APP 8 overseas disclosure: when AU businesses are accountable for what an overseas recipient does
Australian Privacy Principle 8 makes an APP entity accountable for what an overseas recipient does with personal information it discloses. Here's the rule, the exceptions, and how to discharge the obligation.
What APP 8 requires
APP 8 applies when an Australian Privacy Principle (APP) entity discloses personal information to an overseas recipient. The principle is set out in Schedule 1 to the Privacy Act 1988 and governs the responsibilities of Australian organisations when sharing personal information internationally.
APP 8.1 places a direct obligation on the disclosing APP entity. It requires that the entity take steps that are reasonable in the circumstances to ensure the overseas recipient does not breach the Australian Privacy Principles concerning the disclosed information.
Section 16C of the Privacy Act 1988 further clarifies accountability. It stipulates that an APP entity is held accountable for breaches by the overseas recipient, effectively treating the breach as if the APP entity had committed it.
The exceptions in APP 8.2
APP 8.2 details circumstances where the obligations of APP 8.1 do not apply. A key exception exists when an Australian business reasonably believes the overseas recipient is governed by a law or binding scheme. This scheme must provide a level of protection for the information that is overall at least substantially similar to the protections offered by the Australian Privacy Principles (APPs), and must include mechanisms allowing individuals to enforce that protection.
Another exception arises when an individual consents to the overseas disclosure, but this consent must be expressly informed. This means the individual must be specifically told that section 16C will not apply should they provide consent for the overseas disclosure. General consent obtained within a longer document is unlikely to satisfy this requirement.
Finally, there are other, more limited exceptions. These include disclosures required or authorised by Australian law or court order, and certain permitted general and health-related situations.
Practical steps
Australian businesses subject to the Notifiable Data Breaches (NDB) scheme must understand their obligations regarding overseas disclosures under the Australian Privacy Principles (APPs). Businesses remain accountable for how overseas recipients handle personal information, even when that information is transferred legitimately. A key step is to comprehensively map all overseas data flows. This includes transfers to cloud hosting providers, Know Your Customer (KYC) vendors, payroll providers, and customer-support outsourcing services.
Following the mapping process, businesses must carefully assess each overseas recipient. For each recipient, a decision must be made as to whether any exception under APP 8.2 applies. This decision, and the reasoning behind it, should be documented. If no applicable exception exists, the business must take reasonable steps to ensure the overseas recipient agrees to obligations that are substantially equivalent to the Australian Privacy Principles. This contractual commitment should include rights for the business to audit the recipient’s practices and receive notifications of any data breaches.
Finally, transparency with individuals is essential. Businesses must update their Privacy Policy, as required by APP 1.3, to disclose the countries where personal information is likely to be sent.
- Document all decisions regarding APP 8.2 exceptions.
- Include audit and incident-notification rights in contracts with overseas recipients.
Why this matters more now
The commencement of the new statutory privacy tort on 10 June 2025 significantly alters the landscape for Australian businesses disclosing personal information overseas. Previously, redress for privacy breaches was largely limited to avenues pursued by the Office of the Australian Information Commissioner (OAIC). Now, individuals have a direct civil cause of action for serious invasions of privacy, meaning businesses can face private lawsuits in addition to potential OAIC enforcement action.
APP 8, which governs overseas disclosures, is increasingly under scrutiny. Major OAIC determinations have highlighted inadequate controls relating to overseas recipients as a contributing factor in significant data breaches. These determinations demonstrate the OAIC’s focus on ensuring Australian businesses adequately manage the privacy risks associated with transferring personal information internationally.
The potential for civil penalties under section 13G of the Privacy Act 1988 for significant or repeated APP 8 contraventions further underscores the importance of robust overseas disclosure practices. Businesses must now be more diligent in assessing and managing the privacy practices of overseas recipients to mitigate legal and reputational risks.
- Increased individual redress options
- Greater OAIC scrutiny
- Potential for civil penalties
Frequently asked
Is the AU entity liable if an overseas recipient breaches privacy?
Yes. Section 16C of the Privacy Act makes the disclosing APP entity accountable for breaches of the APPs by the overseas recipient — treating the act as if the APP entity had done it — unless one of the APP 8.2 exceptions applies.
Can I rely on consent to disclose overseas?
Only if the individual is expressly informed that section 16C will not apply if they consent, and the consent is sufficiently specific. Generic consents bundled into long terms-and-conditions generally won't meet 'expressly informed'.