Transfer versus transit: Emails and section 33
Section 33 of the Information Privacy Act 2009 sets limits on transferring personal information overseas. But how does it apply to email which may go through a lot of different countries as it makes its way to its destination?
Obviously, if you’re in Queensland and you send an email with personal information in it to someone in British Columbia you’re transferring information overseas. The personal information has moved from Australia to Canada so you have to comply with section 33.
What may appear less simple is what happens when you‘re in Brisbane and you send an email to someone in Rockhampton.
“Wait,” you say, “Rockhampton’s in Queensland! What are you talking about?”.
It’s true, Rockhampton is in Queensland but it’s possible that your email travelled through a number of other countries on its way there.
How does email work?
When you send an email travels out of your agency’s network and through a number of routers until it reaches its destination. Those routers may be located in Australia or they may be located overseas; it’s impossible to know which it will be when you hit the send button.
Does this mean personal information in every email is transferred overseas?
Definitely not. Our view is that if personal information is routed through another country and immediately directed back to Australia it has not been transferred overseas.
For example, an email may be sent from one Australian email address to another: if it happens to be routed through New Zealand and Singapore on the way, that information has not been 'transferred' out of Australia. The information has not been sent to or received by the other country; it has simply passed through on the way to somewhere else.
To sum up: if you send emails with personal information to someone in Canada, you have to make sure you satisfy section 33. If you send emails with personal information to someone in Rockhampton, section 33 doesn’t get a look in.