The volume of personal information collected has increased exponentially in recent years due to advances in technology and the ways individuals interact. Australian legislation has caught up to this trend, introducing a ‘new broom’ in this space – in the same way as the Safe Harbour provisions have in European Union privacy laws. Sweeping changes to the Privacy Act 1988 (Cth) (Privacy Act) took effect on 12 March 2014. One important feature of these changes is the protection of personal information that is transferred to overseas third parties.
Under the new Australian Privacy Priciple (APP) regime, APP 8 (‘cross-border disclosure of personal information’) places the onus on the business collecting personal information. In particular, they must ensure that an overseas entity to whom it discloses personal information complies with the APPs.
There are some important exemptions to APP 8, including that it does not apply if the disclosing entity:
The Australian Privacy Commissioner has stated that an approved ‘white’ list containing the countries with substantially similar privacy laws will not be issued. This places the onus on businesses to take reasonable steps to ensure that the overseas entity is subject to substantially similar privacy laws.
even if it is an administrative burden to do so.
These cross border changes to the privacy regime are particularly relevant to global businesses, including those that use servers overseas and cloud based technology for storing personal information.
Those business should take the broom out of the closet and sweep up the following tasks:
Australia must ensure data sent overseas is protected to the same extent as if it were to remain in Australia, including compliance with the APPs. When working with a vendor to manage data overseas, businesses need to ensure this responsibility is taken seriously by that vendor, via both contractual means and through active monitoring of the engagement. This ‘new broom’ ushers in a brave new world for Australian privacy laws and a new paradigm of borderless accountability.
Posted on: 25 March 2014