Privacy protection should mean notification in advance, before confidential information is sent willy-nilly out of Australia, Dr Terry Dwyer writes, countering Privacy Commissioner Tim Pilgrim’s arguments.
Privacy demands prior notification
For background, see: It can’t…, it won’t…, and it shouldn’t work
To: Australian Privacy Commissioner, Mr Timothy Pilgrim
From: Dr Terry Dwyer *, lawyer and economist, of Dwyer Lawyers, chartered tax advisers
2 April 2014
Dear Mr Pilgrim
I am not really that much comforted by your reply. I am as much, if not more, concerned by government bodies sending personal information overseas as well as by companies giving information to the ATO which then sends it offshore automatically without any judicial oversight or right of appeal.
If there is to be a statutory right to privacy surely it should mean that individuals ought be notified before their confidential financial or other information is sent offshore by either a company or by a government agency in a form readable by others and individuals should have the right to seek a Court order to block that information breach. (I have no problems with encrypted cloud storage of data where control of access remains here).
As for your submission to the Treasury, it seemed to me remarkably mild, given the mass invasion of privacy involved. There are 1 million Australians living overseas whose financial asset details back here will automatically be given to foreign governments. The ATO has never, ever, before had asset details en masse. This FATCA/OECD automatic asset and income information distribution is a wide open invitation for criminals to bribe or corrupt foreign or local tax officials to carry out kidnapping or extortion or identity theft. These things have already happened here and overseas.
Incidentally, I do not like the idea that any company can disclose my personal information if “required or authorised under law”.
The test for any ethical company should be “if required under law” – “authorised” is a weasel word mutually satisfactory to governments and large corporations.
The more I learn about how much weaker our privacy protections have become since we had a Federal privacy law, the more I wish I were back in the 1960s when some things were just not done by either companies or governments.
I assume you have no objection to my continuing to publicize my concerns.
B.A. (Hons) B.Ec. (Hons) (Syd.) M.A. Ph.D. (Harvard), Dip. Law (Syd.), CT, and member of Civil Liberties Australia
To: Dr Terry Dwyer
From: Timothy Pilgrim, Privacy Commissioner
Subject: Disclosure of Personal Information Overseas [SEC=UNCLASSIFIED]
21 March 2014
Dear Mr Dwyer
I am writing in response to your emails to Tim Wilson in which you have raised concerns about how privacy protections apply to personal information disclosed by certain companies overseas. Your emails also refer to the US Foreign Account Tax Compliance Act (FATCA).
I am aware that there has been, and continues to be, significant community concern about the cross-border disclosure of personal information (see for example, the results from the Office of the Australian Information Commissioner’s (OAIC) recent survey on Community Attitudes to Privacy). As more organisations enter into business arrangements that require the international disclosure of personal information or make use of the ‘cloud’ to store information, people are becoming more aware of the risks as well as the benefits associated with these practices. I am hopeful that recent changes to the Privacy Act which enhance the openness and transparency of, and accountability for, cross-border disclosures, may go some way in addressing such concerns.
As you may be aware, the Privacy Act now includes a set of 13 new Australian Privacy Principles (APPs) that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organisations (referred to as APP entities). These principles commenced on 12 March 2014. These changes include a new principle that regulates the cross border disclosure of personal information by Australian entities (see APP 8). Before entities disclose personal information overseas, they must take reasonable steps to ensure that the overseas recipient does not breach the APPs and they will remain accountable for the actions of the overseas recipient, unless an exception applies. This approach allows for cross-border disclosure in a way that ensures privacy protections are in place in accordance with the Privacy Act and that individuals will be able to seek redress if their information is mishandled.
The OAIC has a range of regulatory and enforcement powers to ensure compliance with the APPs. In that regard, we have recently released for public exposure a draft policy outlining the OAIC’s approach to using those powers: the draft Privacy Regulatory Action Policy.
In terms of seeking enforcement in jurisdictions outside of Australia, the OAIC works closely with its counterparts in a number of regions through forums such as APEC and the OECD as part of cross border privacy enforcement arrangements.
US Foreign Account Tax Compliance Act (FATCA)
As you may be aware, the Department of the Treasury is leading the Australian Government’s negotiation of a bilateral intergovernmental agreement with the USA in relation to the US Foreign Account Tax Compliance Act (FATCA), and we suggest that you contact that Department in relation to any concerns you have. You may be interested in the OAIC’s submission made in September 2012, to the Treasury on its consultation on the Intergovernmental agreement to implement FATCA.
Timothy Pilgrim | Privacy Commissioner