Businesses often find the need to share personal information outside Australia with people in other countries. Businesses must remember that privacy laws aren’t limited to Australian borders.
If an Australian business shares information with people overseas, it must still comply with privacy laws and the Australian Privacy Principles (APPs). Hiring a privacy lawyer is a great step.
This article, by our privacy and data lawyers, explores the key legal risks and considerations you need to know before sending personal information overseas.
Key takeaways
- Businesses must comply with the APPs even when sharing information outside Australia
- Compliance with the APPs requires due diligence, Privacy Impact Assessments, and robust contractual agreements
- Risks of sharing personal information overseas include data breaches, misuse, identity theft, and fraud
- Australian businesses are responsible for how overseas recipients handle transferred personal information
- Transparency, data minimisation and ongoing monitoring are critical to maintaining trust and compliance
- Personal information should only be shared for the primary purpose, with explicit consent when necessary
What are the risks of sending personal information overseas?
Transfer of personal data abroad refers to the transfer of sensitive and private data about individuals from one country to another. While this is often a necessary part of many business operations, it also poses certain risks and challenges that companies must be aware of.
The key risks associated with sending personal information overseas are:
Data breaches
A data breach occurs when personal information held by the overseas recipient is accessed, disclosed or lost without authorisation. Weaker data protection laws or controls in the recipient's country increase this risk, and the identity theft and fraud risks described below usually begin with a breach.
Misuse of personal information
Once personal information is in the possession of an overseas recipient, there is a risk that the recipient may use it for purposes to which the individual did not give express consent.
For example, the overseas recipient could use the data for marketing initiatives or other commercial activities. This unauthorised use not only violates the individual’s data protection rights, but also undermines the trust placed in the overseas contractor responsible for protecting the data.
Identity theft
Identity theft involves using stolen personal information to impersonate the individual. When an individual’s personal information falls into the wrong hands through a data breach or illegal access, an opportunity for identity theft presents itself.
With such information, identity thieves could open fraudulent accounts, apply for credit or engage in other activities that could have serious consequences for the victim.
Fraud
Personal information is a valuable asset for fraudsters, who may use it to carry out fraudulent activities.
For example, a malicious actor could use the information to make illegal purchases through the victim’s financial accounts, resulting in financial loss. Fraudsters could also attempt to gain unauthorised access to bank accounts or commit other forms of financial fraud.
When does personal data leave Australia?
Defining cross-border data transfers
Cross-border data transfers refer to the transfer or exchange of personal information about individuals from Australia to another country. This can involve various types of data, including names, addresses, financial details and other sensitive information.
These transfers are necessary for many modern businesses and operations, particularly in a connected global economy. They can occur for various reasons, such as outsourcing services to a foreign company, using cloud storage with servers outside Australia, or serving a global customer base.
Types of International Data Sharing
Cloud storage and hosting
Cloud storage and hosting is a way to store, manage and access data over the internet instead of storing it on one’s computer or hard drive. All such data is stored on remote servers owned and operated by cloud service providers.
Outsourcing services
Outsourcing is the process of contracting third-party vendors or service providers to perform specific business functions or tasks. The practice is common across industries and often involves the transfer of sensitive information to external companies. Companies outsource for various reasons, including cost reduction, efficiency gains, or access to specific expertise.
Global customer base
A global customer base describes a company that sells products or services to customers worldwide. These companies sell their products through channels such as online sales, traditional shops or distributors.
Who is responsible for the handling of personal information by overseas recipients?
The Australian Privacy Principles (APPs) apply to all Australian businesses, regardless of where they are located or where they store or process personal information.
If an Australian business transfers personal information overseas, it is responsible for the handling of that information by the recipient overseas.
All Australian businesses that transfer personal information overseas must take reasonable steps to ensure that the overseas recipient:
Only uses the personal information for the purpose for which it was disclosed
The Australian Privacy Principles (APPs) state that a business must not use or disclose personal information for a purpose other than that for which it was collected.
For example, suppose a business discloses personal data to an overseas recipient to provide customer service. In that case, the recipient must not use such information for other purposes, such as marketing or advertising.
However, if the individual has consented to the use or disclosure, the overseas recipient may use the data for the purpose for which consent was given.
Does not disclose the personal information to anyone else without the individual’s consent
The Australian Privacy Principles (APPs) provide that a business must not disclose personal information to another business or person unless the person has consented to the disclosure or an exception applies.
The overseas recipient must not disclose an individual’s personal information without that individual’s consent. This also applies to disclosing personal information to a subsidiary or affiliate of the overseas recipient.
Australian businesses can do the following to ensure that overseas recipients do not disclose personal information to third parties without the individual’s consent:
- Obtain the individual’s consent to disclose personal information to overseas recipients.
- Clearly state in any agreements with overseas recipients that they may not disclose personal information to third parties without the individual’s consent.
- Conduct due diligence on overseas recipients to ensure they have adequate policies and procedures to protect personal information.
- Monitor the use of personal information by overseas recipients to ensure that they comply with the APPs.
Takes steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure
The Australian Privacy Principles (APPs) state that a business must take reasonable steps to protect the personal information it holds from misuse, interference, loss and unauthorised access, modification or disclosure.
The overseas recipient must take reasonable steps to protect the personal information from the above risks. This may include:
- implementing appropriate security measures, such as encryption, firewalls, and access controls
- training staff in the secure handling of personal information
- having a plan in place to deal with data breaches
- conducting regular security audits
The reasonable steps an overseas recipient must take to protect personal information will depend on the nature of such information and the risks associated with its disclosure.
If a foreign recipient breaches the APPs, the Australian business that disclosed the personal data may be liable.
Ensuring an overseas recipient complies with the Australian Privacy Principles
When transferring personal information outside Australia, it’s critical that an overseas recipient complies with the Australian Privacy Principles (APPs). We also recommend hiring a privacy lawyer.
Here is a step-by-step explanation of how to ensure compliance:
Due diligence and choosing a provider
Before sharing personal data, businesses should conduct thorough due diligence on the recipient. This includes assessing their reputation, privacy practices and any compliance with privacy regulations.
Privacy Impact Assessment
Businesses should conduct a privacy impact assessment to evaluate the potential risks and benefits of sharing personal information with the overseas recipient. This will help identify and mitigate potential data protection risks.
Contractual agreements
Organisations should create a contractual agreement with the overseas recipient that includes specific privacy and data protection provisions. This contract should clearly outline the responsibilities and obligations of both parties in relation to handling personal information.
APP compliance clause
The agreement between the business and the recipient must include a clause requiring the overseas recipient to comply with the Australian Privacy Principles. This makes clear the recipient’s obligation to uphold the same privacy standards expected of an Australian entity.
Security Measures
Businesses should specify in the contract with the overseas entity that the recipient must implement appropriate security measures to protect the personal data it receives. These may include encryption, access controls, and regular security audits.
Consent and Notice
Businesses should inform individuals before sharing their personal information and obtain explicit consent where appropriate. Transparency is key to maintaining trust and compliance with data protection laws.
This consent might be captured in your business’s privacy policy.
Data minimisation
Businesses should only share as much personal information as is necessary for the recipient to fulfil the intended purpose. Avoid sharing excess or irrelevant data.
Monitoring and oversight
Businesses should ensure a system for ongoing monitoring and oversight of the overseas recipient’s data handling practices. Regular audits and assessments can help ensure compliance.
Reporting and Incident Response
There must be arrangements to report data breaches or privacy incidents to the business promptly. This allows for timely response and implementation of remedial actions.
Training and education
Businesses should provide training and guidance to the overseas recipient’s staff on data protection, and best practices for handling personal information.
Review and Updates
The contractual arrangements between the company and the recipient must be reviewed and updated to reflect any changes in data protection laws, company policies or the nature of the shared data.
Termination clause
The agreement must include a clause that provides for termination of the contract in the event that data protection obligations aren’t met. This provides a shield in the event that the overseas recipient doesn’t comply with its obligations.
Disclosing personal information for the primary purpose
The ‘primary purpose’ is the main reason for collecting personal information. It is usually found in the privacy notice given before, during, or shortly after the collection of the data. However, it may also happen that this notice has not been given or does not exist at all. In such cases, the primary purpose must strictly focus on the specific job or activity for which the data were collected.
Disclosure of personal information for the primary purpose refers to sharing an individual’s personal information with a third party, but only for the specific reason the information was originally collected.
Organisations should only collect personal information for a specific, legitimate purpose. They should also ensure that such information is not used or disclosed for other purposes without the consent of the individual.
Personal information may be shared between departments or teams as long as it serves the primary purpose. For example, a customer’s contact details may be shared with the shipping department to facilitate the delivery of a purchased item.
However, if a business needs to share personal information with a third party (e.g., a shipping company or a payment processor), it can only do so if it is in line with the primary purpose. For example, sharing a customer’s address with a courier service for delivery is a permissible use.
Frequently asked questions
What legal obligations must Australian organisations meet when sharing personal information overseas?
Organisations must comply with the APPs, particularly APP 8, which mandates taking reasonable steps to ensure the recipient outside Australia does not breach privacy standards equivalent to those in Australia.
Can an organisation transfer personal information overseas without consent?
Yes, but only if the transfer is necessary for contractual purposes, required by Australian law, or if the individual consents after being informed.
What are the risks of sharing personal information outside Australia?
The main risks include potential breaches of privacy due to weaker data protection laws in the recipient country, which could lead to unauthorised access, misuse, or loss of the personal information.