
Greenleaf, Graham --- "Exporting and importing personal data" [2000] PrivLRes 2; [2000] CyberLRes 4 (15 May 2000)


National Privacy and Data Protection Summit
IBC Conferences - Sydney 17 & 18 May 2000

Exporting and importing personal data: The effects of the Privacy Amendment (Private Sector) Bill 2000

Graham Greenleaf
Professor of Law, University of New South Wales
15 May 2000

(This paper was written before the availability of the Article 29 Data Protection Working Party's Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles" (16 May 2000), but that Opinion reinforces its conclusions.)

1 Dimensions of importing and exporting personal data

There are four different dimensions to the question 'how does the Privacy Amendment (Private Sector) Bill 2000 (the '2000 Bill') affect the ability of Australian businesses to export or to import personal information?'

1.1. Australian - Off-shore processing and Australian law

The 2000 Bill will apply in some instances to processing of personal information outside Australia.

1.2. Australian - Restrictions on exports of personal data from Australia

The 2000 Bill imposes such export limitations for the first time.

1.3. European - Restrictions on personal data imports to Australia

The EU privacy Directive prohibits EU businesses from exporting personal information about Europeans to countries that do not have 'adequate' privacy laws.

1.4. Regional - Other Asia-Pacific laws are including data export restrictions

In the Asia Pacific, the privacy laws of Québec, Hong Kong and Taiwan already contain such restrictions, and are now being joined by the laws of various Australian jurisdictions. In the next few years they may be joined by other regional countries with comprehensive privacy laws such as New Zealand and Canada.

Australian companies wishing to export personal information from these regional countries will increasingly have to take into account their data export restrictions. And our own restrictions, and the adequacy of regional countries' laws, will have to be taken into account when exporting personal data to them.

The Asia Pacific situation is similar now to that of Europe in the early 1980s. Then, the presence of such restrictions in what was then a handful of European laws helped lead to the European privacy Convention[1] in 1981, to ensure the free flow of personal information in Europe by providing a guaranteed base level of privacy protection.

2 Australian businesses overseas under the 2000 Bill

The Bill aims to stop avoidance of its provisions by moving personal information overseas. In summary, s5B gives almost all of the Act extra-territorial operation in relation to information about an Australian citizen or resident, provided one of two types of nexus is satisfied:

(a) An organisational link with Australia - The organisation must be an Australian citizen or resident, or a partnership, trust or company formed here, or an unincorporated association managed and controlled here; or

(b) An operational link with Australia - The organisation carries on business here, or the personal information was collected or held here by that organisation either before or at the time of the action complained of.

The Privacy Commissioner's powers to investigate and make determinations are extended to cover this extra-territorial operation.

If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian Act (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.

The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first:

In contrast, it may be less extensive than it needs to be if (as discussed later) s5D does not extend to anyone who is not an Australian, and therefore EU citizens are unprotected against their data being exported to Australian businesses in privacy-unfriendly foreign countries.

3 Data imports - What will the EU Directive mean after 'Safe Harbor'?

The European Commission and the US Department of Commerce have reached a compromise over the 'Safe Harbor' proposals, which are intended to provide a basis for transfers to the USA of personal information concerning Europeans to be considered to have 'adequate' privacy protection as required by the EU privacy Directive. The US has released an amended version of the 'Safe Harbor' proposal, and the European Commission has announced it is willing to support a formal Decision by the Committee of Member States under the Directive declaring that the proposal is 'adequate'.

However, the acceptance of the Commission's proposal is not a foregone conclusion, as it may still face significant opposition from Europe's national Data Protection Commissioners (who comprehensively rejected the previous draft as inadequate)[2]. The approval procedures are expected to take until late 2000. Until the process is complete, the international benchmark for what is necessary in order to avoid data export restrictions (and the benchmark for information privacy standards) will remain uncertain[3].

3.1. The EU Commission promotes a compromise

The European Commission has given Internal Market Commissioner Frits Bolkestein approval to seek the support of EU Member States for accepting the March 2000 version of the US' Safe Harbor proposal 'which the Commission considers to offer "adequate" protection'[4]. The Commission explains the process:

Under the EU's data protection Directive, Member States must ensure personal data transferred to non-EU countries is 'adequately' protected. The same Directive provides that the Commission may make a positive finding when the protection offered by a particular country meets this adequacy requirement. Following two years of discussion, the US is now ready to put in place an arrangement which the Commission considers to offer "adequate" protection. Before adopting a formal decision to this effect, the Commission must seek the support of a qualified majority of Member States. It must also consult their data protection commissioners and the European Parliament. Once adopted the decision will be binding on all Member States and so constitute a strong guarantee against the interruption of data flows from the EU to "safe harbour" participants in the US. Approval procedures will take some time, but the arrangement should be finalised by the summer and operational in the autumn.

The arrangement must now be approved by a qualified majority of Member States meeting in the framework of a Committee established under Article 31 of the Directive. Its members have been regularly consulted on the progress of the dialogue with the US. Prior to seeking the opinion of the Committee, the Commission will seek the opinions on the arrangement from Member States' data protection commissioners (meeting in the framework of the working party established by Article 29 of the Directive). Before finalising the decision, the Commission must also submit it to the scrutiny of the European Parliament, which will check that the Commission is using its powers under the directive correctly.

The Commission expects the formal approval procedures to commence in May[5] and to be 'finalised by the summer and operational in the autumn'.

3.2. The new 'Safe Harbor' compromise

The full text of the new version of the Safe Harbor proposal accompanies this article. The US Commerce Department's Safe Harbor web site[6] contains a 'redlined' version of the proposal showing what has been added and deleted since the December 1999 version[7], and comments on the proposal from business and consumer organisations[8].

The changes do address some of the criticisms made of the previous version by the EU national Data Protection Commissioners[9]:

3.3. Will it satisfy the national Data Protection Commissioners?

The EU national Data Protection Commissioners (the Article 29 Committee) have not yet (15 May 2000) delivered a further opinion on the March version, but have made it clear that they expect the Article 31 Committee and the European Parliament to give them the opportunity to deliver their final opinion before those bodies make any final decisions:

"The Working Party thus invites the Article 31 Committee and the Commission to ensure that the final steps of this important process are taken only in the light of the final opinion of the Working Party, not least because the outcome will have important consequences for the national authorities represented in the Working Party."[11]

There are many deficiencies identified by the Commissioners that remain in this new version of the Safe Harbor principles, including the following:

Given the above list of unresolved weaknesses, it seems likely that the A29 Committee will remain very critical of the Safe Harbor proposals and the draft Decision.

3.4. How strong are the 'Safe Harbor' protections?

The new Safe Harbor proposals have been criticised by a coalition of European and US consumer organisations (the Trans Atlantic Consumer Dialogue - TACD)[14], particularly for their lack of sufficient enforcement mechanisms. Some crucial weaknesses of the Safe Harbor proposals are summed up in these TACD comments:

... in stark contrast to the current protections offered by the EU Data Protection Directive where individuals are granted a specific right to judicial remedy and data protection authorities are obligated to follow up on those complaints, the FTC is not required to pursue the claims of any individual consumers.

...

Civil penalties or sanctions for one-time or persistent violations of Safe Harbor principles may only be assessed by the Federal Trade Commission (FTC) after being referred via industry-funded self-regulatory groups such as TRUSTe or BBBOnline, ADR bodies, or data protection authorities in EU member countries. Despite past cases where individual privacy has been compromised, no self-regulatory group has ever referred a member company for investigation and the FTC has never provided remedies for any of the companies with which they have reached settlements.

In comparison with most information privacy laws, the six principles in the Safe Harbor proposal are very weak. For example, the 'Choice' principle only gives individuals the right to opt out from any uses of their information incompatible with the purpose of collection, or any disclosures other than those incompatible with the purpose of collection. Except for 'sensitive' information (where 'opt in' is required) there is therefore a blanket opt out rule for all secondary uses of personal information. This is contrary to the normal approach requiring consent (opt in), with specific exceptions.

3.5. The draft EU Decision

The Article 31 Committee has not yet (15 May 2000) made its Decision, but the draft Decision drawn up by the Commission is available[15]. As stressed above, in the absence of the A29 Committee's final report and the views of the European Parliament, it is too early to say whether it will be adopted in this form. It is possible that the Commission will be required to attempt to negotiate further modifications to the Safe Harbor scheme before the A31 Committee is willing to adopt it.

If adopted by the A31 Committee, the draft Decision accepts that the Safe Harbor proposals do constitute 'adequate' protection in relation to those US companies that have 'unambiguously and publicly disclosed' (in writing to the Commerce Department) a commitment to comply, and come within the statutory powers of a US government body with powers to investigate and obtain relief against unfair or deceptive practices, irrespective of the residence or nationality of the complainant[16].

It remains to be seen what percentage of US organisations that wish to obtain personal data from EU countries will be able to satisfy these criteria.

There are provisions for a European national Commissioner to take unilateral action to suspend transfers where there is evidence of violations by US companies which create an 'imminent risk of grave harm' to Europeans and a reasonable basis for believing US remedies are inadequate[17]. There is also provision for a review of the Decision after three years.

3.6. Implications for Australia and the Asia-Pacific

The implications of the still-unresolved Safe Harbor outcome for Asia-Pacific countries are significant but vary very much between countries. Assuming that some version of the Safe Harbor proposal is approved by the EU (but perhaps with significant qualifications and possibly even a further redraft), here are a few:

4 Data imports - Will the 2000 Bill be 'adequate' for the EU?

A final assessment must await the outcome of the A31 Committee's deliberations on the Safe Harbor proposal, which will set the benchmark for what constitutes 'adequacy'.

If the current version of Safe Harbor, or something like it, is accepted as adequate, then most aspects of the 2000 Bill would appear to meet that standard.

However, even with as weak a benchmark as the current Safe Harbor proposal, there are a number of aspects of the 2000 Bill which are likely to limit the scope of any EU finding of adequacy for Australia, and will therefore constitute problems for some sectors of Australian business:

5 Data export restrictions under the 2000 Bill

NPP 9 prohibits 'transfers' of personal information by an organisation to someone (other than the organisation) in a foreign country unless one of six conditions, (a) - (f), is satisfied.

If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.

All of the publications by the A29 Committee of the EU have interpreted the 'adequacy' requirement of the Directive as requiring some such 'onward transfer' restriction, so this will be an aspect of the Bill that the EU looks at carefully.

It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, and NPP 2, limiting disclosures for secondary uses, must also be complied with.

Where a transfer is to the same organisation overseas, NPP 9 does not apply but the extra-territorial operation of the Act comes into play. In that case there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.

5.1. Six conditions allowing overseas transfers

The six conditions will generally be sufficient to allow any legitimate transfer overseas of personal information.

Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.

Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.

Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious:

(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply: (i) the transfer is for the benefit of the individual; (ii) it is impracticable to obtain the consent of the individual to that transfer; (iii) if it were practicable to obtain such consent, the individual would be likely to give it

Condition (f), however, is much weaker than anything found in the Directive:

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.

The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), mean that there is a real danger that personal information will be exported from Australia under conditions which give little protection to privacy.

The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.

6 Exports and imports by Australian public sector bodies

To complete the picture, we need to look at where public sector bodies stand in relation to exports and imports.

In relation to imports from the EU, the following is not the complete picture, as some forms of governmental use of personal information are not covered by the Directive.

6.1. Commonwealth agencies - No protection in the Privacy Act 1988

The 2000 Bill does not prevent Commonwealth agencies exporting personal information that they hold to overseas countries with no adequate privacy laws. This is a gap in the protection for Commonwealth agencies that might wish to import personal information from EU countries. The Act does not have extra-territorial effect in relation to agencies, either, as they are not 'organisations' (s6D).

6.2. NSW agencies - s19 Privacy and Personal Information Protection Act 1998

New South Wales enacted the Privacy and Personal Information Protection Act 1998 in November 1998, replacing the previous Privacy Committee Act 1975. The Act's Information Protection Principles (IPPs) only cover the State public sector, not the private sector. The Act contains Australia's first legislated restriction on personal data exports. The provisions in s19(2)-(5) require quotation in full:

(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless: (a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or (b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply: (a) until after the first anniversary of the commencement of this section, or (b) until a code referred to in subsection (4) is made, whichever is the later.

The purpose of the provision is that NSW public sector agencies should not disclose personal information to persons or bodies outside NSW unless there are appropriate privacy laws or other forms of protection (recognised in a code of conduct) in operation in the other jurisdiction.

A benefit of this provision (once it is in force) is that it could provide protection to NSW agencies against any data import restrictions being imposed against them. For example, a European government could otherwise refuse to disclose personal information to a NSW agency on the grounds that, no matter how strong the privacy protection in NSW might be, there was nothing to stop the NSW agency from passing on the data to an unprotected jurisdiction.

An important factor to note is the broad scope of the prohibition. It extends to other State and Territory governments in Australia. It also applies (in theory) to Commonwealth agencies located outside NSW (although the Commonwealth Privacy Act would presumably be a 'relevant privacy law'). It also applies to any private sector organisations outside NSW (in the absence of the proposed federal legislation).

However, the export restrictions are not yet in force, and it is uncertain when or if they will ever be in force. First, the Privacy Commissioner must prepare a code (s19(4)), but then only the Minister can 'make' the code (s31(4)). If no code is ever made, s19(2) will never come into operation because of s19(5).

6.3. Agencies of other States and Territories

No State or Territory other than NSW has a privacy law which covers its whole public sector, so they have no legislative protection against the imposition of EU export controls. However, some categories of public sector information are not included.



[1] Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108) - <http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm>

[2] See G Greenleaf 'Death of the EU Privacy Directive?: Choppy waters in the Safe Harbour' 6 PLPR 81 for details of the Commissioners' criticisms.

[3] See the above article for the significance of the Safe Harbour proposal for international standards.

[4] European Commission Internal Market DG - Press Release 'Data protection: Commission endorses "safe harbor" arrangement with US' (29 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm>

[5] European Commission Internal Market DG - Press Release 'Data protection: draft package agreed for protection of data transferred from EU to US' (15 March 2000) <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor3.htm>

[6] US Commerce Department's Safe Harbour web site - <http://www.ita.doc.gov/td/ecom/menu1.html>

[7] 'Redlined' version of Safe Harbour proposal - <http://www.ita.doc.gov/td/ecom/RedlinedPrinciples31600.htm>

[8] Comments are at <http://www.ita.doc.gov/td/ecom/Comments400/publiccomments0400.html>

[9] For details of these criticisms see a summary in Greenleaf 6 PLPR 81.

[10] See FAQ 6 - Self-Certification <http://www.ita.doc.gov/td/ecom/RedlinedFAQ6selfcert300.htm>

[11] The Working Party on the Protection of Individuals With Regard to the Processing of Personal Data, Opinion 3/2000 on the EU/US dialogue concerning the "Safe harbor" arrangement (adopted 16th March 2000) - <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp31en.htm>

[12] The draft Decision requires this, but not the Safe Harbour proposal.

[13] It only refers to 'damages awarded where the applicable law or private sector initiative so provides'.

[14] Submission of the Trans Atlantic Consumer Dialogue (TACD) (30 March 2000) <http://www.ita.doc.gov/td/ecom/Comments400/TACDComments1.htm>

[15] European Commission Internal Market DG - Draft Commission Decision on the adequacy of the US Safe Harbor Principles (29 March 2000) - <http://www.ita.doc.gov/td/ecom/Art256Decision.htm> (on US Commerce Department site)

[16] Article 1 of the draft Decision.

[17] Article 2 of the draft Decision.

[18] "generally available publication" 'means a magazine, book, newspaper or other publication that is or will be generally available to members of the public (however published)' (s6, as amended by the Bill, Schedule 1, Item 14).


URL: http://www.worldlii.org/int/other/PrivLRes/2000/2.html