Privacy: a new broom sweeps across borders.

25 March 2014 | Reading time: 2 minutes

A new paradigm.

The volume of personal information collected has grown rapidly in recent years, driven by advances in technology and in the ways individuals interact online. Australian legislation has now caught up with this trend, introducing a ‘new broom’ in this space, much as the Safe Harbour framework did for transfers of personal data out of the European Union. Sweeping changes to the Privacy Act 1988 (Cth) (Privacy Act) took effect on 12 March 2014. One important feature of these changes is the protection of personal information that is transferred to overseas third parties.

Cross border disclosure of personal information.

Under the new Australian Privacy Principle (APP) regime, APP 8 (‘cross-border disclosure of personal information’) places the onus on the business that collects personal information. Before disclosing personal information to an overseas recipient, the business must take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs in relation to that information.

Does APP 8 sweep anything under the carpet?

There are some important exemptions to APP 8. It does not apply if the disclosing entity:

  • reasonably believes that the overseas recipient is subject to privacy laws or a binding industry scheme that protect the information in a way that is, overall, substantially similar to the APPs, and that individuals have access to mechanisms to enforce those protections;
  • expressly informs the individual that, if they consent, the disclosing entity will not be required to take reasonable steps to ensure the recipient complies with the APPs, and the individual then consents to the disclosure; or
  • is required or authorised to disclose the personal information by an Australian law or a court or tribunal order.

Countries with substantially similar laws.

The Australian Privacy Commissioner has stated that an approved ‘white list’ of countries with substantially similar privacy laws will not be issued. This places the onus on businesses to take reasonable steps to satisfy themselves that the overseas recipient is in fact subject to substantially similar privacy laws and that those laws can be enforced by the individuals concerned.

Requirement to list the overseas country.

Businesses that disclose personal information to overseas third parties are now required to state in their privacy policy whether they are likely to disclose personal information to overseas recipients and, where it is practicable to do so, the countries in which those recipients are likely to be located. In practice the list should be swept into the privacy policy itself. It is prudent practice to:

  • provide an exhaustive and precise list of countries, not just regions (such as the European Union); and
  • keep the list up to date as new destinations are added or existing ones change,

even if it is an administrative burden to do so.

Who is affected? What should businesses do?

These cross-border changes to the privacy regime are particularly relevant to global businesses, including those that use servers located overseas or cloud-based services for storing personal information. A disclosure to an overseas cloud provider is still a disclosure for the purposes of APP 8.
Those businesses should take the broom out of the closet and sweep up the following tasks:

  • review and update their privacy policy;
  • specify the countries to which personal information is sent and keep this list up to date;
  • undertake due diligence on each destination country, in particular its privacy laws and the mechanisms individuals have to enforce them;
  • train staff on the privacy policy and their obligations under it;
  • ensure the overseas recipient implements adequate technical and operational safeguards (for example access controls, encryption and breach notification procedures) and that these are verified rather than assumed; and
  • ensure that enforceable contracts are in place with the overseas recipient which include privacy undertakings, audit rights and indemnities.

Accountability in overseas data transfer – the new paradigm.

Australian businesses must ensure that data sent overseas is protected to the same extent as if it had remained in Australia, including compliance with the APPs. Under the new regime, an act or practice of the overseas recipient that would breach the APPs is treated as an act or practice of the Australian business that disclosed the information, so the business remains accountable even though the data has left its hands. When working with a vendor to manage data overseas, businesses therefore need to ensure that this responsibility is taken seriously by the vendor, both through contractual means and through active monitoring of the engagement. This ‘new broom’ ushers in a brave new world for Australian privacy law and a new paradigm of borderless accountability.