Most privacy laws are very broad in the sense that they apply to businesses outside of the state or country in which they were enacted, and the Australian Privacy Act 1988 is no exception to the rule. This privacy law applies to Australian organizations with an annual turnover of more than AUD $3,000,000. The law defines “organization” as:
- An individual, including a sole trader (acting in a commercial capacity);
- A body corporate;
- A partnership;
- Any other unincorporated association; or
- A trust.
While this privacy law primarily applies to medium and large businesses due to the revenue requirement, it is important to note that there are a few exceptions which require small businesses to comply as well. The following small businesses with an annual turnover of AUD $3,000,000 must also comply with this privacy law:
This means that the Privacy Act extends its application to acts done outside Australia by an organization or small business operator with a link to Australia. In this article, we will discuss the requirements and restrictions when transferring data outside of Australia.
How does the Privacy Act apply where an organization or governmental agency ‘discloses’ personal information overseas?
There are 13 enumerated principles in the Privacy Act (the Australian Privacy Principles, or APPs) that set a baseline of minimum requirements for dealing with personal information. APP 8 deals with cross-border disclosure of personal information. The Australian Privacy Act defines personal information as any information or opinion that could identify an individual. Similar to the purpose limitation enumerated in Article 5 of the GDPR, APP 6 requires that an APP entity only disclose personal information for the primary purpose for which it was collected.
APP 8.1 places a duty on the APP entity, before disclosing any personal information, to take reasonable steps to ensure that the overseas recipient of the personal information does not breach the APPs. The APP entity is liable if the overseas recipient mishandles the information and breaches any principle of the APPs.
An overseas recipient is defined in APP 8.1 as a person who receives personal information from an APP entity and is:
- Not in Australia or an external territory
- Not the APP entity disclosing the personal information, and
- Not the individual to whom the personal information relates.
Under APP 8.9, an APP entity discloses personal information to an overseas recipient whenever it:
- Share personal information with an overseas recipient
- Reveal personal information at an international conference or meeting overseas
- Send a hard copy or email containing an individual’s personal information to an overseas client, and
- Publish the personal information on the internet, whether intentionally or not, and it is accessible to an overseas recipient.
Strict liability despite the reasonable steps test
While an APP entity must take reasonable steps to ensure an overseas recipient does not breach the APPs, this does not absolve the APP entity from liability. The best practice is for an APP entity to enter into a contract with the overseas recipient and to monitor the recipient’s compliance with the contractual terms. How rigorous the contractual terms and the auditing process need to be will depend on various circumstances, including:
- Whether the information disclosed is “sensitive information”
- The entity’s relationship with the recipient
- The possible adverse consequences for an individual if the information is mishandled, and
- Whether the recipient has limited technical and operational safeguards.
Yet, even when the APP entity has done everything possible to protect privacy in the overseas disclosure through contractual measures and audit reviews, the APP entity will still be strictly liable if the overseas recipient acts in a way that would constitute a breach of the APPs. There are, however, some exceptions to this rule.
Exceptions to APP 8.1 Compliance
There are a few exceptions to APP 8.1, which requires an APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information. This means that an APP entity does not have to comply with the reasonable steps test if one of these exceptions applies:
- First, this requirement does not apply if the overseas recipient is bound by a law or binding scheme that is substantially similar to the APPs.
- Second, under APP 8.27, if an APP entity expressly informs the individual, and the individual consents, either expressly or impliedly, to the disclosure, then the APP entity does not have to comply with APP 8.1.
- Third, an APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the disclosure is required or authorized by or under an Australian law or a court/tribunal order (APP 8.2(c)).
- Fourth, compliance with APP 8.1 is not required if it would be unreasonable or impracticable for an APP entity to obtain the individual’s consent to the disclosure and the entity reasonably believes the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
- Fifth, an APP entity may also disclose personal information to an overseas recipient without complying with APP 8.1 in relation to suspected unlawful activity or serious misconduct, as well as to help locate a person reported missing.
Exceptions to APP 8.1 Compliance for Governmental Agencies Only
Governmental agencies may disclose personal information to an overseas recipient where the agency reasonably believes the disclosure is necessary for the agency’s diplomatic or consular functions, or where the disclosure is required by or under an international agreement relating to information sharing to which Australia is a party. Neither of these exceptions extends to organizations. Lastly, an agency may disclose personal information to an overseas recipient without complying with APP 8.1 where such disclosure is necessary for an enforcement-related activity.
Cross-border transfers under Australia’s Privacy Act compared to the GDPR