Privacy Law and Policy Reporter
The inclusion of restrictions on `transborder data flows' from Australia, as proposed in the discussion paper, is highly desirable,1 but the breadth of proposed exceptions may be abused and result in inadequate protection unless there is adequate flexibility to control this by codes of conduct. I will use the more descriptive term in current use, `personal data exports'.
Exports to countries with `adequate' laws
In the absence of an international or regional convention to which Australia is a party2 the specification by Australian regulations of `adequate' overseas privacy laws (those `substantially similar to, or serving the same purpose as' Australian laws) is a reasonable approach. However, there are two improvements needed:
(i) such regulations should only be made after the advice of the Privacy Commissioner has been obtained, as the Commissioner is the main national source of expertise on these matters, such advice to be tabled with the regulation; and
(ii) provision should be made for sectoral laws to be declared `adequate' in relation to particular types of data, not only `countries'.
The provisions for exports to countries without such `adequate' laws seem to try to strike a balance between consistency with the approach taken in art 26 of the European Union's privacy Directive, and Australian public interests, and this is a reasonable approach. However, in my view these `exception' provisions are stated far too broadly, and with too little protection of the individual's interests. The underlying deficiency with all of the exceptions is that these data exports are to a third party against whom there is little or no remedy for misuse of the data, in contrast with the remedies that will be available for disclosures to anyone in Australia, or even in `adequate' overseas countries. It must also be remembered that the data export prohibitions will apply equally to the public sector. I will address each proposed exception in turn.
The individual consent exception is weaker than the EU's requirement of `unambiguous consent'. It needs to specify that `the individual specifically consents to the transfer of the information to a country which does not have adequate privacy laws by Australian standards' (optionally naming the country). Blanket consents to disclose the data without giving the individual any hint of the reason for the consent will otherwise be obtained.
Necessity for performance of contracts made after the Act comes into effect in relation to the private sector should not be able to be used as an excuse for not obtaining consent to export as part of the contract-creation process. Otherwise, contracts will just be used as an excuse for not obtaining consent. There should at least be a limit on this exception to the effect that `consent to export could not reasonably be obtained'. The EU Directive is too weak on this point.
The third exception, where the contract is between the individual and a third party (consistent with the EU Directive), is probably reasonable because the individual's interest is the paramount consideration. It might also clarify the first exception to state that either the record-keeper or a third party can obtain the necessary consent.
Exceptions 4-6 constitute a replacement of the EU's exceptions for protection of `important public interest grounds' and `the vital interests of the data subject' with a more specific Australian wording, copied from exceptions (c)-(e) of IPP 11. Leaving aside the fact that the domestic scope of these exceptions is contested by many commentators, the implications of disclosure to a country without adequate privacy laws are quite different. With the extension of Australian privacy laws to the private sector and to State and Territory agencies (as almost all Australian jurisdictions are now proposing), the Australian recipient of information disclosed under these exceptions to IPP 11 will itself be bound by the IPPs in its use of the information, and subject to the remedies that follow misuse. By definition, recipients in overseas countries without such laws are not subject to IPPs and do not provide remedies for misuse.
It seems anomalous that Australian organisations are being given a blank cheque to disclose, quite probably on a systematic basis (for example, to overseas police agencies or financial organisations), without there being any requirement that they even try to obtain `adequate contractual safeguards' (as in the next exception).
The final exception, that the Australian record-keeper has in place `adequate contractual safeguards' with the overseas recipient, would be largely illusory if nothing more was required, because the individual would be unable to sue the recipient for breach of contract because of the doctrine of privity of contract (see 4.4 in the above-cited paper for details). However, the discussion paper proposes the effective solution that the Australian record-keeper would be liable for any relevant breaches of the IPPs (not just the contract!) by the overseas recipient, effectively creating a statutory tort in favour of the individual. The Australian record-keeper can then seek to indemnify itself through the contract which the overseas recipient has now breached. This solution fills a gaping hole in the EU proposals, and is a highly desirable provision.
The contrast between the first six exceptions and the last is stark -- no remedies versus full remedies, so far as the individual is concerned. The problem this raises is that, for any Australian record-keeper that can possibly rely on any of exceptions (1)-(6), there is a strong disincentive for them to seek any contractual safeguards from the overseas recipients, because only if they do so are they themselves liable under the IPPs for overseas misuse. The answer to this dilemma is not obvious: disclosers under exceptions (1)-(6) are not necessarily disclosing to protect their own interests, and may be doing so under compulsion, so it would be unfair to make them liable for breaches by overseas parties over whom they have no control. On the other hand, disclosers who are acting in their own interests (including under systematic reciprocal `data swapping' arrangements with overseas organisations) should be required to seek `adequate contractual safeguards' and then provide the statutory remedy.
The only answer to this dilemma lies in the discussion paper's proposal that the Commissioner be able to modify the data export requirements by codes of practice. This proposal is extremely important and greatly reduces concerns about the possible excessive breadth of the exceptions.
The Commissioner could require, via a code or codes, that systematic data exports be subject to `adequate contractual safeguards', and I recommend that she should be specifically so empowered so that there is no question of her acting ultra vires in so doing. There would also need to be some policy direction in the legislation in favour of `adequate contractual safeguards' where it was possible and reasonable for them to be obtained.
If there is any opposition to this proposal on the grounds that this gives the Commissioner excessive powers, and may create uncertainties in what exports are permissible, the answers to these objections are:
(i) the alternative is to have far more tightly worded exemptions (with no flexibility), to avoid the possible abuses mentioned above;
(ii) the code power here creates no more uncertainty than the availability of codes in relation to the IPPs; and
(iii) the Commissioner is only likely to use the power to deal with systematic data exports where there is evidence of abuse, and only then after consultation (as required by any code).
1. Reasons for supporting such restrictions are set out in my paper `International privacy standards -- Implications for Australia and Asia-Pacific' (IIR's Recent Developments in Information Privacy Conference, Sydney, December 1996). For earlier versions, see <2 PLPR 105>, <2 PLPR 127>.
2. See arguments in above article in favour of an APEC information privacy convention.