Litigation 101 Series: Privacy (transferring personal information internationally)

James Constantine, Jess Ilich, Sam Fiddian and David Benson
24 Jun 2022

Australian businesses that collect personal information which they transfer overseas need to be mindful of their obligations under our privacy laws.

Privacy law in Australia and the global context

In today's global digital economy, it is almost unavoidable that companies will, at some point, transfer to an overseas entity personal information they have collected in Australia.

An obvious example is using a data storage provider with servers located overseas, but it may also occur in connection with cross-border disputes, conducting foreign court proceedings, or engaging with international experts and witnesses.

Given these commonplace scenarios, Australian-based companies need to carefully consider how the law applies to information they collect here but send to a foreign jurisdiction. With increasing regulatory, government and consumer scrutiny of data and privacy compliance, we recommend adopting a best practice approach.

Who has to comply with the Privacy Act?

The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations on 'APP entities', which includes:

  • Commonwealth Government agencies, all health services providers and Commonwealth Government contractors, regardless of their turnover; and
  • private sector and non-profit organisations with an annual turnover of more than $3 million.

Businesses with an annual turnover of less than $3 million may still fall within the definition of APP entities where, for example, they trade in personal information or are related to a larger business.

The definition of APP entities may soon be expanded following proposed Privacy Act reform. It is currently estimated that only 4.8% of the approximately 2.4 million actively trading Australian businesses fall within the scope of the Privacy Act. This is against the background of the Office of the Australian Information Commissioner receiving hundreds of enquiries and complaints each year in respect of small businesses which are not otherwise required to protect an individual's personal information. On the flipside, for reputational reasons and to demonstrate their 'best practice' credentials, many businesses still choose to comply with the Privacy Act.

What is personal information?

The Privacy Act only applies to personal information, which is information or an opinion "about an individual" or from which "an individual… is reasonably identifiable". Examples of personal information include a person's name, date of birth, address, banking details, and information about their health.

What are an APP entity's privacy obligations?

A key obligation imposed by the Privacy Act on APP entities is compliance with the Australian Privacy Principles (APPs). Relevantly, these APPs include obligations to:

  • provide individuals with a choice as to whether their information is collected, to the extent reasonable and/or possible (APP 3);
  • notify individuals of the collection of their personal information, including standard processes for collection, storage and use of that information (APPs 1 and 5);
  • prevent harm, which includes taking account of risks, preventing misuse, and, where applicable, implementing remedial measures (APP 11); and
  • ensure the accuracy of the information collected and stored, and provide individuals with a right to access and, if necessary, correct that information (APPs 12 and 13).

Transferring personal information internationally

An international transfer of personal information occurs when an APP entity discloses information that it holds to an overseas recipient (which must be a different entity). So an APP entity in Australia sending information to an overseas office of that same entity will not need to comply with APP 8; it will, however, need to comply where it sends personal information to an overseas 'related body corporate'.

Prior to transferring personal information internationally, a two-step analysis needs to occur.

Step 1: Is disclosure lawful?

The APP entity needs to ensure that it is able to lawfully disclose the relevant personal information to the recipient under APP 6. 

APP 6 provides that an APP entity can only use or disclose personal information for the particular purpose or purposes for which it was collected (known as the 'primary purpose' of collection), unless an exception applies.

It is unlikely that disclosure in the context of legal proceedings, for example, will be the primary purpose for which personal information held by the APP entity was collected. Accordingly, the APP entity will need to consider whether an exception applies. In the context of litigation and disputes, such exceptions may include where:

  • the individual consents to the disclosure;
  • the disclosure is required or authorised by or under an Australian law or a court/tribunal order;
  • the disclosure is necessary in order to take appropriate action in relation to suspected unlawful activity or serious misconduct;
  • the disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; or
  • the disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution (ADR) process.

Step 2: Reasonable steps to ensure no breach

The APP entity will then need to ensure that it takes any steps required by APP 8. APP 8.1 requires, subject to certain exceptions, that an APP entity take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information (even if it is not itself subject to them).

What constitutes "reasonable steps" will depend on the circumstances. One common approach adopted to meet this obligation is to enter into an enforceable, and appropriately detailed, contractual arrangement to ensure that the overseas recipient handles the personal information it receives in accordance with the APPs.

A number of factors to consider when determining if reasonable steps have been taken include:

  • whether the personal information is 'sensitive information' (e.g. health information);
  • whether the disclosing entity has had prior dealings with the overseas recipient; and
  • any existing technical and operational safeguards implemented by the overseas recipient.

There are a number of exceptions to the obligation in APP 8.1, including, relevantly, where:

  • the APP entity reasonably believes that the overseas recipient is subject to a law or binding scheme that protects information in a substantially similar way to the APPs; or
  • the APP entity obtains the express and informed consent from the individual to disclose their personal information to an overseas recipient.

An example of a binding scheme of the type which would cause the first exception to apply is the APEC Cross-Border Privacy Rules (CBPR) System, which requires participating countries to implement data privacy policies consistent with the APEC Privacy Framework (Privacy Framework). The CBPR System was specifically created by APEC economies to facilitate trust in cross-border disclosure of personal information between participating countries. It requires members to implement data privacy policies in accordance with its 'Privacy Framework principles', which are broadly similar to Australia's APPs. Participating countries include Australia, the United States of America, Canada, Japan and Singapore.

Before transferring personal information internationally: a checklist

If a disclosure of personal information is permitted under APP 6, then before transferring personal information internationally, an APP entity should consider the following:

  • Has the personal information been de-identified or, if not, can it be de-identified?
  • Is the overseas recipient subject to a law or binding scheme that protects personal information in a substantially similar way to the APPs (e.g. the APEC Privacy Framework or the European Union's General Data Protection Regulation)?
  • Has the APP entity obtained the express and informed consent of an individual to disclose their personal information to the overseas recipient?

If the answer to any of the above questions is 'yes', compliance with APP 8.1 would not be necessary.

However, the Commonwealth Government, regulators, and individuals are becoming increasingly aware of data and privacy issues, particularly those associated with international transfers. For this reason, even where compliance with APP 8.1 is not strictly necessary, it is best practice for APP entities to consider whether the overseas recipient:

  • has policies and procedures in place with respect to the handling of personal information that are regularly reviewed and updated;
  • has operationalised its policies and procedures through on-going training and monitoring of compliance with those policies and procedures;
  • has data security policies and procedures that capture data created in all circumstances to ensure that certain file types or data processes will not slip between the cracks;
  • uses multi-factor authenticators and encryption in all circumstances to ensure personal information is protected; and
  • has a sophisticated and tested incident response plan which will respond appropriately to a data breach involving personal information, including by notifying the APP entity of the breach promptly.

We're here to help

If you would like to discuss your privacy and cybersecurity obligations more generally, please do not hesitate to contact us. Together with our cybersecurity experts in our Forensic and Technology Services team, we have both the legal and technological expertise to support your privacy and cybersecurity needs.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.