(This paper was written before the availability of the Article 29 Data Protection Working Party's Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles" (16 May 2000), but that Opinion reinforces its conclusions.)
Australian companies wishing to export personal information from these regional countries will increasingly have to take into account those countries' data export restrictions. Conversely, our own restrictions, and the adequacy of regional countries' laws, will have to be taken into account when exporting personal data to them.
The Asia Pacific situation is similar now to that of Europe in the early 1980s. Then, the presence of such restrictions in what was a handful of European laws helped lead to the European privacy Convention[1] (<http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm>) in 1981, which ensured the free flow of personal information in Europe by providing a guaranteed base level of privacy protection.
(a) An organisational link with Australia - The organisation must be an Australian citizen or resident, or a partnership, trust or company formed here, or an unincorporated association managed and controlled here; or
(b) An operational link with Australia - The organisation carries on business here, or the personal information was collected or held here by that organisation either before or at the time of action complained of.
The Privacy Commissioner's powers to investigate and make determinations are extended to cover this extra-territorial operation.
If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian Act (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.
The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first:
However, the acceptance of the Commission's proposal is not a foregone conclusion, as it may still face significant opposition from Europe's national Data Protection Commissioners (who comprehensively rejected the previous draft as inadequate)[2]. The approval procedures are expected to take until late 2000. Until the process is complete, the international benchmark for what is necessary in order to avoid data export restrictions (and the benchmark for information privacy standards) will remain uncertain[3].
Under the EU's data protection Directive, Member States must ensure personal data transferred to non-EU countries is 'adequately' protected. The same Directive provides that the Commission may make a positive finding when the protection offered by a particular country meets this adequacy requirement. Following two years of discussion, the US is now ready to put in place an arrangement which the Commission considers to offer "adequate" protection. Before adopting a formal decision to this effect, the Commission must seek the support of a qualified majority of Member States. It must also consult their data protection commissioners and the European Parliament. Once adopted the decision will be binding on all Member States and so constitute a strong guarantee against the interruption of data flows from the EU to "safe harbour" participants in the US. Approval procedures will take some time, but the arrangement should be finalised by the summer and operational in the autumn.
The arrangement must now be approved by a qualified majority of Member States meeting in the framework of a Committee established under Article 31 of the Directive. Its members have been regularly consulted on the progress of the dialogue with the US. Prior to seeking the opinion of the Committee, the Commission will seek the opinions on the arrangement from Member States' data protection commissioners (meeting in the framework of the working party established by Article 29 of the Directive). Before finalising the decision, the Commission must also submit it to the scrutiny of the European Parliament, which will check that the Commission is using its powers under the directive correctly. The Commission expects the formal approval procedures to commence in May[5] and to be 'finalised by the summer and operational in the autumn'.
The changes do address some of the criticisms made of the previous version by the EU national Data Protection Commissioners[9]:
"The Working Party thus invites the Article 31 Committee and the Commission to ensure that the final steps of this important process are taken only in the light of the final opinion of the Working Party, not least because the outcome will have important consequences for the national authorities represented in the Working Party."[11]
There are many deficiencies identified by the Commissioners that remain in this new version of the Safe Harbor principles, including the following:
... in stark contrast to the current protections offered by the EU Data Protection Directive where individuals are granted a specific right to judicial remedy and data protection authorities are obligated to follow up on those complaints, the FTC is not required to pursue the claims of any individual consumers....
Civil penalties or sanctions for one-time or persistent violations of Safe Harbor principles may only be assessed by the Federal Trade Commission (FTC) after being referred via industry-funded self-regulatory groups such as TRUSTe or BBBOnline, ADR bodies, or data protection authorities in EU member countries. Despite past cases where individual privacy has been compromised, no self-regulatory group has ever referred a member company for investigation and the FTC has never provided remedies for any of the companies with which they have reached settlements.
In comparison with most information privacy laws, the six principles in the Safe Harbor proposal are very weak. For example, the 'Choice' principle only gives individuals the right to opt out from uses of their information incompatible with the purpose of collection, or from disclosures incompatible with the purpose of collection. Except for 'sensitive' information (where 'opt in' is required), there is therefore a blanket opt-out rule for all secondary uses of personal information. This is contrary to the normal approach of requiring consent (opt in), with specific exceptions.
If adopted by the A31 Committee, the draft Decision accepts that the Safe Harbor proposals do constitute 'adequate' protection in relation to those US companies that have 'unambiguously and publicly disclosed' (in writing to the Commerce Department) a commitment to comply, and come within the statutory powers of a US government body with powers to investigate and obtain relief against unfair or deceptive practices, irrespective of the residence or nationality of the complainant[16].
It remains to be seen what percentage of US organisations that wish to obtain personal data from EU countries will be able to satisfy these criteria.
There are provisions for a European national Commissioner to take unilateral action to suspend transfers where there is evidence of violations by US companies which create an 'imminent risk of grave harm' to Europeans and a reasonable basis for believing US remedies are inadequate[17]. There is also provision for a review of the Decision after three years.
If the current version of Safe Harbor, or something like it, is accepted as adequate, then most aspects of the 2000 Bill would appear to meet that standard.
However, even with as weak a benchmark as the current Safe Harbor proposal, there are a number of aspects of the 2000 Bill which are likely to limit the scope of any EU finding of adequacy for Australia, and will therefore constitute problems for some sectors of Australian businesses:
New Zealand's Privacy Commissioner recently proposed that the NZ Privacy Act 1993 be amended to ensure that non-citizens have all rights under the Act, in order to ensure adequacy under EU law and that of other jurisdictions such as Hong Kong. The Australian Bill fails to do this.
If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.
All of the publications by the A29 Committee of the EU have interpreted the 'adequacy' requirement of the Directive as requiring some such 'onward transfer' restriction, so this will be an aspect of the Bill that the EU looks at carefully.
It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, and NPP 2 limiting disclosures for secondary uses must also be complied with.
Where a transfer is to the same organisation overseas, NPP 9 does not apply but the extra-territorial operation of the Act comes into play. In that case there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.
Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.
Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.
Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious:
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply: (i) the transfer is for the benefit of the individual; (ii) it is impracticable to obtain the consent of the individual to that transfer; (iii) if it were practicable to obtain such consent, the individual would be likely to give it
Condition (f), however, is much weaker than anything found in the Directive:
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.
The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), mean that there is a real danger that personal information will be exported from Australia under conditions which give little protection to privacy.
The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.
In relation to imports from the EU, the following is not the complete picture, as some forms of governmental use of personal information are not covered by the Directive.
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless: (a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or (b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply: (a) until after the first anniversary of the commencement of this section, or (b) until a code referred to in subsection (4) is made, whichever is the later.
The purpose of the provision is that NSW public sector agencies should not disclose personal information to persons or bodies outside NSW unless there are appropriate privacy laws or other forms of protection (recognised in a code of conduct) in operation in the other jurisdiction.
A benefit of this provision (once it is in force) is that it could provide protection to NSW agencies against any data import restrictions being imposed against them. For example, a European government could otherwise refuse to disclose personal information to a NSW agency on the grounds that, no matter how strong the privacy protection in NSW might be, there was nothing to stop the NSW agency from passing on the data to an unprotected jurisdiction.
An important factor to note is the broad scope of the prohibition. It extends to other State and Territory governments in Australia. It also applies (in theory) to Commonwealth agencies located outside NSW (although the Commonwealth Privacy Act would presumably be a 'relevant privacy law'). It also applies to any private sector organisations outside NSW (in the absence of the proposed federal legislation).
However, the export restrictions are not yet in force, and it is uncertain when or if they will ever be in force. First, the Privacy Commissioner must prepare a code (s19(4)), but then only the Minister can 'make' the code (s31(4)). If no code is ever made s19(2) will never come into operation because of s19(5).
[2] See G Greenleaf 'Death of the EU Privacy Directive?: Choppy waters in the Safe Harbour' 6 PLPR 81 for details of the Commissioners' criticisms.
[3] See the above article for the significance of the Safe Harbour proposal for international standards.
[4] European Commission Internal Market DG - Press Release 'Data protection: Commission endorses "safe harbor" arrangement with US' (29 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm>
[5] European Commission Internal Market DG - Press Release 'Data protection: draft package agreed for protection of data transferred from EU to US' (15 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor3.htm>
[6] US Commerce Department's Safe Harbour web site - <http://www.ita.doc.gov/td/ecom/menu1.html>
[7] 'Redlined' version of Safe Harbour proposal - <http://www.ita.doc.gov/td/ecom/RedlinedPrinciples31600.htm>
[8] Comments are at <http://www.ita.doc.gov/td/ecom/Comments400/publiccomments0400.html>
[9] For details of these criticisms see a summary in Greenleaf 6 PLPR 81
[10] See FAQ 6 - Self-Certification <http://www.ita.doc.gov/td/ecom/RedlinedFAQ6selfcert300.htm>
[11] The Working Party on the Protection of Individuals With Regard to the Processing of Personal Data Opinion 3/2000 on the EU/US dialogue concerning the "Safe harbor" arrangement (adopted 16th March 2000) - <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp31en.htm>
[12] The draft Decision requires this, but not the Safe Harbour proposal.
[13] It only refers to 'damages awarded where the applicable law or private sector initiative so provides'.
[14] Submission of the Trans Atlantic Consumer Dialogue (TACD) (30 March 2000) <http://www.ita.doc.gov/td/ecom/Comments400/TACDComments1.htm>
[15] European Commission Internal Market DG - Draft Commission Decision on the adequacy of the US Safe Harbor Principles (29 March 2000) - <http://www.ita.doc.gov/td/ecom/Art256Decision.htm> (on US Commerce Department site)
[16] Article 1 of the draft Decision
[17] Article 2 of the draft Decision
[18] "generally available publication" 'means a magazine, book, newspaper or other publication that is or will be generally available to members of the public (however published)' (s6, as amended by the Bill, Schedule 1, Item 14).