Europe’s US-EU Safe Harbor Framework appears straightforward: EU companies can send personal data to United States companies who self-certify compliance with certain privacy standards.
However, the Advocate General (AG) of the Court of Justice of the European Union suggests that it should not be that simple. In light of a challenge to Facebook’s transfer of European personal data to the United States, the AG recommends the Court invalidate the Framework.
Its reasoning is that the “mass indiscriminate surveillance” of data in the US interferes with fundamental personal rights recognised in Europe.
Hours after this article was first published, the Court handed down its judgment agreeing with the Opinion and invalidating the Framework.
By contrast, Australia’s privacy regime has always maintained that no overseas regime is inherently safe; organisations must be aware of the risks of transferring personal information to any overseas jurisdiction.
Austrian student Max Schrems’ action about Facebook data transfers is (rather ironically) not personal. It is a ‘model’ case designed to highlight broader trends in data mining and data access in foreign jurisdictions like the US. That data is often personal information.
The Advocate General’s Opinion released on 23 September 2015 urges the Court of Justice of the European Union to invalidate the US-EU Safe Harbor Framework.
The AG is critical of the Framework’s broad national security exception, which permits personal data to be disclosed to US law enforcement agencies.
The AG argues that the ability of such agencies to access information stored by Facebook US allows for secretive and broad access to EU personal data, without an independent control mechanism to prevent privacy breaches.
It also interferes with the right of EU citizens to private life, recognised by the Charter of Fundamental Rights of the EU.
While the AG’s Opinion is a recommendation and not binding on the Court, the Court is expected to make its decision by the end of this year.
Australia’s privacy regime differs from Europe’s in that it can’t be challenged on the basis of a human rights instrument. Nevertheless, Australian privacy laws do protect a number of the same rights and freedoms as in Europe.
Under the Privacy Act, an Australian organisation that discloses personal information to an overseas recipient must take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles (APPs), and will be accountable for any such breach.
However, this doesn’t apply if the Australian organisation reasonably believes the recipient is subject to a law or binding scheme imposing privacy protections that are substantially similar to the APPs.
It also doesn’t apply where the individual gives informed consent to the disclosure and to the Australian organisation not being accountable for the acts of the overseas recipient.
Most overseas data transfers will amount to a ‘disclosure’ of personal information and be subject to APP 8. However, if there is only a ‘use’ of personal information (where the organisation retains effective control over the information), APP 8 will not apply.
Due diligence and a carefully-drafted contract are your best tools for protecting yourself and ensuring you comply with the APPs.
Information transfers from Australia to the US
Data surveillance laws in the US that concerned the AG in the Schrems case do not (yet) impact an Australian organisation’s ability to disclose personal information to the US.
Where an overseas recipient does something with personal information that is required by an applicable foreign law – in the US context, the USA PATRIOT Act can require a US company to disclose personal information to the US government – this will not breach the APPs.
The Schrems case will potentially have a significant impact on the Framework and the ability of US companies to import personal data from the EU. Whatever the result, its outcome will heighten privacy awareness globally, and perhaps trigger a reassessment of privacy risks with overseas data transfers.
Given the growing focus on this area, be aware of the legal frameworks in jurisdictions to which you transfer (and from which you collect) data.
Now is also the time to assess just how effective your contracts and other protections are in meeting your obligations under Australian privacy laws.
Notes:
An example of ‘use’ in the IT context is routing personal information through servers outside Australia. For further information about the concepts of ‘disclosure’ and ‘use’, see the APP Guidelines.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA).
Section 6A(4) of the Privacy Act.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.