Article - Weak protection for offshore data - the ALRC recommendations for Cross Border Transfers (November 2008)
- The proposed UPP 11
- The new accountability principle
- The adequate laws exception
- The adequate contracts exception
- Restriction to UPPs
- The consent exception
- The required or authorised exception
- The ‘Note’ re use and disclosure
- Cross-border data transfers and notice (UPP 3)
The recent Australian Law Reform Commission report - For Your Information: Australian Privacy Law and Practice  - contains an important recommendation on the management of cross-border data transfers.
The ALRC proposes to introduce a new Unified Privacy Principle 11 (UPP 11) that attempts to combine the ‘accountability’ approach to cross-border privacy protection (similar in part to the approach taken in Japan, New Zealand and Canada) with elements of the existing, more traditional ‘adequacy’ approach (similar in part to the approach taken in the EU).
This Article examines the ALRC proposal in detail, and raises significant concerns about both the drafting and the likely impact of the proposal. There are fears that UPP 11 is so weak that all of the privacy protections contained in the other ten UPPs will be thrown away the minute data moves offshore. The proposed UPP 11 requires significant re-drafting so that the accountability principle is properly implemented, and steps must be taken to limit the broad exemptions contained in the proposal.
The proposed UPP 11
UPP 11. Cross-border Data Flows
If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia and an external territory, the agency or organisation remains accountable for that personal information, unless the:
(a) agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to these principles;
(b) individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or
(c) agency or organisation is required or authorised by or under law to transfer the personal information.
Note: Agencies and organisations are also subject to the requirements of the ‘Use and Disclosure’ principle when transferring personal information about an individual to a recipient who is outside Australia.
The scope of the privacy protections in the cross-border data flow principle has been extended to include both agencies and organisations. This is a significant improvement on the current Privacy Act, where National Privacy Principle 9 only applies to organisations.
The new accountability principle
The ALRC proposal contains a requirement that agencies and organisations will remain accountable for personal information they have collected, even when it is transferred overseas. This is potentially an attractive development as it may motivate agencies and organisations to take care when transferring data to other jurisdictions, and it provides consumers with some local rights against collecting agencies and organisations when breaches occur.
This accountability approach appears in a limited way in the privacy laws of Canada, Japan and New Zealand. It is also a key principle in the APEC Privacy Framework.
However, the ALRC recommendation on accountability suffers from two key weaknesses.
Firstly, it does not apply to every transfer of data, as a series of exceptions apply (discussed below). It is difficult to see why the accountability principles does not apply to all transfers. The exception for circumstances where a consumer insists on the transfer is understandable - the other exceptions make no sense. In practice, 90-95% of cross-border data transfers are likely to be subject to a contract, so they will be covered by the exception in UPP 11 (a). This means that the accountability principle will only apply to a tiny fraction of data transfers from Australia.
Secondly, the accountability principle does not assist consumers rectify a breach that occurs in another jurisdiction. Although they may have a valid complaint against a local agency or organisation, the damage will occur in a foreign location and will not be subject to remedial action (such as the removal, correction or destruction of information). In privacy law, remedial action is often more important to consumers than compensation. The proposed UPP 11 appears to rely heavily on the accountability principle, without recognising this limitation for consumers.
Overall, the proposed UPP 11 is the weakest possible implementation of the accountability principle, and will do little to increase confidence in this new approach to privacy protection.
The adequate laws exception
The continued presence of an adequacy test in Australian privacy law (in the face of strong opposition) is welcome. Adequacy tests are the mainstay of the traditional EU approach to data protection and appear in a limited way in some other jurisdictions (including Australia).
However, the adequacy test is very poorly implemented in the proposed UPP 11 (a). In fact it is only included as an exception to the accountability principle, rather than as an exception to retaining the information in Australia (the position in the current Privacy Act under National Privacy Principle 9 and the position in the EU Data Protection Directive).
The test in exception (a) relies on the ‘reasonable belief’ of the sending party that a foreign law effectively upholds privacy protections that are substantially similar to the UPPs. This is a weak test and is doomed to become a wide loop-hole for transfers that weaken privacy, either through error or deliberate action.
Elsewhere in the Report the ALRC have recommended that Australia develop a list of countries who provide privacy protection that is substantially similar to the UPPs (Recommendation 31-6). Ideally, if a country is on that list this should replace the weaker reasonable belief test.
However, if a country is not on that list, the sender can still hold a reasonable belief under UPP 11 (a) and send the data anyway. This is highly dangerous. Indeed, if a country is not on the list it is almost certain that the sender’s reasonable belief will be wrong. However, the sender will no longer be accountable for any breaches that occur once the data moves offshore.
There are numerous examples where a sender may have a reasonable belief that data will be safe in the foreign jurisdiction, but this belief will be mistaken.
For example, Peter Fleischer, the Global Privacy Counsel for Google has stated that Japan has adequate privacy laws and he questions why the EU have not added Japan to their white-list. Many people may develop a reasonable belief that data is protected by reading the Japanese Act on the Protection of Personal Information 2003 quickly and reading blogs and other online materials (e.g. the Google statements).
In fact, great care needs to be taken when sending data to Japan. Privacy protection could be zero in many circumstances. For example, many key exceptions to the Japanese law, including their exception for small records, are not contained in the Act itself. They are contained in Cabinet orders and some have not even been officially translated into English.
There are numerous other similar examples in the region. Korea and Taiwan both have strong privacy laws, but they only apply to certain industries and categories of data. Hong Kong and New Zealand have strong privacy laws, but protection for onward transfer of data is weak or non-existent.
It will be important to replace the dangerous ‘reasonable belief’ test with a test that requires actual protection or reliance on an official list of adequate laws. It will be more efficient to develop and maintain a single official list, rather than requiring thousands of individual businesses to seek individual legal advice on dozens of jurisdictions. A central list will also provide greater certainty to businesses.
The adequate contracts exception
As it stands, UPP 11 (a), when used in conjunction with a contract, is probably the exception that will raise the greatest concerns. It combines the weakness of the ‘reasonable belief’ test with an untested / non-standard contract and removes the accountability principle entirely. Unfortunately this exception probably applies to 90-95% of current cross-border data transfers as virtually all offshoring / outsourcing arrangements are subject to a contract between the parties.
The law of privity of contract excludes the consumer from taking direct action against the outsourcing company in the destination country if a breach of a contract between the sender and receiver occurs. However, this can potentially be managed by classifying a breach of a contract made under the Privacy Act as a breach of the Act itself, actionable at least by the Privacy Commissioner. This already occurs for Government outsourcing contracts to the private sector under Section 13A of the Act. This issue is not mentioned in the ALRC Report.
Indeed, a strange result of the new UPP 11 is that Government agencies will face stringent requirements for outsourcing to local contractors, but virtually no requirements for outsourcing to foreign contractors.
It is also difficult to imagine how a consumer would construct a complaint for a breach of the reasonable belief test in UPP 11 where a contract has been used - it is probably easier to have an argument about ‘reasonable belief’ in relation to a law than a contract. Contracts are likely to be confidential and difficult to debate in the open, as opposed to laws. Indeed, most consumers are unlikely to be able to mount an effective challenge under UPP 11 (a).
However, contracts are a common form of protecting privacy in cross-border transfers and they are unlikely to disappear. Other jurisdictions recognise contracts as providing a layer of protection, and then try to establish standards for such contracts. Approaches include testing whether the contract is “concluded in the interest of the individual” (e.g. NPP 9 and the EU) or whether the contract includes audit powers (Japan). However, the dominant approach to enhancing privacy standards in contracts is the publication of mandatory contract terms (e.g. the EU).
The EU mandatory contract terms were the subject of harsh (and justified) criticism throughout the late nineties and the early part of this decade. However, they have been revised and re-issued in consultation with stakeholders (including business groups). The new contract terms represent a significant improvement and there do not appear to be any remaining criticisms. They offer a consistent mechanism for achieving compliance in cross-border transfers for many businesses.
Australia could learn from this experience and publish mandatory contract terms that organisations can use to incorporate the UPPs and other Privacy Act requirements into their cross-border contracts. This would provide a higher level of protection than the ‘reasonable belief’ test. The ALRC Report does discuss the development of ‘guidance’ on matters to be addressed in a contract (Recommendation 31-7), but this falls well short of mandatory contract terms and is unlikely to enhance actual protection.
In practice, a combination of the accountability principle and mandatory contract terms could be a very popular mechanism for protecting privacy in cross-border transactions. It avoids the onerous ‘registration’ requirements of other proposals - for example the proposed APEC Cross Border Privacy Rules (CBPRs) - at a time when businesses and regulators face a strain on privacy compliance/legal resources.
In order to achieve this positive result, UPP 11 would have to be amended to ensure that the accountability principle applied to all transfers, and contracts should be subject to a test of either ‘actual’ protection or conformance with contract terms developed by the Privacy Commissioner.
Restriction to UPPs
The proposed test in UPP 11 (a) is whether a foreign law or contract effectively upholds privacy protections that are substantially similar to “these principles” - meaning the new Unified Privacy Principles. This restricts protection to a fraction of the potential breaches of privacy contained in the broader Privacy Act. This proposal should be amended to ensure that key protections are not lost.
The current text would exclude data breach rules, health and credit reporting regulations and other protections scattered through the Act. Many of these are important protections to consumers in the context of offshore data. For example, consumers are likely to be seriously concerned about a data breach, whether the breach occurs at a local data centre or an offshore data centre.
The consent exception
The consent exception in UPP 11 (b) is more restricted than the consent provisions in the current Privacy Act under National Privacy Principle 9. It restricts the role of consent to situations where a consumer insists that data is transferred even when they are informed that the organisation will no longer be accountable for their personal information.
However, the ALRC Report does not resolve the issue of bundled consent - the situation where consent to one transfer (e.g. a transfer to a foreign jurisdiction) that is not desired by the consumer is bundled together with the consent for other uses of the information (e.g. processing of an application). Until this issue is resolved the reliance on consent in UPP 11 (b) will remain weak.
The required or authorised exception
The exception in UPP 11 (c) for transfers where they are “required or authorised by or under law” is a necessary exception, although the term ‘authorised’ is quite broad. This exception could be improved by limiting it to situations where the specific transfer is required by a specific law.
The ‘Note’ re use and disclosure
The note at the end of the Principle reminds agencies and organisations that they are also bound by the Use and Disclosure principle (UPP 5) when they are sending information offshore. This is a bizarre addition to the Principle that is open to misinterpretation by an agency or organisation who might believe that, as the note only refers to ‘Use and Disclosure’, they do not need to consider the other Principles. In fact all of the Principles should apply to all personal information all of the time. UPP 7 (Data Quality) and UPP 8 (Data Security) are particularly relevant to the offshore transfer of data, and they are not mentioned in the note. The note should be removed to reduce confusion about the application of the UPPs to all data at all times.
Cross-border data transfers and notice (UPP 3)
The proposed UPPs in the ALRC Report are undoubtedly well intended, and the first ten UPPS do deliver some improvements. However, UPP 11 fails to provide even a basic level of privacy protection, and undermines all of the other UPPs as a result.
The ALRC proposal relies heavily on the accountability principle - indeed it replaces the former system of restricting transfers to certain ‘safe’ scenarios with a new system of allowing all transfers but requiring ongoing accountability. But then in the very next sentence (UPP 11 (a)) it abandons the accountability requirement for the vast majority of data transfers, leaving no restrictions or protections in place.
As a result, all of the privacy protections contained in the other ten UPPs will be thrown away the minute data moves offshore. In particular, where data has been transferred subject to a contract, the accountability principle is immediately removed in its entirety. The only remaining protection is the weak requirement that the sender had a ‘reasonable belief’ that the contract provided adequate protection. Even if this belief is wrong, there is no comeback for the consumer.
If UPP 11 was implemented without change today, it is likely that every single offshore transfer of data would move to a contractual basis in order to avoid the accountability principle, and to benefit from this weak test for compliance. Indeed, legal advisers would not be doing their job if they didn’t point out this neat exception to their clients.
There will also be broader consequences from the implementation of a weak UPP 11. Australia will find it impossible to satisfy the adequacy test in the EU Data Protection Directive. Even if the small business and employee record exemptions are removed, as proposed by the ALRC, UPP 11 would not satisfy EU concerns regarding onward transfer. Also, the flawed implementation of the accountability principle will weaken support for the APEC Privacy Framework. The accountability principle is the poster child of the APEC approach -it looks set to fail at the very first hurdle unless UPP 11 is amended.
 This article is an extension of an earlier speech at the Meeting privacy challenges symposium (University of NSW, 2 October 2008).
 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108, August 2008, chapter 31, <http://www.austlii.edu.au/au/other/alrc/publications/reports/108/31.html> (‘ALRC Report 108’).
 Act on the Protection of Personal Information 2003 (Japan), <http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf>.
 For example: Cabinet Order for the enforcement of the Act on the Protection of Personal Information, 10 December 2003, <http://www5.cao.go.jp/seikatsu/kojin/foreign/cabinet-order.pdf>
 The contract terms are available at: <http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm>