Europe’s US-EU Safe Harbor Framework appears straightforward: EU companies can send personal data to United States companies who self-certify compliance with certain privacy standards.

However, the Advocate General (AG) of the Court of Justice of the European Union suggests that it should not be that simple. In light of a challenge to Facebook’s transfer of European personal data to the United States, the AG recommends the Court invalidate the Framework.

Its reasoning is that the “mass indiscriminate surveillance” of data in the US interferes with fundamental personal rights recognised in Europe.

By contrast, Australia’s privacy regime has always maintained that no overseas regime is inherently safe; organisations must be aware of the risks of transferring personal information to any overseas jurisdiction.

Austrian student Max Schrems’ action about Facebook data transfers is (rather ironically) not personal. It is a ‘model’ case designed to highlight broader trends in data mining and data access in foreign jurisdictions like the US. That data is often personal information.

The Advocate General’s Opinion released on 23 September 2015 urges the Court of Justice of the European Union to invalidate the US-EU Safe Harbor Framework.

The AG is critical of the Framework’s broad national security exception, which permits personal data to be disclosed to US law enforcement agencies.

The AG argues that the ability of such agencies to access information stored by Facebook US allows for secretive and broad access to EU personal data, without an independent control mechanism to prevent privacy breaches.

It also interferes with the right of EU citizens to private life, recognised by the Charter of Fundamental Rights of the EU.

While the AG’s Opinion is a recommendation and not binding on the Court, the Court is expected to make its decision by the end of this year.

What is Australia’s overseas data transfer framework?

Australia’s privacy regime differs from Europe’s in that it can’t be challenged on the basis of a human rights instrument. Nevertheless, Australian privacy laws do protect a number of the same rights and freedoms as in Europe.

Under the Privacy Act, an Australian organisation that discloses personal information to an overseas recipient must take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles (APPs), and will be accountable for any such breach. [1]

However, this doesn’t apply if the Australian organisation reasonably believes the recipient is subject to a law or binding scheme imposing privacy protections that are substantially similar to the APPs.

It also doesn’t apply where the individual gives informed consent to the disclosure and to the Australian organisation not being accountable for the acts of the overseas recipient.

Most overseas data transfers will amount to a ‘disclosure’ of personal information and be subject to APP 8. However, if there is only a ‘use’ of personal information (where the organisation retains effective control over the information), APP 8 will not apply. [2]

Compliance steps to take when disclosing to an overseas recipient

Due diligence and a carefully-drafted contract are your best tools for protecting yourself and ensuring you comply with the APPs.

  1. Due diligence: Start with a thorough review of the recipient’s operations and data security processes, and consider the local privacy laws. This will enable you to assess their privacy processes and risks regarding data security and business continuity. When looking into cloud computing solutions, the BSA Global Cloud Computing Scorecard [3] gives a snapshot of each country’s relevant privacy and data laws.
  2. Contract: Pursue a strong privacy clause in your contract that requires the recipient to comply with the relevant aspects of Australian privacy laws, and your privacy policies and directions. Seek appropriate warranties and indemnities around the recipient’s treatment of personal information. Get legal advice on the contract!

Information transfers from Australia to the US

Data surveillance laws in the US that concerned the AG in the Schrems case do not (yet) impact an Australian organisation’s ability to disclose personal information to the US.

Where an overseas recipient does something with personal information that is required by an applicable foreign law – in the US context, the USA PATRIOT Act [4] can require a US company to disclose personal information to the US government – this will not breach the APPs. [5]

However, you should inform your customers that you may transfer their data to the US in your Privacy Policy and APP 5 privacy collection notice.

More focus on overseas data transfers

The Schrems case will potentially have a significant impact on the Framework and the ability of US companies to import personal data from the EU. Whatever the result, its outcome will heighten privacy awareness globally, and perhaps trigger a reassessment of privacy risks with overseas data transfers.

Given the growing focus on this area, be aware of the legal frameworks in jurisdictions to which you transfer (and from which you collect) data.

Now is also the time to assess just how effective your contracts and other protections are in meeting your obligations under Australian privacy laws.