GDPR Australia: When can EU personal data be transferred to Australia?


The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. To help you ensure that you are GDPR compliant, we are offering a series of articles responding to some key questions you might have about the GDPR. For a general overview of the GDPR and whether it might apply to your organisation, see https://www.compliancequarter.com.au/understanding-gdpr-opportunities-risks/. You should also check out the comprehensive resource created by the Office of the Australian Information Commissioner at https://oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation.

Today we ask: When can personal data of EU origin be transferred to an organisation based in Australia?

We divide the justifications the GDPR provides for transfers to any other country into four distinct categories: adequacy, appropriate safeguards, derogations and other. We consider each in turn.

Adequacy

Personal data can be transferred to any country that has been judged ‘adequate’ under Article 45(1) of the GDPR (henceforth all Article references are to the GDPR). This includes New Zealand but does not include Australia. Therefore, personal data cannot be transferred to Australia on this ground.[1]

Appropriate safeguards

Personal data can be transferred to a controller or processor outside the EU provided that the receiving organisation has appropriate safeguards in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (see Art 46(1)).

Appropriate safeguards under the GDPR include:

  • Legal instrument. A legally binding and enforceable instrument between public authorities or bodies. There is no such instrument in place between the EU and Australia at this time.
  • Binding Corporate Rules (BCR). Under Art 47, BCR are a mechanism that permits multinational corporations, international organisations and corporate groups to transfer personal data across borders, but only within the broader organisation. They must be approved by a relevant data protection authority (such as the United Kingdom’s Information Commissioner).
  • Standard data protection clauses. These are clauses adopted by the European Commission (Commission), or by a data protection authority, in accordance with Art 93(2), which an organisation can incorporate into its contract with a data supplier.

Thus far, the Commission has not adopted any standard clauses under this power within the GDPR. However, standard clauses (sometimes called ‘model’ clauses) developed under the existing EU Data Protection Directive can still be relied on in accordance with Art 46(5).[2]

Note, however, that there is some disagreement as to whether the standard clauses developed under the old Directive are fully GDPR compliant.[3] Any organisation seeking to rely on these clauses must ensure that they will protect personal data in full compliance with the GDPR.

  • Approved code of conduct. Industries can develop a code of conduct for their sector which is approved by data protection authorities under Art 40. Organisations can make binding commitments to these codes (where they exist), together with the associated GDPR protections, in order to fulfil their obligations under the GDPR.
  • Certification mechanism. This mechanism, developed under Art 42, allows data protection authorities to set up certification processes to approve specific processors and controllers. Australian organisations should check whether the data supplier’s member state has such a certification mechanism in place.
  • Specifically approved contractual clauses. Under Art 46(3), the data protection authority in a jurisdiction may approve specific contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation.
  • Specifically approved administrative provisions. Under Art 46(3), these can be inserted into administrative arrangements between public authorities or bodies, and must include enforceable and effective data subject rights. There are no such provisions between the EU and Australia.

Derogations

Even if the conditions specified in the first two categories (adequacy and appropriate safeguards) are not met, a transfer to Australia may still take place in accordance with the GDPR. This category, set out in Art 49, applies where the circumstances mean that a ‘derogation’ from the usual rules is acceptable. It can be used where:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Other

Under Art 49(1), if none of the derogation conditions above is met, a transfer may take place only if all of the following conditions are met:

  • the transfer is not repetitive;
  • the transfer concerns only a limited number of data subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and
  • the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.

Note: this article is general in nature and does not constitute legal advice. If you need specific assistance in order to comply with the GDPR in Australia, please get in touch with us.

[1] For a list of the countries that have been judged ‘adequate’, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.

[2] For the applicable standard contractual clauses, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

[3] See www.bdkadvokati.com/blogs/data-protection-and-privacy/transfer/985-standard-contractual-clauses-challenged-by-gdpr-and-scrutinized-by-cjeu.
