25 March 2014
A new paradigm.
The volume of personal information collected has increased exponentially in recent years due to advances in technology and the ways individuals interact. Australian legislation has caught up to this trend, introducing a ‘new broom’ in this space – in the same way as the Safe Harbour provisions have in European Union privacy laws. Sweeping changes to the Privacy Act 1988 (Cth) (Privacy Act) took effect on 12 March 2014. One important feature of these changes is the protection of personal information that is transferred to overseas third parties.
Cross border disclosure of personal information.
Under the new Australian Privacy Principle (APP) regime, APP 8 (‘cross-border disclosure of personal information’) places the onus on the business collecting personal information. In particular, the business must ensure that an overseas entity to which it discloses personal information complies with the APPs.
Does APP 8 sweep anything under the carpet?
There are some important exemptions to APP 8, including that it does not apply if the disclosing entity:
Countries with substantially similar laws.
The Australian Privacy Commissioner has stated that an approved ‘white’ list containing the countries with substantially similar privacy laws will not be issued. This places the onus on businesses to take reasonable steps to ensure that the overseas entity is subject to substantially similar privacy laws.
Requirement to list the overseas country.
even if it is an administrative burden to do so.
Who is affected? What should businesses do?
These cross-border changes to the privacy regime are particularly relevant to global businesses, including those that use servers overseas and cloud-based technology for storing personal information.
Those businesses should take the broom out of the closet and sweep up the following tasks:
Accountability in overseas data transfer – the new paradigm.
Australia must ensure data sent overseas is protected to the same extent as if it were to remain in Australia, including compliance with the APPs. When working with a vendor to manage data overseas, businesses need to ensure this responsibility is taken seriously by that vendor, via both contractual means and through active monitoring of the engagement. This ‘new broom’ ushers in a brave new world for Australian privacy laws and a new paradigm of borderless accountability.