In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act).  The Review aims to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”.  Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper) and conducted several rounds of public consultations.  This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.

In a joint media release, the Attorney-General, the Hon. Mark Dreyfus QC MP, and Minister for Trade and Tourism, and Special Minister of State, Sen the Hon. Don Farrell, recently announced that Australia has joined a newly established global forum aimed at facilitating improved cross-border trade through more interoperable data protection frameworks. 

The Global Cross-Border Privacy Rules (Global CBPR) and Privacy Recognition for Processors system (PRP System) are being administered by the Global CBPR forum (the Global Forum), which was launched earlier this year by several of the participating nations of the Asia-Pacific Economic Cooperation (APEC), including the United States, Canada and Japan.

Australia’s participation in the Global Forum further signals the high priority placed on privacy law reform by the Labor Government, with the Attorney-General also recently asserting his intention to follow-through on the long-delayed review of the Privacy Act..

A reformed Privacy Act is almost certainly going to include uplifts aimed at improving Australia’s standing in the global privacy ranks, as well as ensuring proposed transfer mechanisms under Australian Privacy Principle (APP) 8 are fit for Australia’s digital economy and changing privacy expectations in the community. Given this, we consider how Australia’s participation in this new international Global Forum is a sign of more to come in the context of anticipated broader reform.

APEC takes its rules global

Despite the Global Forum making its independence from APEC clear, the new Global CBPR and PRP System are built upon the foundations of the existing APEC Cross-Border Privacy Rules (APEC CBPR) and Privacy Recognition for Processers system (APEC PRP System), which are similar in concept and function to the European Union’s binding corporate rules (BCR) under the GDPR. While distinct, each of these systems deals with approaches and frameworks upon which data can be transferred between jurisdictions in a consistent, secure and regulatorily compliant manner. They are accountability-based and voluntary by design. 

In a similar way, the Global Forum intends the Global CBPR to act as an international privacy certification system for global cross-border transfers of data. Certification itself is facilitated by ‘Accountability Agents’ authorised by member states.

The preamble of the Global CBPR Declaration provides insight into the principles and aims of the undertaking, including that participants join the Global Forum:

• Recognising that growing Internet connectivity and the digitisation of the global economy have resulted in the rapid increase in the collection, use, and transfer of data across borders, a trend that continues to accelerate;
• Conscious that trusted cross-border data flows are indispensable…;
• Believing that cross-border data flows increase living standards, create jobs, connect people in meaningful ways, facilitate vital research and development…;
• Acknowledging that regulatory barriers threaten to undermine opportunities created by the digital economy at a time when companies are relying increasingly on digital technologies…; and
• Recognising the importance of strong and effective data protection and privacy in strengthening consumer and business trust in digital transactions.

The Declaration goes on to state that the Global Forum is expected to promote a global uptake of the Global CBPR and PRP System, disseminate related best practice for data protection, and pursue interoperability with other data protection and privacy frameworks. Participation in the Global Forum is open to any jurisdictions that accept the objectives and principles listed in the Declaration, however, it also appears that new members would require consensus approval by existing members. 

A second life for the APEC CBPR?

Since launching in 2011, the APEC CBPR could not be described as having been a major success-story by most significant metrics. Overshadowed by its European GDPR counterparts, and against the background of rising data localisation requirements around the world (perhaps most notably in China), the APEC CBPR has not fared particularly well when it comes to either nation-state support or private-sector uptake. At present, the system comprises just 9 active nation-state members, and only 34 private companies are APEC CBPR certified.

Translating the same approach beyond the APEC sphere and to a global level may provide the additional incentives necessary for broader participation, both in terms of private-sector engagement but also with respect to those nations who may otherwise continue down increasingly localised data protection pathways.

The Global CBPR and PRP System may also be able to leverage lessons learned from the EU-US Privacy Shield. While the EU-US Privacy Shield was ultimately ruled to be invalid by the Court of Justice of the European Union as part of the seminal Schrems II decision, while it was in existence it was markedly more successful in terms of popular uptake and practical utility than the APEC CBPR has been.

Australia joins the chat

Given Australia’s participation in the APEC CBPR (notwithstanding that we did not appoint a local Accountability Agent), the recent move to join the Global Forum in spruiking a similarly-modelled Global CBPR should come as no surprise.

The move, and indeed much of what is expressed in the Global CBPR Declaration, also appears consistent with where the Privacy Act is being steered by several stakeholders contributing to its ongoing review, led by the Attorney-General’s Department (AGD). First announced all the way back in December 2019, the AGD has facilitated two formal rounds of consultation, inviting interested parties to respond to an AGD-developed Issues Paper, and more recently, Discussion Paper on how best to reform the Privacy Act (the Review).

Both the Issues Paper and Discussion Paper underscore the tension between an international economy fundamentally reliant on cross-border data flows, and the prevailing lack of a global standard regulating such exchanges. Both APEC and EU attempts to respond to this issue were noted, with the former being framed as an example of an accountability-based approach, and the latter centred instead around the concept of adequacy.

The APEC CBPR’s accountability approach affirms the ultimate responsibility of the controller of personal information to ensure that any transfers abroad, regardless of destination, are done with adequate consent or proper due diligence. A similar rationale props up the APP 8 amendments introduced into our own Privacy Act in 2012.

The EU’s longstanding preference for an adequacy approach, however, (while not diametrically contrasted to that of accountability) is focused on certifying ‘essential equivalence’ between the strong data protections of the EU-based data controller, and the protection offered by the recipient jurisdiction. While achieving jurisdictional adequacy is no small feat, it does erect a more stable foundation on which transfers can take place, without the same degree of case-by-case consent-seeking or due diligence.   

Reforms to the Privacy Act based around both accountability and adequacy concepts are mooted in each Review paper, without the suggestion that one necessarily excludes the other. Also discussed in the Review papers is the related concept of a domestic certification regime, which is suggested to be able to generate more widely understandable signals of trust to individuals. For instance, instead of needing to analyse a lengthy privacy policy, an individual could take comfort that a certified data controllers maintains a widely recognised seal of approval when it comes to handling personal information.

The Office of the Australian Information Commissioner (OAIC) was unsurprisingly among those respondents to provide extensive feedback on both Review papers, including on matters of cross-border data flows. Global interoperability of a revised Privacy Act is a core element of the OAIC’s responses to the Review thus far (a focus shared by many respondents). The OAIC provides various analyses with regard to overseas transfers, but specifically with regard to certification schemes has recommended that the Government:

• introduce a mechanism to prescribe countries and certification schemes under existing APP 8.2(a) (or, assumedly, any succeeding principle);
• introduce a voluntary domestic privacy certification scheme that draws on best practice and is interoperable with other certifications schemes; and
• progress implementation of the APEC CBPR system, including potentially through adoption via an APP code.

Despite transitionary procedures and period yet to be finalised, the Global Forum appears to intend that the Global CBPR and PRP System replace the APEC CBPR and APEC PRP System. As such, and depending on any distinguishing features added by the Global Forum as part of the development of the Global CBPR and PRP System, the OAIC’s recommendations may require reconsideration. 

We expect this matter to be further clarified once more is announced by the Attorney-General’s Department regarding the Review.

Authors: Melissa Fai and Bryce Craig