Cross-border data flows: meeting privacy obligations in the realm of multi-jurisdiction law enforcement within Australia
Guidance to government agencies receiving requests for personal information from interstate or inter-territory agencies
Effective law enforcement often involves intelligence gathering and the sharing of personal information across state, territory and national borders.
Increasingly, government agencies are requested to provide personal information to law enforcement agencies. Agencies are then faced with the sometimes difficult task of determining whether providing the personal information requested will breach the agency's privacy obligations. This question becomes more complex when the request is made by a law enforcement agency in another jurisdiction.
The exchange of personal information for law enforcement purposes is regulated by Commonwealth, state and territory privacy legislation. In particular, the Australian Privacy Principles (Commonwealth) (APPs), Information Privacy Principles (Victoria) (IPPs) and the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) all permit the disclosure of personal information by an agency where this disclosure is:
- required or authorised 'by or under law'
- otherwise reasonably necessary for law enforcement purposes by, or on behalf of, a law enforcement agency.
The question is – how does this operate when the request for information is made by an agency in another jurisdiction?
Required or authorised by or under law
With respect to the first point, upon receiving a request from an agency (law enforcement or otherwise) in another state or territory, the agency should first consider whether it is bound to comply with the request. This requires the agency to determine whether the requesting agency has a statutory power to compel others to provide information and, if so, whether that statutory power operates extraterritorially so as to apply in the agency's jurisdiction.
Whether an agency can be compelled to provide personal information to an agency in another jurisdiction is largely a matter of fact, to be determined on a case-by-case basis. It will turn very much on a consideration of the applicable provisions of the relevant legislation, including whether there is a nexus between the operation of the relevant statutory provision and the jurisdiction in which it usually operates and whether the application of the legislation was intended to operate beyond that jurisdiction.
If the agency is compelled to disclose the information sought by the requesting agency, complying with the request to provide personal information (even to an agency in another state or territory), will not offend Commonwealth, New South Wales or Victorian privacy legislation.
Reasonably necessary for law enforcement purposes
In the event that the requesting interstate agency cannot compel disclosure of the personal information requested, privacy legislation may still permit the disclosure where it is necessary for law enforcement purposes (or for any other permitted purposes under the applicable privacy principles).
In Victoria, for example, IPP 2.1(g) permits the disclosure of personal information where it is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction, as well as other specific law enforcement purposes. A similar position exists under the APPs and PPIP Act.
The disclosure of personal information within these jurisdictions will, therefore, generally be permitted if the elements of the relevant privacy principle regarding law enforcement purposes have been met.
The position is less straightforward for disclosures to law enforcement agencies operating in other states or territories. Whether disclosure to an interstate or inter-territory law enforcement agency is permitted depends largely on whether the relevant local privacy legislation (and relevant privacy principle) operates extraterritorially to permit disclosure of information to law enforcement agencies outside of the agency's jurisdiction.
Where requests from Commonwealth law enforcement agencies are concerned, issues of jurisdiction are less likely to arise, given that the Commonwealth legislation will generally prevail over any applicable local legislation.
Where requests are received from interstate or inter-territory law enforcement agencies (as opposed to Commonwealth), it is necessary to determine whether the local privacy legislation, such as IPP 2.1(g) and equivalent provisions in other state and territory privacy principles, operate extraterritorially to permit the disclosure. It is likely that, in most instances, they will operate beyond their jurisdiction and enable disclosures to and between other Australian states or territories.
The approach outlined above provides general guidance to agencies receiving requests for personal information from interstate or inter-territory agencies, and broadly accords with the position established by the authorities considering extraterritorial operation of legislation.
New point of law: What can be considered as a protected document?
A look at Environment Protection Authority v Sydney Water Corporation  NSWLEC 119.
Society of University Lawyers Conference 2023
Maddocks is a proud platinum sponsor of the Society of University Lawyers Conference 2023.
Implementation of Universities Accord Interim Recommendations passed
On 19 October 2023 the Senate passed a slightly amended version of the Higher Education Support Amendment
Preparing for mandatory data breach notification under NSW privacy laws: Five key actions
By Ooma Khurana & Radhika Bhatia
This is the second instalment in our For Your Information campaign