Cross-border data flows: meeting privacy obligations in the realm of multi-jurisdiction law enforcement within Australia
By Kate Oliver• 17 March 2015 • 6 min read
Guidance to government agencies receiving requests for personal information from interstate or inter-territory agencies
Effective law enforcement often involves intelligence gathering and the sharing of personal information across state, territory and national borders.
Increasingly, government agencies are requested to provide personal information to law enforcement agencies. Agencies are then faced with the sometimes difficult task of determining whether providing the personal information requested will breach the agency's privacy obligations. This question becomes more complex when the request is made by a law enforcement agency in another jurisdiction.
The exchange of personal information for law enforcement purposes is regulated by Commonwealth, state and territory privacy legislation. In particular, the Australian Privacy Principles (Commonwealth) (APPs), Information Privacy Principles (Victoria) (IPPs) and the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) all permit the disclosure of personal information by an agency where this disclosure is:
- required or authorised 'by or under law'
- otherwise reasonably necessary for law enforcement purposes by, or on behalf of, a law enforcement agency.
The question is – how does this operate when the request for information is made by an agency in another jurisdiction?
Required or authorised by or under law
With respect to the first point, upon receiving a request from an agency (law enforcement or otherwise) in another state or territory, the agency should first consider whether it is bound to comply with the request. This requires the agency to determine whether the requesting agency has a statutory power to compel others to provide information and, if so, whether that statutory power operates extraterritorially so as to apply in the agency's jurisdiction.
Whether an agency can be compelled to provide personal information to an agency in another jurisdiction is largely a matter of fact, to be determined on a case-by-case basis. It will turn very much on a consideration of the applicable provisions of the relevant legislation, including whether there is a nexus between the operation of the relevant statutory provision and the jurisdiction in which it usually operates and whether the application of the legislation was intended to operate beyond that jurisdiction.
If the agency is compelled to disclose the information sought by the requesting agency, complying with the request to provide personal information (even to an agency in another state or territory), will not offend Commonwealth, New South Wales or Victorian privacy legislation.
Reasonably necessary for law enforcement purposes
In the event that the requesting interstate agency cannot compel disclosure of the personal information requested, privacy legislation may still permit the disclosure where it is necessary for law enforcement purposes (or for any other permitted purposes under the applicable privacy principles).
In Victoria, for example, IPP 2.1(g) permits the disclosure of personal information where it is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction, as well as other specific law enforcement purposes. A similar position exists under the APPs and PPIP Act.
The disclosure of personal information within these jurisdictions will, therefore, generally be permitted if the elements of the relevant privacy principle regarding law enforcement purposes have been met.
The position is less straightforward for disclosures to law enforcement agencies operating in other states or territories. Whether disclosure to an interstate or inter-territory law enforcement agency is permitted depends largely on whether the relevant local privacy legislation (and relevant privacy principle) operates extraterritorially to permit disclosure of information to law enforcement agencies outside of the agency's jurisdiction.
Where requests from Commonwealth law enforcement agencies are concerned, issues of jurisdiction are less likely to arise, given that the Commonwealth legislation will generally prevail over any applicable local legislation.
Where requests are received from interstate or inter-territory law enforcement agencies (as opposed to Commonwealth), it is necessary to determine whether the local privacy legislation, such as IPP 2.1(g) and equivalent provisions in other state and territory privacy principles, operate extraterritorially to permit the disclosure. It is likely that, in most instances, they will operate beyond their jurisdiction and enable disclosures to and between other Australian states or territories.
The approach outlined above provides general guidance to agencies receiving requests for personal information from interstate or inter-territory agencies, and broadly accords with the position established by the authorities considering extraterritorial operation of legislation.
|Kate Oliver | Senior Associate|
|Erin Tucker | Associate|
 On each occasion that a request is received, however, it must be assessed against the elements that we have outlined before making a final decision about whether to release the information being sought.
 APP 6.1(b). The position may also be affected by any public interest determinations made by the Australian Information Commissioner under s 72 of the Privacy Act 1988 (Cth).
 IPP 2.1(f). The position may also be affected by any public interest determinations made by the Victorian Privacy and Data Protection Commissioner under s 29 of the Privacy and Data Protection Act 2014 (Vic).
 Section 23.
 Set out in the Privacy and Data Protection Act 2014 (Vic).
 APP 6.2(e).
 Section 23.
 See, for example, O'Connor v Healey (1967) 69 SR (NSW) 111, Kumagai Gumi v Commissioner of Taxation  FCA 235 and AB v Victoria Police  VPrivCmr 3.
Managing climate change-related risks in the financial system
By Patrick Ibbotson & Jessica Dorricott
Risks posed by climate change to the stability of the US financial system.
GDPR decision slaps down Privacy Shield and imposes strict conditions on Standard Contractual Clauses – implications for Australian organisations
Impacts for Australian entities who are either directly subject to the GDPR or receiving personal data from the EEA.
What is in a name? The disclosure of public servants’ names and contact details under FOI
The OAIC has issued a position paper on the disclosure of public servants’ names and contact details in documents.