September 28, 2022
Visa and the Australian Banking Association have taken differing positions on the value of adopting more General Data Protection Regulation (GDPR)-like data standards nationally.

They do, however, agree that strict data localisation rules would be unwelcome.

GDPR alignment was mooted when the Department of Home Affairs in April solicited submissions on a proposed national data security action plan aimed at closing “gaps that exist in our data settings”.

In its submission, Visa noted that the GDPR, in force since 2018, has already become a de facto global standard and has had a “seminal influence on the development of new privacy legislation in a number of countries”.

“Data protection and privacy frameworks that are based on a common set of international consensus-based principles help global efforts to build interoperable systems and mechanisms that facilitate cross-border data transfers,” Visa wrote [pdf].

Visa said this will “also help to bridge current gaps in international privacy norms, while facilitating the safe and secure transfer of personal information.”

The payments company argued that the GDPR’s approach favours requiring businesses to “demonstrate the existence and effectiveness” of their privacy measures over “imposing prescriptive and onerous requirements”.

“GDPR also encourages a ‘privacy by design’ approach under which organisations ensure that their products and services take privacy requirements into account – from inception and throughout the data lifecycle.”

Visa said despite Australia’s data protection and security laws already taking a “flexible” approach, “there are definite advantages in increasing the alignment between these laws and GDPR”.

Visa further identified “a number of areas” for closer alignment with the GDPR, including a clearer distinction between data controllers and data processors, a broader set of legal bases for processing, security requirements, data breach notification, and cross-border transfers.

However, the Australian Banking Association contended that while the GDPR “is a detailed legislative regime on privacy” it “may not be appropriate material to incorporate in government guidance”.

“We caution against applying the GDPR framework as a whole into Australia, as aspects of the GDPR have created friction or barriers for consumers that may not be proportionate to privacy benefits,” the ABA said [pdf].

The ABA added that, should the government distinguish between overseas jurisdictions, it “suggests drawing a distinction between laws that govern privacy and commerce, and national security laws.”

Data localisation opposed

Visa and the ABA were better aligned on the topic of data localisation and the risks associated with offshore data storage, with both opposing localisation requirements.

Visa said “overly restricting data flows increases security, operational, and fraud risks and dampens innovation”.

“Fraud detection relies on companies being able to track and analyse suspicious transactions across national borders, thereby increasing security and stability in the payments ecosystem.”

Visa added companies may be forced to “rely more heavily on local patterns than on global ones, making risk models less powerful and consumers less secure.”

“Furthermore, data localisation often prevents businesses from adequately ensuring data resilience, data recovery, and business continuity by severing connections with key data centres around the world.”

“For data use to be equitable, trusted and safe, it is necessary to achieve both data security and openness – and we can.”

Visa said digital trade agreements that ensure “interoperability, allow data to move freely across borders and promote a level playing field” are essential to enable access to world-class technologies and contribute to sustainable and equitable economic growth.

Meanwhile, the ABA “cautions against a general policy or prohibition on storing or moving data offshore” as the practice “may not safeguard against hacking and other cyber attacks, which by their nature are a borderless crime”.

It added that many “Australian entities use third party providers of software or platform services” and the country’s experience “has shown that offshore data storage can be consistent with ensuring Australian regulators continuing to have full and timely access to the data needed to fulfill their regulatory and supervisory mandate.”