In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aims to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper) and conducted several rounds of public consultations. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
Personal information is very commonly transferred overseas as part of businesses’ ordinary operations, including when cloud and other IT systems are used. The Privacy Act does not restrict companies from transferring, storing or processing personal information outside Australia. However, if a company does so, under APP 8.1 it must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles (APPs) in relation to the information, unless an exception applies. This requirement applies only to disclosures, not to any overseas uses of information.
The Attorney-General’s 2021 Discussion Paper (AG Discussion Paper) identified a number of potential reforms to APP 8. If implemented, the proposals would clarify the requirements imposed on Australian companies under APP 8 and help them comply with their obligations.
APP 8 – Overseas Transfers of Personal Information
Typically, companies comply with APP 8 by obtaining contractual guarantees from any overseas recipient of personal information that it will not breach the APPs. Section 16C of the Privacy Act provides that any acts or practices undertaken by the overseas recipient that would breach the APPs are taken to have been done by the company itself (the accountability approach). That is, the Australian company will be accountable for those acts or practices under the Privacy Act.
Background: Existing Regime
A company is not required to comply with APP 8.1 if an exception in APP 8.2 applies. The exceptions include (among others) that:
- the company reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a manner at least substantially similar to the APPs, and there are mechanisms available to any individuals who are the subject of the disclosed personal information to enforce that law or binding scheme;
- the company expressly informs the individual that if they consent, APP 8.1 will not apply to the disclosure, and after being so informed, the individual consents to the disclosure;
- the disclosure is required or authorised by an Australian law, court or tribunal order; and
- a permitted general situation exists in relation to the disclosure (for example, the company believes the disclosure is necessary to prevent a serious threat to life, health or safety and it is not practicable to obtain the individual’s consent).
The Discussion Paper and Industry Submissions
The AG Discussion Paper canvasses a range of issues that have been identified with the existing APP 8 regime, including issues relating to the scope and meaning of the requirements imposed and the informed consent exception. Common themes among submissions on these issues were that APP 8:
- may impose too significant a regulatory burden on Australian companies, particularly those that are small businesses, when they are required to develop and negotiate appropriate contractual clauses with overseas recipients to meet the requirement of APP 8.1;
- does not clearly define the scope of obligations that are imposed, for example, the concept of ‘reasonable steps’ is not given a particular meaning in the context of APP 8 and no relevant criteria are provided for Australian companies to assess their own conduct against this standard; and
- creates exceptions to accountability under APP 8.1, namely the informed consent exception, which may unfairly impose a burden on consumers to understand the implications of any overseas disclosures.
Generally, submissions were supportive of the accountability approach as a mechanism that creates awareness of data protection in connection with overseas disclosures of personal information.
The AG Discussion Paper also specifically addresses the scope of APP 8 as a requirement that only applies to ‘disclosures’ of information, and not to any ‘transfers’ or ‘uses’. The AG Discussion Paper observes that the question of whether a specific arrangement involves a ‘disclosure’, a ‘use’ or a ‘transfer’ of personal information can be difficult to determine given these terms are not defined in the Privacy Act.
OAIC Guidance on this issue has distinguished between a ‘use’ and ‘disclosure’ by indicating that a disclosure will occur where a company makes information accessible to others outside the company and releases the handling of the information from the company’s effective control. A common example is a cloud services arrangement for storage services, where the Australian company using those cloud services retains the rights to access, determine access, change and retrieve personal information. These arrangements are typically classified as a ‘use’ of information by the cloud storage provider, rather than a ‘disclosure’ to that provider by the Australian company, and are therefore exempt from the requirements of APP 8.
Submissions on this point were varied. Some submissions considered that APP 8 should be extended to apply to any ‘uses’ and ‘transfers’ of personal information overseas, on the basis that the movement of personal information outside of Australia presents an inherent safety and security risk. For example, it was identified that intra-company transfers of information are exempt from APP 8, even though such transfers could result in information being moved to jurisdictions that have no or inadequate data protection laws. Other submissions suggested that personal information is not necessarily safer or more secure just because it is stored in Australia.
The AG Discussion Paper did not go as far as some submissions advocated and proposed only that a definition of ‘disclosure’ that aligns with the present OAIC Guidance should be added to the Privacy Act (Proposal 22.5). The AG Discussion Paper noted that this change should clarify that APP 8 does not apply to cloud service providers overseas (although we assume this was meant to refer to cloud service arrangements which have the limited purpose of storage). Intra-company overseas transfers will also remain exempt.
The AG Discussion Paper also made further specific proposals for amendments to APP 8 including that:
- standard contractual clauses for transferring personal information overseas should be made available to Australian companies to facilitate overseas disclosures of personal information (Proposal 22.2);
- amendments should be made to clarify what circumstances are relevant to determining what ‘reasonable steps’ are for the purpose of APP 8.1 (Proposal 22.6); and
- the informed consent exception in APP 8.2(b) should be removed (Proposal 22.3).
Additional proposals from the Discussion Paper relating to overseas transfers of personal information and certification schemes have been discussed in our recent article on global cross-border rules and the Privacy Act reform.
Some concluding thoughts
In our view, the proposed amendments to APP 8 would be beneficial for Australian business and should not cause significant disruption to existing practices, as they reflect, in broad terms, how many Australian companies currently deal with the uncertainties in the application of APP 8.
Based on what we’ve seen so far, our prediction for the Privacy Act exposure draft is that:
- proposals in the AG Discussion Paper relating to amendments to APP 8 will be adopted, including amendments to remove the informed consent exception and to clarify the meaning of ‘reasonable steps’ in APP 8.1; and
- cloud services arrangements which relate only to the storage of personal information overseas will be expressly made exempt from the requirements of APP 8.
Authors: Andrew Hii and Sophie Bogard