AHLIN, Mr Sam, Principal Legal Officer, Business and Information Law Branch, Attorney-General's Department

GLENN, Mr Richard Alexander, Assistant Secretary, Business and Information Law Branch, Attorney-General's Department

MINIHAN, Mr Colin, Principal Legal Officer, Business and Information Law Branch, Attorney-General's Department


CHAIR: I welcome the representatives from the Attorney-General's Department. Mr Glenn, would you like to make an opening statement before we go to questions?

Mr Glenn: No.

CHAIR: Did you hear the teleconference with the Office of the Australian Information Commissioner?

Mr Glenn: Yes, we did.

CHAIR: We might go straight to cross-border disclosure. I asked the two previous witnesses whether cross-border compliance is unreasonably burdensome and about the cost versus the convenient flow of information, and then about the submissions from Salmat, ABA and Foxtel, about their being in breach for disclosing personal information. Could you tell us about your negotiations with stakeholders about APP 8 and about the balance between privacy protection and workability and whether that would leave entities that frequently transfer information overseas subject to danger of being guilty of a breach—banks are the obvious one, but there are lots of them.

Mr Glenn: There are a couple of issues in it, so I will try and unpack that along the way.

CHAIR: We should state that we provided the general topics earlier.

Mr Glenn: Perhaps the easiest way into this is to think a little bit theoretically about cross-border data flows, which are important aspects of the international economy and certainly for lots of businesses in Australia. Internationally, there are two main schools of thought as to how you deal with the issue of cross-border data flows. There is the adequacy model, which is generally thought of as the European Union model—it is very strongly advocated by the European Union. That regulation basically says that if the country to which you are disclosing the information or if the person to whom you are disclosing the information in the other country is subject to a law that is adequate you may do so. The Europeans tend to say: 'adequacy equals you have a law that looks like ours'. That is a very strict system and has impacts on the way—

CHAIR: It is a very European attitude too.

Mr Glenn: And it has impacts on the way the global businesses structure themselves. I think Facebook have their servers in Ireland so they can locate them in the EU which deals with some of the transborder data flows for European customers. The other school of thought broadly along the lines of that developed by APEC and the OECD is the accountability model. That says the critical point to think about in transborder data flows is to make sure that someone is accountable for what happens to information once it has gone offshore. The APP 8 implementation that we have here is based on the accountability model which was at a principal level where the ALRC landed as well. So what we have in APP 8 is a situation that says cross-border data flows are not prohibited but there are some steps any entity needs to take if it wants to send information offshore and there are circumstances in which the entity will remain accountable for what happens to that information. Then there are some circumstances if particular processes are put in place that the entity can shift the accountability to the recipient. All of that is designed in a broad policy sense to make sure that the individual whose information is being moved has some recourse in the event that something goes wrong and their information is unlawfully dealt with or unlawfully released.

So the APP 8 says that what you must do before you send information offshore is to take reasonable steps to make sure that the recipient will not breach an Australian privacy principle. Typically we imagine that would be done through contract, that is really people's business relationship saying, 'I have some information, I am going to give it to you. Let's have an agreed statement about how you will deal with the information that I provide you.' Everyone can do that and, if you just do that, then accountability is retained by the disclosing party—the Australian business in this case.

If the disclosing party wants to take the next step and say, 'I want to move accountability away from me to the recipient,' then there are some things that entity can do. Firstly, by consent of the individual, accountability can shift but it is probably more typical if the entity is disclosing information to a recipient who is subject to a substantially similar privacy regime—it could be law or a binding scheme. Then accountability can shift. Equally there are some rules around international agreements, agencies and those sorts of things to be able to exchange information. If you conceive of that as the basic policy framework for this type of flow, we say, firstly, that there is no prohibition on this activity—this is facilitative—and, secondly, we think this strikes the appropriate balance to be able to ensure that individuals whose information is moving have recourse to someone to have their complaint investigated and the issues dealt with, be that the disclosing entity or—if accountability has been shifted—the recipient.

Mr NEUMANN: We do not think that is unreasonably burdensome but we have had some issues, as the chair was saying. That is because you talk about practical consequences, there being contractual arrangements involved. I think that is what is referred to in their submissions to us. The consequences are that they then have their employees deal with other employees and draft up contracts and get agreements. Time is money. That is what they are saying.

CHAIR: It might also be an argument that some of the other countries pay lower award wages than Australia. There might be reasons for using employees in other countries.

Mr Glenn: I suppose we do not necessarily say anything about the business choice that the business might be making, but we want to make sure that in that situation the information is given adequate protection.

CHAIR: That would be by a contract in some circumstances?

Mr Glenn: In the current environment entities are essentially obliged to take reasonable steps to ensure that information is protected and typically that is done contractually.

Often these are very significant deals that people are making, either to offshore processing or to have their information dealt with by servers offshore or whatever. We are not, typically, in the environment of small, bespoke deals; we are talking about significant exercises for entities. It is part of the broader structural business process to be able to deal with these types of issues.

Ms ROWLAND: I was involved in a lot of this when I was practising. It is even within multinational companies that you would need to have some sort of contractual basis for sending personal information to the mother company within the entity. So it certainly was not something that was unusual. With the requirement to have essentially a privacy statement, if I am a customer of a bank I cannot negotiate that privacy statement. Essentially they are telling me how they collect, use and disclose my personal information. I do not have any visibility over these contracts—my information is being sent, outsourced to another country. If there is a data breach, how am I going to enforce any rights that I have? I will need to complain to the Australian subsidiary. But in their contract they have limited their liability to someone else. You can see my point. The ordinary consumer might be quite frustrated that they actually do not have any control over the use of information. I am sure you will agree, too, that it becomes even more complicated with social media and where servers of Google and Facebook are located. What does the department say in those situations?

Mr Glenn: On the first part of that point, which is about what can consumers know and what can they be informed about, the new Australian Privacy Principles have obligations to create privacy statements, which is in fact a new feature for the regime. The principle talks about the types of things that need to be included in that statement. Amongst those is information about the countries, typically, to which information could be sent by the entity with which they are doing business. A lot of this is about trying to build consumer awareness about what happens to my information once I have given it to this body, be it a social media organisation, a bank or whatever—what happens to my information, where it might go and where I could go to seek redress.

On the accountability model, if accountability has not been shifted then the individual is entitled to approach the Privacy Commissioner. If accountability has been shifted then one of the bases for shifting that—one of the scenarios we were talking about—is that there is an adequate mechanism for that person to approach to seek redress. That could be through the Privacy Commissioner in Australia in the first instance or it could be direct to some other body, which would need to be, I think—I will probably be corrected if I am wrong—identified in the privacy statement in the beginning. The requirement is that there are mechanisms that the individual can access to take action or to enforce the protection of the law or of the binding scheme in the shifted accountability situation. We are trying to build that process in to make sure that there are always opportunities for the individual to be able to access redress.

Mr Minihan: That is why accountability does not transfer because there is a contract in place. So your point is exactly on the topic: as a consumer I have no control over that contract and I cannot enforce that contract—it is through the doctrine of privity of contract. So while a contract will be required just to put in place accountability, that will not transfer accountability because I cannot enforce the contract between the two commercial parties.

Ms ROWLAND: Of course.

Mrs MOYLAN: The chair and I heard from one of the banks yesterday, but also the Australian Bankers Association submission suggests that the definition of Australian law should be extended to include applicable overseas law or a government agreement that is binding on the organisation as under the current proposal entities may be in breach of the APPs through providing information that they are required to provide under foreign laws, such as the US Foreign Account Tax Compliance Act.

And added to that, if I might mix it up a little bit, the banks are also saying that they quite often have major international links and they may have subsidiaries in other countries. This is going to cause considerable difficulties, they believe. I wonder would you like to address those two—

Mr Glenn: There are two issues there. One is the idea of Australian law versus foreign law providing authority to do things without breaching the privacy principles. That, effectively, is a conflict of laws situation which exists now, not just in the privacy world but across the board, particularly for entities that do business internationally. The approach we have taken is to say within the Australian privacy principles that, if an Australian law requires or authorises something to be done, complying with that law does not breach the Australian privacy principle. That is the standard setting which exists now in the current Privacy Act. It does not say 'Australian law'; it says 'law', but it has always been interpreted as Australian law.

The difficulty with taking an approach which says that a foreign law could also provide that authorisation is that it means the content of Australia's privacy law is determined by overseas parliaments and that is a tremendously difficult thing because then it becomes completely uncertain for anyone what Australian law actually represents. We understand there are a series of analogous issues which go to this conflict of law question which are being worked through. I suspect the question is much broader and the answer necessarily will be much broader than just the privacy context. One thing that we have heard from the Australian Bankers Association, for example, is that there are US laws and other obligations that potentially conflict with their Australian privacy obligations. They have also mentioned that there are obligations placed by Australian regulators which potentially put them in breach of other obligations they might have in other countries. So it cuts both ways.

Mrs MOYLAN: Are they government concerns?

Mr Glenn: I think these are challenges that are faced by global businesses generally. They are valid concerns and they do need to be worked through. The point I want to make is that one suggestion we have heard from some of the banks is simply to take the approach, 'Let's just make it any foreign law for the privacy regime.' That creates incredible uncertainty and outsources the lawmaking process to other countries. One thing we have said we would work with the Australian Bankers Association to do is to identify the particular points at which their overseas obligations interact with their Australian obligations and to see how we can deal with those as specific issues. There are mechanisms to do that. Somewhere in Australian banking regulation, for example, there is an authority to say we cooperate with our American colleagues and it is okay for you to do so, in which case it is in Australian law saying that you can deal with the information in that way, which then complies with the APPs. Of course there are other processes available to the Privacy Commissioner to issue what are called public interest determinations, which effectively say that if there is a circumstance that would, as a matter of law, be a breach of privacy but there are grounds to say that it is an appropriate thing to occur, then the commissioner can issue a public interest determination to facilitate that activity.

CHAIR: Is it for an entity or a sector, or can it be either?

Mr Glenn: I think it could be either—I will check that. They can be very broad because they can be talking about a particular set of activities. One which has been used for some time is around the collection of health information from third parties, which is about taking a family history. That is directed at the entire medical profession.

CHAIR: A similar one might be mortgage re-insurance. Say a mortgage insurance company came to you. They are not a credit provider. Obviously they provide insurance to most of the big four and they are not entitled to information.

Mr Glenn: We have had representations from the lenders' mortgage insurers as well, and what we have done is craft a provision, which appears in the bill, which enables credit providers to pass credit information to their mortgage insurers. So we are saying that credit providers are entitled to all this information because they are assessing whether their customer is entitled to credit. The mortgage insurer stands behind them and so we say, 'That is fair enough; you should be able to pass that information to your mortgage insurer,' so that you do not end up with an information asymmetry between those two parties.

CHAIR: We do not want the cost of the mortgage to go up because—

Mr Glenn: Yes. That is how we have tried to address that issue.

CHAIR: Right. I was not aware of that change.

Mr Glenn: Deputy chair, there was a second limb to your question.

Mrs MOYLAN: Yes, it was about the subsidiary organisations.

Mr Glenn: That goes to the question of Australian link, which is a concept that is used across the bill but in particular in relation to the credit reporting provisions. It was designed as a mechanism to deal with cross-border data flows just of credit information. The policy goal is to ensure that Australian credit information does not leak out of the Australian system into foreign credit systems.

Mrs MOYLAN: So it is about the integrity within the individual organisation's system.

Mr Glenn: That is right. And, equally, foreign credit information does not start to be included in the domestic credit reporting system. What we are hearing from the banks is that the way in which we have done that does not match their business models and that, because they have subsidiaries, the existing means to facilitate the exchange of information will not work. So we are having discussions with the banks now as to how to adjust the process, because what we are about is ensuring the integrity of the credit reporting system not about interfering with the business models that are used by banks. So we are having discussions with the banks as to how to adjust that, and there are a couple of models that we are discussing.

Mrs MOYLAN: Thank you very much.

CHAIR: Thank you very much for appearing before us today. My understanding is that you will be able to provide us with some specific information through the questions on notice. We appreciate that. We will welcome any additional or supplementary submissions up until the close of business on Monday.

Resolved (on motion by Ms Rowland):

That this committee authorises publication, including publication on the parliamentary database, of the transcript of the evidence given before it at public hearing this day.

Committee adjourned at 10:47