A parliamentary committee inquiring into proposed amendments to privacy legislation has left the door open for companies hoping to defend against improper use of personal information sent overseas.
The committee rubber-stamped the Government's proposed legislative amendments this week but urged it to review the new regime a year after passing the bill to determine the success or progress of some of its elements.
Importantly, the committee suggested the Government reconsider whether to include an explicit defence against failure to abide by Australian Privacy Principle 8, concerning cross-border information disclosure.
The principle requires companies disclosing personal information to a foreign company or entity to take "reasonable steps" to ensure the receiving company does not breach those principles.
The proposed legislation includes exceptions to those steps, including in the instance of an international agreement, but the Attorney-General's Department had pushed back on the proposal from some companies to include an explicit defence to contravening the law in specific cases.
The committee said the proposed legislation had achieved the correct balance between protection of information and encouraging cross-border data flow.
However, it argued that the actual process and success of the exceptions, without an explicit defence to contravention, will "perhaps only be wholly understood once the regime is in operation".
"To safeguard the desired operation of the provisions, the Committee recommends that the prospect of introducing such a defence or exemption be re-evaluated in a review of the operation of the new privacy laws," the committee said in its final report.
Some companies had suggested during the inquiry that a defence would be required in situations where reasonable steps had been taken, but personal information had been disclosed anyway.
Foxtel specifically suggested that, under the reforms, it could be held accountable for data leaks in "unauthorised" cases "such as by hacking".
The principle was also seen by some as too difficult to enforce, particularly in light of increasing demand for foreign-hosted cloud services.
The Australian Privacy Foundation slammed the principle as an "empty imposition of liability" on companies that exported sensitive data overseas.