Transferring data outside of Australia

Privacy Policy

Australia, Australia Privacy Act 1988

Transferring data outside of Australia

Most privacy laws are very broad in the sense that they apply to businesses outside of the state or country in which they were enacted, and the Australia Privacy Act 1988 is no exception to the rule. This privacy law applies to Australian organizations with an annual turnover of more than AUD $3,000,000. The law defines “organization” as:

  • An individual, including a sole trader (acting in a commercial capacity);
  • A body corporate;
  • A partnership;
  • Any other unincorporated association; or
  • A trust.

While this privacy law primarily applies to medium and large businesses due to the revenue requirement, it is important to note that there are a few exceptions which would require small businesses to comply as well. The following small businesses with an annual turnover of AUD $3,000,000 need to comply with this privacy law

This means that the Privacy Act extends its application to acts done outside Australia by an organization or small business operator with a link to Australia. In this article, we will discuss the requirements and restrictions when transferring data outside of Australia. 

How does the Privacy Act apply where an organization or governmental agency ‘discloses’ personal information overseas? 

There are 13 enumerated principles in the Privacy Act that set a baseline of minimum requirements for dealing with personal information. The APP 8 deals with cross-border disclosure of personal information. The Australian Privacy Act defines personal information as any information or opinion that could identify an individual. Similar to the purpose limitation enumerated in Article 5 of the GDPR, APP 6 similarly requires that an APP entity only disclose the personal information for the primary purpose for which it is being collected. 

APP 8.1 places a duty on the APP entity to take reasonable steps to ensure the overseas recipient of the personal information does not breach the APP before disclosing any personal information. The APP entity is liable if the overseas recipient mishandles the information and breaches any principle of the APP.  

An overseas recipient is defined in APP 8.1 as a person who receives personal information from an APP entity and is:

  • Not in Australia or an external territory 
  • Not in the APP entity disclosing the personal information, and 
  • Not the individual to whom the personal information relates. 

Under APP 8.9 an APP entity discloses personal information to an overseas recipient whenever they: 

  • Share personal information with an overseas recipient 
  • Reveal personal information at an international conference or meeting overseas
  • Send a hard copy or email containing an individual’s personal information to an overseas client, and 
  • Publish the personal information on the internet, whether intentionally or not, and it is accessible to an overseas recipient. 

Strict liability despite the  reasonable steps test

While an APP entity must take reasonable steps to ensure an overseas recipient does not breach the APPs, this does not absolve the APP entity from liability. The best practice if for an APP entity to enter into a contract with the overseas recipient. The APP entity should monitor the recipient’s compliance with the contractual terms. More rigorous terms of the contract and the auditing process will depend on various circumstances including: 

  • Whether the information disclosed is “sensitive information” 
  • The entity’s relationship with the recipient 
  • The possible adverse consequences for an individual if the information is mishandled, and
  • Whether the recipient has limited technical and operational safeguards. 

Yet, even when the APP entity has done everything possible to protect privacy in the overseas disclosure through contractual measures and the implementation of audit reviews, an APP entity will still be strictly liable if the overseas recipient acts in a way that would constitute a breach of the APPs. There are, however, some exceptions to this rule. 

Exceptions to APP 8.1 Compliance 

There are a few exceptions to APP 8.1 which requires an APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal data. This means that an APP entity does not have to comply with the reasonable steps test if one of these exceptions applies: 

  • First, this requirement does not apply if the overseas recipient is bound by a law or binding scheme that is substantially similar to the APPs. 
  • Second, under APP 8.27, if an APP entity expressly informs the individual, and the individual consents, either expressly or impliedly, to the disclosure, then the APP entity does not have to comply with 8.1. 
  • Third, an APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the disclosure is required or authorized by or under an Australian law or a count/tribunal order (APP 8.2(c)). 
  • Fourth, compliance with 8.1 does not apply if it would be unreasonable or impracticable for an APP entity to obtain the individual’s consent to disclosure and the entity reasonably believes the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. 
  • Fifth, an APP entity may also disclose personal information to an overseas recipient without complying with APP 8.1 in relation to suspected unlawful activity or serious misconduct, as well as to help locate a person reported missing. 

Exceptions to APP 8.1 Compliance for Governmental Agencies Only 

Governmental agencies may disclose personal information to an overseas recipient where the agency reasonably believes the disclosure is necessary for the agency’s diplomatic or consular functions, or where the disclosure is required by or under an international agreement related to information sharing to which Australia is a part of.  Neither of these exceptions extend to organizations. Lastly, an agency may disclose personal information to an overseas recipient without complying with APP 8.1 where such disclosure is necessary to effectuate an enforcement related activity.

Cross-border transfers under Australia’s Privacy Act compared to the GDPR 

With respect to transferring personal information outside of the EU, Article 45 of the General Data Protection Regulation (GDPR) stipulates that a transfer of personal data to a third country or an international organization can only occur once the Commission has decided that such place can afford an adequate level of protection. To date, the European Commission has not recognized Australia as providing adequate protection. Still, the Australian Privacy Act requires companies to disclose whether they will transfer data to other companies. Because the Australian Privacy Act can impose penalties of up to AUD $2,100,000 for serious or repeated breaches of privacy, use Termageddon’s Privacy policy generator to get your Australia privacy law ready Privacy Policy today.  

Photo of author
About the Author
Skylar Young

I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist.  I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association's Cyber Law and Data Privacy Committee.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates