
Developing Tools for Global Privacy Compliance

Presentation by John McMillan, Australian Information Commissioner, to panel session at the 35th International Conference of Data Protection and Privacy Commissioners, Warsaw, 23-26 Sept 2013

A striking feature of this conference is that the global dimension of privacy regulation is an explicit theme in most sessions. Many of the examples that are given of privacy threats and challenges extend beyond national boundaries. Data protection and privacy enforcement commissioners are responding by broadening their focus.

Global compliance work is similarly a strong theme in the work of my office, the Office of the Australian Information Commissioner. We engage actively with global networks that have been mentioned today – such as the Asia Pacific Privacy Authorities Forum (APPA), the OECD Global Privacy Enforcement Network (GPEN), the APEC Cross Border Privacy Enforcement Arrangement and the alliance for Improving Practical and Helpful Cooperation Between Data Protection Authorities (PHAEDRA).

We see the benefits of working with other regulators, and indeed would not have been able to undertake some investigations or develop some educational material without drawing on support from other regulators and networks. We know too that privacy protection – locally, nationally and internationally – is advanced by promoting common privacy themes and tools, such as ‘Privacy by Design’ and Privacy Impact Assessments.

We are acutely conscious that the global dimension in privacy analysis is both inescapable and extremely valuable. Nevertheless, I am equally conscious, as the statutory head of a national regulatory body, that all our work – including developing tools for global compliance – must relate back to our national role. We cannot escape the legal and political reality that we are established under a national law that creates a legal framework within which we must work. The Privacy Act 1988 places jurisdictional limits on the matters we can investigate or take up, and limits the circumstances in which we can share information with other bodies or people.

It is also implicit in the national law that we have a legal duty to deal with each local problem that is brought to us. The work coming in the door sets the priorities of the office. Another dimension of being a national regulator is that your accountability is domestically or inwardly focussed, and your stature and respect must be developed locally. Indeed, a national regulator – in Australia at least – is at risk if it over-emphasises global compliance and culture. I could dwell on Australian exceptionalism, which is rooted in the geographic reality of being a large island continent, where a physical border neatly separates issues into being Australian or foreign.

In short, while we can think globally, we mostly act locally. My comments will accordingly focus on global compliance tools that have a national or domestic foundation. There are principally three areas where the external or global perspective in our work becomes important:

  • dealing with a data breach or potential privacy threat that operates across national boundaries
  • ensuring that personal information that originates in Australia is properly safeguarded when it is taken beyond the Australian border to a foreign location
  • interacting with businesses and organisations that conduct global activities.

1.  Dealing with a data breach or potential threat that operates across national boundaries

Examples of privacy breaches that cross national boundaries will be well known, and include Google Street View cameras, Google Glass, the Sony PlayStation data breach and the LinkedIn data breach.

Investigation of those broad-scale problems can be cumbersome for a national regulator. Considerable time can be spent identifying which aspect of a breach comes within the national law. Indeed, more time can be spent on that particular issue than on investigating the substantive alleged breach.

There can be an obvious practical and resource advantage in networking with other privacy enforcement authorities to avoid duplication, to share information and to synchronise the release of investigation findings. We do all of that. As well, there are promising projects underway to facilitate and streamline this activity further. GPEN, for example, is developing a secure access website for this purpose.

An additional point I would make – in a sense, my suggestion of a global compliance tool – is that as a general rule a national regulator should formally take the step of opening an investigation into a breach that may have occurred in many countries, even though some other office may carry the bulk of the investigation work.

It can be a salutary lesson for a global company to realise that it is potentially subject to multiple simultaneous investigations in many countries. It becomes that much harder for a company to be sure of the outcome and to avoid bad press. Indeed, the more investigations there are, the greater the risk for the company that one of the investigators will be unpredictable or rogue. As a practical matter, having opened an investigation, a national regulator then has the option of playing a minimalist role and allowing another office to take the lead investigatory role.

2.  Ensuring that personal information that originates in Australia is properly safeguarded if it moves to a foreign location

This is where a national regulator can have a big impact. The Australian Privacy Act has recently been amended to include a new Australian Privacy Principle (APP 8) on cross-border disclosure. In brief, an Australian entity that is subject to the Privacy Act (which includes both businesses and government agencies) must take reasonable steps to ensure that an overseas recipient of personal information does not breach any of the other Australian Privacy Principles that relate to standard matters such as purpose limitation, data security, and access and correction. An investigation and penalties can follow if there is a complaint. There are some necessary and obvious exceptions to this new cross-border principle – for example, cross-border responsibility does not apply if there is an intergovernmental agreement on data transfer, if an individual has given their informed consent to personal information being sent overseas, or if it is sent to a location in a country that has a privacy protection regime comparable to the Australian regime.

However, this new APP is presently focussing the mind of government and business, particularly given the prevalence of cloud storage of data in foreign locations, call centres being based overseas, and data sharing commonly occurring within and between global companies. It is one thing for a company to be responsible for a data breach occurring within its head office. It is a far greater concern to be responsible for a breach by a contractor in another country.

A related concern for an entity that transfers personal information overseas is that the entity may be subject to two or more sets of national privacy principles in relation to the same item of information. From a regulatory perspective, nothing can be more irksome for a company than to be subject to multiple regulatory frameworks, particularly if there are textual differences in the laws applying in each country.

It is therefore in a company’s self-interest to work at the international level to reduce its compliance burden by promoting the development of internationally harmonised privacy principles, and ensuring that its own global operations are privacy compliant. In summary, this national anchor can become an important global compliance tool.

3.  Interacting with businesses and organisations that have a global operation or reach

Many of the government agencies and corporations that my office interacts with conduct global operations or transactions. This provides an opportunity for a soft regulatory approach to promote best practice in personal information management. I will give two examples.

First, my office hosts two advisory committees – a Privacy Advisory Committee and an Information Advisory Committee – and the members of those committees include staff members from Google and from an Australian bank that operates globally. We develop a constructive working relationship with those representatives beyond the committee meetings. In their own companies they can become international emissaries for our domestic regulatory messages.

Secondly, my office is responsible, in addition to privacy protection, for access to information and information policy. Global corporations are among the strongest supporters of the open data movement, because they are among the most avaricious commercial consumers of government data. This alliance between their and our overlapping but different interests creates a good opportunity to build a strong and respectful relationship that buttresses our privacy enforcement role. When the need arises, it is easier for us to open their door to undertake a frank dialogue about a privacy enforcement issue. Indirectly, this is another global compliance tool.

Thank you for the opportunity to share these thoughts.