of personal data' (1993) 9 Computer Law and Security Report 33; a Canadian study is Laperierre, R et al Crossing the Borders of Privacy: Transborder flows of Personal Data from Canada, Department of Justice, Canada, 1991.

[63] Examples are summarised from Vassilaki, ibid, where original citations are given. Dates refer to the cited date of the report.

[64] See T McBride `NZ's Privacy Act 1993' (1994) 1 PLPR 4 for a summary; see E Longworth and T McBride The Privacy Act - A Guide, GP Publications, Wellington 1994

[65] For a detailed account of the new Act, see M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR, Issue 9 (forthcoming, December 1995); for the Bill on which it was based, see Berthold, M 'Hong Kong's data privacy proposals' (1994) 1 PLPR (Pt I) 165 and (Pt II) 188

[66] See the Annexure to this paper for details of the Taiwan law.

[67] As reported in the Sydney Morning Herald, 2 December 1995

[68] The Opposition parties have not yet announced a policy on such an extension of the Privacy Act.

[69] For a recent survey of relevant Australian laws, see K O'Connor `Privacy', Section 21, Chapter 4, Laws of Australia, Law Book Co, 1995 - Part D `Other laws relating to privacy'.

[70] Privacy Journal, October 1994; the report is Paul M Schwartz and Joel R Reidenberg A study of American data protection law and practice: Report to the Commission of the European Communities (forthcoming)

[71] J Reidenberg `Setting standards for fair information practice in the US private sector' (1995) Iowa Law Review, vol 80 No 3, 497 at 545

[72] see M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR, Issue 9 (forthcoming, December 1995)

[73] Berthold, ibid.

[74] Reidenberg (1995) op cit, 545-548

[75] Reidenberg (1995) op cit, 547
