Federal Register of Legislation - Australian Government

Primary content

Determinations/Other as made
This instrument repeals and replaces the Privacy (International Money Transfers) Public Interest Determination 2015 (No. 2).
Administered by: Attorney-General's
Registered 18 Feb 2020
Tabling HistoryDate
Tabled HR24-Feb-2020
Tabled Senate24-Feb-2020
To be repealed 17 Feb 2025
Repealed by Self Repealing

Explanatory Statement

Privacy (International Money Transfers) Public Interest Determination 2020 (No. 1), Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2) and Privacy (International Money Transfers) Generalising Determination 2020

Issued by the authority of the Australian Information Commissioner (the Commissioner) under the Privacy Act 1988 (Privacy Act).

This explanatory statement relates to the Privacy (International Money Transfers) Public Interest Determination 2020 (No. 1) (PID 2020-1), the Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2) (PID 2020-2) and the Privacy (International Money Transfers) Generalising Determination 2020 (GD 2020).

This explanatory statement fulfils the Commissioner’s obligations under subsection 15G(4) of the Legislative Instruments Act 2003 (the Legislative Instruments Act).

Authority for the making of the determinations

The Commissioner is empowered by subsection 72(2) of the Privacy Act to make PID 2020-1 and PID 2020-2. The Commissioner is also empowered by subsection 72(4) of the Privacy Act to make GD 2020.

The Commissioner may make a PID if satisfied that:

·         the act or practice that is the subject of an application under section 73 of the Privacy Act for a determination under section 72 of that Act breaches or may breach an Australian Privacy Principle (APP); and

·         the public interest in the entity doing the act or engaging in the practice substantially outweighs the public interest in adhering to the APP in question.

Purpose of the determinations

The purpose of PID 2020-1 and PID 2020-2 is to continue to permit the applicants, ANZ and the RBA (Applicants), to disclose the personal information of a beneficiary of an international money transfer (IMT) to an overseas financial institution when processing an IMT, without the Applicants breaching the APPs. The purpose of GD 2020 is to give PID 2020-1 general effect in relation to all other authorised deposit-taking institutions (ADIs) within the meaning of the Banking Act 1959. This has the effect of permitting other ADIs to disclose personal information of a beneficiary to an overseas financial institution when processing an IMT without breaching the APPs.

Furthermore, the PIDs and GD ensure that the Applicants (and all other ADIs) are not taken to have breached any other APP (other than APP 1) as a result of being held accountable for an act or practice of an overseas financial institution in relation to personal information disclosed when processing an IMT (in accordance with section 16C(2)), in circumstances where it is not practicable for them to take further steps to prevent such breaches.

These PIDs replace the following PIDs concerning IMTs that sunset on 25 February 2020:

1.      Privacy (International Money Transfers) Public Interest Determination 2015 (No. 1) (made under subsection 72(2) in respect of the ANZ)

2.      Privacy (International Money Transfers) Public Interest Determination 2015 (No. 2) (made under subsection 72(2) in respect of the RBA), and

3.      Privacy (International Money Transfers) Generalising Determination 2015 (made under subsection 72(4) that no other ADI is taken to contravene section 15 or 26A while that determination is in force).

 

The applications that the OAIC received from both the RBA and ANZ are substantially similar to those received previously in 2014 in relation to the PIDs listed above. While the new PIDs have been made on substantially the same terms, the Commissioner has also taken into account all relevant information in the applications as well as information received during consultation.

Applications for public interest determinations

Under subsection 73(1) of the Privacy Act, an APP entity may apply to the Commissioner for a determination under section 72 of that Act in relation to an act or practice of that entity. The Commissioner received two such applications:

1.      an application from the Reserve Bank of Australia (RBA) received on 2 December 2019, and

2.      an application from the Australia and New Zealand Banking Group Limited (ANZ) received on 5 December 2019.

The Applicants seek new PIDs to continue to permit ANZ—along with other authorised-deposit taking institutions within the meaning of the Banking Act 1959 (ADIs)—and the RBA to disclose the personal information of a beneficiary of an IMT to an overseas financial institution when processing an IMT without breaching the APPs.

The applications can be viewed on the Register of Public Interest Determinations on the Office of the Australian Information Commissioner’s website, https://www.oaic.gov.au/engage-with-us/consultations/applications-for-new-public-interest-determinations-regarding-international-money-transfers/consultation-paper/.

The Applicants raised concerns that, in the absence of a PID, they may breach APP 8.1 and other APPs (other than APP 1) as a result of being held accountable for an act or practice of an overseas financial institution in relation to personal information disclosed when processing an IMT.

The process for making an international money transfer

The applications outlined the IMT process.

An IMT is the term used for a payment made by a sender to a beneficiary outside Australia. The IMT process is usually initiated by the sender (an ADI customer) completing an IMT application form. To perform an IMT, it is mandatory for an ADI to disclose the personal information of the beneficiary of the IMT to an overseas financial institution. The personal information required to process an IMT will generally include the name and account information of the beneficiary. However, some overseas financial institutions require the ADI to provide further information, such as the account name, residential address of the beneficiary and additional details about the sender and beneficiary. Generally, this additional information is requested because of in-country regulatory requirements, anti-money laundering (AML) and counter-terrorism financing (CFT) requirements or to allow sanctions checks to be performed.

In their applications, the ANZ and the RBA advised that they each utilise a range of processes to effect an IMT which generally include the use of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. Alternatively, ANZ and other ADIs may transfer funds to an offshore branch or subsidiary that will then make a payment to the beneficiary’s financial institution within that jurisdiction.

The SWIFT network is a member-owned cooperative established in 1973. In their applications, ANZ and RBA noted that:

·         The SWIFT network is used by more than 10,000 financial institutions, securities institutions and corporate customers in over 200 countries.

·         The SWIFT network is a secure and highly confidential network, which facilitates the transfer of payments and other financial messages between SWIFT users.

·         High levels of confidentiality are imposed and security is reinforced through the encryption of messages.

·         SWIFT is also subject to a governance structure and publicly available data retrieval policies that enable SWIFT to meet the security commitments required by users.

·         There are three categorised groups of users: supervised financial institutions, non-supervised entities active in the financial industry and closed user groups/corporate entities.

·         SWIFT users can only send financial messages within their user category (therefore a user, for example ANZ, can only send financial messages within its user category).

·         SWIFT has documented, risk-based processes to validate SWIFT users on an ongoing basis.

·         Once a financial institution becomes a SWIFT user, it can transact with other financial institutions through ‘account relationships’ (which are contractual relationships) or by using the ‘Relationship Management Application’ within SWIFT, which allows for the processing of IMTs without an account relationship.

If ANZ or another ADI does not have an account relationship with the beneficiary’s overseas financial institution, it may still transfer money using SWIFT by sending payment instructions to an ‘intermediary bank’ (that is also a SWIFT user), which will then route the payment instructions to the beneficiary’s financial institution. More than one intermediary bank may be involved in the process before the money reaches the beneficiary’s financial institution.

IMTs are also processed with or without the use of the SWIFT network via ANZ’s or another ADI’s own commercial arrangements. For example, ANZ and other ADIs may transfer funds to an offshore branch or subsidiary that will then make a payment to the beneficiary’s financial institution within that jurisdiction using the SWIFT Network or the local payment and settlement system. ANZ submitted that payments between ANZ entities will be at least as secure as SWIFT as it occurs within ANZ’s own firewall and the local payment and settlement system will be a regulated and secure environment.

In their application, the RBA explained that IMTs are sometimes processed by the RBA using the SWIFT network in the same way as ANZ and other ADIs, and as described above. In other instances, the RBA initially transfers the relevant payment instructions to an ‘Agent’ (a foreign bank whose Australian branch is an ADI) through a secure dedicated network. That Agent then uses the SWIFT network to transfer the payment to the beneficiary’s financial institution.

However, in most instances, the RBA transfers the relevant payment instructions through a secure dedicated network to the Agent. That Agent (or its related entity or agent) then arranges for payment to the beneficiary’s financial institution using the local payment and settlement system. The RBA’s application notes that these types of local settlement system payments operate in a regulated and secure environment in which transfers are completed.

 

The RBA has a contract in place with Agents which contains obligations on the Agent including:

·         to use and disclose personal information only for the purposes of the contract

·         not to breach the APPs (while providing that the Agent will not be taken to be in breach in connection with payment and disclosure of personal information of a beneficiary for the purpose of remitting funds to the beneficiary's financial institution)

·         to comply with any request reasonably made by the RBA to comply with the Privacy Act and any other relevant privacy law, and

·         to ensure that its representatives are made aware of and comply with the Agent's obligations in relation to personal information.

 

The applications outline the IMT processes used by ANZ and other ADIs, and the RBA respectively. Interested parties should refer to the applications for a full explanation of those processes.

APP 8 and section 16C — the framework for cross-border disclosure of personal information

APP 8 regulates the cross-border disclosure of personal information. Under APP 8.1, before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to that information.

 

APP 8.2 sets out a number of exceptions to this requirement, including if:

 

• the entity reasonable believes that:

− the recipient of the information is subject to a law or binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and

− there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme (APP 8.2(a)), or

 

• both of the following apply:

− the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure, and

− after being so informed, the individual consents to the disclosure (APP 8.2(b)).

 

APP 8 applies when an APP entity discloses personal information. An APP entity discloses personal information when it makes it accessible to others outside the entity and releases the handling of that information from its effective control.

 

Where APP 8.1 applies and the overseas recipient is not bound by the APPs, the entity will also be held accountable if the overseas recipient does an act or engages in a practice in relation to the personal information that would breach an APP (other than APP 1) (section 16C). In those circumstances, ANZ, another ADI or the RBA (as applicable) will be taken to have breached the APP.

 

Together, APP 8.1 and section 16C create a framework for the cross-border disclosure of personal information that reflects a central object of the Privacy Act: ‘to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected’ (subsection 2A(f)).

 

To comply with APP 8.1, the Commissioner generally expects that the relevant APP entity will enter into an enforceable contractual arrangement with an overseas recipient that requires the overseas recipient to handle personal information in accordance with the APPs (other than APP 1).

 

However, it is acknowledged in the APP Guidelines that whether a contract is required, and the terms of the contract, will depend on the circumstances, including the:

·         sensitivity of the personal information

·         the entity’s relationship with the overseas recipient

·         possible adverse consequences if the personal information is mishandled by the overseas recipient

·         existing technical and operational safeguards implemented by the overseas recipient

·         practicability of entering into an enforceable contractual arrangement.

 

Reasons for the decision to make PID 2020-1, PID 2020-2 and GD 2020

Might the disclosure of personal information to an overseas beneficiary in the context of processing an IMT breach an APP?

Both ANZ and the RBA noted that they are unable to rely on any of the relevant exceptions in APP 8.2 in the context of the IMT process.

APP 8.2(a)

Both ANZ and RBA submitted that they are unable to rely on this exception because:

·         it would not be practical to obtain up-to-date legal advice on the privacy regimes of every jurisdiction to which IMTs may be sent—which may include any jurisdiction that has a functioning banking system. The RBA noted that there are currently 146 jurisdictions to which IMTs initiated by RBA customers are sent.

·         even if they did obtain such legal advice, those countries which do not have substantially similar privacy schemes and do not allow individuals to take action to enforce protection of their personal information, would fall outside of the exception in APP 8.2(a).

This would result in an inability to send IMTs to beneficiaries in particular countries and likely disadvantage both the sender and the beneficiary. ANZ has noted that may motivate senders to rely on less secure means of processing IMTs, for example, through less formal money remittance services.

APP 8.2(b)

ANZ and the RBA submitted that their role in the IMT process is limited to collecting the information about the beneficiary from the sender of the IMT. There is no legal (or other) relationship between either the RBA or ANZ and the beneficiary, and there would not be an opportunity for ANZ or the RBA to seek the beneficiary’s consent in accordance with the exception in APP 8.2(b) prior to processing the IMT. Further, ANZ and RBA submitted that due to the large volume of IMTs processed, it would not be feasible to contact each beneficiary across a wide range of jurisdictions to obtain their consent before disclosing their personal information in connection with the IMT process

Other exceptions in APP 8.2

The RBA and ANZ state they are unable to rely on any of the other exceptions in APP 8.2.

Therefore, there is an obligation on RBA and ANZ to comply with APP 8.1 when processing IMTs and take reasonable steps to ensure that the overseas financial institution receiving the beneficiary’s personal information does not breach the APPs in handling that information.

Requirement to take reasonable steps to ensure overseas recipients do not breach the APPs

Chapter 8 of the APP guidelines states that it is generally expected that to comply with APP 8.1, the relevant APP entity will enter into an enforceable contractual arrangement with an overseas recipient that requires the overseas recipient to handle personal information in accordance with the APPs. However, the APP guidelines acknowledge that whether a contract is required, and the terms of the contract, will depend on the circumstances, including the practicability of taking that step.

ANZ and the RBA submitted that, given that the SWIFT network is used by more than 10,000 members, it is not practicable to have enforceable contractual arrangements with every potential overseas financial institution to which they might disclose the beneficiary’s personal information when processing an IMT. Rather, when using the SWIFT network to process IMTs, ANZ, other ADIs and the RBA rely on the relationships created by the SWIFT network.

Further, ANZ noted that each bank that received information as part of an IMT transaction is operating under its own privacy regime and there would be little incentive to agree to separate privacy standards to process IMTs received from ANZ. In addition, ANZ submitted that it is unlikely that overseas financial institutions would agree to enter into contracts requiring them to handle personal information in accordance with the APPs given the protections afforded by the SWIFT network. As such, it is not feasible for it, or another ADI, to try to alter SWIFT to impose contractual obligations on other SWIFT users requiring them to comply with the APPs in relation to the personal information of IMT beneficiaries.

ANZ noted that it has not received any complaints from beneficiaries relating to how their personal information is dealt with in processing IMTs since Privacy (International Money Transfers) Public Interest Determination 2015 (No. 1) commenced. ANZ further submitted that the collection and disclosure of the beneficiary’s name and account number enables ANZ to comply with mandatory anti-money laundering (AML) and counter-terrorism financing (CTF) obligations.

The RBA indicated that it mostly uses an Agent to process IMTs (as explained above) and that it has a contract with the Agent which contains obligations in relation to the handling of personal information. The RBA submitted that the RBA and the Agent recognise that it is not reasonable to expect that the Agent would accept an obligation to ensure that all organisations in the payment chain agree to comply with the APPs. ANZ and the RBA submitted that, although they take (and will continue to take) steps to protect the beneficiary’s information where it is disclosed overseas during the processing of an IMT, they cannot always be satisfied that these steps would satisfy the ‘reasonable steps’ test in APP 8.1.

For this reason, ANZ, any other ADI or the RBA may breach APP 8.1 when disclosing a beneficiary’s personal information to an overseas financial institution during the processing of IMTs.

Section 16C

Both ANZ and the RBA submitted that, as it would not be practicable to take further steps to ensure that the overseas financial institution does not do an act or engage in a practice that would breach the APPs, there is a risk that they will be taken to have breached the APPs (other than APP 1) as a result of subsection 16C(2) of the Privacy Act.

The Commissioner’s view

Given the considerations above, the Commissioner was satisfied that the Applicants may breach APP 8.1 when disclosing personal information to overseas financial institutions in processing IMTs.  In particular, the Commissioner considered that:

·         there are no applicable exceptions under APP 8.2 that would apply, and

·         the Applicants cannot always be satisfied that the steps that are (and continue to be) taken by ANZ and the RBA to protect the personal information they disclose to overseas beneficiaries would be considered ‘reasonable in the circumstances’ (as required by APP 8.1).

The Commissioner considers that, where the overseas financial institution mishandles that personal information, it likely that the Applicants and any other ADI, using an IMT process that does not involve an enforceable contractual arrangement, would breach an APP (other than APP 1) by reason of section 16C.

Finally, in terms of the expectation that reasonable steps under APP 8 includes entering into enforceable contractual arrangements with the overseas financial institutions to which the beneficiary’s personal information is disclosed, the Commissioner considers that this continues to be impracticable in the circumstances of the IMT process for the ANZ, the RBA and other ADIs.

Does the public interest in disclosing the personal information substantially outweigh the public interest in complying with the APPs?

In deciding whether the public interest in allowing the Applicants and other ADIs to continue to process IMTs in the manner described in the applications outweighs the public interest in complying with the APPs, the Commissioner took account of the matters raised in the applications and submissions received in response to public consultation.

The RBA and ANZ made a number of arguments that the public interest in processing IMTs in the manner described above continues to substantially outweigh the public interest in complying with APP 8.1 and other APPs in cases where the Applicants might be held accountable for a breach by an overseas financial institution.

Public interest benefits associated with making PIDs to allow the IMT process to continue in its current form

In their applications, the RBA and ANZ outlined a number of public interest benefits associated with making IMTs available to Australian ADI customers:

·         IMTs allow individuals to benefit from the global movement of money. They can be used, for example, to allow families to support one another over long distances, and allow private transactions to take place involving parties in different jurisdictions.

·         IMTs provide simple, secure, cost-effective and reliable means for the global transfer of money.

·         IMTs provide payment security and transaction certainty. This also assists government to better enforce AML and CTF rules.

·         IMTs allow the government to meet its obligations to overseas beneficiaries in a timely and secure manner.

·         IMTs are an important element of international financial relations, with SWIFT processing a daily average of 31.3 million payment messages.

·         Australia is one of the largest economies in the world, a leading economy in the Asia Pacific Region and a member of the Group of 20 Nations. The IMT process, in its current form, is one component of the global financial system, and Australia is a significant contributor to that system. Maintaining the certainty, reliability and efficiency of IMT processing by ADIs in Australia serves an important public interest within the context of Australia’s role within the global economy.

The ANZ submitted that it would be detrimental for Australia’s reputation as a leading international financial participant if it becomes impracticable for ADIs in Australia to process IMTs.

 

The Australian Banking Association (ABA) provided a submission, reiterating that maintaining the certainty, reliability and efficiency of IMT processing serves an important public interest within the context of Australia’s role within the global community.  The ABA also submitted that IMTs provide a simple, secure, cost effective and reliable means for the global transfer of money for individuals.

 

The Australian Transaction Reports and Analysis Centre (AUSTRAC) also made a submission, noting that there are public interest reasons for allowing the ANZ and RBA to disclose personal information as part of processing IMTs in the context of anti-money laundering and counter-terrorism financing (AML/CTF) obligations and efforts. Specifically:

·         Sharing payer and payee information is a core obligation under the Financial Action Task Force’s International Standards on Combatting Money Laundering and the Financing of Terrorism (FATF Standards).

·         Sharing payer and payee information with international financial institutions allows those institutions to implement preventative measures to mitigate money laundering, terrorism financing and sanctions risks, monitor transactions for suspicious activities and make reports to their domestic financial intelligence agency.

·         The requirement on reporting entities in Australia to report incoming and outgoing IMTs (including the name and other personal information of the ordering and beneficial customers) in a timely manner provides AUSTRAC with valuable information about the movement of money and the people behind these transactions.

·         AUSTRAC analyses and shares this information as financial intelligence with law enforcement, national security, intelligence and revenue protection agencies as well as international counterparts to detect, prevent and disrupt money laundering, terrorism financing and other serious crimes.

·         The disclosure by the RBA and ADIs of a beneficiary’s personal information to an overseas financial institution in the context of IMT strengthens global efforts to combat money laundering, terrorism financing and other serious crimes.

The submissions can be viewed on the Register of Public Interest Determinations on the Office of the Australian Information Commissioner’s website, https://www.oaic.gov.au/engage-with-us/consultations/applications-for-new-public-interest-determinations-regarding-international-money-transfers/applications-for-new-public-interest-determinations-regarding-international-money-transfers-submissions/.

Public interest benefits associated with not making PIDs to allow the IMT process to continue in its current form

ANZ and the RBA both submitted that the main public benefit associated with APP 8 compliance during IMT processing is to ensure the protection of the personal information of beneficiaries.

ANZ noted that, in this respect, personal information is already protected in a number of ways when processing IMTs:

·         Disclosure to an overseas financial institution is conducted within a secure environment. IMTs are processed in a heavily regulated and controlled environment, the basis of which is a trusted network of relationships between financial institutions. Where IMTs are processed using the SWIFT network, personal information is protected by a secure and highly protected proprietary system. Otherwise ANZ only sends payment messages to financial institutions that are licenced, authorised or registered with and subject to the supervision of that financial market regulator.

·         The disclosures that do occur as part of the IMT process are the minimum needed to allow the IMT to be processed.

·         The current IMT process is a successful and secure means of conducting international money transfers. ANZ stated that it is not aware of any complaint being made by a beneficiary in relation to the offshore disclosure of their personal information in order to process an IMT.

The Commissioner’s view

The Commissioner considers that:

·         the public interest in ANZ and the RBA being able to process IMTs in the manner described in their applications with confidence that they are not breaching the APPs, substantially outweighs the public interest in requiring ANZ and the RBA to adhere to the requirements of APP 8.1 in all circumstances,

·         the public interest in ANZ and the RBA being able to process IMTs in the manner described in their applications substantially outweighs the public interest in ANZ and the RBA being held accountable for an act or practice of an overseas financial institution in relation to in relation to personal information disclosed when processing an IMT, through the operation of section 16C(2) of the Privacy Act, and

·         the same public interest considerations make it appropriate for the Commissioner to make a generalising determination that applies to other ADIs that process IMTs.

In forming this view, the Commissioner acknowledges the importance of the IMT process for individuals that send and receive IMTs, for international financial relations and for the global financial system. Further, the Commissioner recognises the significant detrimental consequences that might result from a disruption to the IMT process.

Following consideration of both applications, the Commissioner recognises that the IMT processes, as described in the applications, ensure that personal information is disclosed within secure and confidential environments.

In addition, the Commissioner has taken into account ANZ’s assertion that it has not received any complaints by beneficiaries of IMTs in relation to the handling of their personal information during the IMT process. Furthermore, the OAIC has not received any complaints in relation to the three PIDs that are currently in force in relation to IMT.

Finally, the Commissioner has taken into account the ABA’s suggestions in relation to the preferred number of years that the PIDs should remain in force.

The ABA recommends that the PIDs should provide permanent exemptions until the Privacy Act is updated to address the underlying reasons that PIDs were required in 2015 (due to amendments to the Privacy Act at that time). The ABA states that this would reduce unnecessary regulatory costs and red tape from Australian ADIs and the RBA.

The Commissioner considers that PIDs remain the most appropriate mechanism for providing an exemption to the requirement to comply with the APPs specifically in relation to processing IMTs.

The purpose of Part VI of the Privacy Act is to provide a mechanism for entities to seek a determination by the Commissioner with respect to a particular act or practice, and subsection 72(2) of the Privacy Act allows the Commissioner to make a PID.

The effect of determinations under Part IV of the Privacy Act are naturally limited in scope. Such determinations can only authorise acts or practices, by particular APP entities, in circumstances where the Commissioner is satisfied that the public interest in doing that act or practice substantially outweighs the public interest in adhering to the APPs.

Section 72 operates to abolish the need for specific amendments to the Privacy Act for individual limited instances of derogation. This provision is a useful component of the regulatory framework in allowing greater flexibility, where appropriate, in the privacy regime. As PIDs are disallowable by Parliament, they are subject to appropriate Parliamentary oversight.

Alternatively, the ABA recommends that the PIDs should remain in force for a minimum of ten years. 

Noting that the ANZ (as Applicant) has sought a PID for a period of five years, the Commissioner considers that all three PIDs should be made, and remain in force for, a period of five years.

Consultation

The Commissioner has consulted on the development of PID 2020-1, PID 2020-2 and GD 2020 in accordance with Part VI of the Privacy Act and section 17 of the Legislation Act 2003.

As required by subsection 74(1) of the Privacy Act, the RBA’s and ANZ’s applications were published on the OAIC’s website on 16 December 2019.

As required by section 75, the Commissioner prepared drafts of the proposed PIDs. The drafts were made publicly available on the OAIC’s website, along with an explanation of the Commissioner’s preliminary view on the applications. The drafts were available on the website from 16 December 2019 until 31 January 2020 and the public was invited to make submissions on the draft PIDs and on the issues raised in the applications.

The Commissioner wrote to interested parties on Wednesday 18 December 2019 to advise that a Consultation Paper had been published on the OAIC’s website and inviting submissions by 31 January 2020. The Commissioner also invited interested parties to request a conference.

As required by subsections 75(2) and 75(2A), the Commissioner also invited the Applicants to request a conference about the draft PIDs. Two submissions were received in relation to the proposed PIDs: one from the Australian Banking Association and one from AUSTRAC. Both submissions were broadly supportive of the making of the PIDs on the terms set out in the draft PIDs.

The Commissioner did not receive any requests to hold a conference.

As a result, PID 2020-1, PID 2020-2 and GD 2020 contain no substantive changes from the proposed draft version released for public consultation.

Operation

PID 2020-1, PID 2020-2 and GD 2020 will remain in force for a period of five years from the day they commence.

GD 2020 applies to all authorised deposit-taking institutions within the meaning of the Banking Act 1959. A list of the ADIs is maintained by the Australian Prudential Regulatory Authority. 

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy (International Money Transfers) Public Interest Determination 2020 (No. 1) (PID 2020-1), Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2) (PID 2020-2) and Privacy (International Money Transfers) Generalising Determination 2020 (GD 2020)

These three disallowable Legislative Instruments are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Disallowable Legislative Instruments

The purpose of PID 2020-1, PID 2020-2, GD 2020 is to permit the Applicants, ANZ and the RBA, and all authorised deposit-taking institutions within the meaning of the Banking Act 1959 to disclose the personal information of a beneficiary of an international money transfer (IMT) to an overseas financial institution when processing an IMT without breaching the APPs.

The need for PIDs first arose following the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act).

The Privacy Amendment Act, which commenced on 12 March 2014, replaced the National Privacy Principles (NPPs), which applied to some private sector organisations, and the Information Privacy Principles (IPPs), which applied to by Australian Government agencies, with a single set of harmonised principles, the APPs.

A new APP 8 dealing with cross-border disclosure of personal information replaced the old NPP 9. APP 8.1 requires an APP entity that discloses personal information to an overseas recipient to take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information, unless an APP 8.2 exception applies.

Prior to the commencement of the Privacy Amendment Act, the Applicants and other ADIs relied on the exceptions contained in NPP 9(d) and NPP 9(e) to disclose the personal information of beneficiaries to overseas financial institutions when processing IMTs. Those exceptions applied where:

·         the transfer was necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party (NPP 9(d)), or

·         all of the following apply:

o   the transfer was for the benefit of the individual,

o   it was impracticable to obtain the consent of the individual to that transfer, and

o   if it were practicable to obtain such consent, the individual would likely give it (NPP 9(e)).

The exceptions set out in APP 8.2 differ from the NPP 9 exceptions and include if:

·         the entity reasonably believes that:

o   the recipient of the information is subject to a law or binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and

o   there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme (APP 8.2(a)), or

·         both of the following apply:

o   the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure, and

o   after being so informed, the individual consents to the disclosure (APP 8.2(b)).

Importantly, APP 8.2 does not cover either of the exceptions set out in NPP 9(d) or (e).

The Privacy Amendment Act also introduced a new accountability approach dealing with cross-border data flows. As part of this approach, a new section 16C provides that where an APP entity discloses personal information to an overseas recipient in circumstances where the overseas recipient is not bound by the APPs and an APP 8.2 exception does not apply to the disclosure, the APP entity will be taken to have breached the APPs in instances where the overseas recipient does an act or engages in a practice in relation to that information that would be a breach of the APPs (other than APP 1) if the APPs so applied to that act or practice.

While the changes to the Privacy Act made by the Privacy Amendment Act did not prohibit the processing of IMTs by the Applicants and other ADIs, they did:

·       require that before processing an IMT, the Applicants and other ADIs take reasonable steps to ensure that the overseas financial institution to which a beneficiary’s personal information is to be disclosed, does not breach the APPs (other than APP 1) in relation to that information, and

·       in some circumstances, make the Applicants and other ADIs accountable for any acts or practices of the overseas financial institution that breach the APPs (other than APP 1) in relation to that information.

PID 2015-1, PID 2015-2 and GD 2015 were made to address this issue and are due to sunset on 25 February 2020. These PIDs will be replaced by PID 2020-1, PID 2020-2 and GD 2020, respectively.

PID 2020-1, PID 2020-2 and GD 2020 will ensure that the Applicants and other ADIs do not breach APP 8.1 when disclosing the beneficiary’s personal information to the overseas financial institution, and are not held to breach another APP (other than APP 1) as a result of being held accountable for an act or practice of the overseas financial institution in relation to that information (in accordance with subsection 16C(2)).

The central public interest objective served by PID 2020-1, PID 2020-2 and GD 2020 is to permit the Applicants and other ADIs to continue to process IMTs, which has benefits for individuals who might send or receive money using IMTs, Australia and its reputation as a participant in the global financial system, and the stability of the global financial system.

Human rights implications

The determinations engage Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference and attacks. The Preamble to the Privacy Act makes clear that the legislation was intended to implement, at least in part, Australia’s obligations relating to privacy under the ICCPR.

PID 2020-1, PID 2020-2 and GD 2020 limit the right against the arbitrary interference with privacy and the right to the protection of the law against such interference, by limiting the application of protections in the Privacy Act in relation to the cross-border disclosure of personal information.

 

However, the right to privacy is not absolute and there may be circumstances in which the guarantees in Article 17 can be outweighed by other considerations. Importantly, the Commissioner must have regard to the objects of the Privacy Act when exercising his functions and powers. These objects include:

·         to promote the protection of the privacy of individuals (paragraph 2A(a))

·         to recognise that the protection of the privacy of individuals is balanced with the interest of entities in carrying out their functions and activities (paragraph 2A(b))

·         to promote responsible and transparent handling of personal information by entities (paragraph 2A(d))

·         to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected (paragraph 2A(f)).

The Commissioner was satisfied that the public interest in permitting the acts or practices the subject of PID 2020-1, PID 2020-2 and GD 2020 substantially outweigh the public interest in adhering to the APPs, having regard to the benefits for individuals in a simple, secure, cost-effective and reliable means for the global transfer of money, the practicality of complying with the APPs in these particular circumstances, and the existing safeguards in place to protect personal information.

Conclusion

It is considered that to the extent that the acts or practices authorised by PID 2020-1, PID 2020-2 and GD 2020 limit human rights, those limitations are reasonable and proportionate.

Angelene Falk

Australian Information Commissioner