Overseas hosting
8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

There are generally no applicable data localization requirements in Australia at present. However, there are some data protection requirements that need to be considered when offshoring data.

Where personal information is to be hosted in a data center outside Australia, the following Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) ("Privacy Act") will be relevant:

  • APP 6: If an entity regulated by the Privacy Act ("regulated entity") holds information about an individual that was collected for a particular purpose, that information must not be used or disclosed for another secondary purpose unless the relevant individual has consented to this, or the use or disclosure falls within one of a permitted set of exceptions. One such exception is where the individual would reasonably expect the entity to use or disclose the information for the secondary purpose and that secondary purpose is sufficiently related to the primary purpose of collection.
  • APP 8.1: Unless an exception applies, a regulated entity that is to disclose personal information to an overseas recipient must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs. The Australian-regulated entity is also subject to strict liability for breaches by the offshore entity. "Reasonable steps" in this context should include, at a minimum, having an appropriate data transfer agreement in place that obliges the offshore recipient to comply with the APPs and that also contains obligations framed to help ensure compliance in practice (e.g., audit rights and controls).
  • APP 11: A regulated entity must take reasonable steps to protect information from misuse, interference and loss, and from unauthorized access, modification or disclosure.

Specific to the cloud, the APPs provide guidance on when providing personal information to a cloud service provider might, in certain limited circumstances, be classified as a "use" by the regulated entity providing the information rather than a "disclosure" by that entity. As such, it is possible that a pure cloud hosting arrangement that meets the above criteria may be classified as a use only, not a disclosure, by the customer and, therefore, will not be subject to APP 8. However, even where no disclosure has occurred, the activity would still involve "use" and "holding" of the data by the cloud customer, so APP 6 and APP 11 would still need to be complied with.

Additional requirements apply for data that is part of the Consumer Data Right scheme.

The Privacy Act was recently reviewed, and the government is considering a range of modernizations to Australian privacy law in response, including proposals that would affect APP 6, APP 8 and APP 11. Any resulting changes to the law may have implications for the overseas hosting of data.