The Québec limitation is therefore limited to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.
The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. The Québec law will increase the pressure on other Canadian provinces or the Canadian federal government to enact comprehensive privacy laws.
(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.
Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).
The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[108].
The Ordinance came into force generally on 20 December 1996, but s33 has not been proclaimed as yet. This was in line with a recommendation by the Commissioner, who wanted time to issue guidelines on how to comply with s33. He has now issued such guidance, as discussed below, but s33 is still not yet in force. Perhaps it will come into force after October 1998.
George Chen explains the limits of coverage of the Taiwan law[111] [http://stlc.iii.org.tw/stlc/itable1.htm]:
"The wording of this provision only covers public institutions (legally constituted central or local government bodies that exercise civil authority) and nonpublic institutions (there are eight listed under this category: credit information organizations, hospitals, schools, telecommunications business, bank/financial businesses, securities business, insurance businesses, mass communications, and other businesses whose main operation involves the collection and computer processing of personal data). However, the provision fails to cover other categories of users including individuals or legal entities whose business activities involve the collection, processing, and use of information available on the Internet. Therefore, if any of these individuals or legal entities misuse personal data via the Internet it may not be possible to regulate them under Taiwan's law. Although the law does provide that certain entities can be designated by the Ministry of Justice (MOJ), and the central government authorities governing that business, as falling under Taiwan's legal jurisdiction even though they are not specifically covered under the public or nonpublic organizations defined above, the MOJ has not yet taken steps to designate such entities. The difficulty of this task may lead to significant delays in implementing a comprehensive protection for personal data."
The Taiwanese law is therefore an instance of where there may be sectoral `adequate protection' under A25(1) of the EU Directive.
However, the Enforcement Rules seem to water down the `written consent' requirement by allowing organisations to simply provide consumers/clients with written notice of the intended purpose of use, and a right to object within a specified period, after which `written consent' is presumed (A 30). The `quasi-contractual relationship' is also defined so as to include pre-contractual negotiations and post-contractual dealings (A 32).
In relation to uses beyond the specific purpose of collection, Article 23 goes on to provide that such uses can only be made under one of four circumstances, of which the two relevant to the proposed processing are the written consent of the individual concerned, and `where it is necessary for preventing grave damages to rights and interests of others'. These are quite strict conditions.
Non-public institutions must be registered with the government authority relevant to their sector and issued with a licence, or `collection, computerized processing, international transmission and use of personal data' is illegal (A19). Furthermore, a credit investigation business or (in effect) a data processing business must obtain permission (presumably for their specific processing activities) from the relevant government authority (A 19). Considerable disclosure of information about the processing, including details of `direct recipients of international transmission' is necessary for registration (A 20).
(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.
The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws.
The Enforcement Rules provide in Article 13 that the `international transmissions' referred to in Articles 9 and 24 of the Law only mean transmissions via communications networks (irrespective of medium), but not data transmitted by mail, electromagnetic records etc. The rather illogical result is that whether the data export prohibition provisions apply depends on the means of transmission.
There are no provisions in the Enforcement Rules which expand on the meaning of Article 24.
Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws, but this has not been implemented in the Enforcement Rules.
"9 An organisation should only transfer personal information outside Australia if:
(a) the organisation reasonably believes that the recipient of the information is subject to a statute, binding scheme or contract which effectively upholds principles for fair information handling that are substantially similar to these principles; or
(b) the individual concerned consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the individual concerned and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual concerned between the organisation and a third party; or
(e) the transfer is for the benefit of the individual concerned, and
(i) it is not practicable to obtain the consent of the subject of the information to that transfer; and
(ii) if it were practicable to obtain such consent, the subject of the information would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be collected, held, used or disclosed by the recipient of the information inconsistently with these principles."
This principle has now become significant beyond being a self-regulatory exhortation, because the Commissioner's `National Principles' are to be the basis of the new Victorian Data Protection Bill. Exactly how Principle 9 will translate into the co-regulatory environment envisaged for Victoria is as yet uncertain, but it seems that one Australian jurisdiction will have some form of data export prohibition.
Unlike Québec and Hong Kong, it is notable that the proposed Australian restriction is limited to transfers `outside Australia'. The Victorian legislation is likely to follow this, because restrictions on data exports to another Australian State might contravene the provision in s92 of Australia's federal Constitution requiring freedom of inter-state trade.
[107] The Ordinance is described by Mark Berthold in 2 PLPR 164, and analysed at length in Berthold and Wacks Data Privacy Law in Hong Kong - Professional Guide, FT Law & Tax Asia Pacific, 1997.
[108] See M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR 164
[109] See G Greenleaf `Hong Kong's Model Contract clears the way for data export prohibitions' (1997) 4 PLPR 14
[110] For a comparison of the Taiwanese, Hong Kong and Japanese public sector laws, see Stephen Lau `Observance of the OECD Guidelines and the EU Directive in Asia' (1997) 4 PLPR 144
[111] George Chen `The Internet and its Legal Ramifications in Taiwan' Seattle University Law Review Vol 29 No 3, 1997 - at