[Previous] [Next] [Title]

5. Data export restrictions in Asia Pacific laws


European national laws are not alone in containing data export restrictions. In the Asia Pacific, the privacy laws of Québec, Hong Kong and Taiwan already contain such restrictions, and in the next few years they are likely to be joined by the laws of Australia, possibly New Zealand and Canada, and other countries. The Asia Pacific situation is similar now to that of Europe in the early 1980s, when the presence of such restrictions in what was then a handful of European laws helped lead to the European privacy Convention to ensure the free flow of personal information in Europe by providing a guaranteed base level of privacy protection. This part surveys the current and proposed restrictions in the Asia Pacific.

5.1. Québec's data export prohibitions

Québec's Act respecting the protection of personal information in the private sector; 1993 is the only comprehensive private sector privacy law in North America. The Act contains data export prohibitions, but they are only likely to affect information relating to persons residing in Québec. Section 17 provides that persons carrying on an enterprise in Québec who communicate outside Québec information relating to persons residing in Québec must take `all reasonable steps to ensure' (i) that information is not used for purposes not relevant to the object of the file, or communicated to third persons without the consent of the persons concerned (unless situations similar to exceptions in s18 apply); and (ii) in the case of lists of named persons (`nominative lists'), the persons concerned have a `valid opportunity' to refuse to allow their names to be used for commercial or philanthropic marketing, and can have their details deleted (with some exceptions in ss 22 and 23). These requirements also apply where a Québec enterprise entrusts a person outside Québec with holding, using or communicating the information on the enterprise's behalf (eg an off-shore processing bureau, or a regional headquarters).

The Québec limitation is therefore limited to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.

The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. The Québec law will increase the pressure on other Canadian provinces or the Canadian federal government to enact comprehensive privacy laws.

5.2. Hong Kong's data export prohibitions

Assuming that the proposed overseas processing of the data is a permitted use of the data, Hong Kong's Personal Data (Privacy) Ordinance 1995 107 prohibits the export of personal information from Hong Kong unless the information will receive similar protection in the importing country to that which it is given under Hong Kong law, or certain exceptions apply (s33). The approach taken in the Hong Kong law is to prohibit the data user from transferring personal data to a place outside Hong Kong (including to other parts of China) unless one of the following conditions apply:

(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.

Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).

The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[108].

The Ordinance came into force generally on 20 December 1996, but s33 has not been proclaimed as yet. This was in line with a recommendation by the Commissioner, who wanted time to issue guidelines on how to comply with s33. He has now issued such guidance, as discussed below, but s33 is still not yet in force. Perhaps it will come in force after October 1998.

Model Contract for personal data exports

The Hong Kong Privacy Commissioner issued in April 1997 a `Model Contract' between exporters of personal data bound by Hong Kong law and importers of that data, designed to satisfy the `due diligence' alternative in s33(f)[109]. The Model Contract will satisfy the requirements of s33 (when it is in force), but whether it will satisfy the EU Directive is a more difficult question (discussed earlier in relation to supplier / recipient contracts and the problem of lack of contractual rights for the person whose privacy is affected). There is no exact equivalent in the EU Directive to s33(f).

5.3. Taiwan's data export prohibitions

Taiwan's Computer-Processed Personal Data Protection Law 1995[110] is not a comprehensive law but it covers both the public sector and some parts of the private sector (`non-public institutions'). The Law is implemented by the Enforcement Rules of 1 May 1996.

George Chen explains the limits of coverage of the Taiwan law[111]http://stlc.iii.org.tw/stlc/itable1.htm]:

"The wording of this provision only covers public institutions (legally constituted central or local government bodies that exercise civil authority) and nonpublic institutions (there are eight listed under this category: credit information organizations, hospitals, schools, telecommunications business, bank/financial businesses, securities business, insurance businesses, mass communications, and other businesses whose main operation involves the collection fails and computer processing of personal data). However, the provision fails to cover other categories of users including individuals or legal entities whose business activities involve the collection. Processing , and use of information available on the Internet. Therefore, if any of these individuals or legal entities misuse personal data via the Internet it may not be possible to regulate them under Taiwan's law. Although the law does provide that certain entities can be designated by the ministry of Justice(MOJ), and the central government authorities governing that business, as falling under Taiwan's legal jurisdiction even though they are not specifically covered under the public or nonpublic organizations defined above, the MOJ has not yet taken steps to designate such entities The difficulty of this task may lead to significant delays in implementing a comprehensive protection for personal data. "
The Taiwanese law is therefore an instance of where there may be sectoral `adequate protection' under A25(1) of the EU Directive.

Disclosure of data

Before the question of the overseas destination of the data is relevant, the disclosure must come within the permitted purposes of the use of the information. Use or disclosure by the Taiwan data exporter is `processing' under Article 18. The data can only be used for the `specific purpose' on the basis of which the data file has been registered (A18). Such processing must also fall within one of the five clauses of Article 18. Unless the data is `in public domain', then the data can only be collected or processed on the basis of written consent from the individual concerned (A 18(1)) or on the basis of `a contractual or quasi-contractual relationship with the party concerned and having no potential harm to be done to the party concerned' (A 18(2).

However, the Enforcement Rules seem to water down the `written consent' requirement by allowing organisations to simply provide consumers/clients with written notice of the intended purpose of use, and a right to object within a specified period, after which `written consent' is presumed (A 30). The `quasi-contractual relationship' is also defined so as to include pre-contractual negotiations and post-contractual dealings (A 32).

In relation to uses beyond the specific purpose of collection, Article 23 goes on to provide that such uses can only be made under one of four circumstances, of which the two relevant to the proposed processing are the written consent of the individual concerned, and `where it is necessary for preventing grave damages to rights and interests of others'. These are quite strict conditions.

Non-public institutions must be registered with the government authority relevant to their sector and issued with a licence, or `collection, computerized processing, international transmission and use of personal data' is illegal (A19). Furthermore, a credit investigation business or (in effect) a data processing business must obtain permission (presumably for their specific processing activities) from the relevant government authority (A 19). Considerable disclosure of information about the processing, including details of `direct recipients of international transmission' is necessary for registration (A 20).

The export restrictions

The Computer-Processed Personal Data Protection Law 1995, provides in A 9 that international transmissions by public organisations must be `in accordance with relevant laws and ordinances'. In relation to private sector organisations, the government authority in charge of the particular sector in which a business falls may issue restrictions on particular transfers (A 24), for four reasons:

(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.

The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws.

The Enforcement Rules provide in Article 13 that the `international transmissions' referred to in Articles 9 and 24 of the Law only mean transmissions via communications networks (irrespective of medium), but not data transmitted by mail, electromagnetic records etc. The rather illogical result is that whether the data export prohibition provisions apply depends on the means of transmission.

There are no provisions in the Enforcement Rules which expand on the meaning of Article 24.

Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws, but this has not been implemented in the Enforcement Rules.

5.4. The proposed Australian export restrictions

In the Australian Privacy Commissioner's `National Principles' (discussed above) Principles 9 `Transborder Data Flows' states:
"9 An organisation should only transfer personal information outside Australia if:
(a) the organisation reasonably believes that the recipient of the information is subject to a statute, binding scheme or contract which effectively upholds principles for fair information handling that are substantially similar to these principles; or
(b) the individual concerned consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the individual concerned and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual concerned between the organisation and a third party; or
(e) the transfer is for the benefit of the individual concerned, and
(i) it is not practicable to obtain the consent of the subject of the information to that transfer; and
(ii) if it were practicable to obtain such consent, the subject of the information would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be collected, held, used or disclosed by the recipient of the information inconsistently with these principles."

This principle has now become significant beyond being a self-regulatory exhortation, because the Commissioner's `National Principles' are to be the basis of the new Victorian Data Protection Bill. Exactly how Principle 9 will translate into the co-regulatory environment envisaged for Victoria is as yet uncertain, but it seems that one Australian jurisdiction will have some form of data export prohibition.

Unlike Québec and Hong Kong, it is notable that the proposed Australian restriction is limited to transfers `outside Australia'. The Victorian legislation is likely to follow this, because restrictions on data exports to another Australian State might contravene the provision in s92 of Australia's federal Constitution requiring freedom of inter-state trade.

107 The Ordinance is described by Mark Berthold in 2 PLPR 164, and analysed at length in Berthold and Wacks Data Privacy Law in Hong Kong - Professional Guide, FT Law & Tax Asia Pacific, 1997.

[108] see M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR 164

[109] See G Greenleaf `Hong Kong's Model Contract clears the way for data export prohibitions' (1997) 4 PLPR 14

[110] For a comparison of the Taiwanese, Hong Kong and Japanese public sector laws, see Stephen Lau `Observance of the OECD Guidelines and the EU Directive in Asia' (1997) 4 PLPR 144

[111] George Chen `The Internet and its Legal Ramifications in Taiwan' Seattle Unviersity Law Review Vol 29 No 3, 1997 - at


[Previous] [Next] [Title]