Table of Contents
- Tips
- An Overview of APP 8
- The Primary Purpose Requirement
- Definition of an Overseas Recipient
- What Amounts to Disclosure?
- Other Circumstances Which Constitute Disclosure
- Used Versus Disclosed
- Use of Personal Information — Examples
- What Constitutes a Reasonable Step?
- What Are the Exceptions to Taking Reasonable Steps?
- Key Takeaways
- Frequently Asked Questions
This article was written by Alexandra Perry and Jordan Bramis.
It was first published in the LexisNexis Privacy Law Bulletin Vol 20 Issue 8.
If your clients are sharing personal information with overseas recipients, their privacy obligations extend beyond Australia. An Australian business that discloses personal information to an overseas recipient must satisfy its obligations under Australian privacy law, including the Australian Privacy Principles (APPs). This article provides a guide for lawyers whose clients share personal information with third parties outside the country.
Tips
- One — your clients need to understand that the scope of disclosure encompasses more than just physically sending data across borders. Any scenario where personal information becomes accessible to overseas entities, even if stored in Australia, is considered disclosure. So, clients need to implement the necessary safeguards.
- Two — rigorous measures need to be taken if clients share personal data overseas. Factors such as the volume and nature of information are relevant, as well as ongoing disclosure requirements.
An Overview of APP 8
The APP 8 was introduced into Australian privacy law to regulate the cross-border disclosure of personal information and was part of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which amended the Privacy Act 1988 (Cth).
Its introduction has been driven by factors such as:
- Globalisation and data flows — in an increasingly interconnected world, personal information is frequently transferred across national borders. As data flows expanded, there was a growing need to regulate the transfer of personal information from Australia to overseas entities, especially in light of potential privacy risks.
- Harmonisation with international standards — many countries had already established frameworks to govern cross-border data transfers.
- Protecting privacy rights — APP 8 was introduced to ensure that individuals’ privacy rights are upheld even when their personal information is transferred overseas.
- Enhancing accountability — the aim was to enhance accountability and encourage businesses to be more cautious when sharing data with overseas entities.
Before disclosing personal information, your Australian business must take all reasonable steps to ensure the overseas recipient, such as an overseas contractor, does not breach the APPs. Your business may still be accountable for practices or acts of an overseas recipient that result in a breach, even if you have taken reasonable steps. Where a breach of personal information occurs, the Office of the Australian Information Commissioner (OAIC) will take into account the reasonable steps taken by your business when determining how to resolve the matter.
The privacy obligations regarding disclosure apply whether or not your business actually transferred personal information overseas. For example, the obligations still apply when an overseas recipient can access personal information stored in Australia on an Australian database or server.
The Primary Purpose Requirement
Your Australian business must only disclose personal information for the primary purpose for which it was collected unless an exception applies. Pursuant to APP 6, your Australian business may use or disclose personal information for a secondary purpose (defined as the non-primary purpose) in certain situations, including:
- where the individual grants consent;
- where the disclosure is authorised or required by Australian law; or
- where it is “reasonably expected” that the Australian entity would disclose the information for the secondary purpose and the secondary purpose is related to the primary purpose (or, in the case of sensitive information, directly related to the primary purpose).
Definition of an Overseas Recipient
APP 8.1 defines an overseas recipient as a person who receives personal information from an APP entity and is not:
- located in Australia or an external territory;
- the person to which the information relates; and
- the entity which disclosed the information.
This means that if your business is sharing personal information overseas with its overseas office, APP 8 will not apply as this is still considered the same entity. However, the obligation will arise when an Australian entity shares personal information with a “related body corporate” which is located and operates outside of Australia. The Corporations Act 2001 (Cth) defines a related body corporate as any of the following:
- a holding company of another body corporate;
- a subsidiary of another body corporate; or
- a subsidiary of a holding company of another body corporate.
So, if your business has an overseas holding company that owns the assets of your Australian entity, APP 8 applies when sharing personal information between these entities.
What Amounts to Disclosure?
Although the APPs do not define “disclosure”, your Australian entity will be deemed to have disclosed personal information where this information becomes available to others outside of the Australian company. The following actions are examples of disclosure:
- sharing personal information with an overseas recipient;
- revealing personal information at an international conference or an overseas meeting;
- sending a physical document or email which contains personal information to a third party that is based overseas;
- sharing personal information with an overseas product manufacturer for order fulfilment, shipping and tracking;
- transferring personal information to entities located overseas during mergers, acquisitions or asset sales;
- sharing personal information with overseas analytics and market research firms to gain insights into consumer behaviour; or
- publishing personal information on the Internet (regardless of whether it is an international domain or not) that an overseas recipient can access.
Other Circumstances Which Constitute Disclosure
If your clients reveal personal information to an overseas contractor, this also falls under the category of disclosure for the purposes of APP 8. Clients must also take care when a contractor engages a subcontractor.
The OAIC will generally hold your business accountable if the subcontractor mishandles the personal information and breaches the APPs. Your Australian business is likely to engage an overseas contractor in the following circumstances:
- if your business relies on its overseas parent company to provide billing and/or technical support and provides access to its Australian customer database for this purpose;
- if your business is an e-commerce business that outsources the processing of online purchases to a third party based overseas;
- if your business outsources customer support services to an overseas call centre, which requires access to customer data for issue resolution;
- if your business has an overseas data processing company to handle large datasets, including personal information, such as for surveys or data analysis; or
- if your business outsources services like customer support, data processing or administrative functions to third-party service providers located overseas.
Used Versus Disclosed
There are limited circumstances where providing personal information to an overseas contractor is considered “use” rather than “disclosure”. APP 8 will not apply where the information is “used” rather than “disclosed”.
Use of Personal Information — Examples
A client will use personal information when it does not release it from its effective control. Below are some examples of when personal information is used rather than disclosed:
- your business provides personal information to a cloud service provider located overseas to store the information and ensure they have access to it and the contract between your business and the provider states that the provider can only handle the information for this purpose;
- your business contracts an overseas document-archiving service to store historical records, but the service provider doesn’t access or use the data beyond storage; or
- your business shares information with its overseas office so it can be de-identified and used for internal business purposes.
What Constitutes a Reasonable Step?
Australian businesses must take “reasonable steps” to ensure overseas recipients handle personal information properly to avoid breaching the APPs. The best way to meet this obligation is to understand the actions that will constitute reasonable steps. The OAIC expects your business to ensure overseas recipients comply with the APPs through enforceable contracts. To reduce business risk, it is advisable to include the following in your business’ contract with overseas recipients:
- an acknowledgement that a breach of the APPs by the overseas recipient may in turn result in your client having breached the APPs;
- a warranty that the overseas recipient will not breach the APPs; and
- an indemnity by the overseas recipient in the event that it breaches the APPs.
However, a mere contractual relationship between your business and the overseas recipient alone is not always sufficient. For example, where your Australian entity is disclosing sensitive information to an overseas provider, you may need to take more rigorous steps, including auditing. The following factors help to determine what is reasonable:
- the volume of information being disclosed;
- the nature of the information (i.e. personal or sensitive information); and
- whether there is a requirement for ongoing disclosure of the information.
If a contract is not reasonable, businesses need to find other ways to meet APP obligations, according to the OAIC.
What Are the Exceptions to Taking Reasonable Steps?
Your Australian entity does not need to comply with APP 8.1 where it reasonably believes the overseas recipient is subject to substantially similar laws or a binding scheme, and there are mechanisms available which allow the individual to enforce their rights or the protection of their information under that law or scheme.
Further, an Australian entity does not need to comply with APP 8.1 in the following circumstances:
- where your business has expressly informed the individual that if they consent to the disclosure, your business will not be responsible for any breach of the APPs by the overseas recipient, and the individual gives express consent on that basis;
- where it is required by law, such as disclosure to an overseas government for compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth);
- where it is for the purpose of taking appropriate action in relation to serious misconduct or unlawful activity;
- to locate a person who is reported missing;
- where it is necessary for a diplomatic or consular function or activity;
- where it is necessary for certain Defence Force activities held outside of Australia;
- where it is authorised by an international agreement relating to sharing information; or
- where it is for an enforcement-related activity.
Key Takeaways
APP 8 imposes an obligation on your Australian business if it discloses personal information to overseas recipients. If this applies to you, it is crucial to understand your obligations when sharing personal information with overseas recipients to avoid breaching the APPs. While you may still be accountable even when you have taken reasonable steps, the OAIC will consider those steps when resolving the matter. As such, when it comes to privacy, it is best to adopt rigorous methods to protect against the mishandling of personal information by your business or an overseas recipient.
If you have questions about sharing personal information overseas or your obligations under the Australian Privacy Principles, contact our experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
The obligations under the APPs will apply to your Australian business if it discloses information to an overseas entity or where an overseas entity has access to the personal information of an Australian individual.
Neither the APPs nor the Privacy Act defines ‘disclosure’. However, disclosure has been interpreted broadly, and a transfer of access of information would likely be considered a disclosure where it becomes available to an overseas entity outside of your Australian company.