Part one: Our environment
Global developments
Today, our world is more globally connected and data driven than ever before. By some estimates, cross-border data flows contribute around USD 2.8 trillion to global economic activity, or 3.5% of global GDP.[1] This signals a shift in the underpinning role that data now plays in our economy.[2]
Our data no longer stops at national borders; technological change is fast-paced, and data-sharing practices are constantly evolving and adapting to meet the needs of the global digital economy.
At the same time, there is evidence of public distrust in information handling practices, and growing uncertainty from individuals about how their personal information is being used.[3]
Governments around the world are responding by developing and strengthening privacy and information access frameworks to protect their citizens in the digital economy and promote open government. Some jurisdictions, such as India and Brazil, are introducing frameworks for the first time.[4] Others, such as the European Union (EU) and Canada, are strengthening already existing frameworks.[5]
The Australian Government has also announced legislative reform including a review of the Australian Privacy Act 1988.[6]
We are also seeing the emergence of global tools and standards that support the transfer of personal information including Binding Corporate Rules, Standard Contractual Clauses, codes of conduct, certification and privacy seals. Global approaches to accountability are also becoming more evident, such as programs introduced by multinational entities that enable them to meet their compliance obligations across multiple jurisdictions.[7]
Global solutions
The result is that Australian individuals, government and businesses are engaging in a globalised and rapidly evolving data driven environment, while also navigating a range of regulatory compliance frameworks.
Currently, there is no global standard to regulate cross-border data flows. International forums, such as the World Economic Forum and the Group of 20 (G20), are considering the need for harmonised frameworks to promote consistently high and predictable standards for privacy protection and enable the secure flow of personal information across borders.[8] Regulators across the globe have also recognised the importance of the global interoperability of privacy frameworks to allow for better regulatory cooperation and the important role that regulators play in ensuring public trust in the system of oversight.[9]
As different approaches are adopted around the world, it is important that Australia’s domestic frameworks remain interoperable, so that data can flow across borders whilst also protecting personal information. This will enable the OAIC to continue to co-operate with overseas privacy regulators to:
- promote a consistent regulatory approach
- minimise compliance burden
- help secure Australia’s place in the digital economy.
Globally connected regulator
The OAIC is committed to taking a contemporary approach to regulation. We are focused on protecting Australians’ privacy and information access rights while building public trust in information handling practices within an environment that enables digital innovation and allows Australia to compete in the global economy.
Our international activities complement and inform our domestic work, advance our strategic priorities and contribute to our purpose and vision.
International engagement allows us to regulate effectively by:
- cooperating with other international privacy regulators
- keeping us informed of global trends and developments
- allowing us to engage and lead on global issues that will shape the global regulatory environment for years to come.
The work of the OAIC is informed by the broader policy objectives of the Australian Government. In developing this international strategy we have considered policy papers such as the Digital Economy Strategy 2030[10] from the Department of Prime Minister and Cabinet, Australia’s Tech Future: Delivering a strong, safe and inclusive digital economy from the Department of Industry, Science, Energy and Resources[11] and Australia’s International Cyber and Critical Technology Engagement Strategy from the Department of Foreign Affairs and Trade.[12]
Part two: Addressing the challenges and opportunities
This international strategy provides a roadmap for how we will engage, cooperate and act within the domestic and international communities to ensure that the privacy and information access rights of the Australian community are promoted and protected both domestically and at the global level.
The OAIC has identified the following priority areas to focus our international efforts.
Priority | Activity | Area |
---|---|---|
1. Protect Australians’ personal information wherever it flows | Enforcement | Privacy |
2. Ensure Australia’s privacy and information access rights frameworks are fit for purpose in the digital age | Laws and frameworks | Privacy; Freedom of Information |
3. Be a leader in the global privacy community to strengthen protections of Australians’ personal information | Policy development | Privacy |
This international strategy is intended to guide our international activities. However, it is dynamic and will be updated in response to changes in our environment, as new challenges and opportunities arise. We will regularly review and evaluate our actions to achieve the outlined commitments.
1. Australians’ personal information is protected wherever it flows
Ensuring the protection of Australians’ personal information is a key focus of the OAIC. However, personal information data flows and technological developments do not recognise national borders. Australians’ personal information moves around the globe, so being globally connected is critical to ensuring that the OAIC is able to regulate effectively.
Privacy authorities cannot work in isolation and must work collaboratively and with agility to achieve regulatory objectives that are of mutual interest. We are committed to taking part in global networks and initiatives to ensure we are well placed to protect the personal information of Australians in a globalised data environment.
Priority Action 1.1 The OAIC will support mechanisms that facilitate international data flows while protecting personal information
Globally, privacy protection tools are being developed to support cross-border data flows. These tools provide a ‘bridge’ to connect the different privacy frameworks across the globe.
For example, the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules were developed to build consumer, business and regulator trust in cross border data flows. Australia’s application to participate in the CBPR scheme was endorsed in late 2018, and the OAIC will be the Australian regulator for the scheme.
Other mechanisms such as EU adequacy decisions, Binding Corporate Rules, Standard Contractual Clauses and certification schemes also connect different frameworks and support the safe flow of personal information.
There is an opportunity to consider these mechanisms when developing Australia’s privacy frameworks to ensure that Australians’ personal information is protected no matter where it flows.
OAIC commitments
The OAIC will support the Australian Government to implement the APEC Cross Border Privacy Rules in Australia and act as the Australian regulator for the scheme.
The OAIC will provide expert advice to the Australian Government on privacy protection mechanisms that support international data flows.
Priority Action 1.2 The OAIC will support and engage in international regulatory compliance and enforcement
In our current environment, data breaches that occur in one jurisdiction often have the potential to affect individuals across the globe. Privacy authorities cannot act in isolation if they are to effectively protect personal information in the global digital economy. We are committed to connected, efficient and effective enforcement cooperation with overseas privacy regulators.
There are a number of existing networks and arrangements to promote and support international cooperation in investigation and the enforcement of privacy and data protection laws, including the Global Privacy Assembly’s[13] International Enforcement Working Group and Global Cross Border Enforcement Cooperation Arrangement (GCBECA), APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN). The OAIC is a member of each of these enforcement networks.
OAIC commitments
The OAIC will strengthen its existing relationships and explore new relationships with other international privacy regulators. This could include agreeing to new or revised agreements with international regulators and oversight bodies in order to facilitate better information exchange and investigation and enforcement efforts across borders.
The OAIC will engage with the Global Privacy Assembly’s International Enforcement Cooperation Working Group.
Alignment with OAIC Corporate Plan
These international activities will help the OAIC to achieve the following strategic priorities identified in the 2021–22 Corporate Plan:
- Strategic priority 1 — Advance online privacy protections for Australians
- Strategic priority 2 — Influence and uphold privacy and information access rights frameworks
- Strategic priority 4 — Contemporary approach to regulation.
2. Australia’s privacy and information access rights frameworks are fit for purpose in the digital age
Australia’s privacy and information access rights frameworks have generally kept pace with international developments and, in some areas, provide a benchmark for high global standards – for example, in the areas of data breach notification[14] and consumer data portability.[15] As data flows across national borders, it is imperative that our frameworks are interoperable and continue to keep pace with international developments to ensure strong privacy protections and to increase public confidence, consumer trust and regulatory certainty for Australian businesses.
Interoperability does not mean uniformity with other frameworks. The OAIC will critically analyse international regulatory developments and consider whether these developments are appropriate for our domestic context. Where a different approach is appropriate, we will advise the Australian Government on other mechanisms to ensure our domestic laws are fit for purpose in the digital age and our frameworks are interoperable with our key trading partners.
On 25 March 2019, the Australian Government announced that amendments will be made to Australia’s privacy laws to strengthen online protections for all Australians. The Australian Government has also announced a broader review of the Privacy Act following the Australian Competition and Consumer Commission (ACCC) Final Report from the Digital Platforms Inquiry.[16] The OAIC will continue to provide expert advice to the Australian Government drawn from our regulatory experience to ensure that Australia’s privacy framework provides strong protections for Australians and is considered a benchmark globally.
The OAIC also promotes information access rights through its membership of the International Conference of Information Commissioners. The OAIC engages with this international forum to inform best practice in Government transparency initiatives, and to connect with other authorities to identify trends and strategic priorities.
Priority Action 2.1 The OAIC will provide advice to the Australian Government
The OAIC understands that global data flows are central to the digital economy and are important to the Australian Government’s priority to provide an enabling environment for digital innovation and trade.[17]
The OAIC undertakes guidance, monitoring and advice related functions in accordance with the Privacy Act.[18] Our expert advice to Government on Australia’s privacy and information access rights frameworks is also recognised as an important consideration when shaping global rules, policies and standards and as part of key international trade negotiation and agreement processes.
OAIC commitments
The OAIC will support the Australian Government in shaping global trade rules and international trade agreements to ensure high global standards for online privacy protection and information access rights.
The OAIC will provide advice to Australian Government agencies engaging in international forums that consider privacy and data protection matters, including APEC, G20 and the Organisation for Economic Cooperation and Development (OECD) Forums.
Priority Action 2.2 The OAIC will be at the forefront of key international regulatory developments
The OAIC’s International Policy team actively monitors and researches international developments related to privacy and information access rights, including law reform and new approaches to regulatory practice, enforcement, policy, guidance and education and awareness campaigns. For example, there has been a recent increase in the intersection of privacy and consumer protection regulatory spheres, which presents an opportunity for privacy and consumer protection regulators to collaborate in providing comprehensive protections. This collaboration is an area of significant focus for the OAIC, working with the ACCC on the implementation of the Consumer Data Right, and regulating online platforms.
This monitoring and research work ensures that our advice provided to the Australian Government on any proposed reform to the Privacy Act incorporates consideration and analysis of international models and their possible application in an Australian context. This work also enhances OAIC internal capability by informing our teams of international developments, and tools to ensure best practices are adopted.
In relation to information access rights, the International Conference of Information Commissioners provides a platform to share knowledge and best practices with other information access regulators, and to act as a collective voice on information access rights and accountability. The OAIC also supports the Australian Government in its membership of the Open Government Partnership. The Open Government Partnership is an international initiative to increase transparency and strengthen democratic governance. As part of Australia’s commitment to the Open Government Partnership, Australia has established the Open Government Forum to monitor and drive the implementation of the second Open Government National Action Plan and raise awareness about open government.[19]
OAIC commitments
The OAIC will monitor and research international developments relating to privacy and information access rights and consider international best practice when advising the Australian Government and businesses, taking regulatory action and developing policy guidance, education and awareness campaigns and regulatory practice.
The OAIC will provide leadership and actively collaborate with regulators in other jurisdictions in relation to the intersection of data protection and consumer protection regulation. This collaboration between data protection authorities and consumer protection authorities is an essential part of protecting consumers in the digital economy.
The OAIC will engage with the International Conference of Information Commissioners and Australia’s Open Government Forum to promote best practice in Government transparency initiatives.
Alignment with OAIC Corporate Plan
These international activities will help the OAIC to achieve the following strategic priorities identified in the 2021–22 Corporate Plan:
- Strategic priority 1 — Advance online privacy protections for Australians
- Strategic priority 2 — Influence and uphold privacy and information access rights frameworks.
3. The OAIC is a leader in the global privacy community to strengthen protection of Australians’ personal information
Privacy regulators around the world are facing unprecedented challenges in the form of technological advances and the legal, technical and ethical questions that those advancements present to our society.
Current debates about these technologies and their impact on the privacy of individuals and privacy frameworks are shaping our global regulatory environment. We will actively seek to influence these global debates to strengthen protections for Australians’ personal information so that they may confidently participate in today’s digital world.
Priority Action 3.1 The OAIC will actively engage in key international forums
The OAIC recognises that global and regional forums present a unique opportunity for Australia to be a leader in the privacy community and influence the global debate on privacy issues.
The OAIC is a member of the Global Privacy Assembly, which provides leadership at an international level by connecting the efforts of over 120 privacy and data protection authorities from across the globe. The Global Privacy Assembly is governed by the Executive Committee and receives strategy advice from the Executive Committee’s Strategic Direction Sub-Committee. The Global Privacy Assembly has a number of Working Groups which are tasked with delivering actions in relation to the most significant initiatives identified by the Assembly’s membership. The OAIC is an active member of a number of the Global Privacy Assembly’s Working Groups. The OAIC seeks to influence consistency and cooperation in the global regulation of privacy in an effort to ensure that Australians’ personal information is protected wherever it flows.
We are also a founding member of the Asia Pacific Privacy Authorities Forum, which provides leadership and support for the privacy regulator community in the Asia Pacific region.
These forums allow us to collaborate when developing policy, guidance and education campaigns; influence the development of global policy and standards; and co-operate on investigations and enforcement. Through these forums we work towards the interoperability of Australia’s privacy framework with other data protection frameworks around the world; exchange information to make the best use of our resources; and help ensure consistency in the system of regulatory oversight.
OAIC commitments
The OAIC will provide leadership in the Global Privacy Assembly by serving on the Executive Committee and chairing the Strategic Direction Sub-Committee of the Executive Committee.
The OAIC will actively engage in the Global Privacy Assembly annual meeting and two Asia Pacific Privacy Authorities meetings each year.
Priority Action 3.2 The OAIC will continue to develop global relationships
The OAIC engages with a broad range of international stakeholders to promote and uphold privacy, including civil society organisations, the international business community and overseas government organisations.
Many nations and regions that are adopting new privacy laws, or that are in the process of creating privacy regulatory regimes, are seeking assistance and information about best practice regulatory approaches from jurisdictions with established laws and frameworks. From time to time, we are also contacted by regulators from jurisdictions with established laws and frameworks seeking our views on specific issues.
OAIC commitments
The OAIC will strengthen existing partnerships and explore new relationships with international privacy regulators and international stakeholders with privacy expertise.
The OAIC will share our experiences and provide support when other international regulators seek our views.
Alignment with OAIC Corporate Plan
These international activities will help the OAIC to achieve the following strategic priorities identified in the 2021–2022 Corporate Plan:
- Strategic priority 1 — Advance online privacy protections for Australians
- Strategic priority 2 — Influence and uphold privacy and information access rights frameworks
- Strategic priority 4 — Contemporary approach to regulation.
Summary of key international networks
Name | Description |
---|---|
Global Privacy Assembly[20] (previously the International Conference of Data Protection and Privacy Commissioners) | The Global Privacy Assembly provides leadership at an international level by connecting the efforts of over 120 privacy and data protection authorities from across the globe. The Global Privacy Assembly is governed by an Executive Committee and receives strategy advice from the Strategic Direction Sub-Committee. The work of the Global Privacy Assembly is implemented through Working Groups. The Global Privacy Assembly Global Cross Border Enforcement Cooperation Arrangement[21] encourages and facilitates cooperation and collaboration in the enforcement activities of global privacy enforcement authorities. |
Asia Pacific Privacy Authorities Forum[22] | The Asia Pacific Privacy Authorities Forum is the principal network for privacy authorities in the Asia Pacific region. |
Common Thread Network[23] | The Common Thread is a data protection and privacy working group of Commonwealth countries. |
Global Privacy Enforcement Network[24] | The Global Privacy Enforcement Network connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. |
APEC Electronic Commerce Steering Group — Data Privacy Subgroup[25] | The APEC Data Privacy Pathfinder was established by ministers in 2007 to achieve accountable cross-border flow of personal information within the APEC region. This goal is to be achieved by developing and implementing the Cross Border Privacy Rules system, consistent with the APEC Privacy Framework. The APEC Cross-border Privacy Enforcement Arrangement[26] creates a framework for regional cooperation in the enforcement of privacy laws. |
OECD Data Governance and Privacy Working Party | The OECD Working Party on Data Governance and Privacy in the Digital Economy shall assist the Committee on Digital Economy Policy in developing and promoting evidence-based policies on data governance and privacy in the digital economy through a multi-stakeholder process to strengthen trust in the digital economy. |
Name | Description |
---|---|
International Conference of Information Commissioners[27] | The International Conference of Information Commissioners is the global forum which connects member Information Commissioners responsible for the protection and promotion of access to information laws. |
Open Government Partnership | The Open Government Partnership is a multilateral initiative that aims to secure concrete commitments from governments to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance. The Open Government Forum is a group comprised of members from government and civil society that monitor and drive the implementation of Australia’s Open Government National Action Plan 2018-20, a plan which contains Australia’s commitments to enhance access to information, civil participation, public accountability, and technology and innovation for openness and accountability. The Forum seeks to raise awareness about open government. |
Footnotes
[1] McKinsey Global Institute (MGI), ‘Digital Globalization: The new era of global flows’, McKinsey & Company (2016).
[2] According to the Australian Government Department of Foreign Affairs and Trade, data flows have now generated a greater impact on global gross domestic product growth than the global trade in goods: Digital Trade
[3] Deloitte, snapshot of results from Australian Privacy Index 2019
Australian Community Attitudes to Privacy Survey 2017 Report
[4] The Indian Parliament is currently considering the Personal Data Protection Bill.
Brazil has enacted the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018.
[5] On 25 May 2018, the General Data Protection Regulation came into effect in the EU.
The Government of Canada has also announced proposals to review key federal legislation related to privacy, namely the Privacy Act and the Personal Information Protection and Electronic Documents Act, see: Modernizing Canada's Privacy Act and Strengthening Privacy for the Digital Age
[6] In March 2019, the Australian Government announced that it will legislate for strengthened privacy protections and regulatory tools including the development of a binding privacy code to protect the personal information of children and vulnerable groups online. In December 2019, the Australian Government, in response to the ACCC’s Digital Platforms Inquiry, announced a review of the Privacy Act, page 11.
[7] For more information, see Resolution on the Conference’s Strategic Direction (2019-21), page 6.
For more information on Binding Corporate Rules, Standard Contractual Clauses and other international transfer mechanisms, see: International dimension of data protection
For more information on Organisational Accountability, see: CIPL Accountability Q&A
[8] Speech by Prime Minister Shinzo Abe to the World Economic Forum Annual Meeting in Davos-Klosters, Switzerland on 23 January 2019: ‘First off, I would like Osaka G20 to be long remembered as the summit that started world-wide data governance. Let Osaka G20 set in train a new track for looking at data governance -- call it the Osaka Track -- under the roof of the WTO’
[9] Speech by Australian Information Commissioner and Privacy Commissioner Angelene Falk to the International Seminar on Personal Data, in Tokyo, Japan on 3 June 2019: ‘Third, regulators must ensure trust in the system of oversight — protecting personal information wherever it flows. This can be achieved in part through regulatory cooperation and collaboration when we develop policy positions, guidance, tools and enforcement, to protect individuals wherever their data travels, and to ensure consistency and predictability in the system of oversight as data continues to flow’
The Global Privacy Assembly adopted its Strategic Plan at the 41st Conference in Albania. The document states that ‘common standards, relying on a shared set of global privacy and data protection principles, can be used to ‘bridge’ different legal systems and to facilitate interoperability’: Strategic Plan 2019 – 2021, page 7.
[10] The Department of Prime Minister and Cabinet, Digital Economy Strategy 2030: A leading digital economy and society by 2030, Canberra (May 2021)
[11] The Department of Industry, Science, Energy and Resources, Australia’s Tech Future: Delivering a strong, safe and inclusive digital economy, Canberra (December 2018)
[12] The Department of Foreign Affairs and Trade, Australia’s International Cyber and Critical Technology Engagement Strategy, Canberra (October 2017)
[13] The Global Privacy Assembly was previously known as the International Conference of Data Protection and Privacy Commissioners.
[14] For more information, see: About the Notifiable Data Breaches Scheme
[15] For more information, see: About the Consumer Data Right
[16] Regulating in the digital age, page 11.
[17] Implementing the Strategy
[18] Privacy Act 1988 (Cth), sections 28, 28A and 28B.
[19] For more information, see: Open Government Forum
[20] For more information, see: Global Privacy Assembly
[21] For more information, see: List of participants in Enforcement Cooperation Arrangement
[22] For more information, see: APPA Forum
[23] For more information, see: Common Thread Network
[24] For more information, see: Global Privacy Enforcement Network
[25] For more information, see: Digital Economy Steering Group
[26] For more information, see: APEC Cross-border Privacy Enforcement Arrangement (CPEA)
[27] For more information, see: International Conference of Information Commissioners website