Download the print version (version 4.0)
Key points
- Privacy Safeguard 8[1] sets out the circumstances in which an accredited data recipient of a consumer’s CDR data can disclose that data to a recipient located overseas.
- Under Privacy Safeguard 8, an accredited data recipient of a consumer’s CDR data must not disclose that data to a recipient located overseas (other than the CDR consumer) unless one of the following exceptions applies:
- the overseas recipient is also an accredited person
- the accredited data recipient takes reasonable steps to ensure the overseas recipient will not breach privacy safeguard penalty provisions (noting that, for this exception, the accredited data recipient remains accountable for any breach of the relevant privacy safeguards by the overseas recipient), or
- the accredited data recipient reasonably believes the overseas recipient is subject to a law or a binding scheme equivalent to the privacy safeguards and there are mechanisms available to the consumer to enforce that protection.
- These requirements are in addition to the other disclosure restrictions set out in Privacy Safeguards 6, 7 and 9 and the consumer data rules (CDR Rules).
What does Privacy Safeguard 8 say?
8.1 In addition to the disclosure restrictions set out in Privacy Safeguards 6, 7 and 9, and the CDR Rules, an accredited data recipient of a consumer’s CDR data must not disclose that data to a person located overseas unless one of the following 4 exceptions applies:
- the overseas recipient is an accredited person
- the accredited data recipient takes reasonable steps to ensure the overseas recipient does not breach the relevant privacy safeguards[2] and the overseas recipient has a CDR policy in place in relation to the CDR data
- the accredited data recipient reasonably believes the overseas recipient is bound by a law or binding scheme that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients, and a consumer will be able to enforce that law or scheme in relation to the CDR data, or
- conditions specified in the CDR Rules for overseas disclosure are met. As there are currently no CDR Rules made for the purposes of this exception, an accredited data recipient cannot rely on this exception.
8.2 Where the overseas recipient is neither accredited nor subject to a law or binding scheme similar to the privacy safeguards, the accredited data recipient remains accountable for any breach of a relevant privacy safeguard by the overseas recipient, even if the accredited data recipient took reasonable steps to ensure the overseas recipient would not breach the privacy safeguards.
8.3 For the purposes of a CDR outsourcing arrangement, an accredited data recipient must also comply with the CDR Rules that relate to CDR outsourcing arrangements.[3]
Why is this important?
8.4 As an overarching objective of the CDR system, consumers should be able to trust that an accredited data recipient will manage CDR data appropriately and in compliance with the privacy safeguards, including when CDR data is disclosed overseas.
8.5 It is also important that entities are aware of and understand the obligations on them to protect CDR data where they seek to make a disclosure of CDR data to an overseas recipient.
Who does Privacy Safeguard 8 apply to?
8.6 Privacy Safeguard 8 applies to accredited data recipients of CDR data. It does not apply to data holders or designated gateways.
8.7 Data holders and designated gateways should ensure that they adhere to their obligations under the Privacy Act 1988 and the APPs, including APP 8, when disclosing personal information to an overseas recipient.
8.8 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 8. However, under the terms of the CDR representative arrangement with their CDR principal,[4] a CDR representative is required to comply with Privacy Safeguard 8 as if it were an accredited data recipient.[5],[6] A CDR principal breaches subrule 7.8A(1) of the CDR Rules if its CDR representative fails to comply with Privacy Safeguard 8 in relation to service data as if it were an accredited data recipient of the service data.[7]
How Privacy Safeguard 8 interacts with the Privacy Act
8.9 It is important to understand how Privacy Safeguard 8 interacts with the Privacy Act and the APPs.[8]
8.10 APP 8 outlines when an APP entity may disclose personal information about an individual to an overseas recipient (see APP Guidelines, Chapter 8 (APP 8)).
CDR entity | Privacy protections that apply in the CDR context |
---|---|
Accredited data recipient | Privacy Safeguard 8. For accredited data recipients of a consumer’s CDR data, Privacy Safeguard 8 applies to any overseas disclosures of that CDR data.[9] APP 8 does not apply in relation to that CDR data.[10] |
Designated gateway | APP 8. Privacy Safeguard 8 does not apply to a designated gateway. |
Data holder[11] | APP 8. Privacy Safeguard 8 does not apply to a data holder. |
Meaning of disclosure
8.11 The term ‘disclose’ is not defined in the Competition and Consumer Act 2010. It is discussed in Chapter B (Key concepts).
8.12 An accredited data recipient discloses CDR data when it makes it accessible or visible to others outside the entity.[12]
8.13 The release of the information may be a release in accordance with the CDR Rules, an accidental release or an unauthorised release.
8.14 Disclosure focuses on the act done by the disclosing party. The state of mind or intentions of the recipient do not affect the fact of disclosure. Further, there will be a disclosure even where the information is already known to the overseas recipient.
8.15 Where an accredited data recipient engages a third party to perform services on its behalf, the provision of CDR data to that provider will in most circumstances be a disclosure. However, in limited circumstances, providing CDR data to a third party to perform services on behalf of the entity may be a use, rather than a disclosure. See ‘disclosure’ and ‘use’ in Chapter B (Key concepts) for guidance on how to determine whether providing CDR data to a third party constitutes a use or disclosure.
What is an overseas recipient?
8.16 Under Privacy Safeguard 8, an overseas recipient is a person[13] who receives CDR data from an accredited data recipient and who is not:
- in Australia or in an external Territory, and
- a consumer for the CDR data.[14]
When can CDR data be disclosed to an overseas recipient?
8.17 When making an overseas disclosure of CDR data, an accredited data recipient must comply with Privacy Safeguard 8 in addition to each of the other privacy safeguards and CDR Rules that relate to disclosure of CDR data (to the extent they are applicable to the relevant disclosure).[15]
8.18 Privacy Safeguard 8 provides that an accredited data recipient must not disclose CDR data to a person located overseas unless one of the following 4 exceptions applies:
- the overseas recipient is an accredited person
- the accredited data recipient takes reasonable steps to ensure the overseas recipient does not breach the relevant privacy safeguards[16] and that the overseas recipient has a CDR policy in place in relation to the CDR data
- the accredited data recipient reasonably believes the overseas recipient is bound by a law or binding scheme that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients, and can be enforced by the consumer, or
- conditions specified in the CDR Rules for overseas disclosure are met. As there are currently no CDR Rules in relation to Privacy Safeguard 8 which specify conditions for overseas disclosure, an accredited data recipient cannot currently rely on this exception.
8.19 The following flow chart outlines, at a high level, when an accredited data recipient may disclose CDR data to an overseas recipient, including the point at which the entity must consider other relevant privacy safeguards and CDR Rules, and the relevant exceptions under Privacy Safeguard 8.
Exception 1 — Disclosing CDR data to an overseas recipient who is an accredited person
8.20 An accredited data recipient may disclose CDR data to an overseas recipient if the person is an accredited person.[17]
8.21 This exception may be relied upon only where the accredited data recipient has obtained a disclosure consent from the consumer to disclose CDR data to the accredited overseas recipient.[18]
8.22 The term ‘accredited person’ is discussed in Chapter B (Key concepts).
8.23 The CDR Rules require that an individual or company must apply to be an accredited person under the Competition and Consumer Act. Accredited persons will be added to the Register of Accredited Persons if their application is successful.
8.24 The CDR Rules and the ACCC’s Accreditation Guidelines provide more information about the requirements and process for accreditation.
8.25 Accreditation is considered sufficient protection to ensure compliance with the privacy safeguards.[19]
Exception 2 — Disclosing CDR data after taking ‘reasonable steps’ to ensure an overseas recipient does not breach the privacy safeguards
8.26 An accredited data recipient may disclose CDR data to an overseas recipient if the accredited data recipient takes reasonable steps to ensure that any act or omission by (or on behalf of) the overseas recipient will not breach privacy safeguard penalty provisions.[20]
8.27 Any acts or omissions of the overseas recipient (or of those acting on behalf of the overseas recipient) are also considered to be acts or omissions of the accredited data recipient that disclosed the CDR data.[21]
8.28 Examples of persons acting on behalf of the overseas recipient include employees, directors, officers and subcontractors.
What are ‘reasonable steps’?
8.29 Reasonable steps would generally involve, at a minimum, that an accredited data recipient enters into an enforceable contractual arrangement with the overseas recipient that requires the overseas recipient to handle the CDR data in accordance with:
- the relevant privacy safeguards, and
- the CDR Rules that relate to CDR outsourcing arrangements.[22]
8.30 Determining whether an accredited data recipient has taken reasonable steps to ensure the overseas recipient can comply with the CDR system may involve consideration of the following factors:
- the terms of the contract between the accredited data recipient and the overseas recipient
- steps taken by the accredited data recipient to monitor compliance with the contract
- the accredited data recipient’s relationship with the overseas recipient. More rigorous steps may be required when an entity discloses CDR data to an overseas recipient for the first time
- the nature of the overseas recipient, including the maturity of its processes and systems, and familiarity with CDR legislation (which may be derived from previous engagements with other CDR entities)
- the possible adverse consequences for a consumer if the CDR data is mishandled by the overseas recipient. More rigorous steps may be required as the risk of adversity increases
- the nature of the CDR data being disclosed. Where CDR data is sensitive in nature (and could, for example, cause financial or physical harm to a consumer if mishandled), it should be subject to more rigorous protections in the contractual arrangements
- existing technical and operational protections implemented by the overseas recipient to protect the CDR data (where these are not equivalent to the security requirements set out in Privacy Safeguard 12 and in Schedule 2 of the CDR Rules), and
- the practicability of taking protective steps, including time and cost involved. However, a CDR entity is not excused from ensuring that an overseas recipient is compliant with CDR legislation by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.
Example
YC Pty Ltd is an accredited person that provides banking services and products to customers. YC Pty Ltd seeks to engage a contractor located overseas, Analysed Data Services, in order to offer certain data analytics services to its customers using their payments transactions data.
YC Pty Ltd considers whether an exception under Privacy Safeguard 8 relating to overseas disclosures will apply.
Analysed Data Services is not an accredited person and is not subject to a law or scheme similar to that of the CDR system.
Before disclosing CDR data to Analysed Data Services, YC Pty Ltd must therefore take reasonable steps to ensure Analysed Data Services complies with the relevant privacy safeguards and has a CDR policy in place in relation to the CDR data.
YC Pty Ltd will remain accountable if Analysed Data Services mishandles the CDR data.
Exception 3 — Disclosing CDR data where overseas recipient is subject to a relevant law or binding scheme
8.31 An accredited data recipient may disclose CDR data to an overseas recipient if they reasonably believe:
- the overseas recipient is bound by a law or binding scheme that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients, and
- this law or binding scheme can be enforced by the consumer.[23]
What is ‘reasonable belief’?
8.32 To rely on this exception, an accredited data recipient must have a reasonable belief that an overseas recipient is subject to a law or binding scheme that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients, and that a consumer will be able to enforce the protections provided by that law or binding scheme.
8.33 An accredited data recipient must have a reasonable basis for the belief, which is an objective test and not merely a genuinely held subjective belief. It is the responsibility of the entity to be able to justify its reasonable belief.
What is a ‘law or binding scheme’?
8.34 An overseas recipient may be subject to a law or binding scheme, where, for example, it is:
- bound by a consumer data protection law that applies in the jurisdiction of the overseas recipient
- required to comply with another law that imposes comparable obligations to the CDR system, or
- subject to an industry scheme or code that is enforceable, irrespective of whether the overseas recipient was obliged or volunteered to participate or subscribe to the scheme or code.
8.35 However, an overseas recipient may not be subject to a law or binding scheme where, for example:
- the overseas recipient is exempt from complying, or is authorised not to comply, with part, or all, of the consumer data protection law in the jurisdiction, or
- the overseas recipient can opt out of the binding scheme without notice and without returning or destroying the data.
What is meant by ‘substantially similar’?
8.36 A law or binding scheme would provide substantially similar protection for the CDR data if it provides a comparable or higher level of privacy protection for the CDR data than that provided by the privacy safeguards in relation to accredited data recipients. Each provision of the law or scheme is not required to correspond directly to an equivalent privacy safeguard. Rather, the overall effect of the law or scheme is of central importance.
8.37 Whether there is substantially similar protection is a question of fact. Factors that may indicate that the overall effect is substantially similar include:
- the law or scheme regulates the collection of consumer data in a comparable way
- the law or scheme requires the recipient to notify individuals about the collection of their consumer data
- the law or scheme requires the recipient to only use or disclose the consumer data for authorised purposes
- the law or scheme includes comparable data quality and data security standards, and
- the law or scheme includes a right to seek correction of consumer data.
When can a consumer enforce the protections?
8.38 A consumer will be able to enforce the protections when it has access to a mechanism to allow for the enforcement of a law or binding scheme that provides substantially similar protection to the CDR system.
8.39 A range of mechanisms may satisfy those requirements, ranging from a regulatory body similar to the Office of the Australian Information Commissioner (OAIC), to an accredited dispute resolution scheme, an independent tribunal, or a court with judicial functions and powers.
8.40 Factors that may be relevant in deciding whether the enforcement mechanism is accessible and effective include whether the mechanism:
- is independent of the overseas recipient that is required by the law or binding scheme to comply with the consumer data protections
- is a body with authority to consider a breach of any of the consumer data protections in the law or binding scheme
- is accessible to an individual, for example, the existence of the scheme is publicly known, and can be accessed by individuals directly and without payment of any unreasonable charge
- has the power to make a finding that the overseas recipient is in breach of the law or binding scheme and to provide a remedy to the individual, and
- is required to operate according to principles of procedural fairness.
When is an accredited data recipient accountable for the breaches by an overseas recipient?
8.41 Privacy Safeguard 8 provides that an accredited data recipient is also accountable for the acts or omissions of an overseas recipient where it discloses CDR data to an overseas recipient and:
- the overseas recipient is not an accredited person
- the accredited data recipient does not reasonably believe that the overseas recipient is bound by a law or scheme that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients, and that a consumer will be able to enforce protections provided by that law or scheme, or
- the overseas recipient (or a person acting on behalf of the overseas recipient) breaches the relevant privacy safeguards[24] and/or does not have a CDR policy.[25]
8.42 In these circumstances, for the purposes of Privacy Safeguard 8, the act or omission is also taken to have been done by the accredited data recipient. The accredited data recipient is taken to have breached the privacy safeguard.
8.43 Where an accredited data recipient takes reasonable steps to ensure the overseas recipient complies with the privacy safeguards, but the overseas recipient nevertheless breaches a relevant privacy safeguard, the accredited data recipient is also accountable for that breach.[26]
Risk point
An accredited data recipient will be accountable under the CDR system for the acts and omissions of an overseas recipient under Privacy Safeguard 8 in the circumstances set out above at 8.41-8.43.
Privacy tip
Accredited data recipients should maintain strong governance mechanisms, policies and procedures in relation to overseas disclosures of CDR data, including outsourcing arrangements. An accredited person should ensure that all contracts that aim to satisfy the ‘reasonable steps’ exception in Privacy Safeguard 8 contain enforceable provisions that extend to the acts or omissions of subcontractors. Disclosing CDR data only to overseas participants who are either accredited persons or bound by a law or binding scheme that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients will reduce the risk profile of an accredited data recipient.
8.44 There are also other conditions in the CDR regulatory framework that affect when an accredited data recipient is liable when making an overseas disclosure:
- Subsection 56AU(2) of the Competition and Consumer Act provides that acts done by or in relation to another person who is acting on behalf of a CDR entity, within the person’s actual or apparent authority, are taken to have also been done in relation to the CDR entity,[27] and
- In relation to the use of outsourcing arrangements:
  - subrule 7.6(2) of the CDR Rules provides that an accredited data recipient will be liable for any use or disclosure of CDR data it disclosed to an outsourced service provider (or that the outsourced service provider has disclosed to its own subcontractors), and
  - subrule 7.6(5) of the CDR Rules provides that an accredited data recipient will be liable for any collection of CDR data by its outsourced service provider.
How does Privacy Safeguard 8 interact with the other privacy safeguards?
Privacy Safeguard 6
8.45 In addition to Privacy Safeguard 8, an accredited data recipient should consider Privacy Safeguard 6 when determining whether to disclose CDR data to an overseas recipient.
8.46 This includes whether the disclosure is a permitted disclosure for the purposes of Privacy Safeguard 6 and also whether the accredited data recipient will need to comply with CDR outsourcing arrangements relating to outsourced service providers. See Chapter 6 (Privacy Safeguard 6).
Privacy Safeguard 7
8.47 In addition to Privacy Safeguard 8, an accredited data recipient should consider Privacy Safeguard 7 where they are seeking to disclose CDR data to engage in permitted direct marketing activities. See Chapter 7 (Privacy Safeguard 7).
Privacy Safeguard 9
8.48 In addition to Privacy Safeguard 8, an accredited data recipient should also consider Privacy Safeguard 9 where CDR data it is seeking to disclose to an overseas recipient contains government identifiers. See Chapter 9 (Privacy Safeguard 9).
Footnotes
[1] Competition and Consumer Act, section 56EK.
[2] The relevant privacy safeguards are the privacy safeguard penalty provisions as defined in section 56EU of the Competition and Consumer Act (Privacy Safeguards 3–13 inclusive, and the requirement to have a CDR policy in Privacy Safeguard 1).
[3] CDR Rules, rule 1.10, subrule 1.16(1), paragraph 7.5(1)(d) and rule 7.6. For more information on CDR outsourcing arrangements, please refer to Chapter B (Key concepts).
[4] A CDR representative arrangement is a written contract between a CDR representative and their CDR principal that meets the minimum requirements listed in subrule 1.10AA(2) of the CDR Rules.
[5] CDR Rules, paragraph 1.10AA(2)(f).
[6] See Chapter B (Key concepts) for more information on ‘CDR principal’, ‘CDR representative’, ‘CDR representative arrangement’ and ‘service data’.
[7] CDR Rules, subrule 7.8A(1). See also rule 1.16A in relation to a CDR principal’s obligations and liability.
[8] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies (APP entities).
[9] Privacy Safeguard 8 applies from the point when the accredited person becomes an accredited data recipient of the CDR data. An accredited person becomes an accredited data recipient for CDR data when:
- CDR data is held by (or on behalf of) the person
- the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules, and
- the person is neither a data holder, nor a designated gateway, for the first mentioned CDR data. See section 56EK of the Competition and Consumer Act.
[10] The APPs do not apply to an accredited data recipient of CDR data, in relation to that CDR data: Competition and Consumer Act, paragraph 56EC(4)(a). However, subsection 56EC(4) does not affect how the APPs apply to accredited persons and accredited data recipients who are APP entities, in relation to the handling of personal information outside the CDR system. (Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See Privacy Act, subsection 6E(1D).) Subsection 56EC(4) also does not affect how the APPs apply to an accredited person who does not become an accredited data recipient of the CDR data (other than for Privacy Safeguards 1–4). See Competition and Consumer Act, paragraph 56EC(5)(aa).
[11] In this chapter, references to data holders include AEMO. See Chapter B (Key concepts) for further information about how the privacy safeguards apply to AEMO.
[12] Whether an accredited data recipient retains effective control over the data does not affect whether data is ‘disclosed’.
[13] Being a body corporate, body politic or individual.
[14] Competition and Consumer Act, paragraph 56EK(1)(b).
[15] This includes Privacy Safeguard 6 and the CDR Rules relating to permitted disclosures (CDR Rules, subrules 7.5(1) and 7.5(2), and rules 7.5A, 7.6 and 7.7); Privacy Safeguard 7 and the CDR Rules relating to disclosure of CDR data for direct marketing (CDR Rules, subrule 7.5(3), and rules 7.6 and 7.8); Privacy Safeguard 9 relating to disclosure of government related identifiers; CDR Rules relating to AP disclosure consents (e.g. CDR Rules, rule 4.7B, paragraph 7.5(1)(ca) and 7.5(1)(g) and subrule 7.5A(1); CDR Rules relating to TA disclosure consents (e.g. CDR Rules, paragraph 7.5(1)(ca) and subrule 7.5A(2)); CDR Rules relating to insight disclosures (e.g. CDR Rules, paragraph 7.5(1)(ca) and subrule 7.5A(3)); and CDR Rules relating to outsourced service providers and CDR outsourcing arrangements (e.g. CDR Rules paragraph 7.5(1)(d) and rule 7.6).
[16] The relevant privacy safeguards are the privacy safeguard penalty provisions defined in section 56EU of the Competition and Consumer Act (Privacy Safeguards 3–13 inclusive, and the requirement to have a CDR policy in Privacy Safeguard 1).
[17] Competition and Consumer Act, paragraph 56EK(1)(c).
[18] Under the CDR Rules, an accredited data recipient may only disclose CDR data to an accredited person where they have a ‘disclosure consent’ from the consumer: see CDR Rules, rule 1.10A. A disclosure consent is a consent given by a consumer for the accredited data recipient to disclose CDR data to an accredited person, either in response to a consumer data request (an ‘AP disclosure consent’) or for the purposes of direct marketing: CDR Rules, paragraph 1.10A(1)(c). Disclosure of CDR data to an accredited person under an ‘AP disclosure consent’ has been permitted since 1 July 2021: CDR Rules, subrule 7.5A(1). For further information on disclosure consents, see Chapter C (Consent).
[19] Explanatory Memorandum, Treasury Laws Amendment (Consumer Data Right) Bill 2019, section 1.351.
[20] Competition and Consumer Act, paragraph 56EK(1)(d).
[21] Competition and Consumer Act, subsections 56EK(2) and 56EK(3). See also Competition and Consumer Act, section 56AU.
[22] CDR Rules, rule 1.10, subrule 1.16(1), paragraph 7.5(1)(d) and rule 7.6. For more information on CDR outsourcing arrangements, please refer to Chapter B (Key concepts).
[23] Competition and Consumer Act, paragraph 56EK(1)(e).
[24] The relevant privacy safeguards are the privacy safeguard penalty provisions as defined in section 56EU of the Competition and Consumer Act (Privacy Safeguards 3–13 inclusive, and the requirement to have a CDR policy in Privacy Safeguard 1).
[25] Competition and Consumer Act, subsection 56EK(2).
[26] See also Competition and Consumer Act, section 56AU. Please also note the similar liability position under rule 7.6 of the CDR Rules relating to outsourced service providers where the use, disclosure or collection of CDR data by the outsourced service provider (or by one of its subcontractors) is taken to be the use, disclosure or collection of the principal under the CDR outsourcing arrangement whether or not in accordance with the arrangement between the parties.
[27] See also Competition and Consumer Act, subsection 56AU(1), which provides that the conduct of agents of a CDR entity is attributable to the CDR entity.