National Privacy and Data Protection Summit
IBC Conferences - Sydney 17 & 18 May 2000

Exporting and importing personal data: The effects of the Privacy Amendment (Private Sector) Bill 2000

Graham Greenleaf
Professor of Law, University of New South Wales
15 May 2000

 

(This paper was written before the availability of the Article 29 Data Protection Working Party's Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles" (16 May 2000), but that Opinion reinforces its conclusions.)
 

1 Dimensions of importing and exporting personal data

There are four different dimensions to the question 'how does the Privacy Amendment (Private Sector) Bill 2000 (the '2000 Bill') affect the ability of Australian businesses to export or to import personal information?'

1.1. Australian - Off-shore processing and Australian law

The 2000 Bill will apply in some instances to processing of personal information outside Australia.

1.2. Australian - Restrictions on exports of personal data from Australia

The 2000 Bill imposes such export limitations for the first time.

1.3. European - Restrictions on personal data imports to Australia

The EU privacy Directive prohibits EU businesses from exporting personal information about Europeans to countries that do not have 'adequate' privacy laws

1.4. Regional - Other Asia-Pacific laws are including data export restrictions

In the Asia Pacific, the privacy laws of Québec, Hong Kong and Taiwan already contain such restrictions, and are now being joined by the laws of various Australian jurisdictions. In the next few years they may be joined by other regional countries with comprehensive privacy laws such as New Zealand and Canada.

Australian companies wishing to export personal information from these regional countries will increasingly have to take into account their data export restrictions. Our own restrictions, and the adequacy of regional countries' laws, will likewise have to be taken into account when exporting personal data to them.

The Asia Pacific situation is similar now to that of Europe in the early 1980s. Then, the presence of such restrictions in what was then a handful of European laws helped lead to the European privacy Convention[1] in 1981 to ensure the free flow of personal information in Europe by providing a guaranteed base level of privacy protection.

2 Australian businesses overseas under the 2000 Bill

The Bill aims to stop avoidance of its provisions by moving personal information overseas. In summary, s5B gives almost all of the Act extra-territorial operation in relation to information about an Australian citizen or resident, provided one of two types of nexus is satisfied:

(a) An organisational link with Australia - The organisation must be an Australian citizen or resident, or a partnership, trust or company formed here, or an unincorporated association managed and controlled here; or

(b) An operational link with Australia - The organisation carries on business here, or the personal information was collected or held here by that organisation either before or at the time of the action complained of.

The Privacy Commissioner's powers to investigate and make determinations are extended to cover this extra-territorial operation.

If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian Act (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.

The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first:

In contrast, it may be less extensive than it needs to be if (as discussed later) s5B does not extend to anyone who is not an Australian, and therefore EU citizens are unprotected against their data being exported by Australian businesses to privacy-unfriendly foreign countries.

3 Data imports - What will the EU Directive mean after 'Safe Harbor'?

The European Commission and the US Department of Commerce have reached a compromise over the 'Safe Harbor' proposals which are intended to provide a basis for transfers to the USA of personal information concerning Europeans to be considered to have 'adequate' privacy protection as required by the EU privacy Directive. The US has released an amended version of the 'Safe Harbor' proposal, and the European Commission has announced it is willing to support a formal Decision by the Committee of Member States under the Directive declaring that the proposal is 'adequate'.

However, the acceptance of the Commission's proposal is not a foregone conclusion, as it may still face significant opposition from Europe's national Data Protection Commissioners (who comprehensively rejected the previous draft as inadequate)[2]. The approval procedures are expected to take until late 2000. Until the process is complete, the international benchmark for what is necessary in order to avoid data export restrictions (and the benchmark for information privacy standards) will remain uncertain[3].

3.1. The EU Commission promotes a compromise

The European Commission has given Internal Market Commissioner Frits Bolkestein approval to seek the support of EU Member States for accepting the March 2000 version of the US' Safe Harbor proposal 'which the Commission considers to offer "adequate" protection'[4]. The Commission explains the process:

"Under the EU's data protection Directive, Member States must ensure personal data transferred to non-EU countries is 'adequately' protected. The same Directive provides that the Commission may make a positive finding when the protection offered by a particular country meets this adequacy requirement. Following two years of discussion, the US is now ready to put in place an arrangement which the Commission considers to offer "adequate" protection. Before adopting a formal decision to this effect, the Commission must seek the support of a qualified majority of Member States. It must also consult their data protection commissioners and the European Parliament. Once adopted the decision will be binding on all Member States and so constitute a strong guarantee against the interruption of data flows from the EU to "safe harbour" participants in the US. Approval procedures will take some time, but the arrangement should be finalised by the summer and operational in the autumn.

The arrangement must now be approved by a qualified majority of Member States meeting in the framework of a Committee established under Article 31 of the Directive. Its members have been regularly consulted on the progress of the dialogue with the US. Prior to seeking the opinion of the Committee, the Commission will seek the opinions on the arrangement from Member States' data protection commissioners (meeting in the framework of the working party established by Article 29 of the Directive). Before finalising the decision, the Commission must also submit it to the scrutiny of the European Parliament, which will check that the Commission is using its powers under the directive correctly."

The Commission expects the formal approval procedures to commence in May[5] and to be 'finalised by the summer and operational in the autumn'.

3.2. The new 'Safe Harbor' compromise

The full text of the new version of the Safe Harbor proposal accompanies this article. The US Commerce Department's Safe Harbor web site[6] contains a 'redlined' version of the proposal showing what has been added and deleted since the December 1999 version[7] and comments on the proposal from business and consumer organisations[8].

The changes do address some of the criticisms made of the previous version by the EU national Data Protection Commissioners[9]:

3.3. Will it satisfy the national Data Protection Commissioners?

The EU national Data Protection Commissioners (the Article 29 Committee) have not yet (15 May 2000) delivered a further opinion on the March version, but have made it clear that they expect the Article 31 Committee and the European Parliament to give them the opportunity to deliver their final opinion before those bodies make any final decisions:

"The Working Party thus invites the Article 31 Committee and the Commission to ensure that the final steps of this important process are taken only in the light of the final opinion of the Working Party, not least because the outcome will have important consequences for the national authorities represented in the Working Party."[11]

There are many deficiencies identified by the Commissioners that remain in this new version of the Safe Harbor principles, including the following:

Given the above list of unresolved weaknesses, it seems likely that the A29 Committee will remain very critical of the Safe Harbor proposals and the draft Decision.

3.4. How strong are the 'Safe Harbor' protections?

The new Safe Harbor proposals have been criticised by a coalition of European and US consumer organisations (the Trans Atlantic Consumer Dialogue - TACD)[14], particularly for its lack of sufficient enforcement mechanisms. Some crucial weaknesses of the Safe Harbor proposals are summed up in these TACD comments:
... in stark contrast to the current protections offered by the EU Data Protection Directive where individuals are granted a specific right to judicial remedy and data protection authorities are obligated to follow up on those complaints, the FTC is not required to pursue the claims of any individual consumers.
...
Civil penalties or sanctions for one-time or persistent violations of Safe Harbor principles may only be assessed by the Federal Trade Commission (FTC) after being referred via industry-funded self-regulatory groups such as TRUSTe or BBBOnline, ADR bodies, or data protection authorities in EU member countries. Despite past cases where individual privacy has been compromised, no self-regulatory group has ever referred a member company for investigation and the FTC has never provided remedies for any of the companies with which they have reached settlements.
In comparison with most information privacy laws, the six principles in the Safe Harbor proposal are very weak. For example, the 'Choice' principle only gives individuals the right to opt out from any uses of their information incompatible with the purpose of collection, or any disclosures other than those compatible with the purpose of collection. Except for 'sensitive' information (where 'opt in' is required) there is therefore a blanket opt-out rule for all secondary uses of personal information. This is contrary to the normal approach, which requires consent (opt in) subject to specific exceptions.

3.5. The draft EU Decision

The Article 31 Committee has not yet (15 May 2000) made its Decision, but the draft Decision drawn up by the Commission is available[15]. As stressed above, in the absence of the A29 Committee's final report and the views of the European Parliament, it is too early to say whether it will be adopted in this form. It is possible that the Commission will be required to attempt to negotiate further modifications to the Safe Harbor scheme before the A31 Committee is willing to adopt it.

If adopted by the A31 Committee, the draft Decision accepts that the Safe Harbor proposals do constitute 'adequate' protection in relation to those US companies that have 'unambiguously and publicly disclosed' (in writing to the Commerce Department) a commitment to comply, and come within the statutory powers of a US government body with powers to investigate and obtain relief against unfair or deceptive practices, irrespective of the residence or nationality of the complainant[16].

It remains to be seen what percentage of US organisations that wish to obtain personal data from EU countries will be able to satisfy these criteria.

There are provisions for a European national Commissioner to take unilateral action to suspend transfers where there is evidence of violations by US companies which create an 'imminent risk of grave harm' to Europeans and a reasonable basis for believing US remedies are inadequate[17]. There is also provision for a review of the Decision after three years.

3.6. Implications for Australia and the Asia-Pacific

The implications of the still-unresolved Safe Harbor outcome for Asia-Pacific countries are significant but vary very much between countries. Assuming that some version of the Safe Harbor proposal is approved by the EU (but perhaps with significant qualifications and possibly even a further redraft), here are a few:

4 Data imports - Will the 2000 Bill be 'adequate' for the EU?

A final assessment must await the outcome of the A31 Committee's deliberations on the Safe Harbor proposal, which will set the benchmark for what constitutes 'adequacy'.

If the current version of Safe Harbor, or something like it, is accepted as adequate, then most aspects of the 2000 Bill would appear to meet that standard.

However, even with as weak a benchmark as the current Safe Harbor proposal, there are a number of aspects of the 2000 Bill which are likely to limit the scope of any EU finding of adequacy for Australia, and will therefore constitute problems for some sectors of Australian businesses:

5 Data export restrictions under the 2000 Bill

NPP 9 prohibits 'transfers' of personal information by an organisation to someone (other than the organisation) in a foreign country unless one of six conditions, (a) - (f), is satisfied.

If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.

All of the publications by the A29 Committee of the EU have interpreted the 'adequacy' requirement of the Directive as requiring some such 'onward transfer' restriction, so this will be an aspect of the Bill that the EU looks at carefully.

It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, so NPP 2, which limits disclosures for secondary uses, must also be complied with.

Where a transfer is to the same organisation overseas, NPP 9 does not apply, but the extra-territorial operation of the Act comes into play. In that case there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.

5.1. Six conditions allowing overseas transfers

The six conditions will generally be sufficient to allow any legitimate transfer overseas of personal information.

Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.
Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.

Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious:

(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to give it

Condition (f), however, is much weaker than anything found in the Directive:

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.

The subjective and imprecise nature of condition (a), and the weak and imprecise nature of condition (f), mean that there is a real danger that personal information will be exported from Australia under conditions which give little protection to privacy.

The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.

6 Exports and imports by Australian public sector bodies

To complete the picture, we need to look at where public sector bodies stand in relation to exports and imports.

In relation to imports from the EU, the following is not the complete picture, as some forms of governmental use of personal information are not covered by the Directive.

6.1. Commonwealth agencies - No protection in the Privacy Act 1988

The 2000 Bill does not prevent Commonwealth agencies from exporting personal information that they hold to overseas countries with no adequate privacy laws. This is a gap in the protection available to Commonwealth agencies that might wish to import personal information from EU countries. The Act does not have extra-territorial effect in relation to agencies either, as they are not 'organisations' (s6D).

6.2. NSW agencies - s19 Privacy and Personal Information Protection Act 1998

New South Wales enacted the Privacy and Personal Information Protection Act 1998 in November 1998, replacing the previous Privacy Committee Act 1975. The Act's Information Protection Principles (IPPs) only cover the State public sector, not the private sector. The Act contains Australia's first legislated restriction on personal data exports. The provisions in s19(2)-(5) require quotation in full:
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
(b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply:
(a) until after the first anniversary of the commencement of this section, or
(b) until a code referred to in subsection (4) is made,
whichever is the later.
The purpose of the provision is that NSW public sector agencies should not disclose personal information to persons or bodies outside NSW unless there are appropriate privacy laws or other forms of protection (recognised in a code of conduct) in operation in the other jurisdiction.

A benefit of this provision (once it is in force) is that it could provide protection to NSW agencies against any data import restrictions being imposed against them. For example, a European government could otherwise refuse to disclose personal information to a NSW agency on the grounds that, no matter how strong the privacy protection in NSW might be, there was nothing to stop the NSW agency from passing on the data to an unprotected jurisdiction.

An important factor to note is the broad scope of the prohibition. It extends to other State and Territory governments in Australia. It also applies (in theory) to Commonwealth agencies located outside NSW (although the Commonwealth Privacy Act would presumably be a 'relevant privacy law'). It also applies to any private sector organisations outside NSW (in the absence of the proposed federal legislation).

However, the export restrictions are not yet in force, and it is uncertain when or if they will ever be in force. First, the Privacy Commissioner must prepare a code (s19(4)), but then only the Minister can 'make' the code (s31(4)). If no code is ever made, s19(2) will never come into operation because of s19(5).

6.3. Agencies of other States and Territories

No State or Territory other than NSW has a privacy law which covers its whole public sector, so they have no legislative protection against the imposition of EU export controls. However, as noted above, some categories of public sector information are not covered by the Directive in any case.



[1] Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108) - <http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm>

[2] See G Greenleaf 'Death of the EU Privacy Directive?: Choppy waters in the Safe Harbour' 6 PLPR 81 for details of the Commissioners' criticisms.

[3] See the above article for the significance of the Safe Harbour proposal for international standards.

[4] European Commission Internal Market DG - Press Release 'Data protection: Commission endorses "safe harbor" arrangement with US' (29 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm>

[5] European Commission Internal Market DG - Press Release 'Data protection: draft package agreed for protection of data transferred from EU to US' (15 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor3.htm>

[6] US Commerce Department's Safe Harbour web site - <http://www.ita.doc.gov/td/ecom/menu1.html>

[7] 'Redlined' version of Safe Harbour proposal - <http://www.ita.doc.gov/td/ecom/RedlinedPrinciples31600.htm>

[8] Comments are at <http://www.ita.doc.gov/td/ecom/Comments400/publiccomments0400.html>

[9] For details of these criticisms see a summary in Greenleaf 6 PLPR 81

[10] See FAQ 6 - Self-Certification <http://www.ita.doc.gov/td/ecom/RedlinedFAQ6selfcert300.htm>

[11] The Working Party on the Protection of Individuals With Regard to the Processing of Personal Data Opinion 3/2000 on the EU/US dialogue concerning the "Safe harbor" arrangement (adopted 16th March 2000) - <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp31en.htm>

[12] The draft Decision requires this, but not the Safe Harbour proposal.

[13] It only refers to 'damages awarded where the applicable law or private sector initiative so provides'.

[14] Submission of the Trans Atlantic Consumer Dialogue (TACD) (30 March 2000) <http://www.ita.doc.gov/td/ecom/Comments400/TACDComments1.htm>

[15] European Commission Internal Market DG - Draft Commission Decision on the adequacy of the US Safe Harbor Principles (29 March 2000) - <http://www.ita.doc.gov/td/ecom/Art256Decision.htm> (on US Commerce Department site)

[16] Article 1 of the draft Decision

[17] Article 2 of the draft Decision

[18] "generally available publication" 'means a magazine, book, newspaper or other publication that is or will be generally available to members of the public (however published)' (s6, as amended by the Bill, Schedule 1, Item 14).