If your business shares personal information with overseas recipients as part of its operations, you should understand that your privacy obligations extend beyond Australian shores. This means that if your Australian business discloses personal information to an overseas recipient, you are still required to satisfy your obligations under the Australian Privacy Principles (APPs). The APPs are set out in Schedule 1 to the Privacy Act 1988 (Cth), where they were inserted by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Privacy Amendment Act).

At LegalVision, our clients with international operations are increasingly asking us how they can effectively meet their obligations when it comes to privacy. While it is prudent to seek legal advice regarding your particular circumstances, this article provides a useful guide that is relevant to all Australian businesses that disclose personal information to third parties outside of Australia.

An Overview of APP 8

APP 8 governs cross-border disclosure of personal information. According to APP 8, an Australian entity that discloses personal information to an overseas recipient must take reasonable steps in the circumstances to ensure that the recipient does not breach the APPs in connection with this personal information. However, the Australian entity does not need to take reasonable steps to ensure compliance with APP 1 which requires businesses to have a privacy policy and a process to deal with privacy complaints.

APP 8.1 requires that, before disclosing the personal information, the Australian entity takes reasonable steps to ensure the overseas recipient does not breach the APPs. Under section 16C of the Privacy Act, an Australian entity may still be held accountable for an act or practice of the overseas recipient that would breach the APPs, even if the entity has taken reasonable steps. However, the Office of the Australian Information Commissioner (OAIC) will take into account the reasonable steps the entity did take when resolving the matter.

It is important to remember that the obligation does not depend on the Australian entity physically transferring the personal information to the overseas recipient. The obligation will still arise where an overseas recipient is given access to personal information that is stored in Australia, for example on an Australian database or server. This aligns with the central objective of the Privacy Amendment Act, which is to facilitate the free flow of information across borders while also protecting the privacy of Australians. There are, however, situations where an Australian entity does not need to take reasonable steps (discussed below).

When disclosing personal information to an overseas recipient, the Australian entity must also comply with APP 6. This Privacy Principle provides that the business must only use or disclose personal information for the primary purpose for which it was collected, unless an exception applies. APP 6 allows an Australian entity to use or disclose personal information for a secondary purpose (that is, any purpose other than the primary purpose of collection) in the following situations:

  • where the individual grants consent;
  • where the law requires disclosure; or
  • where it is “reasonably expected” that the Australian entity would disclose the information for the secondary purpose.

If the Australian entity relies on the third of these exceptions, it bears the onus of justifying its actions and satisfying the OAIC that the individual would reasonably expect the disclosure for that secondary purpose.

Definition of an Overseas Recipient

APP 8.1 defines an overseas recipient as a person who receives personal information from an APP entity and who is not:

  • located in Australia or an external Territory;
  • the individual to whom the information relates; or
  • the entity that disclosed the information.

This means that if your business sends personal information to its overseas office, APP 8 will not apply as this is still considered the same entity. However, the obligation will arise when an Australian entity shares personal information with a “related body corporate” which is located and operates outside of Australia. Section 50 of the Corporations Act 2001 (Cth) defines a related body corporate as any of the following:

  • a holding company of another body corporate;
  • a subsidiary of another body corporate; or
  • a subsidiary of a holding company of another body corporate.

This means that if your Australian entity is a subsidiary of an overseas holding company, APP 8 will apply when personal information is disclosed between these entities, because the holding company is a separate legal entity, not an overseas office of your business.

What Constitutes Disclosure?

Although the APPs don’t define disclosure, an Australian entity will be deemed to have disclosed personal information where it becomes available to others outside of the Australian company. The following actions are examples of disclosure:

  • sharing personal information with an overseas recipient;
  • revealing personal information at an international conference or an overseas meeting;
  • sending a physical document or email which contains personal information to a third party that is based overseas; and
  • publishing personal information on the Internet (regardless of whether it is an international domain or not) that an overseas recipient can access.

Furthermore, if an Australian entity discloses personal information to a contractor that is based overseas, this is also considered disclosure for the purposes of APP 8. A company must also take care when a contractor engages a subcontractor: the Australian entity will be held accountable if the contractor or subcontractor mishandles the personal information and breaches the APPs. Here are a few examples of when an Australian entity will engage an overseas contractor:

  • if an Australian business relies on its overseas parent company to provide billing and/or technical support and provides access to its Australian customer database for this purpose; or
  • an Australian eCommerce business outsources the processing of online purchases to a third party based overseas.

However, there are limited circumstances where providing personal information to an overseas contractor is considered ‘use’ rather than ‘disclosure’. APP 8 will not apply where the information is ‘used’ rather than ‘disclosed’. An Australian entity uses personal information when it does not release the information from its effective control. For example, providing personal information to a cloud service provider located overseas is likely to be a use rather than a disclosure where:

  1. the Australian entity provides the personal information to the provider solely for the purpose of storing it and ensuring the entity has access to it; and
  2. the contract between the Australian entity and the provider sets out that the provider may only handle the information for this limited purpose.

What Constitutes a Reasonable Step?

As we’ve covered above, an Australian entity must take “reasonable steps” to ensure that the overseas recipient does not mishandle personal information and breach the APPs (APP 8.1). The best way to meet this obligation is to have a good understanding of the actions that will constitute reasonable steps. The OAIC expects businesses to enter into an enforceable contractual relationship with the overseas recipient that requires them to comply with the APPs in relation to the personal information. It is prudent for an Australian entity to include the following in the contract, to minimise their commercial exposure:

  • an acknowledgement that a breach of the APPs by the overseas recipient may result in a breach for the Australian entity;
  • a warranty that the overseas recipient will not breach the APPs; and
  • an indemnity by the overseas recipient in the event that it breaches the APPs.

However, it is important to bear in mind that entering into a contractual relationship alone is not always sufficient. For example, where sensitive information is disclosed, more rigorous steps may be required, including auditing the overseas recipient’s handling of the information. The following factors help to determine what is reasonable:

  • the volume of information being disclosed;
  • the nature of the information (i.e. personal or sensitive information); and
  • whether there is a requirement for ongoing disclosure of the information.

In situations where it is not reasonable to enter into a contract, the OAIC expects businesses to consider and take other steps to meet their obligations under APP 8.1.

What are the Exceptions to Taking Reasonable Steps?

An Australian entity does not need to comply with APP 8.1 where it reasonably believes that the overseas recipient is subject to a law or binding scheme that protects the information in a way that, overall, is at least substantially similar to the APPs, and that there are mechanisms the individual can access to enforce that protection (APP 8.2(a)). Whether a particular overseas law or scheme meets this standard is not always clear, so you should speak to a lawyer about whether this exception applies in your circumstances.

Further, an Australian entity does not need to comply with APP 8.1 in the following circumstances:

  • where the entity expressly informs the individual that APP 8.1 will not apply if they consent to the disclosure, and the individual then gives that consent;
  • where the disclosure is required or authorised by or under an Australian law or a court or tribunal order;
  • where it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;
  • where it is for the purpose of taking appropriate action in relation to suspected unlawful activity or serious misconduct;
  • to locate a person who has been reported as missing;
  • where it is necessary for a diplomatic or consular function or activity;
  • where it is necessary for certain Defence Force activities conducted outside Australia;
  • where it is required or authorised by an international agreement relating to information sharing to which Australia is a party; or
  • in the case of a government agency, where the disclosure is reasonably necessary for an enforcement related activity conducted by an enforcement body and the recipient performs similar functions overseas.

Key Takeaways

APP 8 creates an obligation for Australian businesses that disclose personal information to overseas recipients. If this applies to you, it is important to understand your obligations so that you avoid breaching the APPs. While you may still be accountable even when you have taken reasonable steps, the OAIC will take those steps into consideration when resolving the matter. As such, when it comes to privacy it is best to take rigorous measures to prevent the mishandling of personal information, whether by your own business or by an overseas recipient.

If you have questions about your obligations under the Australian Privacy Principles, get in touch with our IT lawyers on 1300 544 755 or fill in the form below.

Ayatalla Lewih