Australia: Offshoring data: The new privacy laws


This is a result of IT service providers using personnel and infrastructure in low cost jurisdictions such as India to service Australian based clients. The cloud computing industry alone is now worth nearly $2 billion in Australia and about half of this is spent on public cloud services. Eighty six per cent of Australian businesses now report that they use cloud services.1

While there are onshore data processing options available in the marketplace (including 'Australia-only' clouds2), these may not offer the customer the same benefits (e.g. economies of scale, affordability) as offshore options.

There are a range of commercial risk and regulatory considerations that any customer or supplier considering offshoring data needs to assess. In particular, new laws govern the 'disclosure' by Australian organisations3 of personal information4 to overseas recipients from 12 March 2014.5 This note addresses some of the relevant issues.


The new law replaces the National Privacy Principles (that applied to private organisations) and Information Privacy Principles (that applied to government agencies) with a single list of principles called the Australian Privacy Principles (APPs).

The new law gives the Privacy Commissioner more powers, including:

  • the ability to seek enforceable undertakings from organisations that have breached the Privacy Act and enforce any such undertaking in the courts;
  • the power to initiate own motion investigations whether or not a complaint from an affected individual has been made; and
  • the power to apply to the Federal Court for a civil penalty order of up to $1.7 million for serious or repeated breaches.


APP 8 requires that before disclosing personal information to a person that is outside Australia (an overseas recipient), an Australian organisation must:

  1. take reasonable steps to make sure that the overseas recipient will not breach the APPs and the Australian organisation will be accountable for any such breach by the overseas recipient; or
  2. alternatively:
    1. make it known to the relevant individual that his or her personal information will not be protected by the APPs after the 'disclosure' to the overseas recipient and obtain the individual's consent to the 'disclosure'; or
    2. form a reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs.


APP 8 does not apply unless the personal information is 'disclosed' to an overseas recipient.

Is the transfer a 'disclosure' or a 'use'?

The new law does not define what constitutes a 'disclosure'. The NPPs regulate cross-border 'transfers' of personal information, not 'disclosures'.6 In the Explanatory Memorandum for the new law, Parliament explained that 'disclosure' is not intended to be as broad as 'transfer'.7 The Merriam-Webster Dictionary defines a disclosure as "the act of making something known". Accordingly, a transfer of personal information to an overseas recipient will not necessarily be a 'disclosure' or subject to APP 8.

The Office of the Australian Information Commissioner (OAIC) has suggested that a 'disclosure' occurs when information is released from an entity's effective control.8

In the context of cloud services, the OAIC is of the view that a transfer of personal information will not be a 'disclosure' if the service provider is only storing the data and certain contractual protections are implemented:


Where an APP entity provides personal information to a cloud service provider located overseas for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, this [will not be a 'disclosure'] provided:

  1. a binding contract is entered into requiring the provider to only handle the personal information for these limited purposes;
  2. that contract requires any subcontractors to agree to the same obligations; and
  3. that contract gives the entity effective control of how personal information is handled by the overseas recipient.

However, the OAIC has also given guidance that the following service provider arrangements will involve a 'disclosure':

  • outsourcing the processing of online purchases through a website to an overseas service provider (providing personal information on customers to the service provider in order to facilitate this);
  • sending information to an overseas service provider for the purposes of conducting reference checks on behalf of the Australian organisation; or
  • an Australian organisation relying on a parent company offshore to supply billing support (providing the parent with access to its customer database in order to facilitate this).

The distinction between the cloud storage example and the other examples given does not appear to be justified in terms of 'control'. For example, the online payment processing agreement could be subject to the same contractual controls as the OAIC stipulates in the cloud storage example. The distinction appears instead to lie in the different levels of use or processing of the personal data required of the service provider in each example. In the cloud storage example, the service provider does not need to use, access or view the personal data, whereas in the other examples the service provider does need to access or view the data in order to perform its services.

It is interesting that neither the new law, nor the OAIC guidance, deals with encryption of personal data in the context of APP 8. Arguably, if a customer encrypts personal information before providing it to its service provider, no 'disclosure' of the personal information will occur.

Even if an Australian organisation can satisfy itself that a transfer of personal information to an overseas recipient is not a 'disclosure' and therefore not subject to APP 8, the organisation may still be liable for any breach of the APPs by the overseas recipient on the basis that the overseas recipient is acting as the Australian organisation's agent and its acts or omissions may be taken to be acts or omissions of the Australian organisation for the purposes of the Privacy Act.

It is important to recognise that OAIC guidance10 in relation to 'disclosure' is not legally binding. However, prudent organisations will take note of the regulator's guidance when implementing compliance procedures.

Based on the Explanatory Memorandum for the new law, we can be confident that the following acts will constitute a 'disclosure':

  • publishing personal information on the internet;
  • accidentally releasing personal information publicly; and
  • sending information to a related company (for example, a parent or sister company).11

Transferring personal information outside Australia: 'use' or 'disclosure'?

Further, a transfer of personal information within the same corporate entity is not considered a 'disclosure', even if that transfer is to an overseas office of the same entity.12

The diagram below is a visual representation of the acts that may constitute a 'disclosure' to an overseas recipient.


Assuming that a 'disclosure' has taken place and it is received by an overseas recipient, the consequence is that an Australian organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs.

Parliament has suggested that reasonable steps will normally require that an entity enter into a contractual relationship with the recipient.13

The OAIC has also gone a step further, specifying contractual conditions that it believes may be sufficient to satisfy the 'reasonable steps' requirement:


  • Set out the types of personal information to be 'disclosed' and the specific purposes of 'disclosure'.
  • Include an obligation that the overseas recipient complies with the APPs in relation to:
    1. collection;
    2. use;
    3. disclosure;
    4. storage; and
    5. destruction/de-identification.
  • Include an obligation that subcontractors comply with the same requirements as above.
  • Include a requirement that the overseas recipient implement a data breach response plan (for notifying the Australian entity of data breaches and required remedial action).


Exception 1: where consent is obtained

An entity will not need to ensure the overseas recipient complies with the APPs if the entity obtains consent from the individual whose information is being 'disclosed'. Consent will only be valid where it is (a) expressly obtained and (b) plainly evident that the individual was aware the entity would not be taking steps to ensure the overseas recipient complies with the APPs.15

The OAIC has suggested that valid consent will be given where:

  1. the entity provides a clear written or oral statement explaining the consequences of consent (i.e. the entity will not be accountable for breaches of the APPs by the foreign entity and the individual may not be able to seek redress); and
  2. the statement explains practical effects and risks associated with 'disclosure' that the entity is aware of (e.g. that the individual will not have the ability to access personal information relating to the individual that is held by the foreign entity).

Exception 2: where the overseas recipient is subject to substantially similar laws

An entity will not need to ensure the overseas recipient complies with the APPs if the entity has a reasonable belief that the person outside Australia is subject to laws substantially similar to the APPs.

What constitutes a reasonable belief?

A reasonable belief is more than merely a 'genuine or subjective belief'. The OAIC suggests that it is the responsibility of the organisation to justify its 'reasonable belief' if there is a dispute. One example that the OAIC gives is where an organisation has obtained independent legal advice on the foreign privacy protections.

What are substantially similar laws?

Laws which are substantially similar do not necessarily need to replicate the protections in the APPs word for word. Rather, the 'overall effect' of the law is the determining factor.

The OAIC has not been willing to publish a "white list" of countries that it considers to have laws substantially similar to Australia's, but the EU white list16 may be a good starting point for an analysis (the list includes, for example, Switzerland, Argentina and New Zealand). It is prudent to seek legal advice as to whether the country where an overseas recipient is located has substantially similar laws. In the context of cloud computing, this may involve considering the laws of each of the jurisdictions in which the service provider's infrastructure is located.

The OAIC has published its own guidance as to what it will take into account when considering foreign privacy laws:


  • Is there a comparable definition of 'personal information'?
  • Does it regulate collection of personal information in a similar way to the APPs?
  • Does it require the recipient to notify individuals about collection?
  • Does it require the recipient to use or 'disclose' personal information only for authorised purposes?
  • Are there comparable data quality and security standards?
  • Is there a right to access and seek correction of personal information?

The last element is that the similar laws must have enforcement mechanisms that are accessible to an individual whose personal information is 'disclosed'. A body equivalent to the OAIC, or courts with similar functions and powers, will be a necessity.

Privacy Policy & Collection Statements

In addition to complying with APP 8, Australian organisations are required to include in their Privacy Policy:

  1. whether they are likely to 'disclose' information overseas17; and
  2. the countries where overseas recipients are located.18

If the information is likely to be 'disclosed' to a person overseas who is not already listed in the Privacy Policy, then an entity must send the individual a Collection Notice that lists the other countries where the information may be 'disclosed'.19


Australian organisations are also required to take appropriate security measures to protect any personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.20 Security may need to be more rigorous if the information is sensitive or the potential consequences for the individual, if the information were disclosed, are severe.

Other regulation

Depending on the organisation's industry, or where the organisation is a government agency, additional laws may also apply to offshore data transfers.

Commonwealth Government agencies are subject to separate, stringent rules when they choose to outsource or offshore data (Attorney-General's Guidelines for Outsourced or Offshore ICT Arrangements). For example, where personal information is sent offshore or placed in a public cloud service arrangement, the agency must first obtain the consent of both the Attorney-General and the Minister responsible for the agency.

There are special data management requirements for financial institutions (APRA Prudential Practice Guide CPG 235). These include ensuring that all contracts for the outsourcing of data (not just personal information) include special conditions relating to the handling of that data. APRA suggests that these include terms covering business continuity management and that a risk assessment procedure be established before these arrangements can be entered into.


1 IDC, 'Cloud is now business as usual' (16 July 2013).
2 'Australia-only' cloud services are those where the provider commits to only storing or processing data in data centres located in Australia.
3 This includes entities with an 'Australian link' in accordance with s 5B.
4 This is information or opinion about an identified individual or a person who is reasonably identifiable. It does not matter whether the information is true or actually recorded in a material form.
5 Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
6 NPP 9 (Transborder data flows).
7 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – Explanatory Memorandum, p 83.
8 OAIC Guidance (APP 8) at [8.8].
9 OAIC Guidance (APP 8) at [8.14].
10 OAIC, Australian Privacy Principles Guidelines (February 2014).
11 OAIC Guidance (APP 8) at [8.13].
12 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – Explanatory Memorandum, p 83.
13 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – Explanatory Memorandum, p 83.
14 OAIC Guidance (APP 8) at [8.16].
15 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – Explanatory Memorandum, p 84.
16 The European Commission has published a "white list" of countries that it considers have adequate data protection laws (see: http://www.
17 APP 1.4 (f).
18 APP 1.4 (g).
19 APP 5.2 (i) and 5.2 (j).
20 APP 11.1.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
