For example, s12 of the United Kingdom Data Protection Act 1984 provides that where data is to be transferred to a State which is not a party to the European Convention, the Data Protection Registrar may issue a Transfer Prohibition Notice if he is satisfied that the transfer is likely to lead to a contravention of the data protection principles in the United Kingdom Act because the other country does not have adequate data protection laws. The Registrar cannot prevent the transfer of personal data to any State which is bound by the Council of Europe Convention unless he is satisfied that it is intended to be transferred to another country where there is likely to be a contravention of the data protection principles. The Registrar issued the first Transfer Prohibition Notice in 1990 (see below).
Some countries go further, specifying that an `export licence' must be obtained for the exporting of any personal data coming within the legislation (Iceland, Portugal), or that this must occur for specified categories of personal data (Austria, Belgium, Denmark, Finland, Norway, Spain and Sweden)[61]. A few countries also require licences for the import of personal data, not merely compliance with national laws.
A survey by Vassilaki[62] of the enforcement of data export restrictions by European data protection agencies summarises over 30 cases where proposed transfers have been prohibited or only allowed subject to conditions. The authorities which have imposed the bulk of the restrictions are those of France, Germany, Austria and Sweden, but restrictions imposed by the UK and Norway are also noted. However, the cases summarised are only a sample: in Austria alone there were 40 cases where restrictions were imposed from 1987-89, and the Swedish authority considered over 100 transfer applications from 1982-1992.
* Employees - France required Fiat France to obtain contractual guarantees of privacy protection (based on observance of the French legislation and the Council of Europe Convention) from Fiat Italy before employee data could be transferred to Italy (1989). Similar restrictions were imposed on another company's transfers to Switzerland (1990). France imposed greater restrictions on a North American cosmetics multinational, only allowing it to transfer coded forms of employee names to Belgium to effect salary processing (1990). Germany has blocked transfers of `sensitive' staff data unless there is employee consent (1989). A US-based multinational was prevented from transferring all its German data processing to the USA, and had to set up a subsidiary company in Germany to process German employee data (1989).
* Medical treatment - France prohibited French doctors from transferring patient names to a European centre for cancer research and treatment, located in Belgium, so as to obtain results of medical tests, until strict software security measures were implemented and transfers were only by coded versions of names (1989).
* Product research - Data on clinical testing of pharmaceutical products could only be transferred from Sweden to Belgium and the USA on the basis of the informed consent of the individuals concerned and subject to conditions as to the security and anonymity of reports (1989).
* Direct marketing - The UK prohibited the export of personal data to a mail order company which operated from the USA. There was evidence that the company had breached UK consumer protection laws, and had been prosecuted under similar US laws (1990). Germany prohibited mailing lists being transferred to the former East Germany (1991). Sweden has refused all but one application for transfers to other countries for direct marketing purposes.
* Telecommunications - French telecommunications operators are not allowed to tell operators in another state the identity of a calling party, in case it is wrongly disclosed (1990).
* Airlines - An airline under Swedish law was not allowed to deliver personal data to US Customs without first warning passengers of the inadequacies of US data protection laws, and thereby obtaining informed consent (1991).
* Financial services - Norway refused to allow a credit bureau's files to be relocated to its head office in Sweden, as Swedish credit reporting law was not as strong as that in Norway (1990). Austria prohibited a transfer of credit information from an Austrian finance company to a German credit bureau because a vague contractual clause did not comprise the necessary `express' consent for data export (1990). SWIFT in Belgium has been required to give contractual guarantees that transfers of data from Austria will observe Austrian data protection law (1992). Plans to transfer details of German clients to a French financial company were stopped after German objections.
* Data processing bureaus - A German data processing bureau was prevented from carrying out its processing in the UK, due to inadequacies in UK law (under negotiation 1993).
* Religion - France required contractual guarantees of adherence to French law before Mormon genealogical records could be transferred to Utah.
* Gambling `blacklists' - Germany prohibited transfers of data on persons excluded from gambling by German casino corporations to an Austrian casino corporation because Austrian law did not apply to manual data. The corporations subsequently signed a data protection contract (1991).
* Social Security - Germany would not allow Italian Social Security authorities online access to German registers of migrant workers, even though German Social Security authorities had such access to Italian files.
* Immigration - Sweden refused to allow transfer to Italian authorities of a list of Italian permanent residents of Sweden, for purposes of issuing passports (1990).
* Archives - France refused to allow files concerning Spanish civil war refugees to be provided to Spanish archives authorities (1986). It was necessary to extract anonymous data in France and only transfer that to Spain.
The EU data protection Directive will make such enforcement mandatory, and can be expected to increase the number of enforced restrictions against Asia-Pacific countries.
* New Zealand[64] - Privacy Act 1993;
* Québec - Act respecting the protection of personal information in the private sector, 1993 and Act respecting access to documents held by public bodies and the protection of personal information, 1993;
* Hong Kong[65] - Personal Data (Privacy) Ordinance, 1995; and
* Taiwan[66] - Computer-Processed Personal Data Protection Law, 1995.
Each of these laws provides a set of rights which (at the very least) are equivalent to the Principles in the OECD Guidelines, and are enforceable against the public and private sectors.
The Australian Cabinet decided on 1 December 1995 to extend the Privacy Act 1988 (Cth) to the private sector, and to take an approach to codes of conduct influenced by the New Zealand Act[67]. With a Federal election pending in Australia, the future of such legislation is unlikely to be known until after the election[68].
The only other possible source of comprehensive `adequate' data protection would be the general law of each country. In the case of Australia, New Zealand, Canada and the USA, this is a differing mix of common law (including in some cases a limited privacy tort), equity (including the law of breach of confidence), administrative law, criminal law, constitutional rights, and legislative bills of rights. While these rights can be substantial[69], it is difficult to see the cumulative effect of such rights in any of these jurisdictions even approaching the specific set of rights set out in the EU Directive.
In relation to the United States, a draft report under preparation by two US academics for the EU Commission is reported[70] to argue that US laws as a whole do not provide 'adequate protection', not even on a sectoral basis (in most cases), so that any transfers of personal data to the USA will have to be considered in relation to the specific organisations involved (ie as authorisations under A26(2)). One of the authors of the report, in a study of the inadequacy of `targeted' (sub-sectoral) US laws in the private sector, indicates his pessimistic conclusions[71]:
Because key standards of transparency, finality and enforcement are often ignored by targeted standards in the United States, the scrutiny on a micro-level of international data processing increases the prospect that European regulators will restrict more data flows if the US private sector does not augment existing standards.
While the argument sketched above requires more analysis than is possible here, it suggests that all but four jurisdictions in the Asia-Pacific are vulnerable to restrictions on transfers of personal data from countries in the European Union, at least insofar as the majority of their private sector organisations are concerned.
As we will now see, there is also likely to be an increase in restrictions of transfers of personal data within the Asia-Pacific.
This has now changed, with the privacy laws of Québec, Hong Kong and Taiwan all imposing such restrictions.
The Québec restriction is therefore confined to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.
The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. It is therefore likely that the Québec law will increase the pressure on other Canadian provinces (or the Canadian federal government) to enact comprehensive privacy laws.
(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.
Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).
The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[72].
(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.
The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws. `Dirty data havens', beware!
Enforcement Rules (regulations) under the Act are yet to be promulgated. Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws - in which list they suggest Australia and the USA, for reasons best known to themselves!
The second approach, exemplified by the Hong Kong and Québec laws, imposes an obligation on any data user who proposes to export personal data to ensure that there is some form of adequate protection in the jurisdiction of the recipient, and makes it a breach of the law by the data user to fail to do so, for which the data subject can take proceedings to obtain compensation or other remedies. The two approaches can be combined, as they are in the Hong Kong Act.
The first approach is likely to be driven by data protection authorities, whereas the second is more under the control of the data subject. Reidenberg sees data export laws such as that of Québec as the key to a `reconceptualised' `contract model' of providing adequate protection[74], in which the data subject's interests are directly protected by the data subject's rights under the law of the exporting country, whereas `the implementation of standards for foreign treatment of personal information becomes a private contractual matter between the exporter and the recipient'[75]. This is a useful analysis, but it overstates the centrality of an exporter-recipient contract, for the simple reason that in some cases industry codes of conduct, professional rules or other sources of law may be the basis on which the exporter concludes that the recipient's jurisdiction provides `adequate' protection.
The OECD's 4 Principles concerning trans-border data flows
15. Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.
16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.
18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.
The main thrust of these OECD Principles is that member countries should avoid restrictions on the free flow of personal data between themselves, with three exceptions in Guideline 17.
The first exception in Guideline 17 is where the other member country (such as Australia) `does not yet substantially observe these Guidelines' (including the Principles of domestic application). The OECD Guidelines apply to both the public and private sectors.
The position in relation to Australia's compliance with the OECD Guidelines is much the same as with the discussion above concerning the `adequacy' of Australian laws and the EU Directive. The Privacy Act 1988 (Cth) substantially implements the Guidelines in respect of the Commonwealth public sector. State and Territory Freedom of Information Acts implement the subject access and correction Guidelines in relation to their public sectors. However, Australia's current lack of privacy laws in the private sector makes it difficult to argue that it complies with the Guidelines in any private sector area except that of credit reporting. The proposed extension of the Privacy Act will change this.
Therefore, the Guidelines do not at present provide protection against the imposition of data export restrictions by other OECD countries against Australia.
Once Australia does implement private sector privacy legislation to the level required by the OECD Guidelines, it could argue that any data export restrictions imposed by EU countries (virtually all of which are OECD members) must not exceed the requirements of Guidelines 17 and 18. The OECD Guidelines could then help to protect Australia against implementation of any European data export restrictions, whether flowing from the EU Directive or otherwise, if such restrictions required a level of `adequacy' of Australian laws exceeding that required by OECD Guidelines 7-14 (`Basic Principles of National Application'). In other words, Australia could argue that OECD Guidelines 7-14 define the maximum content of `adequacy' that European OECD members may impose without breaching OECD Guideline 18. It is also important to note that the OECD Guidelines provide the only guarantee of free flow of personal data: the EU Directive imposes no obligation on EU countries to allow exports to non-EU countries which have `adequate' laws; it only protects them from restrictions by other EU countries if they do so, and prohibits them from allowing exports to countries without `adequate' laws.
The second exception to OECD Guideline 17 is `where the re-export of such data would circumvent its domestic privacy legislation'. This exception appears to envisage restrictions on exports to countries which do not prevent further re-export to third countries which do not have laws which comply with the OECD Guidelines. Neither the Privacy Act nor other Australian legislation imposes any special restrictions on the export of personal data from Australia (or its import into Australia). The implications of this exception are that (i) any EU country could require Australia to have data export limitations in Australian law before permitting exports to Australia, without breaching the OECD Guidelines; and (ii) Australia would not breach the OECD Guidelines by refusing data exports to other countries which did not have a reciprocal provision.
The third exception in Guideline 17 allows additional restrictions to be imposed in relation to `sensitive' data.
The requirement in Guideline 16 that trans-border data flows, `including transit through a Member country, are uninterrupted and secure', may be addressed in part by such legislation as the Telecommunications (Interception) Act 1979.
[60] C Millard `European Data Protection Laws' (Table) in Privacy Laws & Business No 30, June 1993, p29. For a detailed explanation of the laws as at 1989, see Nugter (1990).
[61] Millard ibid
[62] I Vassilaki 'An empirical survey of cases concerning the transborder flow of personal data' (1993) 9 Computer Law and Security Report 33; a Canadian study is Laperrière, R et al, Crossing the Borders of Privacy: Transborder Flows of Personal Data from Canada, Department of Justice, Canada, 1991
[63] Examples are summarised from Vassilaki, ibid, where original citations are given. Dates refer to the cited date of the report.
[64] See T McBride `NZ's Privacy Act 1993' (1994) 1 PLPR 4 for a summary; see also E Longworth and T McBride, The Privacy Act - A Guide, GP Publications, Wellington, 1994
[65] For a detailed account of the new Act, see M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR, Issue 9 (forthcoming, December 1995); for the Bill on which it was based, see Berthold, M 'Hong Kong's data privacy proposals' (1994) 1 PLPR (Pt I) 165 and (Pt II) 188
[66] See the Annexure to this paper for details of the Taiwan law.
[67] As reported in the Sydney Morning Herald, 2 December 1995
[68] The Opposition parties have not yet announced a policy on such an extension of the Privacy Act.
[69] For a recent survey of relevant Australian laws, see K O'Connor `Privacy', Section 21, Chapter 4, Laws of Australia, Law Book Co, 1995 - Part D `Other laws relating to privacy'.
[70] Privacy Journal, October 1994; the report is Paul M Schwartz and Joel R Reidenberg A study of American data protection law and practice: Report to the Commission of the European Communities (forthcoming)
[71] J Reidenberg `Setting standards for fair information practice in the US private sector' (1995) Iowa Law Review, vol 80 No 3, 497 at 545
[72] see M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR, Issue 9 (forthcoming, December 1995)
[73] Berthold, ibid
[74] Reidenberg (1995) op cit, 545-548
[75] Reidenberg (1995) op cit, 547