Consultation paper: international money transfers public interest determination applications

Download the printable version

Download the Word version

Purpose of consultation paper

The Office of the Australian Information Commissioner (OAIC) is seeking your views in relation to two applications it has received for public interest determinations (PIDs) in relation to International Money Transfers (IMTs).

Background

Part VI of the Privacy Act 1988 gives the Australian Information Commissioner (Information Commissioner) the power to make a determination, by legislative instrument, that an act or practice of an Australian Government agency, or a private sector organisation, which may constitute a breach of an Australian Privacy Principle (APP) shall be regarded as not breaching that APP for the purposes of the Privacy Act.

In doing so, the Information Commissioner must be satisfied that the public interest in the act or practice, substantially outweighs the public interest in adhering to the APP. A determination made under Part VI is referred to as a public interest determination (PID). The Information Commissioner also has the power to make a temporary public interest determination (TPID), in limited circumstances, where a PID application raises issues that require an urgent decision.

A PID and TPID can both provide that the determination will have general effect — that is, it will apply to acts and practices engaged in by APP entities that were not a party to the application.

Applications for new public interest determinations received

The OAIC has received two applications for PIDs under section 73 of the Privacy Act.

1. An application from the Reserve Bank of Australia (RBA), received on 2 December 2019
2. An application from the Australia and New Zealand Banking Group Limited (ANZ), received on 5 December 2019.

Owing to the similar nature of the applications, the OAIC considers that consultation on both applications can occur in the same process.

The applications seek new PIDs to permit ANZ—along with other authorised-deposit taking institutions within the meaning of the Banking Act 1959 (ADIs)—and the RBA to disclose the personal information of a beneficiary of an IMT to an overseas financial institution when processing an IMT without breaching the APPs.

These new PIDs would replace existing PIDs concerning IMTs that are due to sunset on 25 February 2020:

1. Privacy (International Money Transfers) Public Interest Determination 2015 (No. 1) (made under subsection 72(2) in respect of the ANZ)
2. Privacy (International Money Transfers) Public Interest Determination 2015 (No. 2) (made under subsection 72(2) in respect of the RBA), and
3. Privacy (International Money Transfers) Generalising Determination 2015 (made under subsection 72(4) that no other ADI is taken to contravene section 15 or 26A if, while that determination is in force).

These PIDs have allowed the ANZ, other ADIs, and the RBA to continue their existing practices in relation to processing IMTs without breaching the Privacy Act since 2014.

The applications for PIDs from both the RBA and ANZ are substantially similar to those received previously in 2014. Therefore, it is proposed that new PIDs (set out as draft determinations in the Consultation Paper) be made on substantially the same terms as the PIDs that are currently in force.

In its application, the RBA has acknowledged that the Commissioner may make a generalising determination under section 72(4) of the Privacy Act to apply to all ADIs that process IMTs, and the RBA supports this. The RBA is not an ADI and, therefore, has sought its own determination under s 72(2).[1] In its application, the ANZ has also acknowledged that the Commissioner can make a generalising determination.

Due to the limited period of time available between lodging of the applications to the OAIC and the expiry of the PIDs, both ANZ and the RBA have included a request for temporary public interest determinations (TPIDs) in the event that PIDs are unable to be registered prior to sunsetting on 25 February 2020. If significant issues are raised during consultation, it is open to the Commissioner to make TPIDs which would preserve the status quo whilst also allowing for a further period of time to consider the applications for longer-term PIDs.

View ANZ’s application for a public interest determination

View RBA’s application for a public interest determination

Purpose of consultation

The OAIC has issued this consultation paper to assist interested parties in preparing comments as part of the Commissioner’s consideration of the PID applications and the proposed making of PIDs to replace existing PIDs.

This consultation paper, the applications and the draft PIDs are available from the OAIC’s website at www.oaic.gov.au.

How to make comments

Submissions can be made by:

Email: consultation@oaic.gov.au

Post: GPO Box 5218 Sydney NSW 2001

The closing date for submissions is Friday 31 January 2020.

The OAIC intends to make all submissions publicly available. Please indicate when making your submission if it contains confidential information you do not want made public and why it should not be published. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (FOI Act).

Although you may lodge submissions electronically or by post, electronic lodgement is preferred. To help meet accessibility obligations, please provide your submission in a web accessible format or, alternatively, in a format that will allow conversion to HTML code — for example Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.

Consultation questions

The OAIC seeks views on the following matters:

1. What additional steps (if any) ANZ, other ADIs, and the RBA could take to comply with APP 8.1 (that is, to ensure that the overseas financial institution to which they disclose the beneficiary’s personal information does not breach the APPs in relation to that information).
2. Whether ANZ, other ADIs, and the RBA should remain accountable for the handling of the beneficiary’s personal information by the overseas financial institution under s 16C (that is, whether ANZ, the relevant ADI, or the RBA as the case may be, or the beneficiary, should bear the risk of the overseas financial institution not handling the beneficiary’s personal information in accordance with the APPs).
3. Whether the draft PIDs in Attachments A to C should only apply to a disclosure by ANZ, another ADI or the RBA, as the case may be, to an overseas financial institution that takes place over the SWIFT network.
4. The extent to which the draft PIDs in Attachments A to C are inconsistent with an individual’s reasonable expectation of privacy.
5. The nature of the public interest objectives served by the proposed interference with privacy.
6. The impact on the public interest if PIDs are not made.
7. Any relevant matters which have changed since 2015 and may impact on the public interest test.
8. The number of years that the PIDs, if made, should remain in force.

These questions are not intended to limit the issues that may be raised. You may wish to respond to some or all questions, or to raise other issues related to the applications.

Privacy collection statement

The OAIC will use the personal information it collects in the course of this consultation only for the purpose of considering and dealing with the applications.

Legislation overview and the ANZ and RBA applications

Provisions for public interest determinations

In limited circumstances, the Privacy Act enables the Commissioner to examine a matter and, if appropriate, to issue a PID that permits certain activities that may otherwise breach an APP.

The Commissioner may make a PID under s 72 of the Privacy Act by declaring that a specific act or practice of an APP entity will not be in breach of the APPs, where the Commissioner is satisfied that the public interest in doing so substantially outweighs the public interest in adhering to the APP in question. Where a matter requires an urgent decision, the Commissioner may make a temporary PID under s 80A(2) for a period of up to 12 months, while the Commissioner considers the matter further.

Where a PID is issued, the Commissioner may also decide to issue a determination under s 72(4) giving general effect to the PID. A generalising determination has the effect of permitting APP entities, other than the applicant, to do an act or practice that is the subject of the PID, without breaching the APPs.

Applications

As noted above, the OAIC has received two PID applications: one from ANZ and the other from the RBA (also acknowledging that the Commissioner may make a generalising determination).

The ANZ and RBA applications state that, in the absence of a PID, they may breach APP 8.1 when processing an IMT. Further, that they may also be taken to breach another APP (other than APP 1) as a result of being held accountable for an act or practice of an overseas financial institution in relation to personal information disclosed when processing an IMT (in accordance with s 16C(2)), in circumstances where it is not practicable for them to take further steps to prevent such breaches.

Existing Public Interest Determinations

On 19 February 2015 the Commissioner made the following PIDs:

1. Privacy (International Money Transfers) Public Interest Determination 2015 (No. 1) (ANZ PID)
2. Privacy (International Money Transfers) Public Interest Determination 2015 (No. 2)
3. Privacy (International Money Transfers) Generalising Determination 2015.

These determinations allowed the ANZ, other ADIs, and the RBA to continue their existing practices in relation to processing IMTs without breaching the Privacy Act. These determinations will sunset on 25 February 2020.

Background to the international money transfer process

The following information is drawn from the applications.

An IMT is the term used for a payment made by an Australian sender to a beneficiary outside of Australia.[2] The IMT process is usually initiated by the sender (an ADI customer) completing an IMT application form. To perform an IMT, it is mandatory for an ADI to disclose the personal information of the beneficiary of the IMT to an overseas financial institution. The personal information required to process an IMT will generally include the name and account information of the beneficiary. However, some overseas financial institutions require the ADI to provide further information, such as the account name, residential address of the beneficiary and additional details about the sender and beneficiary. Generally, this additional information is requested because of in-country regulatory requirements, anti-money laundering (AML) and counter-terrorism financing (CFT) requirements or to allow sanction checks to be performed.

Both ANZ and the RBA utilise a range of processes to effect an IMT which generally include the use of the SWIFT system as part of the process. In the majority of cases, ANZ and other ADIs use the SWIFT network directly for IMTs. Alternatively, ANZ and other ADIs may transfer funds to an offshore branch or subsidiary that will then make a payment to the beneficiary’s financial institution within that jurisdiction.

The SWIFT network is a member-owned cooperative established in 1973. In their applications, ANZ and RBA note that:

• the SWIFT network is used by more than 10,000 financial institutions, securities institutions and corporate customers in over 200 countries
• the SWIFT network is a secure and highly confidential network, which facilitates the transfer of payments and other financial messages between SWIFT users
• high levels of confidentiality are imposed and security is reinforced through the encryption of messages
• SWIFT is also subject to a governance structure and publicly available data retrieval policies that enable SWIFT to meet the security commitments required by users
• there are three categorised groups of users: supervised financial institutions, non-supervised entities active in the financial industry and closed user groups/corporate entities
• SWIFT users are only able to send financial messages within their user category (therefore a user, for example ANZ, is only able to send financial messages within their user category)
• SWIFT has documented, neutral and risk based processes to validate SWIFT users on an ongoing basis
• once a financial institution becomes a SWIFT user, it can transact with other financial institutions through ‘account relationships’ (which are contractual relationships) or by using the ‘Relationship Management Application’ within SWIFT, which allows for the processing of IMTs without an account relationship.

If ANZ or another ADI does not have an account relationship with the beneficiary’s overseas financial institution, it may still transfer money using SWIFT by sending payment instructions to an ‘intermediary bank’ (also a SWIFT user), which will then route the payment instructions to the beneficiary’s financial institution. More than one intermediary bank may be involved in the process before the money reaches the beneficiary’s financial institution.

IMTs are also processed via ANZ’s or another ADI’s own commercial arrangements, with or without the use of the SWIFT network. For example, ANZ and other ADIs may transfer funds to an offshore branch or subsidiary that will then make a payment to the beneficiary’s financial institution within that jurisdiction using the SWIFT Network or the local payment and settlement system. ANZ submitted that payments between ANZ entities will be at least as secure as SWIFT as it occurs within ANZ’s own firewall and the local payment and settlement system will be a regulated and secure environment.

In some instances, IMTs are processed by the RBA using the SWIFT network in the same way as ANZ and other ADIs, as described above. In other instances, the RBA initially transfers the relevant payment instructions to an ‘Agent’ (a foreign bank whose Australian branch is an ADI) through a secure dedicated network. That Agent then uses the SWIFT network.

However, in most instances, the RBA transfers the relevant payment instructions through a secure dedicated network to the Agent. That Agent (or its related entity or agent) then arranges for payment to the beneficiary’s financial institution using the local payment and settlement system. The RBA’s application notes that these types of local settlement system payments operate in a regulated and secure environment in which transfers are completed.

The RBA has a contract in place with Agents which contains obligations on the Agent including:

• to use and disclose personal information only for the purposes of the contract
• not to breach the APPs (while providing that the Agent will not be taken to be in breach in connection with payment and disclosure of personal information of a beneficiary for the purpose of remitting funds to the beneficiary’s financial institution)
• to comply with any request reasonably made by the RBA to comply with the Privacy Act and any other relevant privacy law, and
• to ensure that its representatives are made aware of and comply with the Agent’s obligations in relation to personal information.

The applications from ANZ and the RBA outline in considerable detail (and with diagrams) the IMT processes used by ANZ and other ADIs, and the RBA respectively. Interested parties should refer to the applications for a full explanation of those processes.

Relevant Australian Privacy Principles

APP 8 and s 16C

APP 8 regulates the cross-border disclosure of personal information. Under APP 8.1, before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to that information. APP 8.2 sets out a number of exceptions to this requirement, including if:

• the entity reasonable believes that:
  • the recipient of the information is subject to a law or binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and
  • there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme (APP 8.2(a)), or
• both of the following apply:
  • the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure, and
  • after being so informed, the individual consents to the disclosure (APP 8.2(b)).

APP 8 applies when an APP entity discloses personal information. An APP entity discloses personal information when it makes it accessible to others outside of the entity and releases the subsequent handling of that information from its effective control.[3]

Where APP 8.1 applies and the overseas recipient is not bound by the APPs, the entity will also be held accountable if the overseas recipient does an act or engages in a practice in relation to the personal information that would breach an APP (other than APP 1) (s 16C). That is, ANZ, another ADI or the RBA (as applicable) will be taken to have breached the APP.

Together, APP 8.1 and s 16C create a framework for the cross-border disclosure of personal information that reflects a central object of the Privacy Act: ‘to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected’ (s 2A(f)).

To comply with APP 8.1, the Commissioner generally expects that the relevant APP entity will enter into an enforceable contractual arrangement with an overseas recipient that requires the overseas recipient to handle personal information in accordance with the APPs (other than APP 1). However, it is acknowledged that whether a contract is required, and the terms of the contract, will depend on the circumstances, including the:

• sensitivity of the personal information
• the entity’s relationship with the overseas recipient
• possible adverse consequences if the personal information is mishandled by the overseas recipient
• existing technical and operational safeguards implemented by the overseas recipient
• practicability of entering into an enforceable contractual arrangement.[4]

Compliance with APPs when processing an international money transfer

Both ANZ and the RBA note in their applications that the exemptions in APP 8.2 are not generally available in the context of the IMT process.

As noted above, the IMT process may involve as many as 10,000 SWIFT-member financial institutions in more than 200 countries.

ANZ stated that the nature of the IMT process with a wide range and significant volume of transactions makes it impractical to have enforceable contractual relationships with every potential overseas recipient.

Both ANZ and the RBA submitted that:

• it would not be practical to obtain up-to-date legal advice on the privacy regimes of every jurisdiction to which IMTs may be sent—which may include any jurisdiction that has a functioning banking system. The RBA noted that there are currently 146 jurisdictions to which IMTs initiated by RBA customers are sent.
• even if they did obtain such legal advice, those countries which do not have substantially similar privacy schemes and do not allow individuals to take action to enforce protection of their personal information, would fall outside of the exception in APP 8.2(a).

This would result in an inability to send IMTs to beneficiaries in particular countries and likely disadvantage both the sender and the beneficiary. ANZ has noted that that may motivate senders to rely on less secure means of processing IMTs, for example, through less formal money remittance services.

Further, ANZ and the RBA submitted that their role in the IMT process is limited to collecting the information about the beneficiary from the sender of the IMT. There is no legal (or other) relationship between either the RBA or ANZ and the beneficiary, and there would not be an opportunity for ANZ or the RBA to seek the beneficiary’s consent in accordance with the exception in APP 8.2(b) prior to processing the IMT. Further, ANZ and RBA submitted that due to the large volume of IMTs processed, it would not be feasible to contact each beneficiary across a wide range of jurisdictions to obtain their consent before disclosing their personal information in connection with the IMT process.

ANZ and the RBA both submitted that as they cannot rely on any of the relevant APP 8.2 exceptions, they will need to comply with APP 8.1 when processing IMTs and take reasonable steps to ensure that the overseas financial institution receiving the beneficiary’s personal information does not breach the APPs when handling that information. Both ANZ and the RBA submitted that it is not practicable to have enforceable contractual arrangements with every potential overseas financial institution to which they might disclose the beneficiary’s personal information when processing an IMT. Rather, when using the SWIFT network to process IMTs, ANZ, other ADIs and the RBA rely on the relationships created by the SWIFT network.

Further, ANZ has noted that each bank that received information as part of an IMT transaction is operating under its own privacy regime and there would be little to no incentive to agree to separate privacy standards to process IMTs received from ANZ. In addition, ANZ submitted that it is unlikely that overseas financial institutions would agree to enter into contracts requiring them to handle personal information in accordance with the APPs given the protections afforded by the SWIFT network. As such, it is not feasible for it, or another ADI, to try to alter SWIFT to impose contractual obligations on other SWIFT users requiring them to comply with the APPs in relation to the personal information of IMT beneficiaries.

ANZ has noted that it has not received any complaints from beneficiaries relating to how their personal information is dealt with in processing IMTs since Privacy (International Money Transfers) Public Interest Determination 2015 (No. 1) commenced. ANZ has further submitted that the collection and disclosure of the beneficiary’s name and account number enables ANZ to comply with mandatory AML and CTF obligations.

The RBA indicated in its application that it mostly uses an Agent to process IMTs (as explained above) and that it has a contract with the Agent which contains obligations in relation to the handling of personal information. The RBA submitted that the RBA and the Agent recognise that it is not reasonable to expect that the Agent would accept an obligation to ensure that all organisations in the payment chain agree to comply with the APPs.

ANZ and the RBA submitted that although they take steps to protect the beneficiary’s information where it is disclosed overseas during the processing of an IMT (for example, whether the transfer occurs as part of the SWIFT network or outside of this network, there are mechanisms in place to ensure the security and confidentiality of that information), there continues to be uncertainty about whether these steps would satisfy the ‘reasonable steps’ test in APP 8.1. For this reason, ANZ, any other ADI or the RBA may breach APP 8.1 when disclosing a beneficiary’s personal information to an overseas financial institution during the processing of IMTs.

Further, both ANZ and the RBA submitted that, it would not be practicable to take further steps to ensure that the overseas financial institution does not do an act or engage in a practice that would breach the APPs, there is a risk that they will be taken to have breached the APPs (other than APP 1) as a result of s 16C(2).

Public interest

Public interest benefits associated with making a PID to allow the IMT process to continue in its current form

In its application, ANZ outlined a number of public interest benefits associated with making IMTs available to Australian ADI customers:

• IMTs allow individuals to benefit from the global movement of money. They can be used, for example, to allow families to support one another over long distances, and allow private transactions to take place involving parties in different jurisdictions.
• IMTs provide simple, secure, cost-effective and reliable means for the global transfer of money.
• IMTs provide payment security and transaction certainty. This also assists government to better enforce AML and CTF rules.
• IMTs are an important element of international financial relations, with SWIFT processing a daily average of 31.3 million payment messages.
• Australia is one of the largest economies in the world, a leading economy in the Asia Pacific Region and a member of the Group of 20 Nations. The IMT process, in its current form, is one component of the global financial system, and Australia is a significant contributor to that system. ANZ submitted that it would be detrimental for Australia’s reputation as a leading international financial participant if it becomes impracticable for ADIs in Australia to process IMTs. Maintaining the certainty, reliability and efficiency of IMT processing by ADIs in Australia serves an important public interest within the context of Australia’s role within the global economy.

The RBA submitted that the public benefits in RBA processing IMTs include:

• IMTs allow the government to meet its obligations to overseas beneficiaries in a timely and secure manner.
• IMTs provide payment security and transaction certainty. This assists government to better enforce AML and CTF requirements.
• The IMT process, in its current form, is one component of the global financial system, and Australia is a significant contributor to that system. Maintaining the certainty, reliability and efficiency of IMT processing serves an important public interest within the context of Australia’s role within the global community.

Public interest benefits associated with not making PIDs to allow the IMT process to continue in its current form

ANZ and the RBA both submitted that the main public benefit associated with APP 8 compliance during IMT processing is to ensure the protection of the personal information of beneficiaries.

ANZ noted that, in this respect, personal information is already protected in a number of ways when processing IMTs:

• Disclosure to an overseas financial institution is conducted within a secure environment. IMTs are processed in a heavily regulated and controlled environment, the basis of which is a trusted network of relationships between financial institutions. Where IMTS are processed using the SWIFT network, personal information is protected by a secure and highly protected proprietary system. Otherwise ANZ only sends payment messages to financial institutions that are licenced, authorised or registered with and subject to the supervision of that financial market regulator.
• The disclosures that do occur as part of the IMT process are the minimum needed to allow the IMT to be processed.
• The current IMT process is a successful and secure means of conducting international money transfers. ANZ stated that it is not aware of any complaint being made by a beneficiary in relation to the offshore disclosure of their personal information in order to process an IMT.

The RBA indicated that, in line with the practices of other Australian banks, it is currently protecting the security and confidentiality of any personal information that needs to be sent overseas in order to process an IMT.

The draft public interest determinations

Given the considerations above, the Commissioner’s preliminary view is that PIDs should be made to permit the ongoing processing of IMTs by ANZ and the RBA in the manner described in their applications. Although the risk of breaching APP 8.1 may be minor, the Commissioner’s preliminary view is that the PIDs should extend to cover a breach of APP 8.1 (in addition to a breach of an APP (other than APP 1) by reason of s 16C) given the significant detrimental consequences that may result from a disruption to the IMT process.

Further, the Commissioner is of the view that the considerations that apply to ANZ in relation to the processing of IMTs apply equally to other ADIs that undertake IMTs, and that a generalising determination should be made to cover all other ADIs.

The OAIC has not received any complaints in relation to the three PIDs that are currently in force.

Therefore, subject to the result of this consultation, the Commissioner proposes that the draft PIDs in Attachments A to C be made for a period of 5 years. The Commissioner considers this to be an appropriate period of time, as it will provide certainty for all ADIs and the RBA, but will also enable the Commissioner to assess any impacts that emerge; including any impacts resulting from changes to the SWIFT network and any complaints by beneficiaries about the handling of their personal information.

If significant issues are raised during consultation, it is open to the Commissioner to make TPIDs which would preserve the status quo whilst also allowing for a further period of time to consider the applications for longer-term PIDs.

The draft PIDs would permit ANZ and the RBA to disclose the beneficiary’s personal information to an overseas financial institution for the purpose of processing an IMT in circumstances where:

• ANZ and the RBA are not in a position to take additional steps to comply with APP 8.1
• it is not practicable for ANZ and the RBA to rely on the relevant exceptions in APP 8.2, and
• ANZ and the RBA take a number of steps to ensure the security and confidentiality of the personal information disclosed
• in the case of the RBA, the RBA does not have a contractual relationship with the overseas financial institution that obliges the overseas financial institution to comply with the APPs other than APP 1.

Where the overseas financial institution does an act or practice that may lead to either entity being taken to have breached an APP (other than APP 1) by reason of the application of s 16C(2), the draft PIDs would relieve them of this accountability. The draft of the generalising determination in Attachment B makes the draft PID in Attachment A (in respect of ANZ) apply to all other ADIs.

In all other respects, the privacy protection afforded by the APPs will continue to apply to ANZ, other ADIs and the RBA in relation to the beneficiary’s personal information.

Attachment A: Draft Privacy (International Money Transfers) Public Interest Determination 2020 (No. 1)

I, Angelene Falk, Privacy Commissioner, make the following public interest determination under subsection 72(2) of the Privacy Act 1988 (Privacy Act).

Dated: [dd mm] 2020
Signed

Angelene Falk
Privacy Commissioner

1 Name of public interest determination

This public interest determination is the Privacy (International Money Transfers) Public Interest Determination 2020 (No. 1).

2 Authority

This public interest determination is made under subsection 72(2) of the Privacy Act.

3 Commencement

This public interest determination commences on [dd mm] 2020.

4 Expiry

This public interest determination expires at the end of [dd mm yyyy] as if it had been repealed by another instrument.

5 Repeal

The Privacy (International Money Transfers) Public Interest Determination 2015 (No. 1)(FRLI F2015L00199) is repealed immediately before this public interest determination commences.

6 Definitions

Terms defined in the PrivacyAct have the same meanings in this public interest determination.

7 Application for a public interest determination

(1) Australia and New Zealand Banking Group Limited (ANZ) is an APP entity under subsection 6(1) of the Privacy Act because it is an organisation under section 6C of the Privacy Act.

(2) ANZ has applied under section 73 of the Privacy Act for a public interest determination in relation to the acts and practices set out in section 8 below.

8 International money transfer processing

(1) The disclosure of personal information about an individual to an overseas recipient by ANZ breaches, or may breach, Australian Privacy Principle (APP) 8.1 where:

1. ANZ, as an authorised deposit-taking institution within the meaning of the Banking Act 1959, is processing an international money transfer (IMT) on behalf of one of its customers, and
2. in order to process the international money transfer, ANZ discloses personal information of the individual who is the beneficiary of the IMT (beneficiary) to another financial institution that is not in Australia or an external Territory (overseas financial institution) for the purpose of:
   1. remitting the relevant funds, to the beneficiary’s financial institution for payment, or
   2. a communication that is necessary to confirm receipt of the funds or to facilitate processing or return of the funds by the beneficiary’s financial institution.

(2) The acts and practices set out in subsection (1) above may also lead to ANZ breaching other APPs (other than APP 1) by reason of the application of subsection 16C(2) of the Privacy Act if the overseas financial institution does an act, or engages in a practice, in relation to the information that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.

9 Public Interest

(1) The public interest in ANZ carrying out the acts and practices set out in section 8 above outweighs to a substantial degree the public interest in adhering to APP 8.1 or ANZ being taken to have breached an APP (other than APP 1) as a result of the acts of practices of the overseas financial institution where:

1. it is not practical for ANZ to rely on the exceptions set out at APP 8.2(a) or APP 8.2(b) when disclosing the personal information,
2. the other exceptions in APP 8.2 are not relevant to the disclosure of the personal information,
3. ANZ takes a number of steps to ensure the security and confidentiality of the personal information disclosed, and
4. the nature of the arrangements that support and facilitate the processing of IMTs means that ANZ is not in a position to take additional steps to comply with APP 8.1 before disclosing the personal information.

(2) For the purpose of paragraph 9(1)(a) above, it may not be practical for ANZ to rely on the exception at APP 8.2(a) when engaging in the acts and practices set out in section 8 due to:

1. the potentially large number of overseas locations to which the personal information may be disclosed, and
2. ANZ not having any relationship with the beneficiary, or the means to establish that relationship, in order to gain the beneficiary’s consent to the disclosure of the personal information.

10 Public interest determination

(1) Accordingly, by operation of subsection 72(3) of the Privacy Act, while this public interest determination is in force ANZ is taken not to breach section 15 of the Privacy Act if:

1. ANZ breaches APP 8.1 when engaging in the acts and practices set out in section 8 above, or
2. an overseas financial institution does an act, or engages in a practice, in relation to the personal information disclosed to it by ANZ in the course of ANZ doing the acts or engaging in the practices set out in section 8 above, that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.

Attachment B: Draft Privacy (International Money Transfers) Generalising Determination 2020

I, Angelene Falk, Privacy Commissioner, make the following public interest determination under subsection 72(4) of the Privacy Act 1988 (Privacy Act).

Dated: [dd mm] 2020
Signed

Angelene Falk
Privacy Commissioner

1 Name of determination

This determination is the Privacy (International Money Transfers) Generalising Determination 2020.

2 Authority

This determination is made under subsection 72(4) of the Privacy Act 1988.

3 Commencement

This determination commences on [dd mm] 2020.

4 Expiry

This determination expires at the end of [dd mm yyyy] as if it had been repealed by another instrument.

5 Repeal

The Privacy (International Money Transfers) Generalising Determination 2015(FRLI - F2015L00201) is repealed immediately before this determination commences.

6 Definitions

Terms defined in the Privacy Act have the same meanings in this determination.

7 Giving the public interest determination general effect

(1) Noting that Privacy (International Money Transfers) Public Interest Determination  2020 (No. 1) applies to the disclosure of personal information to an overseas recipient where:

1. Australia and New Zealand Banking Group Limited (ANZ), as an authorised deposit-taking institution within the meaning of the Banking Act 1959 (ADI), is processing an international money transfer (IMT) on behalf of one of its customers, and
2. in order to process the IMT, ANZ discloses personal information of the individual who is the beneficiary of the IMT (beneficiary) to another financial institution that is not in Australia or an external Territory (overseas financial institution) for the purpose of:
   1. remitting the relevant funds to the beneficiary’s financial institution for payment, or
   2. a communication that is necessary to confirm receipt of the funds or to facilitate processing or return of the funds by the beneficiary’s financial institution.

(2) No other ADI is taken to breach section 15 of the Privacy Act while Privacy (International Money Transfers) Public Interest Determination 2020 (No. 1) is in force if:

1. the ADI breaches Australian Privacy Principle 8.1 when engaging in the acts and practices described in Privacy (International Money Transfers by ANZ) Public Interest Determination 2014 (No. 1) and set out in subsection 7(1) above, or
2. an overseas financial institution does an act, or engages in a practice, in relation to the personal information disclosed to it by the ADI in the course of the ADI engaging in the acts and practices described in Privacy (International Money Transfers) Public Interest Determination  2020 (No. 1) and set out in subsection 7(1) above, that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.

Attachment C: Draft Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2)

I, Angele Falk, Privacy Commissioner, make the following public interest determination under subsection 72(2) of the Privacy Act 1988 (Privacy Act).

Dated: [dd mm] 2020
Signed

Angelene Falk
Privacy Commissioner

1 Name of public interest determination

This public interest determination is the Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2).

2 Authority

This public interest determination is made under subsection 72(2) of the Privacy Act 1988 (Privacy Act).

3 Commencement

This public interest determination commences on [dd mm] 2020.

4 Expiry

This public interest determination expires at the end of [dd mm yyyy] as if it had been repealed by another instrument.

5 Repeal

The Privacy (International Money Transfers) Public Interest Determination 2015 (No. 2) (FRLI - F2015L00200) is repealed immediately before this public interest determination commences.

6 Definitions

Terms defined in the Privacy Acthave the same meanings in this public interest determination.

7 Application for a public interest determination

(1) The Reserve Bank of Australia (RBA) is an APP entity under subsection 6(1) of the Privacy Act because it is an agency under section 6(1) of the Privacy Act, and an organisation under section 7A(3) of the Privacy Act for particular acts and practices.

(2) The RBA has applied under section 73 of the Privacy Act for a public interest determination in relation to the acts and practices set out in section 8 below.

8 International money transfer processing

(1) The disclosure of the personal information about an individual to an overseas recipient by the RBA breaches or may breach Australian Privacy Principle (APP) 8.1 where:

1. the RBA, as authorised to carry out banking business under the Banking Act 1959 and the Reserve Bank Act 1959, is processing an international money transfer (IMT) on behalf of one of its customers, and
2. in order to process the IMT, the RBA discloses personal information of the individual who is the beneficiary of the IMT (beneficiary) to another financial institution thatis not in Australia or an external Territory (overseas financial institution) for the purpose of:
1. remitting the relevant funds to the beneficiary’s financial institution for payment, or
2. a communication that is necessary to confirm receipt of the funds or to facilitate processing or return of the funds by the beneficiary’s financial institution, and
3. the RBA does not have a contractual relationship with the overseas financial institution that obliges the overseas financial institution to comply with the APPs other than APP 1.

(2) The acts and practices set out in subsection (1) above may also lead to the RBA breaching other APPs (other than APP 1) by reason of the application of subsection 16C(2) of the Privacy Act if the overseas financial institution does an act, or engages in a practice, in relation to the information that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.

9 Public Interest

(1) The public interest in the RBA carrying out the acts and practices set out in section 8 above outweighs to a substantial degree the public interest in adhering to APP 8.1 or the RBA being taken to have breached an APP (other than APP 1) as a result of the acts of practices of the overseas financial institution where:

1. it is not practical for the RBA to rely on the exceptions set out at APP 8.2(a) or APP 8.2(b) when disclosing the personal information,
2. the other exceptions in APP 8.2 are not relevant to the disclosure of the personal information,
3. the RBA takes a number of steps to ensure the security and confidentiality of the personal information disclosed, and
4. the nature of the arrangements that support and facilitate the processing of IMTs means that the RBA is not in a position to take additional steps to comply with APP 8.1 before disclosing the personal information.

(2) For the purpose of paragraph 8(1)(a) above, it may not be practical for the RBA to rely on the exception at APP 8.2(a) when engaging in the acts and practices set out in section 8 due to:

1. the potentially large number of overseas locations to which the personal information may be disclosed, and
2. the RBA not having any relationship with the beneficiary, or the means to establish that relationship, in order to gain the beneficiary’s consent to the disclosure of the personal information.

10 Public interest determination

(1) Accordingly, by operation of subsection 72(3) of the Privacy Act, while this public interest determination is in force the RBA is taken not to breach section 15 of the Privacy Act if:

1. the RBA breaches APP 8.1 when engaging in the acts and practices set out in section 7 above, or
2. an overseas financial institution does an act, or engages in a practice, in relation to the personal information disclosed to it by the RBA in the course of the RBA doing the acts or engaging in the practices set out in section 8 above, that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.