11 December 2020

8.1 Today’s global digital economy relies on data being able to flow securely and efficiently across borders.[180] According to the Export Council of Australia, Australia's digital exports were worth around $6 billion in 2017, equivalent to Australia's fourth largest export sector, and this figure is set to grow.[181] At the same time, cross-border data flows are subject to increased concern and scrutiny around the world.[182]

8.2 Data flows do not recognise geographical borders, and these data flows have made us more interconnected than ever before. It is therefore essential for international privacy laws to set up appropriate and interoperable frameworks that facilitate the efficient movement of data across borders while providing strong protections for individuals’ personal information. Global interoperability does not require all countries to have identical frameworks. Instead, it allows for bridges to be built across frameworks that reflect the cultural, social and legal norms of their society. These bridges should allow data to flow safely and efficiently.

8.3 Under the Privacy Act, the framework for cross-border data flows is established in two ways:

  • APP 8, which enables cross-border disclosures of personal information by APP entities and relies on an accountability approach.
  • The extraterritoriality provisions in s 5B, which set out when the Act applies to acts or practices engaged in outside Australia and the external Territories.

8.4 This review also presents an opportunity to consider how Australia can facilitate the safe and efficient disclosure of personal information from overseas entities to entities based in Australia. Many of the cross-border disclosure mechanisms in global privacy laws allow data to be transferred to other jurisdictions with comparable privacy protections. It is therefore important to consider the ways in which the Privacy Act can be reformed to facilitate this. The roles of ‘adequacy’ status and certification are relevant considerations here.

8.5 The accountability approach, extraterritoriality and adequacy are discussed further below. Certification is discussed in Part 7 of this submission, above.

The accountability approach

48. What are the benefits and disadvantages of the current accountability approach to cross-border disclosures of personal information?

a. Are APP 8 and section 16C still appropriately framed?

8.6 The Privacy Act creates a framework for the cross-border disclosure of personal information through the operation of APP 8 and s 16C. The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs and makes the APP entity accountable if the overseas recipient mishandles the information.[183]

8.7 This accountability approach reflects a central object of the Privacy Act: to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.[184] Personal information is protected because APP 8.1 requires the disclosing APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.[185] The APP entity also remains accountable for acts or practices done by the overseas recipient.[186] This approach gives substance to the general principle of accountability by ensuring that individuals have a meaningful way of seeking redress under the Privacy Act against the disclosing APP entity.

8.8 APP 8.2 establishes some exceptions to the requirement in APP 8.1 and to the accountability provision in s 16C. For example, an APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where:

  • The APP entity reasonably believes that the overseas recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the APPs, and individuals can access mechanisms to enforce those protections.
  • The APP entity expressly informs an individual that if they consent to the disclosure, this principle will not apply, and the individual then consents to the disclosure.

8.9 APP 8 only applies to cross-border disclosures of personal information. That is, it applies to circumstances in which an APP entity has released the personal information from its effective control. APP 8 does not cover circumstances in which an APP entity ‘uses’ personal information overseas, that is, where it handles, or undertakes an activity with, the personal information within the entity’s effective control. For example, routing personal information, in transit, through servers located outside Australia would usually be considered a ‘use’. In these instances, the APP entity would still remain accountable for any breach of the APPs in relation to the information it ‘uses’ overseas, as it is still considered to ‘hold’ the personal information and is thus subject to the Privacy Act.

8.10 The OAIC considers that the accountability approach established by APP 8 and s 16C remains an appropriate way of enabling personal information to flow overseas, whilst ensuring there are meaningful redress mechanisms available to Australians. This is an important mechanism to ensure that individuals’ personal information is still protected in situations where the Privacy Act may not have extraterritorial jurisdiction.

8.11 The Privacy Act review presents an important opportunity to consult with businesses to understand how they operationalise cross-border disclosures in their business activities. For example, there may be some businesses that are currently not subject to the Privacy Act who are nonetheless disclosing personal information overseas. These businesses may be required to comply with the privacy laws of other jurisdictions, whilst not having obligations to the Australians whose personal information they are handling. The OAIC’s recommendation 27 to remove the small business exemption would address this inconsistency.

8.12 The review may also wish to consider whether additional legislated transfer mechanisms that are found in other global privacy laws should be introduced into legislation to assist businesses in complying with the requirements under APP 8. Three examples of these mechanisms, discussed in more detail below, are:

  • Contractual safeguards
  • Certification
  • ‘Adequacy’ or whitelists

Contractual safeguards

8.13 One way that APP entities can comply with APP 8.1 is through a contractual agreement that requires the overseas recipient to comply with the APPs. These contractual arrangements provide substance to the accountability approach by ensuring that the APP entity has an enforceable arrangement to require the overseas recipient to comply with the APPs. Contractual arrangements are widely recognised across the EU and Asian frameworks as a valid means for an organisation to discharge its obligations under privacy legislation.[187]

8.14 Many jurisdictions have developed model clauses, or standard contractual clauses, to facilitate cross-border data flows. Under New Zealand’s reformed Privacy Act, personal information may be disclosed overseas once a due diligence process establishes that certain privacy standards are met. The Office of the Privacy Commissioner New Zealand has published model clauses that assist entities in meeting these obligations.

8.15 It may be appropriate to consider whether Australia should develop model clauses for disclosing APP entities to use in complying with APP 8.1. The OAIC recommends that such model clauses remain a tool to support an APP entity’s accountability under APP 8.1, as opposed to an exception to accountability under APP 8.2.

8.16 The recent decision of the Court of Justice of the European Union (the Schrems Decision) has highlighted the importance of entities being able to satisfy themselves that the receiving entity is able to comply with the Standard Contractual Clauses in a way which provides meaningfully equivalent protections.[188] The Schrems Decision established that where transfers are being made under Article 46, EU-based entities must also take due account of the surrounding environment to which transferred data is subject and assess whether the implemented safeguards provide an equivalent standard of protection in reality. In particular, the Schrems Decision places the onus on data controllers, exporters and importers to:

  • assess the laws and practices of third country jurisdictions, with regard to powers that enable public authorities to access EU citizens’ data, before a transfer of data from the EU to a third country is made
  • determine whether supplementary measures need to be in place, in addition to Standard Contractual Clauses, to ensure protection meets the EU standard.

8.17 The Schrems Decision suggests that organisations may need to implement additional supplementary measures, beyond Standard Contractual Clauses, to satisfy themselves that the data is protected to an essentially equivalent standard. This decision will have implications for EU entities wishing to transfer personal information to Australia (discussed further in the Adequacy section below), but the Privacy Act review should also consider whether APP entities relying on an exception under APP 8.2 should similarly be required to take account of the broader environmental context into which they are disclosing personal information.

Certification schemes

8.18 Many international frameworks provide for certifications as a transfer mechanism.[189] Certification schemes are likely to be covered by the APP 8.2(a) exception where the certification has a binding effect and provides mechanisms for individuals to seek redress.

8.19 Certification schemes present an opportunity for global interoperability if multiple jurisdictions were to recognise the same certification scheme as a valid transfer mechanism. If this were to occur, certification schemes could act as a bridge connecting different regional frameworks.

8.20 The APEC CBPR is operational and has the potential to provide this. However, the lack of business uptake has limited its success.[190] Australia was endorsed as a participating economy in 2018. The review presents an opportunity for Government to consult businesses to determine whether CBPR certification would assist entities in complying with APP 8. The OAIC recommends that the CBPR Program Requirements be carefully assessed to determine whether they satisfy the APP 8.2(a) requirement of ‘protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information’.[191]

8.21 Certification is discussed further in Part 7 of this submission.

‘Adequacy’ or whitelists

8.22 One of the exceptions in APP 8.2 is where information is subject to a law with substantially similar protections.[192] Currently, Australian businesses are required to make this assessment based on their own due diligence. It may assist APP entities if the Australian Government were to establish a whitelist of countries that satisfy the requirements of APP 8.2(a).

8.23 The OAIC notes the European experience of creating ‘adequacy’ lists, which suggests that there are practical difficulties in establishing such a list. EU Adequacy Decisions have been subject to long and costly negotiations. To date, only 12 countries have received an Adequacy Decision from the EU Commission.

8.24 If the Australian Government were to develop a whitelist, it would be important to give due consideration to the available mechanisms for an individual to enforce protection as required under APP 8.2(a)(ii). The Schrems Decision draws attention to the need to consider the broader legal frameworks and practices that the receiving country’s privacy framework is subject to in order to accurately assess whether an equivalent standard of protection is reached. The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a mechanism for transferring data between the EU and the US.[193] The CJEU found that the ability of US public authorities to access personal data was not sufficiently limited or subject to effective redress mechanisms made available to data subjects. As such, the CJEU found that the EU Commission’s Adequacy Decision in relation to the EU-US Privacy Shield disregarded the requirement under the GDPR to provide an adequate level of protection and the rights established under the Charter of Fundamental Rights of the European Union.

8.25 This Decision highlights the importance of maintaining contemporary privacy frameworks and actively monitoring legal and cultural developments that might impact the effectiveness of data protection standards.

Recommendation 46 Consider whether additional legislated transfer mechanisms could enhance the APP 8 accountability approach. These could include:

  • Contractual safeguards (to support an APP entity’s accountability under APP 8.1, rather than an exception to accountability under APP 8.2)
  • Certification
  • ‘Adequacy’ or whitelists

Extraterritorial application of the Act

49. Is the exception to extraterritorial application of the Act in relation to acts or practices required by an applicable foreign law still appropriate?

8.26 Section 5B of the Privacy Act establishes the extraterritorial reach of the Act. In particular, the Privacy Act will extend to an act done or practice engaged in outside Australia by an organisation that has an Australian link. One way of establishing that an organisation has an Australian link is if the organisation carries on business in Australia (s 5B(3)(b)) and collected or held the personal information in Australia at the time of the breach (s 5B(3)(c)).

8.27 It should be noted that an act or practice of an organisation done or engaged in outside Australia and an external Territory will not be an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country (s 13D). The review may wish to consider whether this provision remains fit for purpose.

8.28 As the Issues Paper notes, the extraterritorial application of the Act is intended to capture multinational corporations based overseas with offices in Australia, as well as entities with an online presence, but no physical presence in Australia. An increasing number of the matters being considered by the Commissioner present factual situations that enliven s 5B(3) of the Privacy Act.

8.29 Large multinational companies often provide services to Australian customers through an entity in the corporate group located overseas. Often, the personal information collected from those customers by the original company is transferred to other company group members in different overseas jurisdictions for processing and storage. Such transfers are generally permitted by s 13B of the Privacy Act. When a breach of the Privacy Act occurs, there could potentially be multiple companies within the multinational group involved, in different locations and performing different functions.

8.30 Similarly, foreign businesses may collect and trade in data about Australians but may not collect Australians’ information directly from Australia. They may collect personal information from a digital platform that does not have servers in Australia. When a breach of the Privacy Act occurs, a threshold issue will be to establish that these businesses collect or hold personal information in Australia.

8.31 It can be resource intensive to establish jurisdiction under s 5B(3), particularly against motivated and well-resourced international companies. The OAIC therefore considers that there are opportunities for the extraterritorial operation of the Privacy Act to be enhanced, to more effectively address the privacy risks posed to Australians by overseas companies.

8.32 It is particularly important to ensure that there is certainty about the entities that the Privacy Act applies to in light of the proposed online platforms code, which will apply to social media services, data brokerage companies and other entities that trade in personal information.

8.33 The OAIC has identified options for potential reform of the extraterritorial operation of the Privacy Act, which we consider could address the issues raised above. The OAIC recommends that the Privacy Act review consider these options further:

  • Remove the requirement in s 5B(3)(c) for the information to have been collected or held in Australia, and instead treat the collection or holding of information as an indicator of ‘carrying on a business in Australia’ (discussed further below). The effect of removing this provision would be that the Commissioner would only need to establish that a foreign company carries on business in Australia. This would generally align with the extraterritorial operation of the Competition and Consumer Act 2010 (Cth),[194] and would be closer to the extraterritorial operation of the New Zealand Privacy Act.
  • Amend s 5B(3) to refer to particular indicators of ‘carrying on business in Australia’ for the purposes of the Privacy Act. For example, an entity is considered to be ‘carrying on business in Australia’ if the entity collects and/or holds personal information about an individual who is located in Australia. Additionally, some of the elements in the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 could be elevated into s 5B(3) as indicators. For example, the Explanatory Memorandum says ‘a collection is taken to have occurred “in Australia” where an individual is physically located in Australia or an external Territory, and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia. It is intended that, for the operation of paragraphs 5B(3)(b) and (c) of the Privacy Act, entities such as those described above who have an online presence (but no physical presence in Australia), and collect personal information from people who are physically in Australia, carry on a “business in Australia or an external Territory”.’
  • To address the issue of disclosures within a corporate group, where the recipient entity is not covered by the Privacy Act, the review could consider extending the extraterritorial operation of the Privacy Act to a body corporate that has collected Australians’ personal information from a related body corporate to which s 5B(3) applies (irrespective of whether it carries on business in Australia in its own right). This approach appears to be consistent with the intention of the note in s 13B of the Privacy Act, which indicates that related bodies corporate that receive personal information from a related entity should be covered by the Privacy Act.

8.34 The OAIC considers that the extraterritoriality provisions in s 4 of the new Privacy Act 2020 (NZ) provide a good model for reform of the Privacy Act. The NZ Act builds on the Australian extraterritoriality framework with some of the clarifications or additions proposed above, for example:

  • Section 4(1)(b) says the NZ Act applies to an overseas entity (B) ‘in relation to any action taken by B in the course of carrying on business in New Zealand in respect of personal information collected or held by B.’
  • Section 4(2)(a) and (b) of the NZ Act clarify that it does not matter where the personal information was collected or held by the agency in order for it to be carrying on business in New Zealand (in contrast to s 5B(3)(c) of the Australian Privacy Act).
  • Section 4(3) of the NZ Act clarifies that certain elements do not have to be present in order for an entity to be treated as carrying on business in New Zealand, for example, it does not have to have a place of business in New Zealand (section 4(3)(a)) or receive any monetary payment for the supply of goods or services (section 4(3)(c)).

Recommendation 47 Amend the Privacy Act to address issues with the extraterritoriality of the Act, including:

  • Remove the requirement in s 5B(3)(c) for the information to have been collected or held in Australia, and instead treat the collection or holding of information as an indicator of ‘carrying on a business in Australia’.
  • Amend s 5B(3) to refer to particular indicators of ‘carrying on business in Australia’ for the purposes of the Privacy Act.
  • Extend the extraterritorial operation of the Privacy Act to a body corporate that has collected Australians’ personal information from a related body corporate to which s 5B(3) applies (irrespective of whether it carries on business in Australia in its own right).

Adequacy

52. What would be the benefits or disadvantages of Australia seeking adequacy under the GDPR?

8.35 Many international privacy frameworks prohibit the flow of personal data to jurisdictions that do not provide a sufficient level of protection. It is therefore important to ensure that Australia’s privacy framework does not fall behind international standards, in order to support Australian businesses’ competitive participation in the global digital economy.

8.36 Across the globe, the GDPR is considered a high standard of data protection, and many jurisdictions that are introducing privacy legislation for the first time are looking to the GDPR as a model. However, Australia has a well-established privacy framework, which is a product of our culture and norms. A formal EU Adequacy Decision does not require Australia’s framework to be a mirror of the GDPR. Instead, a formal EU Adequacy Decision recognises that Australia provides a comparable level of protection.[195]

8.37 Many of the OAIC’s recommendations throughout this submission support the interoperability of the Privacy Act with global privacy laws, including the GDPR, and assist Australian entities to satisfy their global counterparts that Australia’s privacy framework provides similar levels of coverage and protection. For example, the OAIC’s recommendations 27, 28 and 29 to extend the Privacy Act to small businesses, employee records and political parties would assist in demonstrating comparability and in efforts to achieve an EU Adequacy Decision, should the Australian Government decide to seek this.[196]

8.38 A formal EU Adequacy Decision may also elevate the international perception of Australia’s privacy framework and assist in establishing that Australia’s framework provides an adequate level of protection, and is therefore interoperable, with jurisdictions beyond the EU. This may have an added benefit in assisting other countries that are evaluating Australia’s privacy framework.

8.39 Regardless of whether Australia seeks an Adequacy Decision, EU entities transferring data to Australian entities will need to satisfy themselves that the transferred data is subject to an essentially equivalent level of protection in Australia. This was highlighted in the Schrems Decision, which found that where an EU entity is relying on Standard Contractual Clauses under Article 46 of the GDPR, it must consider the broader environment of the overseas recipient, and the impact that might have on the recipient’s ability to provide essentially equivalent protections.[197] The Schrems Decision is likely to have implications for the international flow of data because it requires a rigorous assessment of not just the privacy frameworks, but also the broader cultural environment that the transferred data is subject to, in order to determine whether essentially equivalent protections are provided. A formal EU Adequacy Decision would alleviate the need for EU and Australian entities to take further steps in assessing the effectiveness of the Article 46 GDPR transfer tool being used and considering whether additional safeguards are needed.[198]

8.40 The importance of ensuring that Australia’s Privacy Act is interoperable with global privacy laws therefore goes beyond the formal processes for seeking adequacy under the GDPR. As different approaches are adopted around the world, it is important that Australia’s domestic frameworks remain interoperable, so that data can flow across borders whilst also protecting personal information.

Challenges of implementing the CBPR System in Australia

50. What (if any) are the challenges of implementing the CBPR system in Australia?

8.41 As noted in the Certification section in Part 7 of this submission, the OAIC supports the introduction of an independent third-party certification scheme. Privacy certification schemes have a role to play in facilitating overseas transfers of personal information. An independent certification mechanism could also significantly increase the transparency of organisations’ data practices.

8.42 The APEC CBPR System operates as a regional certification scheme and requires certified businesses to demonstrate compliance with a commonly understood set of privacy standards. The APEC Joint Oversight Panel of the Data Privacy Subgroup endorsed Australia’s application to participate in the CBPR System in 2018.

8.43 The Issues Paper notes that one way of incorporating the CBPR system requirements into Australian law is through a code developed under Part IIIB of the Act.

8.44 As outlined in more detail in Part 3, there are certain limitations with the existing APP code framework under Part IIIB. In relation to the CBPR system, the development of a code would require the Commissioner to identify a code developer, who would then be responsible for developing the code and ensuring that it adequately gives effect to the requirements of the CBPR system. The code developer must also ensure that appropriate consultation takes place with relevant stakeholders, including the public and the OAIC. A CBPR code would need to apply to a broad range of entities across the economy, making it challenging to identify a code developer that is representative of the entities that the code would cover.

8.45 The OAIC’s Recommendation 14 to provide the Commissioner with the power to develop an APP code in the first instance would enable the OAIC to have leadership over the development of a CBPR code and ensure that it fully and adequately gives effect to the requirements of the CBPR system.

Footnotes

[182] 92% of Australians are somewhat to very concerned about their data being sent overseas, see OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 39.

Over recent years there have been numerous cases in the EU regarding the transfer of data from the EU to the US under a range of mechanisms including the Safe Harbour Agreement, the Privacy Shield and Standard Contractual Clauses, see: Maximilian Schrems v Data Protection Commissioner (2015) C-362/14, Data Protection Commissioner v Facebook Ireland LTD, Maximillian Schrems, (2020) C-3111/18;

UNCTAD, ‘Data protection regulations and international data flows: Implications for trade and development’, (2016) See: http://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf

[183] Privacy Act 1988 (Cth), s 16C, APP 8.1.

[184] Privacy Act 1988 (Cth), s 2A(f).

[185] Privacy Act 1988 (Cth), APP 8.1

[186] Privacy Act 1988 (Cth), s 16C

[187] General Data Protection Regulation, Article 46; according to the Asian Business Law Institute, at least 10 jurisdictions across Asia (Australia, Hong Kong SAR, Japan, Macau SAR, Malaysia, New Zealand, Philippines, Singapore, South Korea, and Thailand) explicitly or implicitly recognise that appropriate safeguards may be provided by ‘transfer contracts’ or ad hoc contractual provisions where processing is the purpose of data transfer. See Asian Business Law Institute, ‘Transferring Personal Data in Asia: Carving a path to legal certainty and convergence between Asian frameworks on cross-border data flows’, May 2020, page 38.

[188] Data Protection Commissioner v Facebook Ireland LTD, Maximillian Schrems, (2020) C-3111/18.

[189] The GDPR provides for certification, see General Data Protection Regulation, Article 46(2)(f). Certification is also provided for in a number of Asian countries: according to the Asian Business Law Institute, certification is explicitly provided for in Japan, Singapore, and in the amended legislation of New Zealand. It is further implicit in the Philippines and Thailand. For now, such an admission is unclear but conceivable in the laws of Hong Kong SAR, Macau SAR, and the Data Protection Bill of Indonesia. It is also conceivable, although more remotely, in the Data Protection Bill of India. See Asian Business Law Institute, ‘Transferring Personal Data in Asia: Carving a path to legal certainty and convergence between Asian frameworks on cross-border data flows’, May 2020, page 49.

[190] Currently there are around 36 CBPR certified companies. See directory of CBPR certified companies at: http://cbprs.org/compliance-directory/cbpr-system/.

[191] Privacy Act 1988 (Cth) APP 8.2(a)(i).

[192] Privacy Act 1988 (Cth) APP 8.2(a).

[193] Data Protection Commissioner v Facebook Ireland LTD, Maximillian Schrems, (2020) C-3111/18.

[194] Competition and Consumer Act 2010 (Cth) s 5.

[195] General Data Protection Regulation, Article 45(1).

[196] Note that the predecessor to the European Data Protection Board, the Article 29 Working Party issued an Opinion which raised concerns that the exemptions under the Privacy Act 1988 (Cth) meant that Australia could only be considered adequate if appropriate safeguards were introduced to meet the Working Party’s concerns. See: Article 29 Data Protection Working Party, Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000.

[197] Data Protection Commissioner v Facebook Ireland LTD, Maximillian Schrems, (2020) C-3111/18.