Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey and Uruguay and the United States’ Safe Harbor scheme
Friday, December 28, 2012
Australian privacy law adequacy under EU directive?
Just before Christmas the European Commission formally recognised the adequacy of personal data protection in New Zealand, opening the way for increased trade with the European Union. The NZ Office of the Privacy Commissioner (OPC) has been working for more than 10 years towards this outcome.
The EU’s 1995 Data Protection Directive states that personal data can be transferred to countries outside the EU and the European Economic Area only when an adequate level of protection is guaranteed.
The Media Release announcing New Zealand adequacy listed other countries recognised by the EU as providing adequate protection:
For years it's been said here there had been no ruling, that the EU had not granted Australia ‘adequacy status’ nor stated that Australia’s privacy regime was inadequate.
Maybe simply too much Ho, Ho, Ho at this time of the year in Brussels?
There is no reference to recognition of Australian adequacy on the OAIC website.
While changes to the Privacy Act in 2004 and some of the recent amendments (still a long way from coming into force in May 2014) may have helped the cause, inadequacies cited in the ALRC 2008 report that have not been addressed include the small business and employee records exemptions and, in the context of cross-border data flows, the development and publication of a list of laws and binding schemes that effectively uphold principles for the fair handling of personal information.
Elsewhere in EU published material is this reference to an agreement between the EU and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service.
But no published opinion about the adequacy of Australia's privacy law along the lines of that issued for New Zealand and others.