Alinta data privacy breaches show dangers of trade agreements that deregulate data flows
March 2, 2020: An investigation by the Sydney Morning Herald reveals that Chow Tai Fook Enterprises (CTFE), the Hong Kong company that now owns the privatised Australian Alinta energy company, is storing sensitive personal data overseas without adequate privacy protections, despite undertakings given to the Australian government in 2017 that data would be stored in Australia and conform to Australian privacy laws.
The government requirement for those undertakings in 2017 has now been contradicted by clauses in the 2019 Hong Kong Free Trade Agreement that allow cross-border data flows and prevent governments from requiring data to be stored in Australia. These clauses could also be included in an e-commerce deal that is currently being negotiated in Geneva between 76 countries, and which is being heavily influenced by technology, energy and other companies. These companies want rules that lock in the free flow of data across borders, which would enable them to evade local privacy laws and other regulation.
Through its retail operations, Alinta collects names, addresses, birth dates, mobile numbers, Medicare and passport numbers, credit card details and in some cases individual health information of over a million Australians.
CTFE was allowed by the Australian government to buy Alinta in April 2017 on the proviso it would satisfy a series of conditions set by Australia’s Foreign Investment Review Board (FIRB) that were not made public.
The Sydney Morning Herald reports that Alinta internal documents leaked by a company whistleblower have now revealed that the FIRB conditions included that bulk customer data, personal information and electricity and gas data must be stored within Australia, could only be accessed within Australia and must not be taken outside of Australia. Third-party providers must also comply with the FIRB conditions.
Other leaks in the report reveal that, despite these conditions, Australian consumers’ data controlled by a subsidiary company of Alinta is being stored in Singapore and New Zealand. A June 2019 privacy compliance audit by Alinta’s internal auditor EY assigned the company a “red” or “significant” risk rating on key aspects of its privacy compliance. It said Alinta lacked proper oversight and structure to manage privacy and may not be adequately protecting personal information and at times “doesn’t meet the requirements of privacy laws”.