Federal Register of Legislation - Australian Government


A Bill for an Act to protect jobs in Australia by preventing the transfer of personal information to other countries without consent, and for related purposes
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 27 Oct 2009
Introduced Senate 26 Oct 2009

 

2008‑2009

The Parliament of the Commonwealth of Australia

THE SENATE

Presented and read a first time

Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009

No.      , 2009

(Senator Fielding)

 

 

 


Contents

Part 1—Preliminary

1  Short title

2  Commencement

3  Objects

4  Interpretation of this Act

Part 2—Consent to transfer personal information

5  Consent requirements for the transfer of personal information

6  Countries certified as having adequate protection

7  Countries not certified as having adequate protection

8  Consent decision not to affect business relationship

9  Certification of privacy protections

Part 3—Call centre disclosure requirements

10  Call centre disclosure requirements

11  Foreign call centre

Part 4—Interaction with Privacy Law

12  Interaction with Privacy Law

13  Interference with privacy

Part 5—Interaction with Trade Practices Law

14  Interaction with Trade Practices Law

15  Intentional breach of consent condition

Part 6—Miscellaneous

16  Regulations
 


A Bill for an Act to protect jobs in Australia by preventing the transfer of personal information to other countries without consent, and for related purposes

The Parliament of Australia enacts:

Part 1—Preliminary

1  Short title

                   This Act may be cited as the Keeping Jobs from Going Offshore (Protection of Personal Information) Act 2009.

2  Commencement

                   This Act commences on the day after it receives the Royal Assent.

3  Objects

                   The objects of this Act are:

                     (a)  to ensure that personal information held by businesses in Australia is not transferred overseas without the informed consent of the individual to whom the information relates; and

                     (b)  to protect employment in Australia by reducing the outsourcing of customer service and call centre jobs overseas.

4  Interpretation of this Act

             (1)  In this Act:

interference with the privacy of an individual has the meaning given by the Privacy Act, affected by section 13 of this Act.

mandatory industry code has the meaning given by the Trade Practices Act, affected by section 15 of this Act.

organisation has the meaning given by section 6C of the Privacy Act.

personal information has the meaning given by section 6 of the Privacy Act, affected by subsection (2).

Privacy Act means the Privacy Act 1988.

Privacy Law includes:

                     (a)  the Privacy Act;

                     (b)  the Information Privacy Principles and National Privacy Principles set out in that Act;

                     (c)  any approved privacy code, Code of Conduct or industry standard agreed, made or authorised under that Act;

                     (d)  any guidelines or regulations made under that Act.

telecommunications network has the meaning given by section 7 of the Telecommunications Act 1997.

telemarketing call has the meaning given by section 5 of the Do Not Call Register Act 2006.

Trade Practices Act means the Trade Practices Act 1974.

Trade Practices Law includes:

                     (a)  the Trade Practices Act;

                     (b)  any industry code made or authorised under that Act;

                     (c)  any guidelines made under that Act;

                     (d)  any regulations made under that Act.

transfer, in relation to personal information, means communicate, send, trade or republish that information by any means whatsoever, including by transmitting the information over a telecommunications network from a source located in Australia or an external Territory so that it can be accessed by a person in a foreign location.

voice call has the meaning given by section 4 of the Do Not Call Register Act 2006.

             (2)  Personal information held by an organisation in relation to an individual includes, but is not restricted to:

                     (a)  personal identifiers, including:

                              (i)  any name by which the individual is or has been known, including any family name;

                             (ii)  date of birth;

                            (iii)  mother’s maiden name;

                     (b)  secondary identifiers, including:

                              (i)  street address, postal address or post‑office box number;

                             (ii)  phone number;

                            (iii)  e‑mail address;

                            (iv)  driver’s licence number;

                             (v)  tax file number;

                            (vi)  medicare number;

                     (c)  any identifying information allocated by an organisation, or by any third party, including any customer identification number or code;

                     (d)  financial information, including:

                              (i)  credit card details;

                             (ii)  bank account details;

                            (iii)  details of any financial transaction;

                     (e)  medical records;

                      (f)  passwords;

                     (g)  any information relating to any business transaction between the individual and the organisation or any third party.

             (3)  Unless the contrary intention appears, any other term used in this Act which is defined in the Privacy Act 1988 has the meaning given in that Act.

Part 2—Consent to transfer personal information

5  Consent requirements for the transfer of personal information

             (1)  An organisation in Australia or an external Territory (the transferring organisation) must not transfer personal information about an individual to an organisation in a foreign country (the receiving organisation) unless the requirements of this Part have been met.

             (2)  To avoid doubt, subsection (1) applies in each of the following cases:

                     (a)  where there is no connection between the two organisations;

                     (b)  where the receiving organisation is a part, however described, of the transferring organisation;

                     (c)  where the receiving organisation is an associated entity, or a part of an associated entity, of the transferring organisation;

                     (d)  where the receiving organisation is performing any function under contract to the transferring organisation.

             (3)  To avoid doubt, the requirements of this Part apply in addition to the requirements of National Privacy Principle 9.

6  Countries certified as having adequate protection

                   If the receiving organisation is located in a country that is certified as having adequate privacy protections, the transferring organisation may transfer personal information about an individual to the receiving organisation only if:

                     (a)  the transferring organisation has informed the individual of the intention to transfer personal information; and

                     (b)  the individual has not objected to the transfer.

7  Countries not certified as having adequate protection

                   If the receiving organisation is located in a country that is not certified as having adequate privacy protections, the transferring organisation may transfer personal information about an individual to the receiving organisation only if:

                     (a)  the transferring organisation has specifically informed the individual, in writing, of:

                              (i)  the intention to transfer information to a country that is not certified as having adequate privacy protections; and

                             (ii)  the content of the information proposed to be transferred; and

                            (iii)  the purpose of transferring the information; and

                            (iv)  the identity of the receiving organisation or organisations; and

                     (b)  the individual has consented to the transfer, in writing, not more than 12 months prior to the transfer of the information.

8  Consent decision not to affect business relationship

                   An organisation must not:

                     (a)  deny the provision of goods or services to an individual; or

                     (b)  change the terms of a business relationship with an individual; or

                     (c)  refuse to enter into a business relationship with an individual;

based upon that individual’s decision whether or not to consent to the transfer of personal information under this Act.

9  Certification of privacy protections

             (1)  The Minister may certify that a country has adequate privacy protections, if the Minister is satisfied that the law of the country effectively upholds principles for the fair handling of information that are substantially similar to the National Privacy Principles.

             (2)  In determining whether to certify a country in accordance with subsection (1), the Minister may seek the advice of the Office of the Privacy Commissioner.

             (3)  The Minister must, from time to time, publish a list of the countries that have been certified in accordance with subsection (1).

Part 3—Call centre disclosure requirements

10  Call centre disclosure requirements

             (1)  If a person makes a voice call to an organisation, and that call is answered by, or transferred to, a foreign call centre, the person responding to the call must identify the city and country in which the call centre is located.

             (2)  If a person receives a telemarketing call from or on behalf of an organisation, which originates from a foreign call centre, the person initiating the call must identify the city and country in which the call centre is located.

             (3)  For the purposes of this section, a voice call to any telephone number related to, or advertised in any medium as being related to, an organisation is a voice call to that organisation, unless the contrary is proved.

11  Foreign call centre

                   For the purposes of this Part an organisation is a foreign call centre for another organisation if:

                     (a)  the first organisation makes, receives or deals with voice calls for or on behalf of the second organisation; and

                     (b)  the first organisation meets the definition of receiving organisation in relation to the second organisation for the purposes of section 5.

Part 4—Interaction with Privacy Law

12  Interaction with Privacy Law

             (1)  This Act is intended to supplement the Privacy Law to enhance the protection afforded personal information, particularly in relation to transborder data flows.

             (2)  Nothing in this Act removes or reduces any obligation placed on any individual or organisation by the Privacy Law.

13  Interference with privacy

             (1)  For the purposes of the Privacy Law, an act or practice that effects a transfer of personal information about an individual in contravention of section 5 is an interference with the privacy of the individual.

             (2)  An act or practice that may be an interference with the privacy of an individual because of this section may be dealt with in accordance with Parts V and VI of the Privacy Act.

Note:          Parts V and VI of the Privacy Act deal with complaints; investigations by the Privacy Commissioner and others; determinations, including entitlement to compensation; and enforcement.

Part 5—Interaction with Trade Practices Law

14  Interaction with Trade Practices Law

             (1)  This Act is intended to supplement the Trade Practices Law to enhance consumer protection in relation to the fair handling of personal information.

             (2)  Nothing in this Act removes or reduces any obligation placed on any individual or organisation by the Trade Practices Law.

15  Intentional breach of consent condition

             (1)  For the purposes of the Trade Practices Law, an organisation that:

                     (a)  intentionally effects a transfer of personal information about an individual in contravention of section 5; or

                     (b)  takes any action in contravention of section 8; or

                     (c)  fails to make a disclosure required by section 10;

is taken to have contravened a mandatory industry code.

             (2)  An organisation that is taken to have contravened a mandatory industry code because of this section may be dealt with in accordance with Part VI of the Trade Practices Act.

Note:          Part VI of the Trade Practices Act deals with enforcement and remedies.

             (3)  This section has effect only in relation to organisations which are corporations within the meaning of section 4 of the Trade Practices Act.

Part 6—Miscellaneous

16  Regulations

                   The Governor‑General may make regulations prescribing matters:

                     (a)  required or permitted by this Act to be prescribed; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.