Journal of Law, Information and Science


Tucker, Greg --- "Personal Information Transfers Abroad" [1994] JlLawInfoSci 2; (1994) 5(1) Journal of Law, Information and Science 7

PERSONAL INFORMATION TRANSFERS ABROAD

PROFESSOR GREG TUCKER[*]

Abstract

In this article the author examines the international transfer of personal information. The extent of the regulatory problem is examined, as are the existing protections, and some conclusions are drawn as regards possible future directions.

1. Introduction

International transfers of personal information are not a new phenomenon. They are also known by the somewhat cumbersome title of "transborder data flows". For the purposes of this article, they are defined as movement of personal data across national borders by whatever medium.[1] The definition includes transfers by post, telecommunications, satellite, computer networks and even personal delivery of data. It also incorporates domestic data transfers using satellites owned and operated by another country. In this case, the data goes out of the jurisdiction momentarily and then returns.

International data transfers only relate to personal data which is information relating to an identified or identifiable individual[2]. The flow of international data is not a separate issue from the regulation of domestic transfers; it is an extension of this discussion clouded by issues of sovereignty and trade. Indeed, it will be demonstrated that the very same laws which may be invoked to protect domestic transfers may be applied equally to international flows.

The polemic in this area is the means of control or regulation of these international data flows. What protection should data transferred to another country be accorded - the same or a similar level as the transferring country, or is something less acceptable? Much has been written in this area.[3] No uniform international regulatory model exists. Essentially, it is an issue of control or sovereignty by individuals over their personal data. This is only one aspect of a more general problem: that is, how can information be controlled once it goes beyond jurisdiction? This includes commercial secrets and intellectual property rights.

This article reviews the extent of the regulatory problem and considers the approaches of other jurisdictions and the impact of the OECD Guidelines, the Council of Europe Convention 108 and the likely impact of the European Union ("EU") draft Directive on data protection. An outline is provided of existing protections for transnational flows of personal information sent to or from Australia leading to some tentative conclusions for the future of this area.

2. Some Preliminary Matters

It is essential to recognise several matters: firstly, the volume of international transfers is enormous when one considers the number of individual flows which take place in the finance, travel and insurance sectors alone on a daily basis. Secondly, it is impossible to regulate international transfers absolutely. The disparate methods of transferring information are such that if one means fails another could be used. For example, if a company is prevented from sending information electronically, it may have it delivered personally on diskettes or by post.

Thirdly, the speed of many transfers makes effective regulation difficult. This has two aspects: data may be transferred almost instantaneously through private networks so, in regulatory terms, it is almost impossible to stop. Furthermore, the imperatives of business require that transactions be conducted in a timely manner. A regulatory mechanism may place additional pressure on business and have an adverse impact on competitiveness.

3. The Extent of the International Transfers

A report from an OECD conference commented:

"Crucial to managing international operations is the availability of accurate and timely information with the flow of information paralleling the increasing flow of goods and services. As computerisation diffuses throughout the economy and communication between computers becomes increasingly practical, more and more of this exchange of information takes the form of transborder data flows".[4]

Existing and new technologies, spanning the globe and beyond, make the collection, storage and transfer of information a simple matter. The convergence of data processing with communications technology has led to the ease of distribution of data in large quantities. The Council of Europe has stated:

"Videotex, for example, now allows users to access data bases located in different countries. International carriers using satellites and fibre optics have vastly increased facilities for promoting electronic mail use and other technologies conforming to the conversational model".[5]

It is difficult to estimate the extent to which international transfers take place. Some indication emerged from a major Canadian study which provided insights into the destination of various categories of international flows and assessed the protection offered to the information in that new jurisdiction.[6] The study revealed that approximately 21% of the largest public organisations and private firms in Canada sent personal data abroad with considerable variation in volume between sectors.[7] Public organisations transmitted data to other public organisations abroad, whereas private sector companies transferred over 50% of the personal data which they sent abroad to companies within their own organisation or corporate group[8]. In the private sector, insurance companies recorded the highest volume of transfers, followed by transportation and tourism companies, then financial institutions[9].

The view has been expressed that threats of loss of trade in processing personal data led substantially to the enactment of the Data Protection Act 1984 in the United Kingdom[10]. The Lindop Committee, enquiring into data protection, stated:

"data protection authorities in other countries might impose restrictions on the export to the UK of personal data about their own citizens if the processing of such data were excluded from the protection of the UK Act. Indeed, we understand that UK service companies, competing for Swedish data processing contracts, have already suffered from restrictions imposed by the Swedish Data Inspection Board, because of the absence of data protection legislation in the UK."[11]

This suggests that the amount of international trade in processing of personal data was considerable in the UK.

The international transfer of personal data has become institutionalised which, in turn, suggests that routine transfers take place. Organisations and computer networks exist to transfer personal and other information. These include: the Society for Worldwide Interbank Financial Telecommunications; the Internet; Interpol's network; the private international networks of many banks and of many other multinational corporations such as IBM, Shell and Siemens; the Base One network used by Visa card to verify credit card transactions; and the Galileo/Fantasia/Sabre systems used worldwide in the travel industry.

Moreover, increases in international data flows are assured by moves by corporations to "outsource" data processing. This occurs where a company has the processing done by another organisation. The processor may be situated in another country, typically where the unit cost of labour is lower.

4. Restriction of Data Flows

Celebrated anecdotal instances exist in France, Germany and the United Kingdom in which the transfer of personal data abroad was restricted or prohibited[12]. As at 1990, Sweden's Data Inspectorate had had approximately 100 cases where personal data was prohibited from being sent abroad or where it had to be modified before it was sent.[13] These cases result from the requirement under the Data Act that data controllers have to obtain permission from the Inspectorate before the data is sent abroad where the data will be subject to automatic processing and where the destination country has not ratified the Council of Europe Convention 108.

There is no evidence to suggest that a flashpoint has developed where some countries have refused to permit data to be sent to another country because that other country has inadequate protections. Although there are a significant number of examples of restrictions by some countries, this is not a substantial amount in the context of the huge number of international transfers which take place on a daily basis.

It must be emphasised that it is unlikely that any regime will ever control absolutely the transfer of data abroad. Some concession to reality must be made, but this is no reason not to attempt some control in order to protect personal data. The range of regulatory approaches merits consideration.

5. Regulatory Approaches in Other Jurisdictions

National Regulation

Several different ideological positions have been taken to regulation of international data transfers.[14] The major competing ideologies are, firstly, that international transfers of personal information ought to be regarded as subject to the fundamental human right to privacy and control by individuals over their personal information. On the other side of the same coin, it is argued that trade and commerce rely upon the free flow of information and these flows ought not to be unduly hindered. In this context, data protection may be viewed as a hidden trade barrier. A tension exists between these positions, but they are not antithetical. To date, no reconciliation has been warranted as significant volumes of data have not been restricted routinely.[15]

It is appropriate to begin international comparisons by looking briefly at what some individual countries have done as many of these initiatives predate the proposals of international organisations.[16] Many European and Scandinavian countries have their own generic laws restricting the international flow of personal information. Typically, these provisions form part of each country's data protection legislation. No such provisions exist in Australia, Japan, New Zealand, or the United States.

As noted earlier, the Swedish Data Act provides that the approval of the Data Inspectorate has to be gained where personal information to be sent abroad will be subject to automated processing.[17] Austria, Norway and Portugal have similar provisions.

In Germany, the United Kingdom and Ireland there are specific powers to restrict these flows; however, there is no requirement that data controllers notify the relevant authority of proposed transfers.

The Netherlands has no special regulation; rather, the view has been taken that data controllers established in the Netherlands must observe the provisions of the data protection legislation concerning Dutch residents wherever the personal data are situated.

It is evident that provisions exist to regulate the international flow of personal data. Yet these have not been invoked in any significant way relative to the volume of these data crossing borders daily. It has been commented that:

"Data protection is still a relatively new field. So far, data protection authorities have not really ventured into transborder enforcement."[18]

This could be one reason, although many of the data protection regimes are quite mature having been in existence for up to 23 years. It may be that the issue has not been pursued because it cannot be taken in isolation but is inextricably entwined with trade and sovereignty issues.

The impact of one country deciding to strictly monitor and restrict and, in cases, prohibit, data exports could be severe on all parties. It may lead to a decrease in foreign income through the loss of trade opportunities and also lead to a reduction in foreign investment in that country as investors react to the restrictions. Moreover, it may lead to countries which are affected by the restrictions taking political and economic action which adversely affects the country. International instruments may provide comfort in this regard as they bring some solidarity and strength of numbers to better support more widespread regulation.

International Instruments

The prohibition on transborder data flows in the Council of Europe Convention 108 represents the clearest example of international regulation to date. It outlines the principle that the transfer of personal information to another country shall be unimpeded where that other country has equivalent protection.[19] A corollary of this is that countries which lack equivalent protection may have data transfers impeded by countries which have ratified the Convention. The notion of equivalence here is an interesting one as the Convention does not contain detailed provisions for data protection regulation in each country. Rather, it sets out a broad framework which can then be translated into more detailed national legislation by each country which ratifies the Convention. Accordingly, countries which have ratified the Convention have adopted significantly different regulatory models and provisions yet, for the purposes of the Convention, they afford equivalent protection. More than thirteen European and Scandinavian countries have ratified the Convention.

The OECD Guidelines were developed contemporaneously with Convention 108. These are voluntary guidelines or principles designed to meet the needs and constraints of a wider membership of countries than the membership of the Council of Europe. The OECD has twenty-four member countries many of which are not members of the Council of Europe.[20] These Guidelines provide similar counsel to member countries as does Convention 108.

The OECD Guidelines provide encouragement for member countries to adopt appropriate domestic regulation to protect privacy, to support self regulatory initiatives and for adequate remedies and sanctions to be made available where there is failure to observe the principles laid down in the Guidelines.[21] From this permissive domestic framework the Guidelines encourage countries to ensure that transborder data flow procedures are simple and compatible with those of other countries.[22] However, in practice the different domestic standards make this very difficult to achieve unless a minimum standard is agreed between countries. As noted earlier, this has only taken place to a limited extent through ratification by some countries of the Council of Europe Convention 108.

In 1985, the Ministers of the OECD adopted a Declaration on Transborder Data Flows which stated:

"Having regard to their national laws, (the governments of Member countries) do hereby DECLARE THEIR INTENTION TO:

a) Promote access to data and information and related services, and avoid the creation of unjustified barriers to the international exchange of data and information;

b) Seek transparency in regulations and policies relating to information, computer and communications services affecting transborder data flows;

c) Develop common approaches for dealing with issues related to transborder data flows and, when appropriate, develop harmonised solutions;

d) Consider possible implications for other countries when dealing with issues related to transborder data flows."

This declaration attempts to walk the fine line between ensuring the free flow of information and accepting that there may be justifiable reasons for restricting these flows. One thing is certain: the development of common approaches and harmonisation referred to in paragraph (c) has not occurred between the OECD countries, let alone the world at large.

The European Union has produced two draft directives relating to data protection within the twelve member states. The first proposal is the general data protection directive designed to provide the minimum framework for privacy rights within the member states.[23] The second directive is sectoral and relates to the regulation of telecommunications and privacy.[24] In this context consideration shall only be given to the general data protection directive as it has specific provisions relating to the export of personal data to countries outside of the EU.

The broad approach of the general data protection directive is to provide specific regulatory provisions rather than merely the framework within which member countries can themselves provide the detail as appropriate. In this way a minimum standard is set and maintained for EU member states. Thus the draft directive is fundamentally different from the Council of Europe Convention 108.[25]

Articles 26 and 27 regulate international transfers and have been the subject of much debate between the United States government and representatives of the EU. The international transfer restrictions apply only where the personal information is transferred and undergoes, or may undergo, some form of processing, automatic or manual.[26] Article 27 prohibits the transfer of personal data to a non member country unless it ensures an "adequate" level of data protection. There can be much debate about what constitutes an adequate level of protection. This term is not defined. Does it mean equivalence or can there be a different benchmark measure for non member countries than for member countries? Some guidance is provided. A member country shall generally have reference to all the circumstances surrounding the proposed data transfer(s) and to the following factors in particular:

(i) the nature of the data to be transferred;

(ii) the purpose(s) and duration of the proposed operation(s);

(iii) the legislative provisions, both general and sectoral in force in the non-member country; and

(iv) any relevant professional rules.[27]

Determination, and then assessment of these matters by the member country, could be time consuming and unnecessarily bureaucratic in circumstances where decisions are needed without delay.

There are a number of exceptions which permit transfers despite the lack of adequate protection by a non member country. These exceptions are where:

(i) the data subject has consented to the transfer preliminary to entering into a contract;

(ii) the transfer is necessary for the performance of a contract between the data subject and the controller of the data provided that the data subject has been informed that the controller is transferring, or is likely to transfer, the data to a non member country which does not ensure an adequate level of protection;

(iii) the transfer is necessary on important public interest grounds; or,

(iv) the transfer is necessary to protect the vital interests of the data subject.[28]

If the level of protection is not "adequate" the EU must be informed, whereupon it undertakes its own assessment of the country. No guidelines exist for this process. If the EU finds it is inadequate and that it is likely to harm the interests of the EU or of a member country then it may enter into negotiations with the country to attempt to resolve the matter. It may reach a decision that a non member country has adequate protection based on that country's international obligations or its domestic laws.[29] Decisions of the EU must be "in keeping" with any international agreements such as the Council of Europe Convention 108.[30] Thus this Convention remains the minimum standard to which the EU must adhere in its deliberations.

Finally, data may still be sent to the non member countries where the data controller provides evidence that the transferee organisation has adequate data protection, including the effective exercise of the data subjects' rights, even though the country lacks such protection.[31] Any proposed exception must be notified to the EU and other member states which are given the opportunity to object to the data transfer. If there is an objection then member countries will provide an opinion and the EU will take account of this opinion in reaching its final decision.[32] This seems to give the EU the ultimate decision making power.

This final form of exception from the prohibition gives sectoral organisations and individual companies the opportunity to demonstrate that they have mechanisms in place that ensure adequate protection. These protections will probably be contractual in form as this may be the easiest way to secure protection of the data subjects' rights. Typically, the data subjects will not be parties to the agreement, rather the contract will import the law of the member country sending the data.[33] For example, it is envisaged that data subjects would have the same rights of access and amendment as in their home country and breach of this term would terminate the underlying contract.[34] The position of transferee companies may also be supported by codes of practice or internal guidelines which demonstrably increase the level of data protection.

It remains unclear whether all the member countries of the EU support the same approach. Both Italy and Greece still lack generic data protection laws and Belgium has only recently enacted its law.

6. Australian Position - Data Outflow

In Australia, there is no regulatory framework for international data transfers. Restriction or prohibition of data outflows may occur as the result of a number of provisions. Some of these arise in the data protection/privacy context, others merely have this effect incidentally. The following is an outline of some of these provisions.

International obligations

The International Covenant on Civil and Political Rights ("ICCPR") was ratified by Australia on 13 August 1980. This Covenant includes article 17 which states:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

This article does not deal specifically with international transfers but does indicate commitment to privacy protection at an international level.

The federal government formally adopted the OECD Guidelines in 1984 and at that time recommended that the States and the private sector adhere to them.[35] This announcement indicated two things: that the federal government recognised the importance of the Guidelines and the need to have a common international position; and that the area of privacy was regarded as one in which the states and territories had residual constitutional power. The latter point is polemic as constitutional coverage of this area may well be within the external affairs power in section 51 (xxix) of the Federal Constitution Act 1900. This point is discussed elsewhere.[36]

As indicated earlier, the OECD Guidelines do not provide a prescriptive framework for regulating transnational flows of personal data; they set out broad principles. Adoption of the Guidelines indicates a commitment to the area by the federal government but it has not led to any specific regulation.

Generic Privacy Legislation

The Privacy Act 1988 regulates, inter alia, federal government agencies and the credit reporting industry. It does not refer specifically to the regulation of international transfers of personal data but some of its general provisions seem to apply to transfers irrespective of whether the transfers are domestic or international.

In relation to federal government agencies, it sets out information privacy principles ("IPPs") the breach of which constitutes an interference with privacy under the Act.[37] Federal agencies in possession or control of a record that contains personal information, are required only to use information for the purposes for which it was collected subject to certain exceptions.[38] In addition, the agencies are prohibited from disclosing personal information except within the prescribed exceptions.[39]

Set in the context of the preamble to the Act, which refers to the international commitments of Australia under the ICCPR and the OECD Guidelines, the Act seems to cover personal information possessed or controlled by an agency overseas. This gives rise to a number of situations. Firstly, where an agency transfers personal information it possesses or controls in Australia, including its territories, to another party abroad. Secondly, where the information is transferred internally by an agency to one of its offices in another country; here the agency remains in possession and control of the data. Finally, where the agency has personal information stored in one of its overseas offices and the agency transfers it to another party.

The first case is a straightforward application of the legislation; the transfer should not occur unless it falls within an exception.[40] The other two instances raise the issue of extraterritorial operation of the Act. The Act seems to apply wherever the agency is in possession or control of personal information not just within Australia or its territories. In this way the provisions of the Privacy Act seem to control information flows of federal government agencies abroad.

A similar argument may be raised under the credit reporting provisions of the Act. Part IIIA of the Act uses a number of federal constitutional provisions to establish jurisdiction including the corporations, telecommunications, and trade and commerce powers. Specifically, sections 18C and 18D contemplate the operations of credit reporting business extending beyond Australia and raise the argument that the credit reporting provisions apply to the transfer of personal information abroad either internally within an organisation or where it is transferred to another party.

An interesting situation arises under the Act. The common law as stated in Bank of Tokyo v Karoon[41] provides that where information is transferred from one bank to another related bank overseas this infringes bank secrecy laws.[42] This is now at odds with section 18N (1)(d) of the Privacy Act. This section begins with a prohibition against disclosure of personal information relating to credit reports or other records concerning an individual's creditworthiness, credit standing, credit history or credit capacity[43] and then provides in paragraph (1)(d), by way of exception, that this information may be disclosed to a related corporation.[44] This appears to permit the transfer of data to the subsidiary of a bank whether situated inside or outside Australia. Where the subsidiary is outside Australia it raises questions of the extraterritorial reach of the legislation which are beyond the scope of this article. It also raises the issue of further disclosures by the related company in the foreign jurisdiction. Are these caught by the Privacy Act[45] or are they subject to the laws of that other country? Whatever the technical answer, it is clear that enforcement of the provisions of the Act may be very difficult.

Statutory Secrecy Provisions

Indirect regulation of international transfers occurs through the myriad of secrecy provisions buried in federal, state and territory legislation. These provisions vary in coverage and penalties enforced. Many of them specifically prohibit the disclosure of information relating to the affairs of another person.[46] These prohibitions would apply equally to domestic or international disclosures of the information.

Common Law

A number of well established traditions exist in the law to protect the disclosure of information arising from certain relationships. Professional privilege exists between doctor/patient, solicitor/client and priest and parishioner. In these circumstances the professional is bound to observe the confidentiality of the relationship. In the bank/customer relationship an implied contractual duty of confidentiality also arises.[47]

Each of these relationships extends the protection to disclosures whether they are domestic or international. Thus where a bank sends personal information concerning a customer to another organisation abroad then it would be subject to the bank secrecy requirements.[48]

Criminal Laws

There are a number of computer crime provisions at federal, state and territory levels.[49] These crimes vary significantly in scope. In relation to transnational transfers they are relevant where the data has been accessed illegally in Australia and then taken abroad. These flows are prima facie illegal although the precise terms of each of the laws have to be considered to determine whether all the elements of the crime are made out in circumstances where the access to the data may have been from another country. Of course, these provisions are not directed at the controller of the data but at the person gaining unlawful access.

Contractual Provisions

It is always possible for the parties to a contract to provide their own privacy or secrecy provisions. This solution may not be as satisfactory as it first appears. Typically, the data subjects are not parties to the contract and thus may lack standing to enforce it. Even if they do have the standing it may be of little importance where the party in breach of the contract is located in another jurisdiction and has no readily available assets in Australia.

This type of solution has been pursued by the Council of Europe, European Union and the International Chamber of Commerce which, together, have drafted a model contract.[50]

7. Australian Position - Data Inflows

It is appropriate to look briefly at the position with personal data flowing into Australia. The same issue of extraterritoriality arises as in the last section; which country has control/sovereignty over the information transferred? This will vary according to the type of information and the laws of the country of origin of the data and the appropriate Australian laws.

The principal concern in this area is the impact of the transborder flow provisions of the Council of Europe Convention 108 and the proposed EU data protection directive discussed earlier.

To date there is little evidence that Convention 108 has made any significant difference to the nature of international data flows within or outside Europe. There is some concern that the draft directive will have an impact as it is more detailed and prescriptive. Just how much effect it has remains to be seen; there is still no certainty of the final terms of the directive or whether it will be implemented. It is over four years since the first draft and the anticipated date of enforcement, 1 January 1993, has long gone.

An assessment of the adequacy of the Australian data protection under the EU directive would be complicated as there is no national generic data protection law. Each sector/organisation would have to be assessed to take account of its particular circumstances. This would make the whole exercise very bureaucratic and protracted. Ultimately, this process may not provide a clear answer. For example, the protections offered under the federal Privacy Act would be likely to be regarded as "adequate" yet protection afforded within the insurance industry or by the code of conduct of the Australian Direct Marketing Association may not. Where does this leave Australia overall? Should the EU directive enter into force and be strictly observed, each sector/organisation may be judged on a case by case basis so it would be incumbent on the relevant sector/organisation to present its position as required.

In Australia, there seems to be no political imperative to follow the New Zealand lead and enact comprehensive generic data protection laws. Many of these issues would be resolved if such laws existed.

8. Conclusion

Transnational flows of personal data have not led to the establishment of data havens as forecast in the 1980s.[51] Financial data havens have been established for the purpose of storing funds in secret. These countries, including Vanuatu, the Cayman Islands, Luxembourg, Panama and the Channel Islands, have formidable bank secrecy provisions. Money, and the associated data, flows into financial institutions located there and the secrecy laws prevent the details from being revealed.[52] The thrust of these havens is not to store personal information but to hide money, thus it is not a data haven in the sense contemplated here.

Data havens have not arisen as there have been insufficient restrictions on international flows to warrant it. Personal information continues to flow across borders in vast quantities quite freely.

It is difficult for Australia to have a coherent international position when none exists at a national level. The enactment of national legislation to protect personal information, or at least a co-operative approach by the states and territories, is a sensible way forward rather than the patchwork of laws that currently exists. Without a coherent approach Australia will be reactive to any transnational data flow issues which may arise.

There is no single solution to a multi-layered problem of the regulation of international personal data flows. Basic philosophical differences exist from region to region which impede convergent approaches.

It is difficult to envisage any region placing a general moratorium on personal data flows. In the absence of appropriate regulation, this leaves most sectors/organisations in Australia to forge ad hoc solutions to any transnational data flow difficulties which may arise.


[*] BA LLM, Syme Business School - Frankston, Monash University

[1] See OECD, Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, Part One para.1(c) ("OECD Guidelines") and Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, no.108/1981, Strasbourg art.12 ("Council of Europe Convention 108"). Some commentators have cast the definition more narrowly: Miller, "Teleinformatics, Transborder Data Flows and the Emerging Struggle for Information: An Introduction to the Arrival of the New Information Age" (1986) 20 Columbia Journal of Law and Social Problems 89, at p.96 and Brown, "Economic and Trade Related Aspects of Transborder Data Flow: Elements of a Code of Transnational Commerce" (1984) 6 Northwestern Journal of International Law & Business 1.

[2] Council of Europe Convention 108 art.2a and OECD Guidelines Part One, para.1(b).

[3] Reidenberg, "Rules of the Road for Global Electronic Highways: Merging the Trade and Technical Paradigms" (1993) 6 Harvard Journal of Law & Technology 287; Kirby, "Informatics, Transborder data flows and law - the New Challenges" (1988) New Zealand Law Journal 381; Nugter, Transborder Flow of Personal Data Within the EC, Kluwer, Holland, 1990; Miller, "Teleinformatics, Transborder Data Flows and the Emerging Struggle for Information: An Introduction to the Arrival of the New Information Age" (1986) 20 Columbia Journal of Law and Social Problems 89; OECD, Transborder Data Flows - Proceedings of an OECD Conference, North Holland, the Netherlands, 1985; Grossman, "Transborder Data Flow: Separating the Privacy Interests of Individuals and Corporations" (1982) 4 N.W. Journal of International Law & Business 1.

[4] Ergas and Reid, "Transborder Flows in International Enterprises in Transborder Data Flows" Transborder Data Flows: Proceedings of an OECD Conference, OECD, North Holland, Netherlands, 1985, p.245.

[5] New Technologies: A Challenge to Privacy Protection, European Committee on Legal Co-operation, Council of Europe, Strasbourg, 1989.

[6] Lapierre et al., Crossing the Borders of Privacy: Transborder Flows of Personal Data from Canada, Department of Justice, Canada 1991.

[7] Ibid pp.289-90.

[8] Ibid p.290.

[9] Ibid p.291.

[10] Bennett, Regulating Privacy, Cornell University Press, Canada, 1992, pp.141-3.

[11] Report of the Committee on Data Protection, HMSO London, 1978, p.246.

[12] Tucker, Privacy and Data Protection: Issues and Challenges OECD, Paris, 1994 pp.56-9.

[13] Wahlstrom, "International Data Transfer Experiences" paper delivered at the XIIth Data Protection Commissioners' Conference, Paris, 1990.

[14] See Miller op.cit. pp.104 - 118; Reidenberg op.cit. p.287; and Grossman, "Transborder Data Flow: Separating the Privacy Interests of Individuals and Corporations" (1982) 4 Northwestern Journal of International Law and Business 1.

[15] The key protagonists for these different positions have been the United States, which has taken a free trade line, and the European Union and the Council of Europe, which have adopted the human rights approach.

[16] For an insightful history of the development of national and international regulation see Bennett op.cit. ch.4.

[17] Section 11.

[18] Jay, "Transborder Data Flows" (1991) New Law Journal 241, 249.

[19] Article 12/2.

[20] Australia, Canada, Japan, New Zealand and the United States.

[21] OECD Guidelines, Part Four.

[22] OECD Guidelines, Part Five.

[23] See Directive on the protection of individuals with regard to the processing of personal data COM(92) 422 final SYN287, 1992.

[24] Directive on the protection of personal data and privacy in the context of digital telecommunications networks in particular the integrated services digital network and digital mobile networks COM(90) 314 final SYN288, 1990.

[25] See generally: Berkvens and Shauss, "The Amended Proposal for an EC Directive on Data Protection; Progress on the Face of it, Disillusion after Scrutiny" Journal of International Banking and Finance Law, Feb. 1993, p.80; Tucker, "International Legal Notes" (1991) 65 ALJ 354, 560 and (1993) 67 ALJ 550; and Tapper, "New European Directions in Data Protection" (1992) 3 Journal of Law and Information Science 9.

[26] Article 2(b).

[27] Article 26/2.

[28] Article 26/1.

[29] Article 26/5.

[30] Article 26/6.

[31] Article 27/1.

[32] Articles 27/3 & 34/2.

[33] For example, the French data protection authority, Commission Nationale de l'Informatique et des Libertes, imposed such conditions in a contract involving the transfer of data to Italy and Belgium, see Deliberation No. 89-78 of 11 July 1989, and Deliberation No. 89-98 of September 1989 respectively.

[34] See Council of Europe, proposed model contract, Privacy Laws & Business, Dresner (pub.) No.22, 1992, United Kingdom, p.17.

[35] Federal Attorney-General, Press Release, 10 December 1984, no.180/84.

[36] See Australian Law Reform Commission, Privacy Report, no.22, vol.2, 1983, para.1092 and Tucker, Information Privacy Law in Australia, Longman Cheshire, 1992, 63-8.

[37] Section 13.

[38] Section 14, IPP 10.

[39] Section 14, IPP 11.

[40] IPP 11.

[41] [1987] 1 AC 45.

[42] Ibid pp.53-4.

[43] Section 18N(9).

[44] Section 6(8) states that this has the same meaning as under the Corporations Law.

[45] See s.18Q.

[46] For example: Health Insurance Act 1973 s.130; the Epidemiological Studies (Confidentiality) Act ss.4,6 & 8; and the Income Tax Assessment Act 1936 s.16.

[47] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461.

[48] See generally, Spender and Burton, "Aspects of Conflict of Laws in Banking Transactions" (1987) 61 ALJ 65 at p.71. In addition, the Privacy Act 1988 (C'th) s.18N may also apply.

[49] For example: Criminal Code Ordinance 1983 (Northern Territory) s.222; Crimes Act (NSW) s.309(1); Summary Offences Act 1966 (Vic.) s.9A; Criminal Code (Western Australia) s.440A; Crimes Act (C'th) ss.76B & D and Privacy Act (C'th) s.18S.

[50] See Privacy Laws & Business Dresner (ed.) issue 22, 1992, U.K., p.13.

[51] Australian Law Reform Commission, Privacy Report, no. 22/1983 vol.2 para.1417.

[52] See generally, Campbell, International Bank Secrecy Sweet and Maxwell, England, 1992 and Spender and Burton, p.71.


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1994/2.html