• Graham Greenleaf

Image: kryptyk / Flickr

23 October 2009Australian Governments of all persuasions stress how essential 'border protection' or 'border security' is in many fields, such as immigration, narcotics, and quarantine.  But when it comes to the protection of our personal information – our privacy – the Rudd Government is proposing to abandon any border protection of personal information, and is not proposing to provide any meaningful protection in its place. The privacy of Australians will be at the mercy of Nigerian scammers, American spammers and Russian mafia. Without border security for personal information, we will be left to pick up the pieces after our personal information has left our shores.

The government is proposing to adopt substantially unchanged what was arguably the worst recommendation made by the Australian Law Reform Commission (ALRC) in its 2008 review of privacy laws. This takes a bit of explaining.

The current protection (National Privacy Principle 9 ‘Transborder data flows’, or NPP 9) is based on a ‘border security’ approach, although one that is too weak. Unless a proposed export (‘transfer’) of personal data outside Australia meets certain criteria, the act of exporting is itself a breach of the Act. The conditions are not strong enough, and included that the exporter only need ‘reasonably believe’ that there was ‘substantially similar’ protections in the recipient's jurisdiction. However, the conditions must be met on an export-by-export basis. If an exporter does not meet the conditions it will be in breach if it transfers personal data outside Australia, simply by the act of transfer. This applies both to transfers to an agent of the exporter, usually for further processing for the exporter (‘outsourcing’), or where transfers are to a third party for its purposes. Proving a breach by exporting without meeting the conditions is possible, though there have as yet been no cases or complaints to test how difficult.

The new ‘borderless’ proposal
The core of the ALRC proposal adopted by the Government is to abandon this border security completely: any personal data about Australians will be able to be exported to anyone, anywhere. Your personal data will be able to be sent to Nigeria, Russia, India, the USA or anywhere else: where would you least like to see it go? There will be no conditions on the legality of the act of exporting. The transfer of the data will still have to comply with NPP 2, which basically means that the discloser has to be transferring the data for a purpose (but not to a place) which the subject of the information ‘would reasonably expect’.

The key point is that it does not matter that the destination country has no privacy laws at all, and no privacy agency that could help you if a problem arose: your information can be sent to the most ‘privacy hostile’ countries in the world. And it can be sent from such countries to other ‘privacy hostile’ countries, all without breaching any local laws. How do you know where your information will end up?

This will apply to information collected by companies, and to the very personal information collected by federal government agencies, often by compulsory powers.

Keeping you in the dark
The Rudd Government is not proposing that you will always need to be told when your information is about to go overseas. It says that the Notification Principle will include the requirement that companies or agencies must take ‘reasonable steps’ to give you notice when collecting your personal information that it may be transferred overseas, and to which countries. This is intended to be an improved protection, but it is full of loopholes. First, there is no need of any mention to be made that the destination countries (or some of them) provide no privacy protection - you need to be an expert on international privacy laws in order to assess the dangers. Second, if the collector has not yet made up its mind whether it will export your information, or to where, then it does not have to say anything. And it is allowed to change its mind after it collects your information. This seems more like a device to keep you in the dark than to put you in the picture.

The ‘accountability’ sham
The supposed virtue of the new approach is that although your personal information can be exported to anywhere that does not have ‘substantially similar’ privacy protections to Australia, if the exporter does so then theoretically they 'remain accountable' for overseas misuses of your personal information. ‘Theoretical’ is the key word, because the onus of proof (on the civil balance of probabilities) of a specific breach of a privacy principles by a specific overseas party still rests with you; as does the requirement to prove that the party in breach received the information directly or indirectly (but foreseeably) from the Australian exporting party; as does the requirement to prove that there was a causal connection between that breach and damage to you.  And of course the country from which the damage to you emanated might not be the same as the country to which the data was exported,  but you are the one who has to join the dots.

How do you satisfy these requirements of proof when your data has travelled to Nigeria, India, Russia, the USA or ‘all of the above’, and you may not even know? Might it be dangerous to try? Might it be expensive?

The so-called 'accountability' principle is a sham: the absence of any real likelihood of accountability is what is rotten at the core of the ALRC and Rudd Government approach.

Absolution from ‘accountability’
To make matters worse, the Rudd Government proposal (following the ALRC) then converts the previous over-broad list of conditions in NPP 9 allowing data exports into a list of excuses. Complying with any one of them will allow the exporter to completely avoid (even in theory) ‘remaining accountable’ for any mis-uses of your personal information by the overseas recipient (or anyone they passed it on to).  The government proposes to tighten some of these conditions in minor ways, but it doesn’t matter: they no longer serve the same function. It may be that this absolution from accountability will even apply to outsourcing of data processing as well as disclosures to third parties, so as to weaken the existing protections of the law of vicarious liability for the acts of your agents – the details are not yet provided.

So you can’t complain to the exporter, there might not be a data protection authority to help you where your data has ended up, and the Australian Privacy Commissioner has no ability or resources to investigate overseas infringements.

Inconsistent border controls on credit reporting
For credit reporting information both the Rudd Government and the ALRC take a completely inconsistent approach, recognising that border controls are necessary for effective protection. The ALRC proposed (recommendation 54-7) that disclosures of credit information to foreign credit providers should be prohibited except according to conditions set out in regulations 'including the availability of effective enforcement and complaint handling in the foreign jurisdiction' - in other words 'border controls'. The government goes further, proposing to erect an almost absolute border control over credit information: no data exports to anywhere but New Zealand; and no capacity for any regulations to change this.

It rejects the ALRC's approach because ‘consideration would still need to be given as to how adequate protections could be put in place to ensure there was no inappropriate secondary use of the information outside the jurisdiction where the information was originally held’. Any benefits ‘would be outweighed by the inability of the Privacy Commissioner to enforce effectively the credit reporting provisions against foreign entities’. Why doesn’t the same reasoning apply to other personal information just as sensitive as credit information?

An international low, putting trade at risk
Australia has requested an ‘adequacy’ finding for its privacy laws from the European Union, so that European oganisations would have a blanket ‘OK’ to transfer personal information on Europeans to Australia. We have not yet received the adequacy finding, and one of the weaknesses of the Australian position is the weakness of the ‘border controls’ in the existing NPP 9, which exposes European data to risks of ‘onward forwarding’ from Australia to countries with even weaker privacy protections.

The Rudd governments proposals on data exports, for all the reasons outlined above, weaken Australia’s position even further, making it more difficult for Australian businesses to get the benefits of an ‘adequacy’ finding to lubricate EU-Australian trade.

No other country which attempts to provide some protection against unrestricted data exports is going as far as Australia in allowing data exports without consent to countries which have less privacy protections, and then absolving them from any accountability if they meet some minimal conditions. In Canada, Korea and Japan these are conditions to which those who have ‘accountability’ must adhere, at least in some cases.

Secure borders plus real accountability: the alternative
A good approach to data exports would provide both secure border protection against unacceptable risks to our personal information, and accountability of those exporting personal information where that was justified. This is achievable in a few steps.

Border security involves defining those countries which provide a similar level of protection to that provided in Australia, including effective enforcement, assessed by objective measures (such as a ‘whitelist’ provided by the Commissioner or regulations). An essential element is that Australian personal data cannot be further exported to other countries with less protection than in Australia.

Data exporters should be able to transfer personal information to those ‘similar protection’ countries without taking any special measures beyond taking reasonable steps to assuring themselves that the recipient has policies and practices that show it complies with local laws. They should still remain accountable for breaches occurring overseas after transfers to their agents under outsourcing arrangements. However, they need not remain accountable if they have properly disclosed to a third party in such a ‘similar level of protection’ jurisdiction.

Notification should be given to consumers and citizens of such proposed overseas transfers at the time their data is collected, and that the transfer is to a country providing a similar level of protection. Consent should not be required, but there should be a right to opt-out of such transfers at any time (prevent processing).

Where an exporter is proposing to transfer personal information to other countries that do not come within the 'similar protection' test, the exporter should have to obtain the consent of the individual concerned, and should remain accountable for any breaches that occur overseas (with the exceptions set out below). Exporters would generally seek an indemnity from the importer if they were sensible. The exporter should have to give explicit notice prior to transfer that it is proposing an overseas transfer to which country, and that that country does not provide 'similar protection'. This is a question of who is in the best position to bear any loss suffered.

In the following circumstances the exporter should be able to transfer personal information to any jurisdiction (a) if it obtains explicit consent to such a transfer (ie not implied or an opt-out), for a purpose that is to the benefit of the individual; or (b) if it is carrying out a contract between the individual and a third party for the benefit of the individual, which requires such a transfer; or (c) if it is acting for the benefit of the individual under circumstances in which it was impractical to obtain the individual’s consent; and in all cases it takes whatever protective measures are reasonable in the circumstances.

If an overseas transfer to a country without equivalent protection is required (not just authorised) by law  (not including contracts), then an organisation (private sector) will not be accountable for any resulting harm, provided it takes whatever protective measures are reasonable in the circumstances.

If overseas transfers of personal information do occur despite being forbidden under these tests, then as well as that being in itself a breach without any proof of any further harm, if the person concerned has suffered damages then there should be a rebuttable presumption that any harm that has occurred is caused by export in breach.
Provisions such as these will protect personal information of Australians while facilitating international trade. The Government and ALRC proposals will not.

20 October 2009

Graham Greenleaf, Professor of Law, University of New South Wales   
International Fellow, Kyung Hee Faculty of Law, Seoul, October 2009   

Links:

For your information: Australian privacy law and practice (ALRC 108)

Enhancing national privacy protection: Australian Government first stage response to the Australian Law Reform Commission Report 108

Image: kryptyk / Flickr