Australia

A company is sending my data overseas to a country with weak privacy laws. Is this permitted?

APP 8.1
Key APP rule
12 months
OAIC may decline complaints older than this
AU$50M+
Max corporate penalty (greater of AU$50M, 3× the benefit, or 30% of turnover); AU$2.5M for individuals
APP 1.2
Compliance duty
The Short Answer

Yes, in most cases, but only if the company takes reasonable steps to ensure the overseas recipient handles your personal information in line with the Australian Privacy Principles (APPs), or an exception applies: you consented after being expressly told the APPs will not apply, the recipient is bound by a substantially similar law or scheme that you can actually enforce, or Australian law requires or authorises the disclosure. If the company relies on "reasonable steps" and the overseas recipient then mishandles your data, the company is generally treated as having committed that breach itself.

What the Law Says

The Privacy Act 1988 (Cth) regulates how Australian businesses covered by the Act (broadly, those with annual turnover above AU$3 million, plus certain smaller businesses such as health service providers) handle personal information, including when they send it overseas. The key rule is Australian Privacy Principle (APP) 8, which restricts offshore disclosures unless specific conditions are met.

Under APP 8.1, before an organisation discloses personal information to an overseas recipient it must take such steps as are reasonable in the circumstances to ensure the recipient does not breach the APPs (other than APP 1) in relation to that information. In practice that usually means an enforceable contract requiring the recipient to handle the data consistently with the APPs, particularly APP 6 (use and disclosure), APP 11 (security) and APP 12–13 (access and correction).

The main exceptions (APP 8.2) are: (1) you consented after being expressly informed that APP 8.1 will not apply to the disclosure; (2) the organisation reasonably believes the overseas recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs, and there are mechanisms you can access to enforce that protection; or (3) the disclosure is required or authorised by or under Australian law or a court or tribunal order. A few narrower exceptions also exist (for example, certain permitted general situations).

APP 1.2 also requires organisations to take reasonable steps to implement practices, procedures and systems that ensure APP compliance, including for overseas data flows. Separately, section 16C of the Act makes the disclosing organisation accountable: where it relied on APP 8.1 rather than an exception, and the overseas recipient does something that would breach the APPs, the organisation is taken to have done that act itself. Failure can lead to enforcement action by the Office of the Australian Information Commissioner (OAIC).

Statutory Text

Before an APP entity discloses personal information about an individual to a person (the overseas recipient): (a) who is not in Australia or an external Territory; and (b) who is not the entity or the individual; the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Privacy Act 1988 (Cth), Sch 1, APP 8.1 — Cross-border disclosure of personal information

Statutory Text

An organisation must take such steps (if any) as are reasonable in the circumstances to implement practices, procedures and systems relating to the organisation’s functions or activities that will ensure that the organisation complies with the Australian Privacy Principles.

Privacy Act 1988 (Cth), Sch 1, APP 1.2 — Compliance with Australian Privacy Principles

What to Do

1

Check the company’s privacy policy for details about overseas disclosures and the safeguards used.

2

Contact the company and ask which basis it relies on: your express consent, an enforceable contract or other reasonable steps binding the recipient, a substantially similar foreign privacy regime with an enforcement mechanism you can use, or a legal requirement.

3

If unsatisfied, complain to the company in writing first (the OAIC generally expects you to give it 30 days to respond), then lodge a complaint with the OAIC. The OAIC may decline to investigate conduct you became aware of more than 12 months ago, so do not delay.

4

You may request access to or correction of your personal information under APP 12 and APP 13.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.