International Data Transfer to Third Countries

APP 8 regulates the “disclosure” of personal data overseas (as opposed to the “transfer” of information) – it applies whenever an organisation makes personal data available to entities located outside Australia, even where the information is stored in Australia. Before an organisation discloses personal information about an individual to another organisation which is not in Australia, the first organisation must ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to personal data. The APP Guidelines indicate that the organisation usually has to obtain a contractual commitment from the overseas recipient that it will handle the personal data in accordance with the APPs.

Exceptions established by the Law

Transfers are admissible if:

  • the entity reasonably believes that the recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that is similar to the way in which the Australian Privacy Principles protect the information, and there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme;
  • the individual consents to the disclosure after being expressly informed by the entity that if he or she consents to the disclosure, the obligation to ensure that the overseas recipient does not breach the Australian Privacy Principles will not apply to that disclosure;
  • the disclosure of the information is required or authorised by an Australian law or a court/tribunal order; or
  • a permitted general situation exists in relation to the disclosure.

Further, unless an exception applies, the organisation may be held accountable if the overseas recipient does breach the APPs (despite the organisation having taken the “reasonable steps” referred to above).

Organisations also need to consider APP 11 when disclosing personal data to overseas recipients. The obligation to take reasonable steps to protect personal data from misuse, interference and loss and unauthorised access, modification or disclosure will apply to the disclosure of personal data to an overseas recipient. Organisations disclosing personal data to overseas recipients will need to ensure that the personal data will continue to be secure once disclosed.

There is currently no ability for organisations to use binding corporate rules in respect of the cross-border disclosure of personal data.