Impact of “BREXIT” on Australia’s cross-border data transfer laws

Impact of “BREXIT” on Australia’s cross-border data transfer laws

Impact of “BREXIT” on Australia’s cross-border data transfer laws

The cross-border transfer of personal information from Australia is regulated by Australia’s data protection laws, most relevantly Australian Privacy Principle 8.  At present, an entity in Australia can be reasonably confident that the transfer of personal information to a recipient in Britain will be lawful and will not give rise to liability on the part of the Australian entity if the recipient in Britain mishandles that information.  This is because Britain’s data protection laws, which implement the EU’s data protection requirements,1 are generally considered to be “substantially similar” to the Australian Privacy Principles (APPs).  

The outcome of the “Brexit” referendum, which was conducted on 23 June 2016, was majority support for Britain to leave the EU.  Whilst that result is not binding, the new government has expressed a commitment to implement it.  Precisely how Britain’s exit from the EU will manifest itself, the terms on which that will occur, and over what time frame, are uncertain.  Nevertheless, it is necessary for non-European countries to begin assessing the potential ramifications of a “Brexit”, including the possible impact it may have on the cross-border transfer of personal information to and from Britain.

If Britain does leave the EU, it may no longer be required to maintain data protection laws which are consistent with the EU’s data protection requirements.  Whilst there is every incentive for Britain to do so, it can no longer be simply assumed that it will.  The practical effect may be the same, but the paradigm is different. 

The constraints attaching to the collection within Australia of personal information transferred from Britain are likely to remain unaffected.

Cross-border transfer of personal information from Australia 

The principal constraints attaching to the overseas transmission of personal information from Australia are contained within the Privacy Act 1988 (Cth) (Act).  Restrictions are also contained in some Australian state and territory legislation, to similar effect. 

Schedule 1 to the Act comprises the APPs.  APP 8 deals with the cross-border disclosure of personal information.  Of particular relevance is APP 8.2(a)(i), which effectively excuses an Australian-based exporter of personal information from liability for the mishandling of that information by the overseas recipient, if the Australian entity “reasonably believes that…the recipient…is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information“. 

The Office of the Australian Information Commissioner does not publish a list of countries with privacy laws considered to be “substantially similar” to the APPs for the purposes of APP 8.

“Substantial similarity” of Britain’s current data protection laws

Britain enacted the Data Protection Act 1998 in order to bring its data protection laws into conformity with the European Union’s Directive 95/46/EC entitled “Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data” (EU Directive).

It can be assumed that European countries with privacy laws implemented pursuant to the EU Directive, including Britain, satisfy the necessary threshold under APP 8.2(a)(i) of being “substantially similar” to the APPs. 

This was assumed, for example, by the Australian Information Commissioner’s determination in ‘HW‘ and Freelancer International Pty Limited [2015] A1Cmr 86 (18 December 2015), even though the law of Poland (not Britain) was under consideration and it was ultimately unnecessary for the point to be decided.

As a consequence, an Australian-based entity transmitting personal information to Britain can at present confidently rely upon APP 8.2(a)(i). 

Foreshadowed changes to the EU’s data protection laws

The EU Directive will be replaced on 25 May 2018 by the “General Data Protection Regulation” (Regulation).  

An agreement on the Regulation was finally reached on 15 December 2015 between the EU Council, the European Parliament and the European Commission.  A confirmation vote occurred at the European Parliament’s Civil Liberties Committee on 17 December 2015.  The legislation entered into force on 24 May 2016 and will take effect after two years on 25 May 2018.

EU member states will be required to pass new domestic data protection laws which are consistent with the Regulation’s more stringent data protection requirements, including obligations relating to mandatory data breach reporting and the concept of the so-called “right to be forgotten”.  

These new laws are expected to continue to satisfy the necessary threshold under APP 8.2(a)(i) of being “substantially similar” to the APPs.

In the event of “Brexit”, and subject to the terms on which that occurs, Britain may be free from its obligations as a member of the EU when legislating in relation to privacy and data protection.  Assuming Britain is not required to maintain laws which are consistent with the EU’s data protection requirements, it is unclear whether Britain will choose to pass new laws which are nevertheless consistent with the Regulation, maintain its existing laws which are consistent with the EU Directive, or wind back its laws such that they become inconsistent with both the EU Directive and Regulation.  

There will, however, be every incentive for Britain to maintain legislation which is consistent with the EU’s data protection requirements, because EU members will continue to be subject to a requirement that personal data can only be transferred to non-member countries if the non-member countries can ensure “an adequate level of protection essentially equivalent to that ensured within the Union“.

Impact of Brexit on the collection of personal information from overseas sources

Whilst the Act does not expressly regulate the “importation” into Australia of personal information from overseas sources, such importation by Australian-based entities must comply with the various conditions set out in the APPs attaching to the collection of personal information in the same way that those conditions apply to the collection of personal information from sources within Australia.

It is also relevant to consider the position from the perspective of overseas-based data exporters.  Many overseas countries have their own “substantially similar law” requirements.  These countries will accordingly continuously assess the “adequacy” of Australia’s privacy and data protection laws when compared against their own.  

Relevantly, Australia’s laws have in the past been found to be “inadequate” from a European perspective.  

On 26 January 2001, the European “Article 29 Working Party” issued its “Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector)” and concluded that data transfers from European countries to Australia could not be regarded as “adequate” under the laws in force in Australia.  

Key concerns included Australia’s small business exemption (under which, subject to limited exceptions, a small businesses with an annual turnover of less than $3 million does not have to comply with the APPs) and Australia’s employee data exemption (under which a private sector employer does not have to comply with the APPs in relation to employee records).  

Although the Act was subsequently substantially revamped by amendments which came into effect in 2014, it is likely that Australia’s data protection laws remain “inadequate” from a European perspective, because the above key exemptions of concern remain in place today.  

As a result, unless the “adequacy” requirement is removed from Britain’s data protection laws (which is improbable) or (even less probably) Britain introduces its own small business and/or employee data exemptions, Australia’s data protection laws will most likely continue to be considered “inadequate” regardless of what (if any) post-Brexit amendments are made to the UK’s data protection laws.

Accordingly, as a result of the likely ongoing “inadequacy” of Australia’s laws, entities in Britain will likely need to continue to obtain consent before they transfer to recipients in Australia any personal information which is subject to Britain’s data protection laws.


End notes

  1. The EU’s data protection requirements are currently set out in the EU Data Protection Directive and will in the future be reflected in the General Data Protection Regulation.
Previous article Recent data protection developments in Australia Next article Technology, media and telecommunications law update – June 2016