Transferring personal information offshore – how Australian businesses can minimise the risk
16 May 2016
Can Australian businesses send information overseas?
If your business discloses personal information to an overseas recipient, it may be accountable for any actions of the overseas recipient that would breach the APPs. This leaves your business with a significant exposure – your business could be found liable based solely on the actions of the overseas recipient.
The Privacy Act 1988 (Privacy Act) does not prohibit organisations that are bound by the Privacy Act (APP Entities) from sending personal information overseas. Rather, the Privacy Act requires APP Entities to make their own determinations about whether an overseas privacy regime provides similar levels of privacy protection to that of Australia.
Under the Australian Privacy Principles (APPs), if an APP Entity reasonably believes that:
- an overseas recipient of personal information is bound by a law which protects personal information in a way which is at least substantially similar to the way in which the APPs protect personal information; and
- there are mechanisms that the individual can access to take action to enforce that protection under that law,
then the APP Entity is relieved of the obligation to take reasonable steps to ensure that the overseas recipient complies with the APPs.
What is the EU-US Privacy Shield?
In contrast to the Australian position, businesses operating within the European Economic Area (EEA) will soon be governed by the EU-US Privacy Shield.
The EU-US Privacy Shield is expected to take effect from June, replacing the 15-year-old Safe Harbour agreement, which was ruled invalid by the European Court of Justice in October.
EEA businesses will be prohibited from transferring personal information outside the EEA unless the level of protection of personal information in the recipient country is essentially equivalent to that guaranteed within the EEA. The European Commission has the power to make a decision that a recipient country’s privacy protections are essentially equivalent to those afforded within the EU. Once made, an adequacy decision allows personal information to flow between 31 European countries to the outside country without further restrictions.
The EU-US Privacy Shield will impose stronger obligations on the US public and private sector to protect the European personal information. The European Commission has released a draft adequacy decision which provides that if personal information is treated in accordance with the principles set out in the EU-US Privacy Shield, it is considered that the personal information enjoys adequate protection in the US and the compliant US entity will be able to receive data from the EEA.
Australia does not have an equivalent to the EU-US Privacy Shield agreement with any other country, so the burden of assessing the similarity of overseas privacy protections (and, if it goes wrong, the risk) falls to individual businesses.
How can Australian businesses limit that risk?
APP Entities should enter into an enforceable contract with overseas recipient organisations before disclosing personal information to that overseas recipient. These contracts must require the overseas recipient to warrant that it understands, and agrees to act in accordance with, the APPs, and should address issues such as:
- the purpose for which the overseas recipient is permitted to use or disclose the personal information;
- the minimum measures that will apply to ensure the security of the personal information;
- agreed procedures for providing access to personal information on request, and for making any necessary corrections; and
- mechanisms that enable the APP Entity to monitor compliance with these arrangements.
In addition to an enforceable contract, depending on the circumstances, it may be reasonable to monitor the overseas recipient’s compliance more closely and to request copies of the organisation’s internal practices and policies before engaging with that party. Relevant circumstances include how sensitive the information is and how serious the adverse consequences for the person to whom the information relates would be if it were not handled in accordance with the APPs.
This week marks OAIC Privacy Awareness Week. Continue the conversation: #2016PAW