Australia and the APEC Cross-Border Privacy Rules (CBPR) System — submission to Attorney-General’s Department

27 July 2017

Our reference: D2017/005913

Information Law
Civil Law Unit
Attorney-General’s Department
3-5 National Circuit

By Email:

Submission on the Australia and the APEC Cross-Border Privacy Rules (CBPR) System

I welcome the opportunity to comment on the Attorney-General’s Department’s (AGD) consultation paper, Australia and the APEC Cross-Border Privacy Rules (CBPR) System (the consultation paper). I also note that my Office had the opportunity to contribute to the development of the consultation paper.

I understand that this consultation is intended to provide AGD with an understanding of stakeholder and community views on the CBPR system, to inform discussion, and advice to government, including on whether Australia should consider participation in the system.[1] In my view, this provides an important opportunity to gauge support for this initiative, as well as examine privacy concerns, some of which are outlined in the consultation paper.

As Australian Privacy Commissioner, I recognise that organisations carry on their business globally and that personal information is regularly disclosed, handled and stored overseas. Personal data protection is a global regulatory challenge. My Office is therefore committed to internationally coordinated approaches to privacy regulation. This includes participating in several international fora and arrangements to promote best privacy practice internationally, address emerging privacy issues in our region, and cooperate on cross-border privacy regulation and enforcement matters. As noted in the consultation paper, this includes participation in two cross-border privacy enforcement arrangements, the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN). Other examples include my Office’s participation in the Asia Pacific Privacy Authorities (APPA).

Given the increasing regional engagement in the CBPR system referred to in the consultation paper, I am particularly interested to understand whether there is broad industry and community support for Australia’s participation. I will also be looking to understand whether any privacy concerns raised in this consultation can be addressed by tailoring the implementation of this system to ensure consistency with Australia’ domestic privacy framework.

If there is support for Australia’s participation, I look forward to working with AGD to ensure the CBPR system is implemented in a way that maintains and builds upon the existing privacy protections set out in the Privacy Act 1988 (the Privacy Act), and reflects community expectations of privacy. In particular, I will be looking to ensure the CBPR system strikes a reasonable balance between facilitating the free flow of information across borders while ensuring that the privacy of individuals is respected, consistent with the objects of the Privacy Act.[2] This would include ensuring that the system, as implemented in Australia, provides for appropriate and accessible complaint and redress mechanisms.

If you would like to discuss these comments or have any questions, please contact Sophie Higgins, Director, Regulation & Strategy, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

27 July 2017


[1] See consultation paper, page 3.

[2] See Privacy Act, section 2A.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at