The 2021 Free Trade Agreement between the UK and Australia comes into effect at midnight on 31 May 2023.

The explanatory memorandum to the agreement states that “The Treaty supports areas like… free flows of data and tackling spam. It maintains personal data protections standards for UK consumers whilst facilitating the free flow of data and saves UK businesses from the unnecessary cost of storing their data in Australia by removing unjustified data localisation requirements”.

Australia is not, however, the subject of either an adequacy decision issued by the European Commission under the GDPR or adequacy regulations issued by the Secretary of State under the UK GDPR and Data Protection Act 2018. Australia was identified in August 2021 as being one of the UK’s priority destinations for adequacy (together with Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, the Republic of Korea, Singapore and the US). The precursor to the European Data Protection Board (EDPB), the Article 29 Working Party, considered the level of protection for personal data offered by Australian law, in particular the Australian Privacy Amendment (Private Sector) Act 2000. The Working Party noted with concern in its 2001 report that: small businesses whose activities were deemed not to pose a high risk to privacy rights were exempt; employee data was also excluded from the scope of the Act; personal data in the public domain did not attract protection; special protections only applied to the collection of sensitive or special category personal data and not to other processing activities (except in relation to health data); and, direct marketing did not require consent. These were among other concerns raised by the Working Party, which recommended that additional safeguards would be necessary before adequacy could be granted. Australia declined to revisit its legal framework to address these issues at the time and EC adequacy was not pursued. Australia’s Attorney-General has, however, recently published its Privacy Act Review Report, paving the way for reform.

So in light of those deficiencies compared to the framework for the protection of personal data across the EEA and the UK, how will personal data protection be maintained while facilitating the free flow of data?

Article 14 of the Treaty, set out in Volume V, includes a number of measures pertaining to data protection. The Treaty prohibits, at Article 14.10.2, restrictions on the cross-border transfer of information, including personal data, by electronic means for the conduct of the business of a service supplier of either of the Parties (excluding financial services). That would, on its face, indicate that the existing protections for the transfer of personal data outside of the UK would be removed, which could prejudice the UK’s own EC adequacy decision by permitting unrestricted onward transfers of personal data.

The data explainer to the Treaty, however, emphasises that “Transfers of personal data to Australia must satisfy the UK’s data protection laws”. These only permit the transfer of personal data outside the UK where an adequacy regulation or other safeguards are in place or where a derogation applies. As such, the Treaty would appear to have no immediate impact on the ease of transferring personal data to Australia, albeit that it may indicate the government’s intention to adopt adequacy regulations, at least in respect of certain types of personal data and/or certain sectors of the economy, in the near future.

It is notable that the wording of this aspect of the UK-Australia Free Trade Agreement differs from the wording of the UK-New Zealand Free Trade Agreement, which takes effect at the same time, and instead of prohibiting restrictions on cross-border transfers of information states that “Each Party shall allow the cross-border transfer of information by electronic means, including personal information, if this activity is for the conduct of the business of a covered person”. New Zealand is already the subject of a 2012 EC adequacy decision, and transfers of personal data from the UK and EEA to New Zealand are therefore permissible on that basis.

The UK-Australia Free Trade Agreement does address at least one of the concerns raised by the Working Party - imposing a requirement at Article 14.17.1 to require the consent of recipients to receive unsolicited commercial electronic messages - or direct marketing.