Privacy Law and Policy Reporter
One of the objectives of Australia’s Privacy Amendment (Private Sector) Bill 2000 is to ensure that Australian law is considered ‘adequate’ by the European Union (EU), so that Australian businesses may participate in trade involving personal information with EU member states without unnecessary impediments (see cl 2 and the Bills Digest).
However, even with as weak a benchmark for ‘adequacy’ as the EU’s Safe Harbor decision concerning the US (see accompanying article), there are a number of aspects of the Australian Bill which will almost certainly limit the scope of any EU finding of adequacy for Australian law, and so the Bill will fail in its objective of removing problems for some sectors of Australian business.
The European Commission’s submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs made clear where the Bill was deficient from the EU perspective (detailed below), as did other submissions. The Committee’s Advisory Report on the Bill in June 2000 (see analysis in (2000) 7(1) PLPR 1) did not deal with these submissions, instead simply referring them to the Government.
The Federal Government’s proposed amendments to the Bill (tabled 8 September 2000) continue this ‘head in the sand’ approach and (with one minor exception) ignore all of the obstacles to ‘adequacy’ that have been identified by the European Commission and others.
In June, the European Commission made a submission to the House of Representatives Committee (see <http://www.aph.gov.au/house/committee/laca/Privacybill/sub113.pdf>) which made it very clear that the original Bill contained many impediments to an EU finding of ‘adequacy’. None of these problems have been addressed by the Government’s proposed amendments.
Among the points raised by the Commission were:
This litany of concerns from the European Commission demonstrates just how far short of international best practice this Bill is perceived as falling. The most important point is that over 90 per cent of all Australian businesses may find that, despite the new Act, no European business will simply assume that it is permitted to deal with them in transactions involving personal information. Each case will have to be assessed on its merits under other provisions of the Directive, with considerable transaction costs and other disincentives for Australian businesses. The Bill will fail to achieve one of its main objectives, causing unnecessary damage to the interests of Australian businesses and consumers.
Some of the problems with the Bill that concern the European Commission are now explained in more detail (derived from my own submissions to the House of Representatives Committee).
There is no equivalent in the EU Directive (or in the Safe Harbor scheme) for an exemption for ‘small’ businesses. The European Commission states that this will result in an ‘adequacy’ decision that expressly excludes exempt Australian ‘small’ businesses from its coverage. However, the resulting difficulties involved in an EU business knowing whether any Australian business was covered by the Act could lead to the type of procedural complexities that the legislation was supposed to avoid.

The Government’s proposed amendments to the Bill (cl 6EA) address one minor matter: the lack of an ability for small businesses to even ‘opt in’ to the Bill (as recommended in the Advisory Report). Small businesses will now be able to inform the Privacy Commissioner if they wish to be considered as an ‘organisation’ under the Act, and the Commissioner will keep a register of those businesses that so ‘opt in’. However, it would be a mistake to think that this is any general solution to the problems posed by the ‘small business’ exemption. How is an EU business able to know that the Australian business it is dealing with is not a ‘small business’? It can’t look up the Commissioner’s register, because that only lists ‘small businesses’ that opt in, not ‘larger’ businesses that don’t need to. It would be necessary for EU businesses to have access to some register of all Australian businesses which indicated whether they were ‘small’ businesses or not (and if so, whether they had ‘opted in’). Such a comprehensive register is part of the US Safe Harbor scheme (where it is only possible to opt in), so it is difficult to see why the EU would settle for less in Australia.
The existing s 41(4) of the Act prevents anyone other than Australian citizens and permanent residents from exercising correction rights (IPP 7). The Bill extends this to the private sector (NPP 6 and equivalent provisions in Codes). As with the lack of extraterritorial protection for EU citizens (discussed below), this provision prevents EU citizens obtaining the same benefits as Australians from our privacy law, and is contrary to the EU objective in the notion of ‘adequacy’ that their citizens should be protected by (adequate) local laws wherever their information is used, in the same way the privacy of local citizens is protected. New Zealand’s Privacy Commissioner recently proposed that the NZ Privacy Act 1993 be amended to ensure that non-citizens have all rights under the Act, in order to ensure adequacy under EU law and other jurisdictions such as Hong Kong. The Australian Bill fails to do this.
There is no equivalent in the EU Directive for the Bill’s general exemption of employment-related information, and this is likely to lead to any art 31 Declaration excluding any transfer of employment-related information. The art 29 Committee wanted such an exclusion of employment information made explicit in the Safe Harbor proposal because the US Commerce Department did not have jurisdiction over such information. If there is such an exclusion, a European company would not be able to export employee data to a branch of its own company in Australia, because the Australian company cannot ‘opt in’ to be covered by the Act in relation to its employment information.
Two of the conditions under which personal information can be exported from Australia under NPP 9 are much weaker than anything found in the Directive. The art 29 Committee has consistently identified controls over onward transfers as one of the key elements of ‘adequacy’, so this may also cause difficulties.
NPP 9 prohibits ‘transfers’ of personal information by an organisation to someone (other than the organisation) in a foreign country unless one of the six conditions (a)-(f) is satisfied.
If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual’s point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.
All of the publications by the art 29 Committee of the EU have interpreted the ‘adequacy’ requirement of the Directive as requiring some ‘onward transfer’ restriction, so this will be an aspect of the Bill that the EU looks at carefully.
It is important to remember that any transfer to a third party overseas also involves a ‘disclosure’ of personal information, and NPP 2, limiting disclosures for secondary uses, must also be complied with.
Where a transfer is to the same organisation overseas, NPP 9 does not apply, but the extraterritorial operation of the Act (cl 5B, discussed below) comes into play. In that case there is no need to consider whether any of the six enabling conditions apply, and Australian law will apply, not (only) the law of the foreign country.
The six conditions will generally be sufficient to allow any legitimate transfer overseas of personal information.
Condition (a) plays the role of art 25 of the Directive (which allows transfers to foreign countries with ‘adequate’ laws) but is weaker:
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.
Instead of any objective and expert determination by a government or privacy commissioner of which overseas countries have ‘adequate’ laws (the ‘white list’ approach), the condition is satisfied by the mere ‘reasonable belief’ of the Australian organisation disclosing the information. The ‘reasonable belief’ need only be that the overseas arrangement ‘effectively upholds’ privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.
Conditions (b)-(e) are similar to those in art 26(1) of the Directive and largely uncontentious. Condition (f), however, is much weaker than anything found in the Directive:
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
This does not even require that the individual should have some recourse against anyone in the event that the ‘reasonable steps’ turn out to be inadequate.
The subjective and imprecise nature of condition (a) and the weak and imprecise nature of condition (f) mean that there is a real danger that personal information will be exported from Australia under conditions which give little protection to privacy.
The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.
The Bill aims to stop avoidance of its provisions by moving personal information overseas. In summary, cl 5B gives almost all of the Act extraterritorial operation in relation to information about an Australian citizen or resident, provided one of two types of nexus is satisfied:
(a) An organisational link with Australia — The organisation must be an Australian citizen or resident, or a partnership, trust or company formed here, or an unincorporated association managed and controlled here; or
(b) An operational link with Australia — The organisation carries on business here, or the personal information was collected or held here by that organisation either before or at the time of action complained of.
The Privacy Commissioner’s powers to investigate and make determinations are extended to cover this extraterritorial operation.
If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian Act (s 13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.
The extraterritorial operation of the Act concerning Australians may be more extensive than it looks at first.
Conversely, the extraterritorial operation may be less extensive than it needs to be, because s 5B does not extend the protection of the Act concerning extraterritorial practices of Australian businesses to benefit anyone who is not an Australian. Therefore, EU citizens are unprotected against their data being exported to Australian businesses in privacy-unfriendly foreign countries.
Section 5B only extends the protection of the Act concerning extraterritorial practices of Australian businesses to benefit Australians, and therefore cannot be used to protect citizens of EU countries. NPP 9, dealing with transborder data flows, does not operate to prevent the transfer of information by an Australian business to its own branch operating overseas, because this is only a transfer to itself (for information about Australians, s 5B would apply to extend the protection of the Australian Act to that branch, but not for information about EU citizens). There is therefore a loophole in the Bill whereby an Australian company could import personal information on EU citizens, and could then export it outside Australia to a country with no privacy law without the Australian Act applying.
Graham Greenleaf, General Editor.