Data localization and regulation of non-personal data
Are there data localization/data residency or other types of laws that may require the retention and storage of data in the local jurisdiction, or prohibit the transfer of data out of the jurisdiction?

Last review date: 31 December 2024

 Yes

☒  a)    data localization / data residency laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may also be stored outside of the jurisdiction):

There are no data localization/data residency requirements for personal data generally (although offshoring will need to be done in accordance with the Privacy Act).

However, some level of data localization/data residency is required, or may be required, in specific sectors:

  • In some States/Territories (e.g., NSW and Vic), health records laws restrict disclosure of health records outside of the relevant State/Territory (i.e., impose in-State/in-Territory data sovereignty requirements) unless certain criteria are met (e.g., the individual consents to the transfer; a substantially similar protective regime will apply to the disclosed records; the transfer is necessary for the performance of a contract between the individual and the organization; or the organization has taken reasonable steps to protect the information consistent with State/Territory privacy principles). Original health records and copies of them would be subject to the same disclosure restrictions.
  • Additional requirements apply before a credit provider can disclose credit eligibility information to offshore recipients who do not have an Australian link. Each credit provider with an Australian link will be responsible for its breach of credit reporting provisions of Australian privacy laws. Original data and copies of it would be subject to the same requirements.
  • "My Health Records" and associated information (e.g., back-ups of My Health Records) must not be held, taken, processed or handled outside Australia at all (except that the My Health Records system operator can hold, take, process or handle non personal and non-identifying information outside Australia). This means that original My Health Records and copies of them may not be removed from Australia.
  • Under the SOCI Act, telecommunication carriers have an obligation to maintain competent supervision of, and effective control over, their telecommunication network, including to consider any offshore arrangements in the applicable risk management assessment, particularly where data (presumably including personal information) is being disclosed to, or accessed from, foreign locations. The requirement does not exclude offshoring arrangements but does require regulated entities to have considered the risk of such arrangements, and are likely to have implemented some mitigation measures.

☒  b)    other laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may also be stored outside of the jurisdiction):

         national security laws

         tax or financial record laws

         export control laws

         other

In addition to the laws and requirements noted above:

  • Prudentially regulated institutions will also be subject to guidelines and standards on outsourcing and risk management, which may indirectly affect whether and how they disclose data to offshore service providers.
  • Goods, software or technology listed on the Defence and Strategic Goods List (DSGL) are "controlled technology" under customs laws. Listed items include certain technical data and information and encryption technology. Items listed in the DSGL may not be exported, supplied, published or brokered from Australia unless either a permit has been granted by the Minister for Defence or a legislative exemption applies to the export, supply, publication or brokering activity.
  • Under telecommunications and critical infrastructure laws, a responsible minister can give directions to telco carriers, carriage service providers and registered operators of critical infrastructure if satisfied that there is a risk that would be prejudicial to security. It is conceivable that these directions could include directions not to send or make available data offshore (e.g., if there were concerns about foreign government interference).
  • Under foreign investment approval laws, a condition of foreign investment approval could potentially include requiring that certain data relating to the business subject to approval be retained in Australia.

In addition:

  • Telecommunications interception laws do not specify data sovereignty or data residency requirements, but they do impose requirements on relevant providers to ensure that interception capability or capacity exists in Australia and/or that there is a presence in Australia for law enforcement to deal with. This may affect decisions on whether and how to offshore data and systems.
  • Other non-privacy or security specific legislation may require certain information to be kept in specific locations (e.g., corporations or work health and safety laws may require certain registers or records to be kept at a particular office or in-jurisdiction) and this may have the effect of requiring data localization. Typically, in these instances, it will be acceptable to host copies of this data offshore.
  • Commonwealth, State or Territory government policies may also express a preference for data localization, or recommend additional steps are taken where data is offshored.

The Department of Home Affairs issued a discussion paper on 6 April 2022, which sought stakeholder consultation on, amongst other things, whether Australia needed an explicit approach to data localization. The consultation concluded on 24 June 2022. However, there have been no further updates on data localization since then. The review of the Privacy Act considered submissions for and against extending the obligations in APP 8 to cover "uses" or "transfers" but the report on the review stopped short of recommending a broader data localization requirement, and neither the government's 2023-2030 Australian Cyber Security Strategy nor the associated Action Plan make reference to data localization. In fact, as noted in a previous response, the December 2024 updates to the Privacy Act aim to facilitate overseas data transfers by introducing a mechanism to prescribe countries and certification schemes as providing substantially similar protection to the APPs.

Does law or regulation impose mandatory requirements to share or make accessible non-personal data?

Last review date: 31 December 2024

         Obligation for private organizations to share or make accessible non-personal financial data

         Obligation for private organizations to share or make accessible other non-personal data

If so, please provide brief details of the relevant law or regulation.

The CDR scheme was introduced to give consumers greater control over their consumer data. It enables a consumer to direct a data holder (e.g., a bank or energy provider) to provide their CDR data to an accredited data recipient, in a CDR-compliant format, so that consumers can compare products and services, control and share data to access new products, and benefit from greater convenience.

The Motor vehicle information scheme (MVIS) requires motor vehicle manufacturers to share service and repair information with Australian motor vehicle repairers and registered training organizations. The scheme "applies to passenger vehicles and light goods vehicles other than omnibuses, manufactured on or after 1 January 2002. It does not apply to two- or three-wheeled vehicles, farm, construction or heavy vehicles, motor homes or buses."

Additionally, please note:

  • The DATA Scheme introduced by the Data Availability and Transparency Act 2022 (Cth) facilitates/authorizes rather than mandates the sharing of data of government agencies and Australian universities for specific purposes, i.e., government service delivery, informing government policy/programs and R&D. There is a public sector focus here, somewhat akin to the EU Data Governance Act.
  • Throughout its Digital Platforms Services Inquiry, the ACCC has discussed the advantages enjoyed by certain digital platforms because they have access to an enormous range of data, which other businesses do not enjoy. The ACCC has, in this context, considered the potential to apply "data access" requirements or enhance "data portability" in the digital platforms sector. The discussions are focused on digital platforms at this stage, rather than the economy as a whole. Even in this context, the ACCC's September 2022 report suggests that any data-sharing regime for platforms would not be introduced until after the Privacy Act reforms are complete. The later September 2023 and March 2024 ACCC interim reports considered IoT/smart home devices and data-sharing schemes respectively. However, no legislative changes have been made at this stage.
  • The Cyber Security Act 2024 (Cth) contemplates that manufacturers and suppliers of certain smart (IoT) devices acquired in Australia will be required to comply with mandatory security standards, and comply with ancillary obligations such as to publish information about the product and supply the product with a statement of compliance. It is expected that the relevant standards will be made via legislative instruments. It is not yet clear when any such standards will come into effect.
  • The SOCI Act requires the registration of critical infrastructure assets to a non-public government register, including the disclosure of certain operational information, direct interest holder information and risk management information. Further information may be directed by the government to be disclosed in relation to security incidents impacting a critical infrastructure asset.

What specific obligations do these data-sharing rules impose on private organizations?

Last review date: 31 December 2024

         Obligation to share data on request

         Obligation to share data proactively 

Data holders must enable consumers to exercise their right under the CDR to direct that their CDR data be shared with an accredited data recipient. Additionally, CDR data is subject to 13 privacy safeguards, which mirror the 13 APPs. There are strict rules and standards associated with the CDR scheme, particularly around obtaining consent, privacy and security.

The ACCC's website contains a summary of the responsibilities of data providers under the MVIS. A key obligation is to offer to supply scheme information and to make it easily accessible by publishing it on their website, with the offer itself free to access.

The Cyber Security Act 2024 (Cth) contemplates that manufacturers and suppliers of certain smart (IoT) devices acquired in Australia will be required to comply with mandatory security standards, and comply with ancillary obligations such as to publish information about the product and supply the product with a statement of compliance. It is expected that the relevant standards will be made via legislative instruments. It is not yet clear when any such standards will come into effect.

The SOCI Act requires the registration of critical infrastructure assets in a non-public government register, including the disclosure of certain operational information, direct interest holder information and risk management information. Further information may be directed by the government to be disclosed in relation to security incidents impacting a critical infrastructure asset.