International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last reviewed: 31 December 2024

☒ Yes

There is no concept of a third country in the Privacy Act, and the Privacy Act regulates overseas disclosures rather than transfers.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒ approved adequate/whitelisted jurisdictions

☒ to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)

☒ other solutions

Please see the separate question for information on data localization provisions that are not restricted to personal data.

Unless an exception applies, APP entities that disclose personal information to overseas recipients must take reasonable steps to ensure that the overseas recipient does not breach the requirements of the APPs (other than APP 1) (APP 8.1).

The exceptions are:

  • The substantially similar regime exception, where the APP entity reasonably believes that:
    • The recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information
    • There are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme

(There is currently no white list of jurisdictions or binding schemes that qualify for this exception but, since December 2024, the legislation has expressly contemplated that the government may make regulations specifying the relevant jurisdictions or schemes. It might reasonably be expected that jurisdictions where the GDPR applies, or which are the subject of a European Commission adequacy decision (e.g., Japan), will in future be prescribed for this purpose).

  • Informed consent as follows:
    • The entity expressly informs the individual that if he or she consents to the disclosure of the information, APP 8.1 will not apply to the disclosure
    • After being so informed, the individual consents to the disclosure

(It is relatively unusual to rely on this exception, due to the prescriptive requirements for consent and because consent may subsequently be withdrawn, in which case it can no longer be relied upon).

  • The disclosure of the information is required or authorized by or under an Australian law or a court/tribunal order
  • A permitted general situation (other than the situation relating to legal or equitable claims or alternative dispute resolution) exists in relation to the disclosure of the information by the APP entity
  • The entity is an agency and the disclosure of the information is required or authorized by or under an international agreement relating to information sharing to which Australia is a party
  • The entity is an agency and both of the following apply:
    • The entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body
    • The recipient is a body that performs functions or exercises powers that are similar to those performed or exercised by an enforcement body

Where APP 8.1 applies, an APP entity:

  • Will be liable for the conduct of any overseas recipient that would be a breach of the APPs in relation to disclosed personal information
  • Will be responsible for complying with the Privacy Act's Notifiable Data Breaches scheme in relation to any "eligible data breach" affecting personal information held by it or its overseas recipients

The review of the Privacy Act considered whether to change the basis on which overseas disclosures of personal information are regulated. As mentioned above, the first tranche of updates to the Privacy Act following the review introduced a mechanism to prescribe countries and binding schemes as providing substantially similar protection to the APPs, for the purpose of the substantially similar exception. Other proposals made and endorsed by the government include: the introduction of standard contractual clauses; strengthening the informed consent exception by requiring entities to consider the risks of an overseas disclosure and to inform individuals that privacy protections may not apply to their information if they consent; and stronger transparency requirements relating to overseas disclosures. The report on the review of the Privacy Act also recommended – and the government also endorsed – clarifying the meaning of disclosure and reasonable steps.

Separately, overseas disclosures of CDR data are subject to privacy safeguard 8 in Part IVD of the Competition and Consumer Act 2010 (Cth), which is somewhat similar but not identical to APP 8.1. Additionally, the CDR Rules require accredited data recipients of CDR data to make certain disclosures in their CDR policies about where CDR data is stored and disclosed to unaccredited recipients offshore.