Case Citation: E v Money Transfer Service [2006] PrivCmrA 5

Subject Heading: Authority to transfer personal information overseas and to a foreign regulatory body.

Law: Section 13D and National Privacy Principle 9 in the Privacy Act 1988 (Cth)

Facts: The complainant attempted to send Australian currency, via electronic transfer, to their family in a foreign country using a money transfer service.

The money transfer service, which was incorporated in a foreign country, was subject to a subpoena issued by a regulatory body in that country. The subpoena required the money transfer service to provide information relating to customers to the regulatory body, if an individual's name matched a list of 'persons of interest' issued by the regulatory body.

The complainant's name matched a name on the list of persons of interest. The money transfer service contacted its Australian subsidiary and asked that it request additional personal information for the purpose of verifying the complainant's identity. The additional information included the complainant's Driver's Licence and passport.

The Australian subsidiary of the money transfer service advised the complainant that once their identity could be verified, the transaction could be completed. The complainant provided the additional personal information which the Australian subsidiary provided to the parent company by facsimile. It was established that the initial identity match was false and the money transfer was subsequently completed.

Issues: A number of entities were involved in the collection of the complainant's information and the Privacy Commissioner was required to determine the applicability of the Privacy Act at various stages during the information flow. This case note addresses those aspects of the complaint that related to the collection of the additional personal information.

The complaint was made to the money transfer service's Australian subsidiary.

The money transfer service held the view that it was the respondent in this case, not its Australian subsidiary. It argued that its Australian subsidiary only provided local administrative support and resources to its parent company and did not enter into transactions with customers.

The money transfer service argued that the additional Australian customer details were entered directly onto a database it held overseas. For this reason, the money transfer service claimed that there was no collection of personal information in Australia.

The money transfer service also claimed that the follow up collection of the complainant's information for the purposes of verifying their identity was required by an applicable law of a foreign country and that the collection was therefore exempt from the Privacy Act.

Section 13D of the Privacy Act was relevant to this aspect of the complaint; it provides that an act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the Act or practice is required by an applicable law of a foreign country.

A further issue was the transfer of information from the Australian subsidiary of the money transfer service to its parent company overseas. National Privacy Principle 9 requires that an organisation may only transfer personal information to an organisation or individual in a foreign country under limited circumstances. A company transferring information overseas to a related company must comply with National Privacy Principle 9.

The issues for the Privacy Commissioner were whether the collection of the complainant's personal information to verify the complainant's identity was an act regulated by the Privacy Act, and if so did section 13D apply and, if not, whether the disclosure of the complainant's personal information to the money transfer service's parent company in a foreign country was consistent with National Privacy Principle 9.

Outcome: The Commissioner's enquiries revealed that the Australian subsidiary of the money transfer service was a body corporate registered with the Australian Securities and Investments Commission and had a corporate identity in the Australian context.

The Commissioner then considered but did not accept the argument that the personal information had been collected outside Australia. The Commissioner's view was that in entering customer information into a database, that information was collected in Australia, and included in a record in Australia, even if momentarily. For this reason the Commissioner was of the view that the Australian subsidiary was the respondent in this matter and was subject to the Privacy Act.

With respect to section 13D, the Commissioner's view was that the Australian subsidiary of the money transfer service had collected the additional information, being copies of the complainant's passport and driver's licence, in Australia. Therefore in this instance section 13D did not apply and the collection of the information was subject to the Privacy Act.

In view of this, the Commissioner then needed to ascertain the circumstances of the disclosure by the Australian subsidiary of the money transfer service to its parent company. National Privacy Principle 9(b) allows for a disclosure of personal information where the individual has consented to the transfer.

It became clear during the investigation that the complainant was informed that their money transaction had been halted until they could provide verification of their identity. They were advised why the transaction had been halted and for what purpose they needed to provide further information. The complainant then provided the necessary documentation and was aware that the information would be disclosed to the money transfer service. The Commissioner was of the view that the complainant's consent to the transfer could be implied from the complainant's actions, and for this reason, the transfer did not breach National Privacy Principle 9.

The Commissioner's decision in the matter was that there had not been an interference with the complainant's privacy and the complaint was closed in accordance with section 41(1)(a) of the Privacy Act.

OFFICE OF THE PRIVACY COMMISSIONER April 2006