Skip to content
LegalVision

Demystifying Cross-Border Data Sharing: Your Client’s Privacy Obligations

Avatar photo

By Alexandra Perry
Deputy Head of Legal Australia

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

This article was written by Alexandra Perry and Jordan Bramis.

It was first published in the LexisNexis Privacy Law Bulletin Vol 20 Issue 8.

If your clients are sharing personal information overseas with overseas recipients, their privacy obligations extend beyond Australia. If your Australian business discloses personal information overseas to an overseas recipient, they need to satisfy their obligations under Australian privacy laws, including the Australian Privacy Principles (APPs). This article provides a guide for lawyers who have clients sharing personal information with third parties outside of the country.

Tips

  • One — your clients need to understand that the scope of disclosure encompasses more than just physically sending data across borders. Any scenario where personal information becomes accessible to overseas entities, even if stored in Australia, is considered disclosure. So, clients need to implement tahe necessary safeguards.
  • Two — rigorous measures need to be taken if clients share personal data overseas. Factors such as the volume and nature of information are relevant, as well as ongoing disclosure requirements.

An Overview of APP 8

The APP 8 was introduced into Australian privacy law to regulate the cross-border disclosure of personal information and was part of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which amended the Privacy Act 1988 (Cth).

Its introduction has been driven by factors such as:

  • Globalisation and data flows — in an increasingly interconnected world, personal information is frequently transferred across national borders. As data flows expanded, there was a growing need to regulate the transfer of personal information from Australia to overseas entities, especially in light of potential privacy risks.
  • Harmonisation with international standards — many countries had already established frameworks to govern cross-border data transfers.
  • Protecting privacy rights — APP 8 was introduced to ensure that individuals’ privacy rights are upheld even when their personal information is transferred overseas.
  • Enhancing accountability — the aim was to enhance accountability and encourage businesses to be more cautious when sharing data with overseas entities.

Before disclosing personal information, your Australian business must take all reasonable steps to ensure the overseas recipient, such as an overseas contractor, does not breach the APPs. Your business may still be accountable for the practices or acts of an overseas recipient, which results in a breach, even if you have taken reasonable steps. Where a breach of personal information occurs, the Office of the Australian Information Commissioner (OAIC) will take into account the reasonable steps taken by your business when determining how to resolve the matter.

The privacy obligations regarding disclosure will apply whether or not your business actually transferred personal information overseas or not. For example, the obligations will still apply when an overseas recipient can access personal information stored in Australia on an Australian database or server.

Continue reading this article below the form
Loading form

The Primary Purpose Requirement

Your Australian business must only disclose personal information for the primary purpose for which it was collected unless an exception applies. Pursuant to APP 6, your Australian business may use or disclose personal information for a secondary purpose (defined as the non-primary purpose) in certain situations, including:

  • where the individual grants consent;
  • where the disclosure is authorised or required by Australian law; or
  • where it is “reasonably expected” that the Australian entity would disclose the information for the secondary purpose and the secondary purpose is related to the primary purpose (or, in the case of sensitive information, directly related to the primary purpose).

Definition of an Overseas Recipient

APP 8.1 defines an overseas recipient as a person who receives personal information from an APP entity and is not:

  • located in Australia or an external territory;
  • the person to which the information relates; and
  • the entity which disclosed the information.

This means that if your business is sharing personal information overseas with its overseas office, APP 8 will not apply as this is still considered the same entity. However, the obligation will arise when an Australian entity shares personal information with a “related body corporate” which is located and operates outside of Australia. The Corporations Act 2001 (Cth) defines a related body corporate as any of the following:

  • a holding company of another body corporate;
  • a subsidiary of another body corporate; or
  • a subsidiary of a holding company of another body corporate.

If your business shares personal information with its overseas office, APP 8 will not apply because it is still considered the same entity. However, the obligation under APP 8 comes into effect when an Australian entity discloses personal information to a “related body corporate” that operates outside of Australia. As per the Corporations Act, a related body corporate can be any of the following:

  • a holding company of another body corporate;
  • a subsidiary of another body corporate; or
  • a subsidiary of a holding company of another body corporate.

So, if your business has an overseas holding company that owns the assets of your Australian entity, APP 8 applies when sharing personal information between these entities.

What Amounts to Disclosure?

Although the APPs do not define “disclosure”, your Australian entity will be deemed to have disclosed personal information where this information becomes available to others outside of the Australian company. The following actions are examples of disclosure:

  • sharing personal information with an overseas recipient;
  • revealing personal information at an international conference or an overseas meeting;
  • sending a physical document or email which contains personal information to a third party that is based overseas;
  • sharing personal information with an overseas product manufacturer for order fulfilment, shipping and tracking;
  • transferring personal information to entities located overseas during mergers, acquisitions or asset sales;
  • sharing personal information with overseas analytics and market research firms to gain insights into consumer behaviour; or
  • publishing personal information on the Internet (regardless of whether it is an international domain or not) that an overseas recipient can access

Other Circumstances Which Constitute Disclosure

If your clients reveal personal information to an overseas contractor, it also falls under the category of disclosure for the purposes of APP 8. Additionally, clients must also take care when a contractor engages a subcontractor.

The OAIC will generally hold your business accountable if the subcontractor mishandles the personal information and breaches the APPs. Your Australian business is likely to engage an overseas contractor in the following circumstances:

  • if your business relies on its overseas parent company to provide billing and/or technical support and provides access to its Australian customer database for this purpose;
  • if your business is an e-commerce business that outsources the processing of online purchases to a third party based overseas;
  • if your business outsources customer support services to an overseas call centre, which requires access to customer data for issue resolution;
  • if your business has an overseas data processing company to handle large datasets, including personal information, such as for surveys or data analysis; or
  • if your business outsources services like customer support, data processing or administrative functions to third-party service providers located overseas.
Front page of publication
2023 Key Data and Privacy Developments

This fact sheet outlines the changes to data and privacy protection in 2023.

Download Now

Used Versus Disclosed

There are limited circumstances where providing personal information to an overseas contractor is considered “use” rather than “disclosure”. APP 8 will not apply where the information is “used” rather than “disclosed”.

Use of Personal Information — Examples

A client will use personal information when it does not release it from its effective control. Below are some examples of when personal information is used rather than disclosed:

  • your business provides personal information to a cloud service provider located overseas to store the information and ensure they have access to it and the contract between your business and the provider states that the provider can only handle the information for this purpose;
  • your business contracts an overseas document-archiving service to store historical records, but the service provider doesn’t access or use the data beyond storage; or
  • your business shares information with its overseas office so it can be de-identified and used for internal business purposes.

What Constitutes a Reasonable Step?

Australian businesses must take “reasonable steps” to ensure overseas recipients handle personal information properly to avoid breaching the APPs. The best way to meet this obligation is to understand the actions that will constitute reasonable steps. The OAIC expects your business to ensure overseas recipients comply with the APPs through enforceable contracts. To reduce business risk, it is advisable to include the following in your

business’ contract with overseas recipients:

  • an acknowledgement that a breach of the APPs by the overseas recipient may in turn result in your client having breached the APPs;
  • a warranty that the overseas recipient will not breach the APPs; and
  • an indemnity by the overseas recipient in the event that it breaches the APPs

However, a mere contractual relationship between your business and the overseas recipient alone is not always sufficient. For example, where your Australian entity is disclosing sensitive information to an overseas provider, you may need to take more rigorous steps, including auditing. The following factors help to determine what is reasonable:

  • the volume of information being disclosed;
  • the nature of the information (ie personal or sensitive information); and
  • whether there is a requirement for ongoing disclosure of the information

If a contract is not reasonable, businesses need to find other ways to meet APP obligations, according to the OAIC.

What Are the Exceptions to Taking Reasonable Steps?

Your Australian entity does not need to comply with APP 8.1, where it reasonably believes the overseas recipient is subject to substantially similar laws or a binding scheme and there are mechanisms available which allow the individual to enforce their rights or the protection of their information under that law or scheme.

Further, an Australian entity does not need to comply with APP 8.1 in the following circumstances:

  • where your business has expressly informed the individual that if they consent to the disclosure, your business will not be responsible for any breach of the APPs by the overseas recipient, and the individual gives express consent on that basis;
  • where it is required by law, such as disclosure to an overseas government for compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth);
  • where it is for the purpose of taking appropriate action in relation to serious misconduct or unlawful activity;
  • to locate a person who is reported missing;
  • where it is necessary for a diplomatic or consular function or activity;
  • where it is necessary for certain Defence Force activities held outside of Australia;
  • where it is authorised by an international agreement relating to sharing information; or
  • where it is for an enforcement-related activity.

Key Takeaways

APP 8 imposes an obligation on your Australian business if it discloses personal information to overseas recipients. If this applies to you, it is crucial to understand your obligations when sharing personal information overseas with overseas recipients to avoid breaching the APPs. While you may still be accountable even when you have taken reasonable steps, the OAIC will consider this when resolving the matter. As such, when it comes to privacy, it is best to take rigorous methods to protect against the mishandling of personal information by your business or an overseas recipient.

If you have questions about sharing personal information overseas or your obligations under the Australian Privacy Principles, contact our experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions 

When do the APPs apply to overseas disclosure?

The obligations under the APPs will apply to your Australian business if it discloses information to an overseas entity or where an overseas entity has access to the personal information of an Australian individual.

What is ‘disclosure’ under the APPs?

Neither the APPs nor the Privacy Act defines ‘disclosure’. However, disclosure has been interpreted broadly, and a transfer of access of information would likely be considered a disclosure where it becomes available to an overseas entity outside of your  Australian company.

Register for our free webinars

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Stone & Chalk Tech Central, Level 1 - 477 Pitt St Haymarket 2000
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now

Construction Industry Update: What To Expect in 2026

Online
Stay ahead of major construction regulatory changes. Register for our free webinar.
Register Now
See more webinars >
Alexandra Perry

Alexandra Perry

Deputy Head of Legal Australia | View profile

Alexandra is the Deputy Head of Legal Australia at LegalVision, with particular expertise in commercial health, privacy and consumer law. She is qualified and has a practising certificate in New Zealand, as well as Australia. Alexandra also specialises in regulatory compliance. She uses her experience to provide commercial and regulatory advice to in-house legal teams and to draft and negotiate general commercial agreements. She has a Master of Laws from the University of Melbourne and has previously worked as a lawyer at top law firms in New Zealand and Australia.

Qualifications: Bachelor of Laws, University of Canterbury, Master of Laws, University of Melbourne. 

Read all articles by Alexandra

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Privacy Considerations When Incorporating Blockchain Technology in Your Business

Key SaaS Privacy and Data Considerations

Can I Collect an Individual’s Personal Information From a Third Party?

Is My Organisation Exempt From the Spam Act?

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards