(This paper was written before the availability of the Article 29 Data Protection Working Party's Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles" (16 May 2000), but that Opinion reinforces its conclusions.)
Australian companies wishing to export personal information from these regional countries will increasingly have to take into account their data export restrictions. And our own restrictions, and the adequacy of regional countries' laws, will have to be taken into account when exporting personal data to them.
The Asia Pacific situation is similar now to that of Europe in the early 1980s. Then, the presence of such restrictions in what was then a handful of European laws helped lead to the European privacy Convention[1] (http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm) in 1981, to ensure the free flow of personal information in Europe by providing a guaranteed base level of privacy protection.
(a) An organisational link with Australia - The organisation must be an Australian citizen or resident, or a partnership, trust or company formed here, or an unincorporated association managed and controlled here; or
(b) An operational link with Australia - The organisation carries on business here, or the personal information was collected or held here by that organisation either before or at the time of the action complained of.
The Privacy Commissioner's powers to investigate and make determinations are extended to cover this extra-territorial operation.
If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian Act (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.
The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first:
However, the acceptance of the Commission's proposal is not a foregone conclusion, as it may still face significant opposition from Europe's national Data Protection Commissioners (who comprehensively rejected the previous draft as inadequate)[2]. The approval procedures are expected to take until late 2000. Until the process is complete, the international benchmark for what is necessary in order to avoid data export restrictions (and the benchmark for information privacy standards) will remain uncertain[3].
Under the EU's data protection Directive, Member States must ensure personal data transferred to non-EU countries is 'adequately' protected. The same Directive provides that the Commission may make a positive finding when the protection offered by a particular country meets this adequacy requirement. Following two years of discussion, the US is now ready to put in place an arrangement which the Commission considers to offer "adequate" protection. Before adopting a formal decision to this effect, the Commission must seek the support of a qualified majority of Member States. It must also consult their data protection commissioners and the European Parliament. Once adopted the decision will be binding on all Member States and so constitute a strong guarantee against the interruption of data flows from the EU to "safe harbour" participants in the US. Approval procedures will take some time, but the arrangement should be finalised by the summer and operational in the autumn.
The arrangement must now be approved by a qualified majority of Member States meeting in the framework of a Committee established under Article 31 of the Directive. Its members have been regularly consulted on the progress of the dialogue with the US. Prior to seeking the opinion of the Committee, the Commission will seek the opinions on the arrangement from Member States' data protection commissioners (meeting in the framework of the working party established by Article 29 of the Directive). Before finalising the decision, the Commission must also submit it to the scrutiny of the European Parliament, which will check that the Commission is using its powers under the directive correctly.

The Commission expects the formal approval procedures to commence in May[5] and to be 'finalised by the summer and operational in the autumn'.
The changes do address some of the criticisms made of the previous version by the EU national Data Protection Commissioners[9]:
"The Working Party thus invites the Article 31 Committee and the Commission to ensure that the final steps of this important process are taken only in the light of the final opinion of the Working Party, not least because the outcome will have important consequences for the national authorities represented in the Working Party."[11]

There are many deficiencies identified by the Commissioners that remain in this new version of the Safe Harbor principles, including the following:
... in stark contrast to the current protections offered by the EU Data Protection Directive where individuals are granted a specific right to judicial remedy and data protection authorities are obligated to follow up on those complaints, the FTC is not required to pursue the claims of any individual consumers....
Civil penalties or sanctions for one-time or persistent violations of Safe Harbor principles may only be assessed by the Federal Trade Commission (FTC) after being referred via industry-funded self-regulatory groups such as TRUSTe or BBBOnline, ADR bodies, or data protection authorities in EU member countries. Despite past cases where individual privacy has been compromised, no self-regulatory group has ever referred a member company for investigation and the FTC has never provided remedies for any of the companies with which they have reached settlements.

In comparison with most information privacy laws, the six principles in the Safe Harbor proposal are very weak. For example, the 'Choice' principle only gives individuals the right to opt out from any uses of their information incompatible with the purpose of collection, or from disclosures to third parties. Except for 'sensitive' information (where 'opt in' is required) there is therefore a blanket opt out rule for all secondary uses of personal information. This is contrary to the normal approach requiring consent (opt in), with specific exceptions.
If adopted by the A31 Committee, the draft Decision accepts that the Safe Harbor proposals do constitute 'adequate' protection in relation to those US companies that have 'unambiguously and publicly disclosed' (in writing to the Commerce Department) a commitment to comply, and come within the statutory powers of a US government body with powers to investigate and obtain relief against unfair or deceptive practices, irrespective of the residence or nationality of the complainant[16].
It remains to be seen what percentage of US organisations that wish to obtain personal data from EU countries will be able to satisfy these criteria.
There are provisions for a European national Commissioner to take unilateral action to suspend transfers where there is evidence of violations by US companies which create an 'imminent risk of grave harm' to Europeans and a reasonable basis for believing US remedies are inadequate[17]. There is also provision for a review of the Decision after three years.
If the current version of Safe Harbor, or something like it, is accepted as adequate, then most aspects of the 2000 Bill would appear to meet that standard.
However, even with as weak a benchmark as the current Safe Harbor proposal, there are a number of aspects of the 2000 Bill which are likely to limit the scope of any EU finding of adequacy for Australia, and will therefore constitute problems for some sectors of Australian businesses:
New Zealand's Privacy Commissioner recently proposed that the NZ Privacy Act 1993 be amended to ensure that non-citizens have all rights under the Act, in order to ensure adequacy under EU law and that of other jurisdictions such as Hong Kong. The Australian Bill is failing to do this.
If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.
All of the publications by the A29 Committee of the EU have interpreted the 'adequacy' requirement of the Directive as requiring some such 'onward transfer' restriction, so this will be an aspect of the Bill that the EU looks at carefully.
It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, and NPP 2 limiting disclosures for secondary uses must also be complied with.
Where a transfer is to the same organisation overseas, NPP 9 does not apply but the extra-territorial operation of the Act comes into play. However, where it is to the same organisation, there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.
Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.

Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.
Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious:
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply: (i) the transfer is for the benefit of the individual; (ii) it is impracticable to obtain the consent of the individual to that transfer; (iii) if it were practicable to obtain such consent, the individual would be likely to give it

Condition (f), however, is much weaker than anything found in the Directive:
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.
The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), mean that there is a real danger that personal information will be exported from Australia under conditions which give little protection to privacy.
The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.
In relation to imports from the EU, the following is not the complete picture, as some forms of governmental use of personal information are not covered by the Directive.
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
(b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply:
(a) until after the first anniversary of the commencement of this section, or
(b) until a code referred to in subsection (4) is made,
whichever is the later.

The purpose of the provision is that NSW public sector agencies should not disclose personal information to persons or bodies outside NSW unless there are appropriate privacy laws or other forms of protection (recognised in a code of conduct) in operation in the other jurisdiction.
A benefit of this provision (once it is in force) is that it could provide protection to NSW agencies against any data import restrictions being imposed against them. For example, a European government could otherwise refuse to disclose personal information to a NSW agency on the grounds that, no matter how strong the privacy protection in NSW might be, there was nothing to stop the NSW agency from passing on the data to an unprotected jurisdiction.
An important factor to note is the broad scope of the prohibition. It extends to other State and Territory governments in Australia. It also applies (in theory) to Commonwealth agencies located outside NSW (although the Commonwealth Privacy Act would presumably be a 'relevant privacy law'). It also applies to any private sector organisations outside NSW (in the absence of the proposed federal legislation).
However, the export restrictions are not yet in force, and it is uncertain when or if they will ever be in force. First, the Privacy Commissioner must prepare a code (s19(4)), but then only the Minister can 'make' the code (s31(4)). If no code is ever made, s19(2) will never come into operation because of s19(5).
[2] See G Greenleaf 'Death of the EU Privacy Directive?: Choppy waters in the Safe Harbour' 6 PLPR 81 for details of the Commissioners' criticisms.
[3] See the above article for the significance of the Safe Harbour proposal for international standards.
[4] European Commission Internal Market DG - Press Release 'Data protection: Commission endorses "safe harbor" arrangement with US' (29 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm>
[5] European Commission Internal Market DG - Press Release 'Data protection: draft package agreed for protection of data transferred from EU to US' (15 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor3.htm>
[6] US Commerce Department's Safe Harbour web site - <http://www.ita.doc.gov/td/ecom/menu1.html>
[7] 'Redlined' version of Safe Harbour proposal - <http://www.ita.doc.gov/td/ecom/RedlinedPrinciples31600.htm>
[8] Comments are at <http://www.ita.doc.gov/td/ecom/Comments400/publiccomments0400.html>
[9] For details of these criticisms see a summary in Greenleaf 6 PLPR 81
[10] See FAQ 6 - Self-Certification <http://www.ita.doc.gov/td/ecom/RedlinedFAQ6selfcert300.htm>
[11] The Working Party on the Protection of Individuals With Regard to the Processing of Personal Data, Opinion 3/2000 on the EU/US dialogue concerning the "Safe harbor" arrangement (adopted 16th March 2000) - <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp31en.htm>
[12] The draft Decision requires this, but not the Safe Harbour proposal.
[13] It only refers to 'damages awarded where the applicable law or private sector initiative so provides'.
[14] Submission of the Trans Atlantic Consumer Dialogue (TACD) (30 March 2000) <http://www.ita.doc.gov/td/ecom/Comments400/TACDComments1.htm>
[15] European Commission Internal Market DG - Draft Commission Decision on the adequacy of the US Safe Harbor Principles (29 March 2000) - <http://www.ita.doc.gov/td/ecom/Art256Decision.htm> (on US Commerce Department site)
[16] Article 1 of the draft Decision
[17] Article 2 of the draft Decision
[18] "generally available publication" 'means a magazine, book, newspaper or other publication that is or will be generally available to members of the public (however published)' - s6, as amended by the Bill, Schedule 1, Item 14.
URL: http://www.worldlii.org/int/other/PrivLRes/2000/2.html