The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out in Schedule 1 of the Act regulate how personal information is handled by private sector organisations with an annual turnover of more than AU $3 million (together with certain small business operators, such as health service providers) and by all Commonwealth Government agencies. The Privacy Act and the APPs apply to any APP entity that is established in Australia, carries on business in Australia, or collects personal information in Australia. The Act also extends to acts done outside Australia by an organisation or small business operator that has such a link to Australia. In this article, we discuss the requirements and restrictions that apply when personal information is transferred outside of Australia.
How does the Privacy Act apply where an organization or governmental agency ‘discloses’ personal information overseas?
There are 13 enumerated principles in the Privacy Act that set a baseline of minimum requirements for dealing with personal information. APP 8 deals with cross-border disclosure of personal information. The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form. Similar to the purpose limitation principle in Article 5(1)(b) of the GDPR, APP 6 requires that an APP entity only use or disclose personal information for the primary purpose for which it was collected, unless an exception applies (for example, the individual consents to a secondary use or disclosure).
APP 8.1 places a duty on the APP entity, before it discloses any personal information, to take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. Under section 16C of the Privacy Act, if the overseas recipient then mishandles the information in a way that would breach an APP, that act is taken to have been done by the APP entity, which is accountable for it.
An overseas recipient is defined in APP 8.1 as a person who receives personal information from an APP entity and is:
- Not in Australia or an external territory
- Not the APP entity disclosing the personal information, and
- Not the individual to whom the personal information relates.
Paragraph 8.9 of the OAIC's APP Guidelines gives examples of when an APP entity discloses personal information to an overseas recipient, including whenever the entity:
- Share personal information with an overseas recipient
- Reveal personal information at an international conference or meeting overseas
- Send a hard copy or email containing an individual’s personal information to an overseas client, and
- Publish the personal information on the internet, whether intentionally or not, and it is accessible to an overseas recipient.
Accountability despite the reasonable steps test
While an APP entity must take reasonable steps to ensure an overseas recipient does not breach the APPs, taking those steps does not absolve the APP entity from liability for the recipient's conduct. The best practice is for an APP entity to enter into a contract with the overseas recipient that binds the recipient to handle the information in accordance with the APPs, and then to monitor the recipient's compliance with the contractual terms. How rigorous the contractual terms and the auditing process need to be will depend on various circumstances, including:
- Whether the information disclosed is “sensitive information”
- The entity’s relationship with the recipient
- The possible adverse consequences for an individual if the information is mishandled, and
- Whether the recipient has limited technical and operational safeguards.
Yet, even when the APP entity has done everything it reasonably can to protect privacy in the overseas disclosure through contractual measures and audit reviews, section 16C still attributes to the APP entity any act of the overseas recipient that would constitute a breach of the APPs, so the entity remains liable for it. There are, however, some exceptions to this rule.
Exceptions to APP 8.1 Compliance
APP 8.2 sets out a number of exceptions to APP 8.1, which otherwise requires an APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information. Where one of these exceptions applies, the APP entity does not have to comply with the reasonable steps test, and section 16C does not attribute the recipient's conduct to the entity.
- First, under APP 8.2(a), the requirement does not apply if the entity reasonably believes that the overseas recipient is subject to a law or binding scheme that protects the information in a way that is, overall, at least substantially similar to the APPs, and there are mechanisms the individual can access to enforce that protection.
- Second, under APP 8.2(b) (discussed at paragraph 8.27 of the APP Guidelines), if the APP entity expressly informs the individual that APP 8.1 will not apply if they consent to the disclosure, and the individual then consents, either expressly or impliedly, the APP entity does not have to comply with APP 8.1.
- Third, an APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the disclosure is required or authorised by or under an Australian law or a court/tribunal order (APP 8.2(c)).
- Fourth, under APP 8.2(d), compliance with APP 8.1 is not required where a "permitted general situation" exists, for example where it is unreasonable or impracticable for the APP entity to obtain the individual's consent to the disclosure and the entity reasonably believes the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
- Fifth, the other permitted general situations also fall under APP 8.2(d): an APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where it reasonably believes this is necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct, or to assist in locating a person who has been reported missing.
Exceptions to APP 8.1 Compliance for Governmental Agencies Only
Government agencies have additional exceptions. An agency may disclose personal information to an overseas recipient where it reasonably believes the disclosure is necessary for the agency's diplomatic or consular functions or activities, or where the disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party (APP 8.2(e)). Neither of these exceptions extends to organisations. Lastly, under APP 8.2(f), an agency may disclose personal information to an overseas recipient without complying with APP 8.1 where it reasonably believes the disclosure is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body, and the recipient performs functions, or exercises powers, similar to those of an enforcement body.
Cross-border transfers under Australia’s Privacy Act compared to the GDPR
I am a third-year student at UIC John Marshall Law School in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE, and during my second year of law school I worked for the Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association's Cyber Law and Data Privacy Committee.