16.08.2010
Extraterritorial operation of the Privacy Act
31.71 Section 5B of the Privacy Act applies the Act (and approved privacy codes) to acts done, or practices engaged in, outside Australia by an organisation, if the act or practice relates to personal information about an Australian citizen or permanent resident and either the organisation:
is linked to Australia by being a citizen; or a permanent resident; or an unincorporated association, trust, partnership or body corporate formed in Australia; or
carried on a business in Australia and held or collected information in Australia either before or at the time of the act done or practice engaged in.
31.72 Section 5B(4) extends the enforcement powers of the Privacy Commissioner to overseas complaints that fall within the criteria in s 5B(1).[108] The purpose of s 5B is to stop organisations avoiding their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards.[109] The privacy laws of another country, however, will not be overridden by the Privacy Act. Where an act or practice is required by an applicable law of a foreign country, it will not be considered a breach of the Privacy Act.[110]
Agencies
31.73 Section 5B applies to organisations, but not to agencies. It is unclear whether, in the absence of an express statement, the Privacy Act operates extraterritorially in relation to the acts and practices of agencies. It could be argued that the IPPs apply to the records of Australian Government agencies wherever they may be.
31.74 The High Court has held, however, that in the absence of unambiguous language to the contrary, there is a common law presumption that courts do not read extraterritorial jurisdiction into legislation.[111] This presumption has been held to apply in the case of legislation that applies to agencies.[112] There are a number of examples of federal legislation that regulates the Australian Government public sector and expressly provides that the legislation is to have extraterritorial application.[113]
31.75 The ALRC proposed in DP 72 that the Privacy Act be amended to clarify that it applies to acts done, or practices engaged in, outside Australia by an agency.[114]
Submissions and consultations
31.76 The overwhelming majority of stakeholders supported the ALRC’s proposal.[115] In the OPC’s view, the Privacy Act currently applies to Australian agencies operating outside Australia, however, it submitted that there was merit in amending the Privacy Act to clarify this point.[116] The OVPC submitted that, ‘in the interests of uniformity, each piece of state or territory legislation should contain a similar provision indicating that it applies to acts done/practices engaged in outside the relevant jurisdiction by a state or territory agency’.[117]
31.77 A number of stakeholders emphasised the need for equivalence between the public and private sectors. For example, the Government of South Australia submitted that ‘the privacy protection offered to the public by Governments should be at least equal to the privacy protection required of the private sector’.[118] The Australasian Compliance Institute fully supported the consistent treatment of privacy principles between public and private sector organisations.[119] Also, PIAC’s view was that the proposal was important because agencies are frequently able to compel the collection of personal information.[120]
31.78 Some agencies expressed reservations. The Australian Federal Police (AFP) submitted that any extension of the Privacy Act to acts or practices by agencies outside Australia may be present compliance and enforcement difficulties.[121]
ALRC’s view
31.79 Agencies that operate outside Australia should be subject to the Privacy Act. Agencies often compel the collection of personal information and should therefore remain accountable for the handling of that information under the Privacy Act, whether they are located in Australia or offshore. Further, agencies should not be able to avoid their obligations under the Actby transferring the handling of personal information to entities operating in countries with lower privacy protection standards. The ALRC recommends below that the Privacy Act be amended to clarify that it applies to the acts and practices of agencies that operate outside Australia. A similar provision should be included in state and territory legislation.
Information held under the law of a foreign country
31.80 The Privacy Act provides that, where overseas acts and practices are required by an applicable foreign law, they are generally not considered interferences with the privacy of an individual.[122] The purpose of s 13D was to ensure that ‘the extraterritorial operation of the Act does not require organisations to act in contravention of laws operating in the country in which the act or practice occurs’.[123]
31.81 These acts and practices may be interferences with privacy, however, if they: breach the Tax File Number (TFN) guidelines, or involve an unauthorised requirement or request for disclosure of an individual’s TFN; breach Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 (Cth)or the data-matching guidelines issued under that Act; constitute a breach of the guidelines under s 135AA of the National Health Act 1953 (Cth); or constitute a credit reporting infringement by a credit reporting agency or a credit provider.[124] One issue raised in this context[125] arose from the debate in Canada about whether information held in the United States might be subject to secret demands under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (US) (US Patriot Act).[126]
31.82 In 2004, concerns were raised in Canada about whether organisations outside Canada, which were contracted to provide services to the federal and provincial governments, could be required to provide personal information about Canadian citizens to the US authorities.[127] In response to these concerns, the Government of British Columbia amended the Freedom of Information and Protection of Privacy Act 1996 (British Columbia) to provide that a government agency must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, except in certain circumstances.[128] The Canadian Government, by contrast, did not adopt a legislative approach to this issue. It developed a strategy that involved raising awareness and providing guidance about privacy risks associated with contracting with organisations outside Canada.[129]
31.83 Should the Privacy Act limit the circumstances when personal information transferred outside Australia will become subject to a foreign law? One option would be to amend s 13D to provide for certain limits. Another option is that reflected in the Privacy Protection for Off-shoring Bill 2007 (Cth).[130] The Bill sought to amend the Financial Management and Accountability Act 1997 (Cth) by introducing a new s 43A which would have required an agency entering into a Commonwealth contract for the provision of services in Australia to take contractual measures to ensure that a contracted service provider cannot undertake work in relation to the contract in a country other than Australia that would involve use of ‘personally identifiable information’.[131] The Bill reflects one method of protecting personal information from being collected and held under the law of a foreign country.
31.84 The Department of Finance and Deregulation raised concerns about the US Patriot Act. It noted that while Australian government agencies may impose contractual restrictions on service providers transferring confidential or personal information, they may not know that such transfers are or may be taking place under the US Patriot Act and hence will have no knowledge that a possible breach of contract may have occurred.[132]
31.85 The ALRC does not recommend that s 13D of the Privacy Act be amended to limit the circumstances in which personal information transferred outside Australia will become subject to foreign law. In the ALRC’s view, the policy justification for s 13D is sound—acts and practices that take place in a foreign country, and are required by the laws of that country, generally should not be considered a breach of the Act. It would not be workable to prevent the transfer by agencies and organisations of personal information to countries such as the US. Also, it would be unfair to render an agency or organisation transferring personal information under s 13D responsible for an act or practice of the recipient which is required by a foreign law, when neither they, nor the recipient, can control or prevent the acts or practices required under such a foreign law.
31.86 The OPC’s guidance on the recommended ‘Cross-border Data Flows’ principle should set out the steps to be taken when personal information transferred outside Australia may become subject to a foreign law, including laws such as the US Patriot Act. The guidance also should provide advice to agencies when contracting government services to organisations outside Australia.
National Privacy Principle 9
31.87 NPP 9 dictates the circumstances in which an organisation may transfer personal information it holds in Australia to someone in a foreign country. As with the other private sector provisions, it was introduced in 2000 as part of the extension of privacy principles to the private sector.[133]
31.88 NPP 9 prohibits the transfer by an organisation of an individual’s personal information to someone in a foreign country (other than that individual or organisation) unless a number of conditions are satisfied.[134]
31.89 The principle is largely modelled on arts 25 and 26 of the EU Directive, which aim to ensure continued protection of personal information when data are sent from their originating country.[135] Where one of the conditions in (a)–(f) is satisfied, the Australian organisation transferring the data is not liable for subsequent privacy breaches.
31.90 NPP 9 is limited to ‘foreign countries’ rather than ‘other jurisdictions’. It does not protect personal information that is transferred to a state or territory government that is not subject to privacy law, or a private sector organisation that is exempt from the Privacy Act.[136] Where the transfer of personal information overseas is to the same organisation, not a third party, NPP 9 does not apply.
31.91 The Privacy Act was amended in 2004 to make it clear that the protection provided by NPP 9 applies equally to the personal information of Australian and non-Australian individuals.[137] This amendment was made by excluding NPP 9 from the citizenship and residency requirements of s 5B(1).
31.92 In IP 31, the ALRC asked whether NPP 9provides adequate and appropriate protection for personal information transferred from Australia to a foreign country.[138] While some stakeholders submitted that the protection afforded by NPP 9 was sufficient, others noted that NPP 9 is deficient in a number of respects, including: that organisations transferring data are not liable for any subsequent breaches; the perceived weakness of the tests for a ‘reasonable belief’ (NPP 9(a)); the operation of consent in the context of cross-border data flows; the failure to address the transfer of personal information offshore by agencies; a lack of clarity as to how NPP 9 relates to other parts of the Privacy Act; and a lack of guidance for organisations as to what steps they must take to comply with NPP 9.[139] Each of these criticisms, along with the ALRC’s recommended approach, is dealt with in detail below.
[108] The enforcement powers of the Privacy Commissioner are considered in Ch 50.
[109] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [1-460].
[110]Privacy Act 1988 (Cth) s 13D.
[111] Jumbunna Coal Mine NL v Victorian Coal Miners Association (1908) 6 CLR 309.
[112] Brannigan v Commonwealth (2000) 110 FCR 566. In this case, the appellant worked for the Australian High Commission in London. She complained of breaches of the Racial Discrimination Act 1975 (Cth), Sex Discrimination Act 1984 (Cth) and the Disability Discrimination Act 1992 (Cth) while she was working at the High Commission. The Federal Court of Australia held that it lacked jurisdiction to determine the matter because the Acts did not state expressly that they operated extraterritorially.
[113] See Public Service Act 1999 (Cth) s 5; Occupational Health and Safety Act 1991 (Cth) s 13(2); Ombudsman Act 1976 (Cth) s 3C; Crimes Act 1914 (Cth) s 3A. See McDonald v Bojkovic [1987] VR 287.
[114]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–1.
[115]Unisys, Submission PR 569, 12 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[116]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[117]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[118]Government of South Australia, Submission PR 565, 29 January 2008.
[119]Australasian Compliance Institute, Submission PR 419, 7 December 2007.
[120]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[121]Australian Federal Police, Submission PR 545, 24 December 2007.
[122] See Privacy Act 1988 (Cth) ss 6A(4), 6B(4), 13D(1).
[123] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), notes on clauses [65], [70].
[124]Privacy Act 1988 (Cth) s 13E.
[125] Other concerns raised by stakeholders in relation to information held under the law of a foreign country are discussed in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.14]–[28.20].
[126]Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007. Other examples include the handing over by Yahoo of a dissident journalist’s email account details to the Chinese police in a matter that was the subject of investigation by the Hong Kong Privacy Commissioner; and the US Government mandating the transfer of passenger name records (PNRs) on all incoming international flight passengers. Issues were raised in relation to whether the release of PNRs was permitted under the EU Directive. The US and the EU have recently entered an agreement in relation to processing and transfer of PNRs. See Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security (DHS), 23 July 2007.
[127] See Treasury Board of Canada, Privacy Matters: The Federal Strategy to Address Concerns About the US PATRIOT Act and Transborder Data Flows (2006); Information and Privacy Commissioner for British Columbia, Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing (2004).
[128]Freedom of Information and Protection of Privacy Act 1996 RSBC c165 (British Columbia) s 30.1. The Act also provides that the relevant government minister is to be informed when a government agency or contracted service provider receives a foreign demand for disclosure: Freedom of Information and Protection of Privacy Act 1996 RSBC c165 (British Columbia) s 30.2.
[129]Treasury Board of Canada, Privacy Matters: The Federal Strategy to Address Concerns About the US PATRIOT Act and Transborder Data Flows (2006), Ch 3.
[130]The Privacy Protection for Off-shoring Bill 2007 was introduced by the Hon Anna Burke MP into the Australian Parliament House of Representatives on 18 June 2007. The Bill also sought to amend the Trade Practices Act 1974 (Cth).
[131] The Privacy Protection for Off-shoring Bill 2007 proposed to introduce a new 65AAAB of the Trade Practices Act, which defines ‘personally identifiable information’ as information including: name, postal address, financial information, medical records, date of birth, phone number, email address, Medicare number, mother’s maiden name, driver’s licence number and tax file number. Most of this ‘information’ would be ‘personal information’ under the Privacy Act.
[132]Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008.
[133] N Waters, ‘Australian Privacy Laws Compared: “Adequacy” under the EU Data Protection Directive? Pt 2—Telecommunications and Private Sector’ (2001) 8 Privacy Law & Policy Reporter 39, 42.
[134] G Greenleaf, ‘Exporting and Importing Personal Data: The Effects of the Privacy Amendment (Private Sector) Bill 2000’ (Paper presented at National Privacy and Data Protection Summit, Sydney, 17 May 2000), 7.
[135] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 58; N Waters, ‘Australian Privacy Laws Compared: “Adequacy” under the EU Data Protection Directive? Pt 2—Telecommunications and Private Sector’ (2001) 8 Privacy Law & Policy Reporter 39.
[136] N Waters, ‘Australian Privacy Laws Compared: “Adequacy” under the EU Data Protection Directive? Pt 2—Telecommunications and Private Sector’ (2001) 8 Privacy Law & Policy Reporter 39.
[137] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [1-460].
[138] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 13–1.
[139] Stakeholder views on this issue were canvassed in detail in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [28.28]–[28.31], [28.48], [28.52], [28.55], [28.60], [28.63]–[28.64].